Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CORE-7152] Admin: Introduce GET /v1/features/enterprise endpoint #23314

Merged

Conversation

oleiman
Copy link
Member

@oleiman oleiman commented Sep 13, 2024

This PR introduces an Admin API endpoint to expose

  • Whether or not each enterprise licensed feature is enabled
  • The current license status of the cluster (valid, expired, or not present)
  • Whether the current set of enabled enterprise features violates the license
    • i.e. violation = (any enterprise feature enabled) AND (license status != valid)

Includes integration tests for the endpoint and a "feature report" representation for config state.

Fixes CORE-7152

Backports Required

  • none - not a bug fix
  • none - this is a backport
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v24.2.x
  • v24.1.x
  • v23.3.x

Release Notes

Features

  • Adds admin API endpoint for enterprise feature info GET /v1/features/enterprise

@oleiman oleiman self-assigned this Sep 13, 2024
@oleiman oleiman force-pushed the license/core-7152/admin-features-endpoint branch 2 times, most recently from cc05a65 to 23b1634 Compare September 13, 2024 21:42
@oleiman oleiman marked this pull request as ready for review September 16, 2024 18:04
@oleiman oleiman requested a review from a team as a code owner September 16, 2024 18:04
@oleiman oleiman requested review from a team, pgellert and michael-redpanda and removed request for a team September 16, 2024 18:04
Copy link
Contributor

@michael-redpanda michael-redpanda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks really good

violation = rsp.get('violation', None)
assert type(
violation) == bool, f"Ill-formed violation flag {type(violation)}"
assert not violation, "Config unexpectedly in violation"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fix/test: will probably in FIPS CDT as FIPS is enabled in the FIPS CDT environment

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, right, we talked about this the other day. per below, will give a run through CDT and see what happens.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added fips_ok_to_fail to avoid too much mucking around. lmk if you think it's worth refactoring the tests to account for this.

tests/rptest/tests/enterprise_features_license_test.py Outdated Show resolved Hide resolved
tests/rptest/tests/enterprise_features_license_test.py Outdated Show resolved Hide resolved
@michael-redpanda
Copy link
Contributor

Once initial CI completes let's run a "/cdt fips "

@vbotbuildovich
Copy link
Collaborator

vbotbuildovich commented Sep 16, 2024

new failures in https://buildkite.com/redpanda/redpanda/builds/54529#0191fc48-b238-4427-9ff6-97c8d35ff9a1:

"rptest.tests.enterprise_features_license_test.EnterpriseFeaturesTest.test_get_enterprise"

new failures in https://buildkite.com/redpanda/redpanda/builds/54529#0191fc4b-47f3-4c1f-8d94-c1278905b7e1:

"rptest.tests.enterprise_features_license_test.EnterpriseFeaturesTest.test_get_enterprise"

new failures in https://buildkite.com/redpanda/redpanda/builds/54545#0191fd0d-6347-47ad-a2f6-a8f7862da9cf:

"rptest.tests.delete_records_test.DeleteRecordsTest.test_delete_records_concurrent_truncations.cloud_storage_enabled=True.truncate_point=start_offset"

new failures in https://buildkite.com/redpanda/redpanda/builds/54570#0191feb1-8056-482d-8eb3-fac453fd76f5:

"rptest.tests.data_migrations_api_test.DataMigrationsApiTest.test_migrated_topic_data_integrity.transfer_leadership=True.params=TmtpdiParams.cancellation=None.use_alias=False"

@oleiman
Copy link
Member Author

oleiman commented Sep 16, 2024

oh, whoops, my license tests are bugged - forgot to populate the env var on the last few runs. back to draft for a sec

@oleiman oleiman marked this pull request as draft September 16, 2024 20:31
@oleiman oleiman force-pushed the license/core-7152/admin-features-endpoint branch from 23b1634 to 6943ee6 Compare September 16, 2024 21:14
@oleiman
Copy link
Member Author

oleiman commented Sep 16, 2024

force push contents:

  • CR comments (dead code, etc)
  • Fixed wonky license testing.

@oleiman oleiman marked this pull request as ready for review September 16, 2024 21:16
src/v/model/metadata.h Outdated Show resolved Hide resolved
src/v/cluster/feature_manager.cc Outdated Show resolved Hide resolved
res.license_status = license_status;
res.violation = license_status != status::valid && report.any();
for (std::size_t i = 0; i < report.size(); ++i) {
auto feat = static_cast<model::license_required_feature>(i);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if the feature set were represented as a vector of enum then we could avoid this casting from integer to enum, right? is the size of the feature set important? it seems like right now it would be about 20 bytes max and one would only exist in memory for the lifetime of the request?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

feature set were represented as a vector of enum

we want both enabled and disabled features, so I was choosing between bitset and map<enum,bool>, both of which are kinda smelly IMO. not really about size, just teasing out a "natural" representation for both the state of each feature and whether any enterprise feature is ON.

that said I think the answer is neither - 2x vector<enum> is 👌

@oleiman oleiman force-pushed the license/core-7152/admin-features-endpoint branch from 6943ee6 to b0afb4b Compare September 17, 2024 05:14
@oleiman
Copy link
Member Author

oleiman commented Sep 17, 2024

force push move report bits to v/features and clean up interface

@oleiman oleiman force-pushed the license/core-7152/admin-features-endpoint branch from b0afb4b to 9b13050 Compare September 17, 2024 05:23
@oleiman
Copy link
Member Author

oleiman commented Sep 17, 2024

force push bazel flub

@oleiman oleiman force-pushed the license/core-7152/admin-features-endpoint branch from 9b13050 to 77e64c4 Compare September 17, 2024 15:49
@oleiman
Copy link
Member Author

oleiman commented Sep 17, 2024

force push another bazel flub

@oleiman oleiman force-pushed the license/core-7152/admin-features-endpoint branch from 77e64c4 to f60fc59 Compare September 17, 2024 15:57
src/v/features/enterprise_features.h Outdated Show resolved Hide resolved
Comment on lines +47 to +51
bool any() const { return !_enabled.empty(); }

private:
vtype _enabled;
vtype _disabled;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Comment on lines 226 to +230

return cfg.audit_enabled || cfg.cloud_storage_enabled
|| cfg.partition_autobalancing_mode
== model::partition_autobalancing_mode::continuous
|| cfg.core_balancing_continuous() || has_gssapi() || has_oidc()
|| has_schma_id_validation() || has_non_default_roles
|| fips_enabled();
features::enterprise_feature_report report;
report.set(
features::license_required_feature::audit_logging, cfg.audit_enabled());
report.set(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome. this diff is great

Comment on lines +2294 to +2296
ss::httpd::features_json::enterprise_feature elt;
elt.name = fmt::format("{}", feat);
elt.enabled = enabled;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

src/v/features/enterprise_features.cc Outdated Show resolved Hide resolved
Copy link
Contributor

@pgellert pgellert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, mainly nits and test-related suggestions (nit: the PR header is slightly out of date as a bitset)

What's the reasoning behind only backporting this to v24.2.x?

@oleiman
Copy link
Member Author

oleiman commented Sep 17, 2024

force push minor test improvements (formatting, fips_ok_to_fail) and some asserts in feature report

dotnwat
dotnwat previously approved these changes Sep 17, 2024
@oleiman oleiman force-pushed the license/core-7152/admin-features-endpoint branch from 689e482 to 44e8f6c Compare September 17, 2024 21:40
- features::license_required_feature

Enumeration of redpanda features that require an enterprise license.

- features::enterprise_feature_report

A thin wrapper around a couple of sets to account for the status of
enterprise features (usually based on cluster configs).

Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Also refactor feature_manager::license_required_feature_enabled to
use the report rather than calculating feature status on its own.

Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Useful for testing enterprise features, since a condition for
"RBAC enabled" is the presence of one or more non-default roles.

Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Includes scenarios both with and without a valid license loaded up.

Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
@oleiman oleiman force-pushed the license/core-7152/admin-features-endpoint branch from 44e8f6c to ebfdd7f Compare September 17, 2024 21:40
@oleiman
Copy link
Member Author

oleiman commented Sep 17, 2024

@oleiman
Copy link
Member Author

oleiman commented Sep 17, 2024

CI Failure:

@oleiman oleiman merged commit 6d6a87c into redpanda-data:dev Sep 18, 2024
18 checks passed
@vbotbuildovich
Copy link
Collaborator

/backport v24.2.x

@vbotbuildovich
Copy link
Collaborator

Failed to create a backport PR to v24.2.x branch. I tried:

git remote add upstream https://github.com/redpanda-data/redpanda.git
git fetch --all
git checkout -b backport-pr-23314-v24.2.x-820 remotes/upstream/v24.2.x
git cherry-pick -x bf972c04d80c297ed9322e2e6501cb8cda9ec63f 067df42f1df3d30b50230d1c3df34efaafc276ae 653d5a979aba1e50f37dee31b6cf231fb1fcafc8 d6e33cd177f87c52c847e7398a9384c73c6d34b3 5fdc1782506e85d43c05b06f4551f5627017494a b5c06fa59d7c149bdb5b723592f16c4d04a5db64 ebfdd7fe27a4f441e2379397501c639420724fc1

Workflow run logs.

@oleiman
Copy link
Member Author

oleiman commented Sep 19, 2024

/cdt
tests/rptest/tests/enterprise_features_license_test.py

@oleiman
Copy link
Member Author

oleiman commented Oct 11, 2024

/backport v24.1.x

@vbotbuildovich
Copy link
Collaborator

Failed to create a backport PR to v24.1.x branch. I tried:

git remote add upstream https://github.com/redpanda-data/redpanda.git
git fetch --all
git checkout -b backport-pr-23314-v24.1.x-779 remotes/upstream/v24.1.x
git cherry-pick -x bf972c04d8 067df42f1d 653d5a979a d6e33cd177 5fdc178250 b5c06fa59d ebfdd7fe27

Workflow run logs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants