[CORE-12961] Add security report admin endpoint #27173

Merged
michael-redpanda merged 10 commits into redpanda-data:dev from IoannisRP:CORE-12961/security-report
Sep 11, 2025

@IoannisRP
Contributor

@IoannisRP IoannisRP commented Aug 7, 2025

Implements: CORE-12961

Expose new admin api to report on the security settings of a redpanda node.

Backports Required

  • none - not a bug fix
  • none - this is a backport
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v25.2.x
  • v25.1.x
  • v24.3.x

Release Notes

Features

  • Introduces GET /v1/security/report (Admin API)

@IoannisRP
Contributor Author

/dt

@vbotbuildovich
Collaborator

vbotbuildovich commented Aug 7, 2025

Retry command for Build#70421

please wait until all jobs are finished before running the slash command

/ci-repeat 1
tests/rptest/tests/security_report_test.py::RpcTLSSecurityReportTest.test_security_report
tests/rptest/tests/security_report_test.py::AdminSecurityReportTest.test_security_report

@vbotbuildovich
Collaborator

vbotbuildovich commented Aug 7, 2025

CI test results

test results on build#70421
test_class test_method test_arguments test_kind job_url test_status passed reason
FeaturesMultiNodeTest test_license_upload_and_query null integration https://buildkite.com/redpanda/redpanda/builds/70421#0198868d-32c7-4338-b2f1-48a3e248b359 FLAKY 18/21 upstream reliability is '91.59456118665018'. current run reliability is '85.71428571428571'. drift is 5.88028 and the allowed drift is set to 50. The test should PASS
DataMigrationsApiTest test_creating_and_listing_migrations null integration https://buildkite.com/redpanda/redpanda/builds/70421#01988690-a6d1-4e30-8252-9df1f3179242 FLAKY 20/21 upstream reliability is '100.0'. current run reliability is '95.23809523809523'. drift is 4.7619 and the allowed drift is set to 50. The test should PASS
DatalakeE2ETests test_json_schema_unicode {"catalog_type": "rest_hadoop", "cloud_storage_type": 1, "query_engine": "trino"} integration https://buildkite.com/redpanda/redpanda/builds/70421#0198868d-32c4-464a-a0e1-3889eccde55e FLAKY 20/21 upstream reliability is '98.66962305986696'. current run reliability is '95.23809523809523'. drift is 3.43153 and the allowed drift is set to 50. The test should PASS
AdminSecurityReportTest test_security_report null integration https://buildkite.com/redpanda/redpanda/builds/70421#0198868d-32c4-464a-a0e1-3889eccde55e FAIL 0/21 The test has failed across all retries
RpcTLSSecurityReportTest test_security_report null integration https://buildkite.com/redpanda/redpanda/builds/70421#0198868d-32c3-4150-a766-954b75371441 FAIL 0/21 The test has failed across all retries
test results on build#70461
test_class test_method test_arguments test_kind job_url test_status passed reason
FeaturesMultiNodeTest test_license_upload_and_query null integration https://buildkite.com/redpanda/redpanda/builds/70461#01988a0e-d0c2-4ddd-9d2d-08e373b8ff6e FLAKY 19/21 upstream reliability is '100.0'. current run reliability is '90.47619047619048'. drift is 9.52381 and the allowed drift is set to 50. The test should PASS
AdminSecurityReportTest test_security_report null integration https://buildkite.com/redpanda/redpanda/builds/70461#01988a0e-d0bf-4de5-9da8-4d931ff765e9 FAIL 0/21 The test has failed across all retries
test results on build#70478
test_class test_method test_arguments test_kind job_url test_status passed reason
DatalakeDiskUsageTest test_idle_finish {"cloud_storage_type": 1, "concurrent_translations": 4, "num_partitions": 10} integration https://buildkite.com/redpanda/redpanda/builds/70478#01988ae9-4898-44f5-846d-ac035631825d FAIL 0/21 The test has failed across all retries
DatalakeDiskUsageTest test_idle_finish {"cloud_storage_type": 1, "concurrent_translations": 4, "num_partitions": 40} integration https://buildkite.com/redpanda/redpanda/builds/70478#01988ae9-4899-448a-919f-b7a2e6121bce FAIL 0/21 The test has failed across all retries
MultiTopicAutomaticLeadershipBalancingTest test_topic_aware_rebalance null integration https://buildkite.com/redpanda/redpanda/builds/70478#01988ae9-4896-4b55-8da1-96f8b92bdb2a FAIL 0/21 The test has failed across all retries
NodeFolderDeletionTest test_deleting_node_folder null integration https://buildkite.com/redpanda/redpanda/builds/70478#01988ae9-4899-448a-919f-b7a2e6121bce FLAKY 7/21 upstream reliability is '93.95348837209302'. current run reliability is '33.33333333333333'. drift is 60.62016 and the allowed drift is set to 50. The test should FAIL
RaftAvailabilityTest test_leader_transfers_recovery {"acks": -1} integration https://buildkite.com/redpanda/redpanda/builds/70478#01988ae9-489b-47bb-8bd4-983116f6defc FAIL 0/21 The test has failed across all retries
RaftAvailabilityTest test_leader_transfers_recovery {"acks": -1} integration https://buildkite.com/redpanda/redpanda/builds/70478#01988aeb-6c6f-44c0-bc6f-a8f94f042539 FAIL 0/21 The test has failed across all retries
SelfTestTest test_self_test_unknown_test_type null integration https://buildkite.com/redpanda/redpanda/builds/70478#01988ae9-4898-4b04-be55-b7169281bfa1 FAIL 0/21 The test has failed across all retries
SelfTestTest test_self_test_unknown_test_type null integration https://buildkite.com/redpanda/redpanda/builds/70478#01988aeb-6c6d-4128-a598-556e84385657 FAIL 0/21 The test has failed across all retries
RedpandaUpgradeTest test_workloads_through_releases {"cloud_storage_type": 1} integration https://buildkite.com/redpanda/redpanda/builds/70478#01988ae9-489b-4473-9b58-aacd0ea65920 FAIL 0/21 The test has failed across all retries
WriteCachingFailureInjectionTest test_unavoidable_data_loss null integration https://buildkite.com/redpanda/redpanda/builds/70478#01988ae9-4898-44f5-846d-ac035631825d FLAKY 19/21 upstream reliability is '99.7584541062802'. current run reliability is '90.47619047619048'. drift is 9.28226 and the allowed drift is set to 50. The test should PASS
test results on build#71446
test_class test_method test_arguments test_kind job_url test_status passed reason
RandomNodeOperationsTest test_node_operations {"cloud_storage_type": 1, "compaction_mode": "sliding_window", "enable_failures": true, "mixed_versions": true, "with_iceberg": false} integration https://buildkite.com/redpanda/redpanda/builds/71446#0198eb43-916a-4119-95a3-8702b0a098ab FLAKY 20/21 upstream reliability is '99.51219512195122'. current run reliability is '95.23809523809523'. drift is 4.2741 and the allowed drift is set to 50. The test should PASS
test results on build#71689
test_class test_method test_arguments test_kind job_url test_status passed reason
Datalake3rdPartyMaintenanceTest test_e2e_basic {"catalog_type": "rest_jdbc", "cloud_storage_type": 1, "query_engine": "trino"} integration https://buildkite.com/redpanda/redpanda/builds/71689#0199056b-dc44-4172-998c-e4315e18c513 FLAKY 20/21 upstream reliability is '100.0'. current run reliability is '95.23809523809523'. drift is 4.7619 and the allowed drift is set to 50. The test should PASS
test results on build#71780
test_class test_method test_arguments test_kind job_url test_status passed reason
TxAtomicProduceConsumeTest test_basic_tx_consumer_transform_produce {"with_failures": true} integration https://buildkite.com/redpanda/redpanda/builds/71780#01991519-3aa6-4d47-82b9-bc15937f68a3 FLAKY 20/21 upstream reliability is '99.7134670487106'. current run reliability is '95.23809523809523'. drift is 4.47537 and the allowed drift is set to 50. The test should PASS
test results on build#71991
test_class test_method test_arguments test_kind job_url test_status passed reason
RandomNodeOperationsTest test_node_operations {"cloud_storage_type": 2, "compaction_mode": "sliding_window", "enable_failures": false, "mixed_versions": true, "with_iceberg": false} integration https://buildkite.com/redpanda/redpanda/builds/71991#01993408-f153-418d-9786-4664c84da411 FLAKY 20/21 upstream reliability is '98.8'. current run reliability is '95.23809523809523'. drift is 3.5619 and the allowed drift is set to 50. The test should PASS

@IoannisRP IoannisRP force-pushed the CORE-12961/security-report branch from 723082d to 0d9e44c Compare August 8, 2025 11:54
@IoannisRP IoannisRP marked this pull request as ready for review August 8, 2025 12:05
@IoannisRP IoannisRP requested a review from a team as a code owner August 8, 2025 12:05
@IoannisRP IoannisRP force-pushed the CORE-12961/security-report branch from 0d9e44c to 0e7bfba Compare August 8, 2025 13:42
@IoannisRP
Contributor Author

changes in force-push:

  • add host/port info in rpc
  • add name in kafka client

@vbotbuildovich
Collaborator

Retry command for Build#70461

please wait until all jobs are finished before running the slash command

/ci-repeat 1
tests/rptest/tests/security_report_test.py::AdminSecurityReportTest.test_security_report

@IoannisRP IoannisRP force-pushed the CORE-12961/security-report branch from 0e7bfba to a9b571f Compare August 8, 2025 17:36
@vbotbuildovich
Collaborator

vbotbuildovich commented Aug 8, 2025

Retry command for Build#70478

please wait until all jobs are finished before running the slash command

/ci-repeat 1
tests/rptest/tests/self_test_test.py::SelfTestTest.test_self_test_unknown_test_type
tests/rptest/tests/raft_availability_test.py::RaftAvailabilityTest.test_leader_transfers_recovery@{"acks":-1}
tests/rptest/tests/leadership_transfer_test.py::MultiTopicAutomaticLeadershipBalancingTest.test_topic_aware_rebalance
tests/rptest/tests/datalake/disk_budget_test.py::DatalakeDiskUsageTest.test_idle_finish@{"cloud_storage_type":1,"concurrent_translations":4,"num_partitions":10}
tests/rptest/tests/datalake/disk_budget_test.py::DatalakeDiskUsageTest.test_idle_finish@{"cloud_storage_type":1,"concurrent_translations":4,"num_partitions":40}
tests/rptest/tests/node_folder_deletion_test.py::NodeFolderDeletionTest.test_deleting_node_folder
tests/rptest/tests/workload_upgrade_runner_test.py::RedpandaUpgradeTest.test_workloads_through_releases@{"cloud_storage_type":1}

Contributor

@kbatuigas kbatuigas left a comment

Thanks, no blockers from docs, but would recommend descriptions and/or examples in the Swagger spec for some of the properties (e.g. what is the name in the various _security_report schemas, as well as security_report_alert.description?)

Do you also need specific ACLs so that this endpoint returns security reports for all interfaces?

@IoannisRP IoannisRP force-pushed the CORE-12961/security-report branch from a9b571f to 37a63ed Compare August 26, 2025 10:13
@IoannisRP
Contributor Author

changes in force-push:

  • rebased to dev

@IoannisRP IoannisRP force-pushed the CORE-12961/security-report branch 2 times, most recently from 7f5a174 to 980d33e Compare August 26, 2025 13:29
@IoannisRP
Contributor Author

changes in force-push:

  • move get_authn_method to config/broker_authn_endpoint

@IoannisRP IoannisRP requested review from BenPope and dotnwat August 26, 2025 13:31
@IoannisRP
Contributor Author

@kbatuigas the security report endpoint requires superuser access.

The names are the names of each interface, as defined in the .yaml config.
The security_report_alert.description is a human-readable description of what this alert is.

I will add some descriptions to make it easier to parse the schemas.

@IoannisRP IoannisRP force-pushed the CORE-12961/security-report branch from 980d33e to 9c82307 Compare August 27, 2025 10:17
@IoannisRP
Contributor Author

changes in force-push:

  • add descriptions to the security report jsons

@IoannisRP IoannisRP requested a review from kbatuigas August 27, 2025 10:18
@IoannisRP IoannisRP requested a review from BenPope September 8, 2025 13:52
@IoannisRP IoannisRP force-pushed the CORE-12961/security-report branch from c7f4b84 to afde0b1 Compare September 9, 2025 09:31
BenPope previously approved these changes Sep 9, 2025
Member

@BenPope BenPope left a comment

LGTM

@IoannisRP
Contributor Author

changes in force-push:

  • rebase to dev

@IoannisRP
Contributor Author

changes in force-push:

  • add field to report sasl mechanisms, when active
  • add alert for SASL/PLAIN

@IoannisRP IoannisRP requested a review from BenPope September 9, 2025 11:33
Contributor

@michael-redpanda michael-redpanda left a comment

Just some questions/nits but overall this is great

@IoannisRP
Contributor Author

IoannisRP commented Sep 10, 2025

changes in force-push:

  • reworked alert wording for more errors to be used with the interface utility alert function.

@michael-redpanda michael-redpanda merged commit 567ff1c into redpanda-data:dev Sep 11, 2025
19 checks passed
@vbotbuildovich
Collaborator

/backport v25.2.x

@vbotbuildovich
Collaborator

Failed to create a backport PR to v25.2.x branch. I tried:

git remote add upstream https://github.com/redpanda-data/redpanda.git
git fetch --all
git checkout -b backport-pr-27173-v25.2.x-339 remotes/upstream/v25.2.x
git cherry-pick -x cb0074b5a7 222147588d 35ac3c613b 311da52fc9 461543b1ac fa5bfb8ef9 8cee595f98 e616e11815 221c772684 1a68c6123f

Workflow run logs.
