Versions Compared

Old Version 2

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version Current

changes.mady.by.user Rod Widdowson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The IdP includes a framework for instrumentation, diagnostics, and performance management that complements the logging support and integrates with it to allow tuning of instrumentation overhead. The framework is based on the Metrics library and includes a number of related features:

...

The registry of metrics is extended by Shibboleth with the ability to "filter" metrics by reusing the logging configuration's ability to adjust the logging level of particular categories hierarchically. By naming metrics in a similar way, it's possible to effectively enable and disable metrics at runtime, which can have very small (or in rare cases, less small) impacts on performance. You may want to leave a metric configured all the time, but toggle it on only at particular times. Using the logging layer is easy, flexible, reloadable, and ignorable if you don't care about the overhead.

...

As a (greatly enhanced) replacement for the status page, an Administrative flow is provided for access to specific metrics, named groups, or all of the metrics in the system, in JSON or JSONP format.

...

In addition to the built-in metrics, support exists across a number of components (primarily the Action beans and a few of the major services like the Attribute Resolver and Attribute Filter) to add counters and timers to specific requests. This is done by providing a script (or alternative Java code, but a script is simpler) to add the counters and timers to install.

...

Expand
titleTiming attribute resolution
Code Block
languagexml
	<bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
			factory-method="inlineScript">
		<constructor-arg>
			<value>
			<![CDATA[
				var metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
				metricCtx.addTimer("idp.attribute.resolution",
					"ResolveAttributes",
					"FilterAttributes"
					);
				true; // Signals success.
			]]>
			</value>
		</constructor-arg>
	</bean>

Another example demonstrates the use of a counter tracking the number of times the SAML 1.1 Attribute Query flow executes based on counting each time the "DecodeMessage" action runs. It shows how, because the function is run dynamically, it's possible to conditionally enable metrics based on the specific profile flow being run.

Expand
titleCounter of SAML 1 queries
Code Block
languagexml
	<bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
			factory-method="inlineScript">
		<constructor-arg>
			<value>
			<![CDATA[
				var profileType = Java.type("net.shibboleth.idp.saml.saml1.profile.config.AttributeQueryProfileConfiguration");
				if (profileType.PROFILE_ID.equals(input.getProfileId())) {
					metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
					metricCtx.addCounter("idp.profile.saml1.attributeQueries", "DecodeMessage");
				}
				true; // Signals success.
			]]>
			</value>
		</constructor-arg>
	</bean>

Reference

Expand
titleBeans

Name

Type

Description

shibboleth.metrics.MetricRegistry

FilteredMetricRegistry

Registry of all metrics known to the system

shibboleth.metrics.RegisterMetricSets

MethodInvokingBean

Spring parent bean for invoking the registerMultiple method on the registry

shibboleth.metrics.RegisterMetricSetRegisterMetric

MethodInvokingBean   

Spring parent bean for invoking the register method on the registry

shibboleth.metrics.CoreGaugeSet

MetricSet / MetricFilter

Low-level gauges for OS, Java, and memory information

shibboleth.metrics.IdPGaugeSet

MetricSet / MetricFilter

Basic IdP system information (version, uptime)

shibboleth.metrics.LoggingGaugeSet

MetricSet / MetricFilter

Information about the logging service

shibboleth.metrics.AccessControlGaugeSet

MetricSet / MetricFilter

Information about the access control service

shibboleth.metrics.MetadataGaugeSet

MetricSet / MetricFilter

Information about the metadata resolver service

shibboleth.metrics.RelyingPartyGaugeSet

MetricSet / MetricFilter

Information about the RelyingParty configuration service

shibboleth.metrics.NameIdentifierGaugeSet

MetricSet / MetricFilter

Information about the Name Identifier generation service

shibboleth.metrics.AttributeResolverGaugeSet     

MetricSet / MetricFilter

Information about the attribute resolver service

shibboleth.metrics.AttributeFilterGaugeSet

MetricSet / MetricFilter

Information about the attribute filter service

shibboleth.metrics.AttributeRegistryGaugeSet

MetricSet / MetricFilter

Information about the attribute registry service

shibboleth.metrics.HTTPReporter

HTTPReporter

A schedulable background reporter that sends a JSON feed of metrics to a URL

shibboleth.metrics.MetricGroups

Map<String,MetricFilter>

Associates metrics matching a supplied filter with a string label that "names" that set of metrics

shibboleth.metrics.MetricLevelMap

Map<String,Level>

Optional mapping of metric names to logging levels to associate with the metric

shibboleth.metrics.DefaultAccessPolicy

String

Name of the access control policy to apply to the metrics API in the absence of a more specific policy

shibboleth.metrics.AccessPolicyMap

Map<String,String>

Maps a named metric group/filter from the "shibboleth.metrics.MetricGroups" bean to a named access control policy to apply when accessing that group via the API

shibboleth.metrics.AccessPolicyStrategy

Function<ProfileRequestContext,String>

A mechanism to determine the access control policy to apply to a request to the metrics API, normally relies on the two previous beans but can be replaced if desired

shibboleth.metrics.AllowedOrigin

String

Optional "Access-Control-Allow-Origin" header value to return within REST API response

shibboleth.metrics.JSONPCallback

String

Optional name of JSONP callback function to pass the REST API response

shibboleth.metrics.MetricStrategy

Function<ProfileRequestContext,Boolean>

A hook to provide a function to execute at the beginning of every request that can programmatically enable timers and counters for objects during the execution of that request

shibboleth.metrics.ExposedProperties

Set<String>

Collection of property names to expose as IdP metric gauges. Take care not to expose confidental information through this hook.

shibboleth.metrics.ModuleGaugeSet

MetricSet / MetricFilter

Information about which Modules are availablle and which ones are enabled.

shibboleth.metrics.InstallableComponents

MetricSet / MetricFilter

Information about which Plugins are installed. Also information about the update status of these plugins and the IdP itself,

Expand
titleProperties

Properties configuring this flow via admin/admin.properties are:

Name

Default

Description

idp.metrics.logging

Metrics

Audit log identifier for flow

idp.metrics.authenticated

false

Whether authentication should be performed prior to access control evaluation

idp.metrics.nonBrowserSupported

false

Whether the flow should allow for non-browser clients during authentication

idp.metrics.resolveAttributes

false

Whether attributes should be resolved prior to access control evaluation

...