RubyGems - fluent-plugin-kusto - Versions diffs - 0.0.1.beta → 0.0.3.beta - Mend

fluent-plugin-kusto 0.0.1.beta → 0.0.3.beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

checksums.yaml +4 -4
data/Gemfile +1 -1
data/README.md +260 -57
data/lib/fluent/plugin/auth/aad_tokenprovider.rb +2 -3
data/lib/fluent/plugin/auth/mi_tokenprovider.rb +8 -7
data/lib/fluent/plugin/auth/tokenprovider_base.rb +259 -10
data/lib/fluent/plugin/auth/wif_tokenprovider.rb +22 -3
data/lib/fluent/plugin/client.rb +82 -1
data/lib/fluent/plugin/conffile.rb +1 -1
data/lib/fluent/plugin/ingester.rb +27 -11
data/lib/fluent/plugin/kusto_constants.rb +57 -0
data/lib/fluent/plugin/kusto_query.rb +8 -1
data/lib/fluent/plugin/kusto_version.rb +9 -0
data/lib/fluent/plugin/out_kusto.rb +5 -3
data/test/plugin/test_e2e_kusto.rb +459 -119
data/test/plugin/test_mi_tokenprovider.rb +165 -0
data/test/plugin/test_wif_tokenprovider.rb +145 -0
metadata +38 -15

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90834d37833dc31d3a1aaa3f3de064ee260f9c619753857be060c2e48ba4a79c
-  data.tar.gz: 854001eaf38c3065262d2fd4abdb20c14e95af65ba8f08418825ddf6ac56ad94
+  metadata.gz: 2f46e06c2f84df5ddae86b8bffc55bbd0e7a92ad636d4c02512b7c9fa909e563
+  data.tar.gz: ef350fc500e82cbf80a0b91c1247463b8a4a00487324bbbc39f04a4017436d90
 SHA512:
-  metadata.gz: 66e9089d652413b6a405dc49fafa2fb3fe5399461dd18fdd87025293790dc8d92c9fcf4b8122937f2c06ec766ea43a48716dce499a61c6d298ad03f23299d5c0
-  data.tar.gz: 93e5fb41d9e4a76a5a34bad266abf596161f24143b1763d27a3378cf7f22afb87601f0a23b80775bb5cb75dc52b9876f6077f35ba59ae6dd3f19182790e32e68
+  metadata.gz: 00634a1a008a0dcb07929181b4946ad42b5d0d2d8b4aa1099498f13f72fd4b5479cb64f347fb065937d930870ca933dd6320cac8c096d0e689415dcd79564b5b
+  data.tar.gz: db35058e072ed1bdabce57439db87c161a026a4654bc61afd40f9a87f305c75a146017fbbdf91f3c71e7017a24b80ffed48eb061167c44361e3792615baa6b84

data/Gemfile CHANGED Viewed

@@ -2,7 +2,7 @@
 source 'https://rubygems.org'
-gemspec
+gemspec name: 'fluent-plugin-kusto'
 gem 'fiddle'
 gem 'mocha'
 gem 'ostruct'

data/README.md CHANGED Viewed

@@ -50,7 +50,7 @@ $ gem install fluent-plugin-kusto --pre
 Add the following line to your Gemfile:
 ```ruby
-gem "fluent-plugin-kusto", "~> 0.0.1.beta"
+gem "fluent-plugin-kusto", "~> 0.0.2.beta"
 ```
 **Note:** This is a beta release. Use the `--pre` flag with gem install or specify the beta version in your Gemfile.
@@ -116,76 +116,271 @@ A table with the expected schema must exist in order for data to be ingested pro
 .create table <table_name> (tag:string, timestamp:datetime, record:dynamic)
 ```
-## Configuration parameters
-| Key                                    | Description                                                                                                                                                                                                                                                             | Default                        |
-| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
-| `tenant_id`                            | The tenant/domain ID of the Azure Active Directory (AAD) registered application. Required if `managed_identity_client_id` isn't set.                                                                                                                                    | _none_                         |
-| `client_id`                            | The client ID of the AAD registered application. Required if `managed_identity_client_id` isn't set.                                                                                                                                                                    | _none_                         |
-| `client_secret`                        | The client secret of the AAD registered application ([App Secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret)). Required if `managed_identity_client_id` isn't set. | _none_                         |
-| `managed_identity_client_id`           | The managed identity ID to authenticate with. Set to `SYSTEM` for system-assigned managed identity, or set to the MI client ID (`GUID`) for user-assigned managed identity. Required if `tenant_id`, `client_id`, and `client_secret` aren't set.                       | _none_                         |
-| `endpoint`                   | The cluster's endpoint, usually in the form `https://cluster_name.region.kusto.windows.net`                                                                                                                                                            | _none_                         |
-| `database_name`                        | The database name.                                                                                                                                                                                                                                                      | _none_                         |
-| `table_name`                           | The table name.                                                                                                                                                                                                                                                         | _none_                         |
-| `compression_enabled`                  | If enabled, sends compressed HTTP payload (gzip) to Kusto.                                                                                                                                                                                                              | `true`                         |
-| `workers`                              | The number of [workers](../../../administration/multithreading#outputs) to perform flush operations for this output.                                                                                                                                                    | `0`                            |
-| `buffered`                    | Enable buffering into disk before ingesting into Azure Kusto. If `buffered` is `true`, buffered mode is activated. If `false`, non-buffered mode is used.                                                                                                               | `true`                        |
-| `delayed`                              | If `true`, enables delayed commit for buffer chunks. Only supported in buffered mode (`buffered` must be `true`). If `buffered` is `false`, delayed commit is not available.                                                     | `false`                        |
-| `azure_cloud`                          | Azure cloud environment. E.g., `AzureCloud`, `AzureChinaCloud`, `AzureUSGovernmentCloud`, `AzureGermanCloud`.                                                                                                                    | `AzureCloud`                   |
-| `chunk_keys` (buffer section)          | Only in buffered mode. Keys to use for chunking the buffer. Possible values: `tag`, `time`, or a combination such as `["tag", "time"]`. Controls how data is grouped and flushed.                                               | `["time"]`                    |
-| `timekey` (buffer section)             | Only in buffered mode. Time interval for buffer chunking. Possible values: integer seconds (e.g., `60`, `3600`, `86400`).                                                                                                         | `86400` (1 day)                |
-| `timekey_wait` (buffer section)        | Only in buffered mode. Wait time before flushing a timekey chunk after its time window closes. Possible values: duration string (e.g., `30s`, `5m`).                                                                             | `30s`                           |
-| `timekey_use_utc` (buffer section)     | Only in buffered mode. Use UTC for timekey chunking. Possible values: `true`, `false`.                                                                                                                                           | `true`                          |
-| `flush_at_shutdown` (buffer section)   | Only in buffered mode. Flush buffer at shutdown. Possible values: `true`, `false`.                                                                                                                                               | `true`                          |
-| `retry_max_times` (buffer section)     | Only in buffered mode. Maximum number of retry attempts for buffer flush. Possible values: integer (e.g., `5`, `10`).                                                                                                            | `5`                             |
-| `retry_wait` (buffer section)          | Only in buffered mode. Wait time between buffer flush retries. Possible values: duration string (e.g., `1s`, `10s`).                                                                                                             | `1s`                            |
-| `overflow_action` (buffer section)     | Only in buffered mode. Action to take when buffer overflows. Possible values: `block`, `drop_oldest_chunk`, `throw_exception`.                                                            | `block`                         |
-| `chunk_limit_size` (buffer section)    | Only in buffered mode. Maximum size per buffer chunk. Possible values: size string (e.g., `256m`, `1g`).                                                                                                                         | `256m`                          |
-| `total_limit_size` (buffer section)    | Only in buffered mode. Maximum total buffer size. Possible values: size string (e.g., `2g`, `10g`).                                                                                                                              | `2g`                            |
-| `flush_mode` (buffer section)          | Only in buffered mode. Buffer flush mode. Possible values: `interval`, `immediate`, `lazy`.                                                                                               | `interval`                      |
-| `flush_interval` (buffer section)      | Only in buffered mode. Interval for buffer flush. Possible values: duration string (e.g., `10s`, `1m`).                                                                                                                          | `10s`                           |
-| `logger_path`                           | Optional. File path for plugin log output. If not set, logs are written to stdout.                                                                                                                      | stdout(terminal)                        |
-| `auth_type`                            | The authentication type to use. Possible values: `aad`, `user_managed_identity`, `system_managed_identity`,`workload_identity`.                                                                                                                                                                                                                                     | `aad`                        |
-| `workload_identity_client_id`              | The client ID for Azure Workload Identity authentication. Required if using workload identity for authentication.                                                                                                               | _none_                         |
-| `workload_identity_tenant_id`              | The tenant ID for Azure Workload Identity authentication. Required if using workload identity for authentication.                                                                                                               | _none_                         |
-| `workload_identity_token_file`             | The file path to the token file for Azure Workload Identity authentication. Required if using workload identity for authentication.                                                                                             | `/var/run/secrets/azure/tokens/azure-identity-token`                        |
-## Sample Configuration
+## Authentication Methods
+This plugin supports four authentication methods for connecting to Azure Data Explorer:
+### 1. Azure AD Application (aad)
+Traditional client credentials flow using Azure AD app registration. Best for CI/CD pipelines and traditional applications.
+**Required Parameters:**
+- `auth_type`: `aad`
+- `tenant_id`: Your Azure AD tenant ID
+- `client_id`: The Azure AD application client ID
+- `client_secret`: The Azure AD application client secret
+### 2. System-Assigned Managed Identity (system_managed_identity)
+Uses the system-assigned managed identity of Azure resources (VMs, App Services, AKS nodes). No secrets to manage.
+**Required Parameters:**
+- `auth_type`: `system_managed_identity`
+- `managed_identity_client_id`: Set to `SYSTEM`
+### 3. User-Assigned Managed Identity (user_managed_identity)
+Uses a user-assigned managed identity. Allows sharing the same identity across multiple Azure resources.
+**Required Parameters:**
+- `auth_type`: `user_managed_identity`
+- `managed_identity_client_id`: The client ID (GUID) of the user-assigned managed identity
+### 4. Azure Workload Identity (workload_identity)
+Modern approach for Kubernetes/AKS workloads. Replaces the legacy Pod Identity system using OIDC federation.
+**Required Parameters:**
+- `auth_type`: `workload_identity`
+- `workload_identity_client_id`: The client ID for workload identity
+- `workload_identity_tenant_id`: The tenant ID for workload identity
+- `workload_identity_token_file_path`: Path to the workload identity token file (optional, defaults to `/var/run/secrets/azure/tokens/azure-identity-token`)
+## Data Schema and Ingestion Mapping
+### Fixed 3-Column Schema
+The plugin uses a standardized 3-column schema for all ingested data:
+| Column | Type | Description |
+|--------|------|-------------|
+| `tag` | string | The Fluentd event tag |
+| `timestamp` | datetime | The event timestamp |
+| `record` | dynamic | The actual event payload as JSON |
+### Ingestion Mapping Support
+You can now use pre-defined ingestion mappings in Kusto to transform data during ingestion by setting the `ingestion_mapping_reference` parameter. This allows you to:
+- Transform the default 3-column format into your desired schema
+- Apply data transformations during ingestion for better performance
+- Use Kusto's native ingestion mapping capabilities
+**Example:**
+```conf
+<match test.kusto>
+  @type kusto
+  # ... other configuration ...
+  ingestion_mapping_reference my_custom_mapping
+</match>
+```
+Then create the mapping in Kusto:
+```kql
+.create table MyTable ingestion json mapping "my_custom_mapping"
+@'[
+  {"column":"EventTime", "path":"$.timestamp", "datatype":"datetime"},
+  {"column":"Source", "path":"$.tag", "datatype":"string"},
+  {"column":"Level", "path":"$.record.level", "datatype":"string"},
+  {"column":"Message", "path":"$.record.message", "datatype":"string"}
+]'
+```
+### Alternative Pattern: Landing Table + Update Policy
+If you prefer not to use ingestion mappings, you can still use this pattern for schema transformation:
+```kql
+-- 1. Create landing table (matches plugin output)
+.create table RawLogs (tag:string, timestamp:datetime, record:dynamic)
+-- 2. Create your target table with desired schema
+.create table ProcessedLogs (
+    EventTime: datetime,
+    Source: string,
+    Level: string,
+    Message: string,
+    UserId: string,
+    Properties: dynamic
+)
+-- 3. Create update policy to transform data
+.alter table ProcessedLogs policy update
+@'[{
+    "IsEnabled": true,
+    "Source": "RawLogs",
+    "Query": "RawLogs | extend EventTime=timestamp, Source=tag, Level=tostring(record.level), Message=tostring(record.message), UserId=tostring(record.userId), Properties=record.properties | project EventTime, Source, Level, Message, UserId, Properties",
+    "IsTransactional": true,
+    "PropagateIngestionProperties": false
+}]'
+```
+This approach provides flexibility to transform the generic 3-column format into any schema you need.
+## Configuration Parameters
+| Key | Description | Default |
+| --- | ----------- | ------- |
+| `auth_type` | Authentication method: `aad`, `system_managed_identity`, `user_managed_identity`, `workload_identity` | `aad` |
+| `tenant_id` | Azure AD tenant ID. Required for `aad` authentication. | _none_ |
+| `client_id` | Azure AD application client ID. Required for `aad` authentication. | _none_ |
+| `client_secret` | Azure AD application client secret. Required for `aad` authentication. | _none_ |
+| `managed_identity_client_id` | For managed identity: `SYSTEM` for system-assigned, or client ID (GUID) for user-assigned. | _none_ |
+| `workload_identity_client_id` | Client ID for workload identity authentication. | _none_ |
+| `workload_identity_tenant_id` | Tenant ID for workload identity authentication. | _none_ |
+| `workload_identity_token_file_path` | Path to workload identity token file. | `/var/run/secrets/azure/tokens/azure-identity-token` |
+| `endpoint` | Kusto cluster endpoint (e.g., `https://cluster.region.kusto.windows.net`) | _none_ |
+| `database_name` | Target database name. | _none_ |
+| `table_name` | Target table name. | _none_ |
+| `compression_enabled` | Enable gzip compression for HTTP payload. | `true` |
+| `buffered` | Enable disk buffering before ingestion. | `true` |
+| `delayed` | Enable delayed commit for buffer chunks (requires `buffered: true`). | `false` |
+| `deferred_commit_timeout` | Max time (seconds) to wait for deferred commit verification. | `30` |
+| `ingestion_mapping_reference` | Name of a pre-defined ingestion mapping in Kusto for data transformation during ingestion. | _none_ |
+| `azure_cloud` | Azure cloud environment: `AzureCloud`, `AzureChinaCloud`, `AzureUSGovernmentCloud`, `AzureGermanCloud` | `AzureCloud` |
+| `logger_path` | File path for plugin logs. If not set, logs to stdout. | stdout |
+### Buffer Configuration (buffered mode only)
+| Key | Description | Default |
+| --- | ----------- | ------- |
+| `chunk_keys` | Buffer chunking keys: `tag`, `time`, or `["tag", "time"]` | `["time"]` |
+| `timekey` | Time interval for buffer chunking (seconds) | `86400` (1 day) |
+| `timekey_wait` | Wait time before flushing timekey chunk | `30s` |
+| `timekey_use_utc` | Use UTC for timekey chunking | `true` |
+| `flush_at_shutdown` | Flush buffer at shutdown | `true` |
+| `retry_max_times` | Maximum retry attempts for buffer flush | `5` |
+| `retry_wait` | Wait time between retries | `1s` |
+| `overflow_action` | Action on buffer overflow: `block`, `drop_oldest_chunk`, `throw_exception` | `block` |
+| `chunk_limit_size` | Maximum size per buffer chunk | `256m` |
+| `total_limit_size` | Maximum total buffer size | `2g` |
+| `flush_mode` | Buffer flush mode: `interval`, `immediate`, `lazy` | `interval` |
+| `flush_interval` | Buffer flush interval | `10s` |
+## Sample Configurations
+### 1. Azure AD Authentication
 ```conf
-<system>
-  workers 1
-</system>
 <match test.kusto>
   @type kusto
   @log_level debug
+  # Authentication - Azure AD
+  auth_type aad
+  tenant_id 12345678-1234-1234-1234-123456789abc
+  client_id 87654321-4321-4321-4321-abcdef123456
+  client_secret your-app-secret-here
+  # Kusto connection
+  endpoint https://mycluster.eastus.kusto.windows.net
+  database_name MyDatabase
+  table_name MyLogs
+  # Optional settings
+  azure_cloud AzureCloud
+  compression_enabled true
   buffered true
   delayed false
-  endpoint https://yourcluster.region.kusto.windows.net
-  database_name your-db
-  table_name your-table
-  tenant_id <your-tenant-id>
-  client_id <your-client-id>
+  <buffer>
+    @type memory
+    timekey 1m
+    timekey_wait 30s
+    flush_interval 10s
+  </buffer>
+</match>
+```
+### 2. System-Assigned Managed Identity
+```conf
+<match test.kusto>
+  @type kusto
+  @log_level debug
+  # Authentication - System Managed Identity
+  auth_type system_managed_identity
   managed_identity_client_id SYSTEM
+  # Kusto connection
+  endpoint https://mycluster.eastus.kusto.windows.net
+  database_name MyDatabase
+  table_name MyLogs
+  # Optional settings
+  azure_cloud AzureCloud
+  compression_enabled true
+  buffered true
+  delayed false
+  <buffer>
+    @type memory
+    timekey 1m
+    timekey_wait 30s
+    flush_interval 10s
+  </buffer>
+</match>
+```
+### 3. User-Assigned Managed Identity
+```conf
+<match test.kusto>
+  @type kusto
+  @log_level debug
+  # Authentication - User Managed Identity
+  auth_type user_managed_identity
+  managed_identity_client_id 11111111-2222-3333-4444-555555555555
+  # Kusto connection
+  endpoint https://mycluster.eastus.kusto.windows.net
+  database_name MyDatabase
+  table_name MyLogs
+  # Optional settings
+  azure_cloud AzureCloud
   compression_enabled true
+  buffered true
+  delayed false
+  <buffer>
+    @type memory
+    timekey 1m
+    timekey_wait 30s
+    flush_interval 10s
+  </buffer>
+</match>
+```
+### 4. Azure Workload Identity (Kubernetes/AKS)
+```conf
+<match test.kusto>
+  @type kusto
+  @log_level debug
+  # Authentication - Workload Identity
+  auth_type workload_identity
+  workload_identity_client_id 99999999-8888-7777-6666-555555555555
+  workload_identity_tenant_id 12345678-1234-1234-1234-123456789abc
+  workload_identity_token_file_path /var/run/secrets/azure/tokens/azure-identity-token
+  # Kusto connection
+  endpoint https://mycluster.eastus.kusto.windows.net
+  database_name MyDatabase
+  table_name MyLogs
+  # Optional settings
   azure_cloud AzureCloud
-  logger_path /var/log/azure-kusto-fluentd.log
+  compression_enabled true
+  buffered true
+  delayed false
   <buffer>
     @type memory
-    # To chunk by tag only:
-    # chunk_keys tag
-    # To chunk by tag and time:
-    # chunk_keys tag,time
     timekey 1m
     timekey_wait 30s
-    timekey_use_utc true
-    flush_at_shutdown true
-    retry_max_times 5
-    retry_wait 1s
-    overflow_action block
-    chunk_limit_size 256m
-    total_limit_size 2g
-    flush_mode interval
     flush_interval 10s
   </buffer>
 </match>
@@ -196,6 +391,14 @@ A table with the expected schema must exist in order for data to be ingested pro
 This diagram shows the main components and data flow for the plugin, including configuration, error handling, token management, and Azure resource interactions.
+## Release Notes
+### v0.0.2.beta (Latest)
+- **Fixed critical authentication initialization bugs** - Resolved `NameError` in ManagedIdentityTokenProvider and WorkloadIdentityTokenProvider
+- **Added comprehensive unit test coverage** - New test suites for authentication providers with 14 test cases and 45+ assertions
+- **Improved E2E test reliability** - Enhanced timeout configurations to handle Azure Kusto ingestion delays (480s-600s timeouts)
+- **Enhanced authentication stability** - All authentication methods now properly validated: AAD, System/User Managed Identity, Workload Identity, Azure CLI
 ## Copyright
 * License: Apache License, Version 2.0

data/lib/fluent/plugin/auth/aad_tokenprovider.rb CHANGED Viewed

@@ -52,7 +52,7 @@ class AadTokenProvider < AbstractTokenProvider
   def post_token_request
     headers = header
-    max_retries = 10
+    max_retries = 3  # Reduced from 10 to prevent rate limiting cascade
     retries = 0
     uri = URI.parse(@token_request_uri)
     form_data = URI.encode_www_form(
@@ -63,8 +63,7 @@ class AadTokenProvider < AbstractTokenProvider
     )
     while retries < max_retries
       begin
-        http = Net::HTTP.new(uri.host, uri.port)
-        http.use_ssl = (uri.scheme == 'https')
+        http = create_http_client(uri)
         request = Net::HTTP::Post.new(uri.request_uri, headers)
         request.body = form_data

data/lib/fluent/plugin/auth/mi_tokenprovider.rb CHANGED Viewed

@@ -18,6 +18,7 @@ class ManagedIdentityTokenProvider < AbstractTokenProvider
   def initialize(outconfiguration)
     super(outconfiguration)
+    setup_config(outconfiguration)
     token_request_params_set(outconfiguration)
   end
@@ -39,7 +40,7 @@ class ManagedIdentityTokenProvider < AbstractTokenProvider
   def token_request_params_set(_outconfiguration)
     token_acquire_url = IMDS_TOKEN_ACQUIRE_URL.dup + '?' + append_header('resource',
-                                                                         ERB::Util.url_encode(outconfiguration.kusto_endpoint)) + '&' + append_header(
+                                                                         ERB::Util.url_encode(@resource)) + '&' + append_header(
                                                                            'api-version', '2018-02-01'
                                                                          )
     unless @object_id.nil?
@@ -50,11 +51,11 @@ class ManagedIdentityTokenProvider < AbstractTokenProvider
       token_acquire_url = (token_acquire_url + '&' + append_header('msi_res_id',
                                                                    ERB::Util.url_encode(@msi_res_id)))
     end
-    URI.parse(token_acquire_url)
-    return unless @use_user_assigned
-    (token_acquire_url + '&' + append_header('client_id',
-                                             ERB::Util.url_encode(@managed_identity_client_id)))
+    if @use_user_assigned
+      token_acquire_url = (token_acquire_url + '&' + append_header('client_id',
+                                               ERB::Util.url_encode(@managed_identity_client_id)))
+    end
+    @token_acquire_url = token_acquire_url
   end
   def fetch_token
@@ -72,7 +73,7 @@ class ManagedIdentityTokenProvider < AbstractTokenProvider
     uri = URI.parse(@token_acquire_url)
     while retries < max_retries
       begin
-        http = Net::HTTP.new(uri.host, uri.port)
+        http = create_http_client(uri)
         request = Net::HTTP::Get.new(uri.request_uri, headers)
         response = http.request(request)
         return JSON.parse(response.body) if response.code.to_i == 200