Connectivity Link / CONNLINK-653

Authorino logs "no such key: identity" error for TelemetryPolicy labels - expected behavior due to evaluation timing


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • RHCL Operator

      ### Summary
      Authorino logs show CEL expression evaluation failures (`"no such key: identity"`) when evaluating TelemetryPolicy metric labels. This is *expected behavior* due to the timing of when expressions are evaluated in the Gateway-Authorino interaction flow, not an actual error.

      ### Problem Statement
      When using TelemetryPolicy with metric labels that reference `auth.identity.*` fields (e.g., `auth.identity.userid`, `auth.identity.tier`), Authorino logs show errors like:

      ```
      "msg": "failed to evaluate CEL expression",
      "expression": "auth.identity.userid",
      "error": "no such key: identity"
      ```

      ### Root Cause
      The error occurs due to a *timing and context issue* in the request processing pipeline:

      1. *Premature Evaluation*: The Gateway forwards unevaluated CEL label expressions (e.g., `"auth.identity.userid"`) to Authorino before the authentication context is fully established.

      2. *Missing Context*: Authorino attempts to evaluate these expressions immediately, but at that point in the processing pipeline, the `identity` context has not yet been populated. The authentication process hasn't completed, so the identity mapping doesn't exist yet.

      3. *Successful Resolution*: After Authorino processes the authentication request and returns a successful response (with identity data populated from the AuthPolicy), the Gateway re-evaluates the metric labels correctly and sends them to Limitador/Prometheus.

      ### Expected Behavior
      - *Authorino logs the failure* because it tries to evaluate the label expressions too early in the pipeline
      - *The Gateway successfully handles it* afterwards using Authorino's response
      - *Limitador metrics are correctly populated* with user and tier information
      - *This is not a bug* - it's the expected flow of how the Gateway and Authorino interact

      ### Impact
      - *Low*: No functional impact - metrics are correctly populated despite the log messages
      - *Medium*: Log noise can be confusing for operators debugging issues
      - The error messages in logs may cause unnecessary concern or investigation

      ### Proposed Solution / Improvement
      Consider improving Authorino's logging behavior to:
      - Ignore metric label expressions that cannot be evaluated at Authorino's evaluation stage
      - Log at DEBUG level instead of ERROR/WARN for these expected timing-related evaluation failures
      - Add documentation clarifying this is expected behavior
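
An operator-side way to separate this expected noise from other CEL failures while Authorino's logging is unchanged, as an added example (not code from this issue or from Authorino). The log lines are constructed; only the `msg`, `expression` and `error` fields come from the issue, and the `level` field and the class names are assumptions.

```python
import json
from collections import Counter

# Constructed sample lines. Only msg/expression/error appear in the issue;
# the "level" field is an assumption made for illustration.
SAMPLE_LOG = """\
{"level":"error","msg":"failed to evaluate CEL expression","expression":"auth.identity.userid","error":"no such key: identity"}
{"level":"error","msg":"failed to evaluate CEL expression","expression":"auth.identity.tier","error":"no such key: identity"}
{"level":"error","msg":"failed to evaluate CEL expression","expression":"auth.identity.userid","error":"no such key: identity"}
{"level":"error","msg":"failed to evaluate CEL expression","expression":"auth.identity.userid","error":"no such key: userid"}
{"level":"info","msg":"incoming authorization request"}
not json: container restarted
"""

MSG = "failed to evaluate CEL expression"
ERR = "no such key: identity"
PREFIX = "auth.identity."


def classify(line):
    """Return 'expected', 'review', 'other' or 'unparsed' for one log line."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return "unparsed"
    if not isinstance(entry, dict):
        return "unparsed"
    if entry.get("msg") != MSG:
        return "other"
    # Require all three fields to match so that any other CEL failure
    # (for example a populated identity that lacks a field) stays visible.
    if (entry.get("error") == ERR
            and str(entry.get("expression", "")).startswith(PREFIX)):
        return "expected"
    return "review"


def triage(log_text):
    """Count lines per class and tally the expressions behind the expected noise."""
    classes, noisy = Counter(), Counter()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        kind = classify(line)
        classes[kind] += 1
        if kind == "expected":
            noisy[json.loads(line)["expression"]] += 1
    return classes, noisy


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
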

      ### Related Components
      - Kuadrant Gateway
      - Authorino (authentication service)
      - TelemetryPolicy
      - Limitador (rate limiting service)
      - Prometheus metrics


              Assignee: Unassigned
              Reporter: Wen Liang (liangwen12year)