From 85491247f843f193be0206a93acd8435ac3ee64c Mon Sep 17 00:00:00 2001 From: Josh Suereth Date: Wed, 3 Jul 2024 12:05:39 -0400 Subject: [PATCH 1/5] Bump weaver to latest version. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 1b6b4f499d..b2af508988 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ CHLOGGEN_CONFIG := .chloggen/config.yaml # see https://github.com/open-telemetry/build-tools/releases for semconvgen updates # Keep links in model/README.md and .vscode/settings.json in sync! SEMCONVGEN_VERSION=0.24.0 -WEAVER_VERSION=0.2.0 +WEAVER_VERSION=0.5.0 # From where to resolve the containers (e.g. "otel/weaver"). CONTAINER_REPOSITORY=docker.io From 9e5d66a9652161c89cf13cefd3bf75ef313fbab8 Mon Sep 17 00:00:00 2001 From: Josh Suereth Date: Wed, 3 Jul 2024 17:02:04 -0400 Subject: [PATCH 2/5] Add policy enforcement for attribute registry. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add REGO rules to enforce attribute registry things. - Add diagnostic rendering to improve error messages on attribute registry failure. Example failure: ``` $ make check-policies ✔ SemConv registry loaded (138 files) ✔ SemConv registry resolved Semantic Convention Model Validation Failures: /source/metrics/jvm-metrics.yaml: Attribute jvm.memory.bad_name cannot be defined in Group attributes.jvm.memory Attribute Group not in Attribute Registry. ``` --- Makefile | 10 ++++++ policies/registry.rego | 42 +++++++++++++++++++++++++ templates/diagnostic/ansi/errors.txt.j2 | 31 ++++++++++++++++++ templates/diagnostic/ansi/weaver.yaml | 4 +++ 4 files changed, 87 insertions(+) create mode 100644 policies/registry.rego create mode 100644 templates/diagnostic/ansi/errors.txt.j2 create mode 100644 templates/diagnostic/ansi/weaver.yaml diff --git a/Makefile b/Makefile index b2af508988..3abff581a7 100644 --- a/Makefile +++ b/Makefile 
@@ -103,6 +103,16 @@ install-yamllint: yamllint: yamllint . +# Check semantic convention policies on YAML files +.PHONY: check-policies +check-policies: + docker run --rm -v $(PWD)/model:/source -v $(PWD)/policies:/policies -v $(PWD)/templates:/templates \ + otel/weaver:${WEAVER_VERSION} registry check \ + --registry=/source \ + --diagnostic-format=ansi \ + --diagnostic-template=/templates/diagnostic \ + --policy=/policies/registry.rego + # Generate markdown tables from YAML definitions .PHONY: table-generation table-generation: diff --git a/policies/registry.rego b/policies/registry.rego new file mode 100644 index 0000000000..f7f96a20b7 --- /dev/null +++ b/policies/registry.rego 
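Review bot: The three bind mounts on the `docker run` line of `check-policies` are read-write, although a registry check presumably only needs to read the model, policies and templates. Mounting them read-only keeps a container started from CI or a developer checkout from modifying the working tree: `-v $(PWD)/model:/source:ro -v $(PWD)/policies:/policies:ro -v $(PWD)/templates:/templates:ro`. The image is also referenced as bare `otel/weaver:${WEAVER_VERSION}`, while the Makefile defines `CONTAINER_REPOSITORY` for resolving containers. If the other targets (outside this hunk) prefix it, this one should read `$(CONTAINER_REPOSITORY)/otel/weaver:${WEAVER_VERSION}` so that a registry override also applies to the policy check.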
@@ -0,0 +1,42 @@
+package before_resolution
+
+# This file enforces policies requiring all attributes to be defined within
+# a semantic convention "registry". This is a naming/structure convention
+# used by semantic conventions.
+
+# Helper to create attribute registry violations.
+attr_registry_violation(violation_id, group_id, attr_id) = violation {
+ violation := {
+ "id": violation_id,
+ "type": "semconv_attribute",
+ "category": "attribute_registry",
+ "group": group_id,
+ "attr": attr_id,
+ }
+}
+
+# We only allow attribute groups in the attribute registry.
+deny[attr_registry_violation("registry_must_be_attribute_group", group.id, "")] {
+ group := input.groups[_]
+ startswith(group.id, "registry.")
+ group.type != "attribute_group"
+}
+
+# Any group that is NOT in the attribute registry that has an attribute id is
+# in violation of not using the attribute registry.
+deny[attr_registry_violation("nonregistry_with_id_attr", group.id, attr.id)] {
+ group := input.groups[_]
+ not startswith(group.id, "registry.")
+ attr := group.attributes[_]
+ attr.id != null
+}
+
+# A registry `attribute_group` containing at least one `ref` attribute is
+# considered invalid if it's not in the registry group.
+deny[attr_registry_violation("registry_with_ref_attr", group.id, attr.ref)] {
+ group := input.groups[_]
+ startswith(group.id, "registry.")
+ attr := group.attributes[_]
+ attr.ref != null
+}
+
diff --git a/templates/diagnostic/ansi/errors.txt.j2 b/templates/diagnostic/ansi/errors.txt.j2
new file mode 100644
index 0000000000..6f1433c523
--- /dev/null
+++ b/templates/diagnostic/ansi/errors.txt.j2
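Review bot: The comment above the third `deny` rule ("considered invalid if it's not in the registry group") says the opposite of what the rule matches, which is a group whose id starts with `registry.` and which carries an attribute with a `ref`. Suggested wording: `# Groups inside the attribute registry must define attributes by id; a ref attribute there is a violation.` The `attr.id != null` and `attr.ref != null` lines would also benefit from a short comment, because they only work as presence checks through Rego leaving the expression undefined when the key is absent, e.g. `# undefined (no violation) when the attribute has no ref`. All three rules decide registry membership by the `registry.` id prefix alone, so it is worth stating in the file header that the prefix is the enforcement boundary.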
@@ -0,0 +1,31 @@
+{{ "Semantic Convention Model Validation Failures" | ansi_bold | ansi_red }}:
+
+{% for item in ctx %}
+{%- if item.error.type == "policy_violation" %}
+{%- if item.error.violation.category == "attribute_registry" %}
+{{ item.error.provenance | ansi_red}}:
+{%- if item.error.violation.id == "registry_must_be_attribute_group" %}
+ Group {{ item.error.violation.group | ansi_green }} cannot be defined in the registry.
+ not an attribute group.
+{%- elif item.error.violation.id == "nonregistry_with_id_attr" %}
+ Attribute {{ item.error.violation.attr | ansi_cyan }} cannot be defined in Group {{ item.error.violation.group | ansi_green }}
+ Attribute Group not in Attribute Registry.
+{%- elif item.error.violation.id == "registry_with_ref_attr" %}
+ Attribute {{ item.error.violation.attr | ansi_cyan }} cannot be defined in Group {{ item.error.violation.group | ansi_green }}
+ Registry cannot contain attribute references.
+{%- else %}
+UNKNOWN ATTRIBUTE REGISTRY ERROR! Please open a ticket agianst semconv with this info:
+{{ debug(item) }}
+{%- endif %}
+{%- else %}
+{{ item.error.provenance | ansi_red }}:
+ Violation: {{ item.error.violation.id | ansi_bold | ansi_green }}
+ - Category : {{ item.error.violation.category | ansi_cyan }}
+ - Type : {{ item.error.violation.type | ansi_cyan }}
+ - SemConv group : {{ item.error.violation.group | ansi_cyan }}
+ - SemConv attribute: {{ item.error.violation.attr | ansi_cyan }}
+{%- endif %}
+{% else %}
+{{ item.diagnostic.ansi_message }}
+{%- endif %}
+{%- endfor %}
\ No newline at end of file
diff --git a/templates/diagnostic/ansi/weaver.yaml b/templates/diagnostic/ansi/weaver.yaml
new file mode 100644
index 0000000000..36acd1bccf
--- /dev/null
+++ b/templates/diagnostic/ansi/weaver.yaml
@@ -0,0 +1,4 @@
+templates:
+ - pattern: errors.txt.j2
+ filter: .
+ application_mode: single
From 5bc55e2057882f4ea7203fcc19ca8cc5574bce40 Mon Sep 17 00:00:00 2001
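Review bot: The fallback message for unknown attribute-registry violations in errors.txt.j2 misspells "against"; the line should read `UNKNOWN ATTRIBUTE REGISTRY ERROR! Please open a ticket against semconv with this info:`. The template also matches on the literal category `attribute_registry` and the three violation ids emitted by policies/registry.rego, but nothing in either file says they must change together. A leading `{# ... #}` comment listing the ids this template expects would make that coupling visible, since a renamed id would otherwise fall through to the UNKNOWN branch without any warning.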
From: Josh Suereth Date: Wed, 3 Jul 2024 17:06:14 -0400 Subject: [PATCH 3/5] Add policy checks to check command. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 3abff581a7..9a74715181 100644 --- a/Makefile +++ b/Makefile @@ -182,7 +182,7 @@ fix-format: # Run all checks in order of speed / likely failure. # As a last thing, run attribute registry generation and git-diff for differences. .PHONY: check -check: misspell markdownlint check-format markdown-toc compatibility-check markdown-link-check attribute-registry-generation +check: misspell markdownlint check-format markdown-toc compatibility-check markdown-link-check check-policies attribute-registry-generation git diff --exit-code ':*.md' || (echo 'Generated markdown Table of Contents is out of date, please run "make markdown-toc" and commit the changes in this PR.' && exit 1) @echo "All checks complete" From 09cb3cf21934678ad09bdf9eec1bb6f2ec68a143 Mon Sep 17 00:00:00 2001 From: Josh Suereth Date: Thu, 18 Jul 2024 08:52:13 -0400 Subject: [PATCH 4/5] Update policy errors to follow new direction. --- Makefile | 1 - policies/registry.rego | 11 +++++---- templates/diagnostic/ansi/errors.txt.j2 | 31 ------------------------- templates/diagnostic/ansi/weaver.yaml | 4 ---- 4 files changed, 6 insertions(+), 41 deletions(-) delete mode 100644 templates/diagnostic/ansi/errors.txt.j2 delete mode 100644 templates/diagnostic/ansi/weaver.yaml diff --git a/Makefile b/Makefile index c181aa38b2..1550aa82aa 100644 --- a/Makefile +++ b/Makefile @@ -110,7 +110,6 @@ check-policies: otel/weaver:${WEAVER_VERSION} registry check \ --registry=/source \ --diagnostic-format=ansi \ - --diagnostic-template=/templates/diagnostic \ --policy=/policies/registry.rego # Generate markdown tables from YAML definitions diff --git a/policies/registry.rego b/policies/registry.rego index f7f96a20b7..a13f75edeb 100644 --- a/policies/registry.rego +++ b/policies/registry.rego 
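Review bot: In the `@@ -110,7 +110,6 @@` Makefile hunk of patch 4/5, removing `--diagnostic-template=/templates/diagnostic` appears to leave the container's `/templates` mount without a consumer. The `docker run` line itself is outside this hunk, so this is inferred from the earlier patch in the series. If it still carries `-v $(PWD)/templates:/templates`, drop that mount so the policy check only exposes the directories it reads: `docker run --rm -v $(PWD)/model:/source -v $(PWD)/policies:/policies \`.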
@@ -8,15 +8,15 @@ package before_resolution attr_registry_violation(violation_id, group_id, attr_id) = violation { violation := { "id": violation_id, - "type": "semconv_attribute", - "category": "attribute_registry", + "type": "semantic_convention_policies", + "category": "attribute_registry_checks", "group": group_id, "attr": attr_id, } } # We only allow attribute groups in the attribute registry. -deny[attr_registry_violation("registry_must_be_attribute_group", group.id, "")] { +deny[attr_registry_violation("attribute_registry_can_only_contain_attribute_groups", group.id, "")] { group := input.groups[_] startswith(group.id, "registry.") group.type != "attribute_group" @@ -24,7 +24,7 @@ deny[attr_registry_violation("registry_must_be_attribute_group", group.id, "")] # Any group that is NOT in the attribute registry that has an attribute id is # in violation of not using the attribute registry. -deny[attr_registry_violation("nonregistry_with_id_attr", group.id, attr.id)] { +deny[attr_registry_violation("attributes_must_be_defined_in_attribute_registry", group.id, attr.id)] { group := input.groups[_] not startswith(group.id, "registry.") attr := group.attributes[_] @@ -33,7 +33,8 @@ deny[attr_registry_violation("nonregistry_with_id_attr", group.id, attr.id)] { # A registry `attribute_group` containing at least one `ref` attribute is # considered invalid if it's not in the registry group. -deny[attr_registry_violation("registry_with_ref_attr", group.id, attr.ref)] { +deny[attr_registry_violation("attributes_in_registry_cannot_reference_each_other", group.id, attr.ref)] { + # TODO - this will need to be updated to support `embed` in the future. group := input.groups[_] startswith(group.id, "registry.") attr := group.attributes[_] diff --git a/templates/diagnostic/ansi/errors.txt.j2 b/templates/diagnostic/ansi/errors.txt.j2 deleted file mode 100644 index 6f1433c523..0000000000 --- a/templates/diagnostic/ansi/errors.txt.j2 +++ /dev/null 
@@ -1,31 +0,0 @@
-{{ "Semantic Convention Model Validation Failures" | ansi_bold | ansi_red }}:
-
-{% for item in ctx %}
-{%- if item.error.type == "policy_violation" %}
-{%- if item.error.violation.category == "attribute_registry" %}
-{{ item.error.provenance | ansi_red}}:
-{%- if item.error.violation.id == "registry_must_be_attribute_group" %}
- Group {{ item.error.violation.group | ansi_green }} cannot be defined in the registry.
- not an attribute group.
-{%- elif item.error.violation.id == "nonregistry_with_id_attr" %}
- Attribute {{ item.error.violation.attr | ansi_cyan }} cannot be defined in Group {{ item.error.violation.group | ansi_green }}
- Attribute Group not in Attribute Registry.
-{%- elif item.error.violation.id == "registry_with_ref_attr" %}
- Attribute {{ item.error.violation.attr | ansi_cyan }} cannot be defined in Group {{ item.error.violation.group | ansi_green }}
- Registry cannot contain attribute references.
-{%- else %}
-UNKNOWN ATTRIBUTE REGISTRY ERROR! Please open a ticket agianst semconv with this info:
-{{ debug(item) }}
-{%- endif %}
-{%- else %}
-{{ item.error.provenance | ansi_red }}:
- Violation: {{ item.error.violation.id | ansi_bold | ansi_green }}
- - Category : {{ item.error.violation.category | ansi_cyan }}
- - Type : {{ item.error.violation.type | ansi_cyan }}
- - SemConv group : {{ item.error.violation.group | ansi_cyan }}
- - SemConv attribute: {{ item.error.violation.attr | ansi_cyan }}
-{%- endif %}
-{% else %}
-{{ item.diagnostic.ansi_message }}
-{%- endif %}
-{%- endfor %}
\ No newline at end of file
diff --git a/templates/diagnostic/ansi/weaver.yaml b/templates/diagnostic/ansi/weaver.yaml
deleted file mode 100644
index 36acd1bccf..0000000000
--- a/templates/diagnostic/ansi/weaver.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-templates:
- - pattern: errors.txt.j2
- filter: .
- application_mode: single
From 0bfa59ff3affa5e2bf533130f66bdc6125bcc7c5 Mon Sep 17 00:00:00 2001
From: Josh Suereth
Date: Thu, 18 Jul 2024 08:58:59 -0400
Subject: [PATCH 5/5] Fix formatting.
---
 policies/registry.rego | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policies/registry.rego b/policies/registry.rego
index a13f75edeb..1c73ef450a 100644
--- a/policies/registry.rego
+++ b/policies/registry.rego
@@ -37,7 +37,6 @@ deny[attr_registry_violation("attributes_in_registry_cannot_reference_each_other
 # TODO - this will need to be updated to support `embed` in the future.
 group := input.groups[_]
 startswith(group.id, "registry.")
- attr := group.attributes[_]
+ attr := group.attributes[_]
 attr.ref != null
 }
-