access log: add JSON logging mode

[aa-stripe]

These are the code changes to add a JSON access logging mode. I am working on the docs/release notes, but wanted to get started on code review!

Description:

• Add a new config option under access_log called json_format. This is a single level dictionary that contains strings as keys, and envoy access log format specifiers (such as %PROTOCOL%) as values. The specifiers will be replaced with actual values at logging time. I call this dictionary the "format dictionary" (as opposed to "format string").
• You can specify only one of format (format string) or json_format (format dictionary). If neither are there, we fall back to the default string format.
• Add the correct plumbing inside the configuration parsing to handle this.
• Add a new access log formatter class that is instantiated with the format dictionary. It maintains the mapping of dictionary keys to loggers
• Create a new class called FormatterProvider, to distinguish things that actually extract the information from a request. The things that combine together a bunch of FormatterProviders are still called Formatters. This is primarily a semantic/naming difference, but imo these are two conceptually separate things. There is, however no API difference, and if people are truly opposed to this, I could just merge them back into one Formatter class. This also provides a better foundation for adding more log formats in the future.
• At present, only one specifier per key in the format dictionary is allowed. This is because the whole point of JSON logging is to make logs easily machine-parseable. If you can include multiple formats in the same field, then you'll be right back to parsing those manually
• At present, only top-level keys are allowed in the format dictionary. This is validated at config load time. In the future, we can expand this to have nested dictionaries.

Risk Level:
Low. It's an optional feature that has to be explicitly enabled.

Testing:
Unit testing for the actual formatter, and config load. Also manually tested using an example config file.

Docs:

• Amended Access Log docs to create a notion of "Format Strings" and "Format Dictionaries".
  • Put things that are common to access logs in general under "Format Rules", and then distinguished how strings and dictionaries are different.
  • Called out restrictions on format dictionaries
• Added protobuf comments for format and json_format

Release Notes:
Will have to add Release notes

Fixes #2692

[aa-stripe]

@alyssawilk This should work now. I think doing the rebase/signoff thing after rebasing on master confused things a bit.

cc'ing @mattklein123 @htuch @ggreenway

[aa-stripe]

I also noticed the Once you submit a PR, please do not rebase it guidance

[htuch]

Thanks for the contribution! Some comments to get started.

[htuch]

Can you add a comment describing how this is interpreted? E.g. can we use the same custom access log formats in leaf strings, limitations on depth of nesting, etc.

[aa-stripe]

Yup, this will be coming soon with the docs updates.

• protobuf comment

[htuch]

Can you add a Doxygen comment here with args/return explanation?

[aa-stripe]

Agreed

• doxygen comment on FormatterProvider

[aa-stripe]

Felt like it was redundant to call out the args, so just added an explanation and then an @return

[htuch]

Envoy include/envoy APIs do have a verbose/redundant format, the best way to think of them is as official documentation that could ship without even the code (even though nobody uses them that way today, this is the style..).

[htuch]

Can you put this explanation that you have of Formatter vs FormatterProvider in the PR commit message here as well?

[aa-stripe]

Agreed

• Add FormatterProvider explanation

[htuch]

Why do we need this restriction? Why can't leaves have arbitrary format strings?

[aa-stripe]

Yeah, that's a good question. I mentioned it in the PR summary too:

At present, only one specifier per key in the format dictionary is allowed. This is because the whole point of JSON logging is to make logs easily machine-parseable. If you can include multiple formats in the same field, then you'll be right back to parsing those manually

The reason I chose to do this is to make the values sane. I didn't really see the value in doing something like:
{"protocol_and_duration": "%PROTOCOL% %DURATION%"}
because during log parsing you'd just have to manually parse that (with a regex or whatever) again.

The other use case would be to put plaintext in there, like:
{"protocol": "my protocol was %PROTOCOL%"}, which also doesn't seem particularly useful.

To me, it seemed saner to keep things simple. However this is an arbitrary restriction, and I'm not married to it. If you feel strongly that there should be multiple specifiers per key, let me know and I'll go ahead and lift that.

[htuch]

I guess my thinking was that the implementation of general purpose "%FOO% is %BAR% is already essentially free, you just reuse the existing access log formatter for leaf entries.

I can see legitimate uses here, e.g. where you are building semi-structured JSON for consumption by tools that don't care about the innermost structure.

It seems easier to just do this, as you have less validation to implement :D

[aa-stripe]

I do see that argument, but I feel that having a forcing function to keep logs structured is net win. Additionally, it's easy to add multi-token support in the future, but hard to take it back.

Similar to disallowing nested dictionaries I propose we stick to single-token leaves for the time being, and then expand that if we see demand for it. As you mentioned it'll be a really simple change if we decide to do it.

[htuch]

In general, with the Envoy APIs we like to provide users flexibility and not to be too opinionated on their use. I generally would prefer if we relaxed the requirement, since it's not very hard to implement - we already have the formatter that should be able to do this in a single line.

[aa-stripe]

Ok great, will tackle this

• relax one formatter requiredment

[htuch]

The alternative to using RapidJSON here is to build a google.protobuf.Struct and then do a Proto3 --> JSON conversion. I kind of prefer this, unless you want fine grained control over the output format.

[aa-stripe]

I can look into this. Shouldn't be too complex, although there is a fair bit of boilerplate with constructing Proto3 objects (see the unit tests I wrote in config.cc). But I'll move forward with this anyway.

• use protobuf to serialize instead of JSON

[aa-stripe]

Turned out to be pretty straightforward

[htuch]

Do you need this to be ordered? Otherwise use unordered_map

[aa-stripe]

No reason. Unordered should be fine

• switch to unordered_map

[htuch]

Does this need to be public? Should it just be a helper function in the .cc anonymous namespace?

[aa-stripe]

Yeah not too happy about this either, the reasons were:

1. it's kinda hard to test this otherwise. exposing the map function makes it easy to just compare dicts instead of going through a parse/unparse dance. this isn't a super strong reason though
2. If we ever support other structured log formats (like proto), then the idea is that we would just rely on this function to create a c++ map, and then each new format would be a simple "serializer" that writes that out (even the current json stuff can be thought of like that). In that case, testing the map function provides more peace of mind

[aa-stripe]

If you feel strongly though, lmk and I'm happy to make it anonymous

[htuch]

Why is the logic for non-JSON different to before here?

[aa-stripe]

It's not strictly different, it has just been moved inside the check for
if (fal_config.access_log_format_case() == envoy::config::accesslog::v2::FileAccessLog::kFormat || fal_config.access_log_format_case() == envoy::config::accesslog::v2::FileAccessLog::ACCESS_LOG_FORMAT_NOT_SET)

i.e:

If the format key was provided, or neither key was provided, fall back to the old logic
else if the json_format key was provided, use the json logic
else something bad happened, bail

[htuch]

convertJsonFormatToMap, same other comemnts as above.

[aa-stripe]

• case change convertJsonFormatToMap

[htuch]

Probably don't want to be doing any raw new here, I think either make it stack allocated or a make_unique.

[aa-stripe]

I was having some trouble with that earlier, will give it another try

[aa-stripe]

So as far as I can tell, calling set_allocated_* with a non-null pointer causes protobuf to take ownership of that object, including releasing the object later (https://developers.google.com/protocol-buffers/docs/reference/cpp-generated#embeddedmessage). So I think using new is actually ok here.

Indeed, if I switch to using a unique_ptr and pass it in with .get(), I get a crash, presumably because the object gets freed twice, once by protobuf and the other by c++. It does work fine if you use make_unique and then .release() the pointer when passing it to set_allocated. I'm happy to do that if you want, although functionally, the effect is the same. Other option is to leave a comment on the call to new explaining why this is ok here.

[htuch]

The usual pattern is to have protobuf do this for you by reordering and doing a fal_config.mutable_allocated_json_format() first.

[aa-stripe]

Figured this out. Thanks for the tip, that was the missing piece

[aa-stripe]

Thanks for the feedback @htuch! I agree with most of it, and I'll be updating the code shortly. Left a couple of explanations as well. In the meantime I've just some docs changes.

[htuch]

Thanks, taken another pass at it. Looks like it's getting into shape.

[htuch]

FWIW, I think "command operator" is not the right terminology, but I see it was existing before this PR. I probably would have used "format expressions" or the like.

[aa-stripe]

I'll see if it's pretty straightforward to change this. I personally prefer "format specifiers" since it lines up with the C terminology

[aa-stripe]

I left this as is for now

[htuch]

Sure, this was more just a non-actionable observation.

[htuch]

Nit: thte typo

[aa-stripe]

Done

[htuch]

This got copy/pasted :)

[aa-stripe]

Argh! Fixed

[htuch]

Nit: FWIW @return std::string containing.. is better Envoy Doxygen style.

[aa-stripe]

Done

[htuch]

Looking at this interface, it's a bit unclear how they do this combining; they don't take FormatterProviders as arguments to format..

[aa-stripe]

Agreed. The combining takes place in the subclass which isn't entirely clear at this level. I changed to Formatters provide a complete access log output line for the given headers/trailers/stream.

[htuch]

Nit: const auto

[aa-stripe]

Done

[htuch]

We can't safely throw exceptions at runtime on the data path in Envoy, only during construction (config ingestion). Otherwise, Envoy will behave badly. We should have a more graceful failure in this scenario.

[aa-stripe]

Cool, which do you prefer:

• Return an empty string
• Return a string containing something to the effect of Error converting access log output to JSON
• pointer shenanigans to return an error code (I'm against this personally)

[htuch]

Probably JSON conversion error, it will be easier to understand WTF happened when this fails.

[aa-stripe]

Done

[htuch]

If you want this accessible in tests, I suggest creating a test peer. I'm not sure why we need to test this internal behavior though, I'd skip it; it's pretty trivial.

[aa-stripe]

I took another look at this. If we stop using this function to test and make it private, then we'll be relying on either

1. parsing the JSON string in order to do our asserts or
2. hardcoding an expected JSON string and comparing the raw string

I'll attempt 1, and see how it goes. I suppose it's a more accurate test anyway. I was worried 2 might be susceptible to the order of keys changing and therefore randomly failing tests

[htuch]

yep, 1 sounds good!

[aa-stripe]

Done

[htuch]

Can you add a comment everywhere there is std::map indicating why order matters (or switch to unordered_map)?

[aa-stripe]

Yeah. Will do

[aa-stripe]

Order didn't matter here either, changed to unordered

[aa-stripe]

Thanks for the valuable comments. I will upload changes soon

[aa-stripe]

I do have one question for you here: #4693 (comment)

[htuch]

LGTM, just some nits and test structure suggestions.

[htuch]

Sure, this was more just a non-actionable observation.

[htuch]

Nit: you should be able to just write toMap rather than this->toMap. Personally I would inline toMap since it is now private, but up to you.

[aa-stripe]

Removed the this->

[htuch]

Can you break these into seperate TESTs. It's best to have distinct tests to control reruns and have finer grained visibility into specific failures. Also, can you add a one line // description above each?

[aa-stripe]

Sure! Was following the style of the file, will break them up now

[htuch]

Nit: {} not needed for these.

[aa-stripe]

Removed

[htuch]

Same here.

[aa-stripe]

Done

[htuch]

Nit: do you need these std::string conversions?

[aa-stripe]

Good catch! I must have been doing something else wrong earlier when I put them in. Removed

[htuch]

Can you factor this repeated match pattern into a helper?

[aa-stripe]

Done

[htuch]

Thanks @aa-stripe!

[aa-stripe]

Thank you!

[mattklein123]

@aa-stripe if possible can you do a follow up PR to add a release note? Thank you!