@vapopov vapopov commented Oct 14, 2025

This PR adds a user agent to the client tools request header. During login, it is passed through the proxy to the auth service. Additionally, information about the public proxy address is included so it can be recorded in metrics.

The user_login_total counter now has two labels: proxy and user_agent.

  • The proxy label allows us to track which regions are used by customers during login.
  • The user_agent label helps identify the client tools version in use, to detect any affected versions in future, and monitor the progress of client tools managed updates.

Example:

# HELP user_login_total Number of times there was a user login
# TYPE user_login_total counter
user_login_total{proxy="proxy1:8443",user_agent="api/19.0.0-dev"} 1
user_login_total{proxy="proxy1:8443",user_agent="web/19.0.0-dev"} 2
user_login_total{proxy="proxy2:8443",user_agent="api/18.2.5"} 1
user_login_total{proxy="proxy2:8443",user_agent="api/19.0.0-dev"} 2
user_login_total{proxy="proxy2:8443",user_agent="web/19.0.0-dev"} 3

Related:

@tigrato
Contributor

tigrato commented Oct 14, 2025

How can we ensure that an attacker doesn't break cloud monitoring by spamming tons of agents and causing Prometheus to fail? Are we going to drop them in cloud?

Contributor

@rosstimothy rosstimothy left a comment

Agree with Tiago, this seems like it could be a very high cardinality metric. cc @evanfreed.

github.com/gosuri/uitable v0.0.4 // indirect
github.com/gravitational/license v0.0.0-20250329001817-070456fa8ec1 // indirect
github.com/gravitational/roundtrip v1.0.2 // indirect
github.com/gravitational/roundtrip v1.0.3 // indirect
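
Review bot: the bump of github.com/gravitational/roundtrip from v1.0.2 to v1.0.3 in this indirect block is unexplained; the visible lines do not say what v1.0.3 changes or why this metrics work needs it. Please link the upstream change or changelog in the PR description and confirm the matching go.sum entries land in the same commit, so the bump can be reviewed as a dependency change in its own right.
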
Contributor

I see a tag for this but not a GH release. Do you plan on creating a new release?

Contributor Author

You are right, I will draft a release for this version.

Member

@sclevine sclevine left a comment

I think the concern about high cardinality on the user agent is worth addressing for scalability reasons, even if authenticated users could likely already cause trouble by connecting many agent versions (which we already record).

Could we parse the user agent for Teleport major version, and only accept reasonable values?
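
One way to bound the user_agent label along the lines suggested in the comment above, as an added example that is not code from this PR or from Teleport. The client prefixes come from the PR's sample output; the version range, length limit, "other" bucket and function names are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Assumed bounds for this example; they are not values from the PR.
const (
	minMajor   = 15
	maxMajor   = 25
	maxRawLen  = 64
	otherLabel = "other"
)

// Client prefixes taken from the PR's sample metric output.
var allowedClients = map[string]bool{"api": true, "web": true}

// NormalizeUserAgent maps "<client>/<version>" to "<client>/<major>" or "other".
func NormalizeUserAgent(raw string) string {
	if len(raw) > maxRawLen {
		return otherLabel
	}
	client, version, ok := strings.Cut(raw, "/")
	if !ok || !allowedClients[client] {
		return otherLabel
	}
	majorStr, _, _ := strings.Cut(version, ".")
	// ParseUint rejects signs, spaces and suffixes such as "19abc".
	major, err := strconv.ParseUint(majorStr, 10, 16)
	if err != nil || major < minMajor || major > maxMajor {
		return otherLabel
	}
	return client + "/" + strconv.FormatUint(major, 10)
}

// MaxLabelValues is the upper bound on distinct user_agent label values.
func MaxLabelValues() int {
	return len(allowedClients)*(maxMajor-minMajor+1) + 1
}

func main() {
	// Constructed inputs: three from the PR's sample, three unknown or malformed.
	for _, ua := range []string{"api/19.0.0-dev", "web/19.0.0-dev", "api/18.2.5",
		"curl/8.5.0", "api/999.0.0", "api/19abc"} {
		fmt.Printf("%-16s -> %s\n", ua, NormalizeUserAgent(ua))
	}
}
```

With these bounds the label can take at most 23 values per proxy, however many distinct strings clients send.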

@vapopov
Contributor Author

vapopov commented Oct 14, 2025

> How can we ensure that an attacker doesn't break cloud monitoring by spamming tons of agents and causing Prometheus to fail? Are we going to drop them in cloud?

@tigrato in order to do that, you need a user from the cluster and must complete the login process. We would probably need to reset counters periodically as well.

Replaced Sprintf with string concatenation
@vapopov vapopov force-pushed the vapopov/user-login-agent-proxy-tags-metric branch from cbec0d8 to 3cc147e Compare October 15, 2025 05:34