CE Changes for Auth Method Usage Metrics (#28931)

* CE Changes for Auth Method Usage Metrics

* Import cycle weirdness

* Cleanup

helper/builtinplugins/registry_full.go

@@ -40,6 +40,7 @@ import (
 	logicalNomad "github.com/hashicorp/vault/builtin/logical/nomad"
 	logicalRabbit "github.com/hashicorp/vault/builtin/logical/rabbitmq"
 	logicalTotp "github.com/hashicorp/vault/builtin/logical/totp"
+	"github.com/hashicorp/vault/helper/pluginconsts"
 	dbCass "github.com/hashicorp/vault/plugins/database/cassandra"
 	dbHana "github.com/hashicorp/vault/plugins/database/hana"
 	dbInflux "github.com/hashicorp/vault/plugins/database/influxdb"
@@ -54,26 +55,26 @@ import (
 func newFullAddonRegistry() *registry {
 	return &registry{
 		credentialBackends: map[string]credentialBackend{
-			"alicloud": {Factory: credAliCloud.Factory},
-			"app-id": {
+			pluginconsts.AuthTypeAliCloud: {Factory: credAliCloud.Factory},
+			pluginconsts.AuthTypeAppId: {
 				Factory:           removedFactory,
 				DeprecationStatus: consts.Removed,
 			},
-			"aws":        {Factory: credAws.Factory},
-			"azure":      {Factory: credAzure.Factory},
-			"cf":         {Factory: credCF.Factory},
-			"gcp":        {Factory: credGcp.Factory},
-			"github":     {Factory: credGitHub.Factory},
-			"kerberos":   {Factory: credKerb.Factory},
-			"kubernetes": {Factory: credKube.Factory},
-			"ldap":       {Factory: credLdap.Factory},
-			"oci":        {Factory: credOCI.Factory},
-			"okta":       {Factory: credOkta.Factory},
-			"pcf": {
+			pluginconsts.AuthTypeAWS:        {Factory: credAws.Factory},
+			pluginconsts.AuthTypeAzure:      {Factory: credAzure.Factory},
+			pluginconsts.AuthTypeCF:         {Factory: credCF.Factory},
+			pluginconsts.AuthTypeGCP:        {Factory: credGcp.Factory},
+			pluginconsts.AuthTypeGitHub:     {Factory: credGitHub.Factory},
+			pluginconsts.AuthTypeKerberos:   {Factory: credKerb.Factory},
+			pluginconsts.AuthTypeKubernetes: {Factory: credKube.Factory},
+			pluginconsts.AuthTypeLDAP:       {Factory: credLdap.Factory},
+			pluginconsts.AuthTypeOCI:        {Factory: credOCI.Factory},
+			pluginconsts.AuthTypeOkta:       {Factory: credOkta.Factory},
+			pluginconsts.AuthTypePCF: {
 				Factory:           credCF.Factory,
 				DeprecationStatus: consts.Deprecated,
 			},
-			"radius": {Factory: credRadius.Factory},
+			pluginconsts.AuthTypeRadius: {Factory: credRadius.Factory},
 		},
 		databasePlugins: map[string]databasePlugin{
 			// These four plugins all use the same mysql implementation but with

helper/pluginconsts/plugin_consts.go

@@ -0,0 +1,29 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package pluginconsts
+
+// These consts live outside the plugin registry files to prevent import cycles.
+const (
+	AuthTypeAliCloud   = "alicloud"
+	AuthTypeAppId      = "app-id"
+	AuthTypeAWS        = "aws"
+	AuthTypeAzure      = "azure"
+	AuthTypeCF         = "cf"
+	AuthTypeGCP        = "gcp"
+	AuthTypeGitHub     = "github"
+	AuthTypeKerberos   = "kerberos"
+	AuthTypeKubernetes = "kubernetes"
+	AuthTypeLDAP       = "ldap"
+	AuthTypeOCI        = "oci"
+	AuthTypeOkta       = "okta"
+	AuthTypePCF        = "pcf"
+	AuthTypeRadius     = "radius"
+	AuthTypeToken      = "token"
+	AuthTypeCert       = "cert"
+	AuthTypeOIDC       = "oidc"
+	AuthTypeUserpass   = "userpass"
+	AuthTypeSAML       = "saml"
+	AuthTypeApprole    = "approle"
+	AuthTypeJWT        = "jwt"
+)

vault/core_metrics.go

@@ -535,6 +535,31 @@ func getMeanNamespaceSecrets(mapOfNamespacesToSecrets map[string]int) int {
 	return getTotalSecretsAcrossAllNamespaces(mapOfNamespacesToSecrets) / length
 }
 
+// GetAuthMethodUsageMetrics returns a map of auth mount types to the number of those mounts that exist.
+func (c *Core) GetAuthMethodUsageMetrics() map[string]int {
+	mounts := make(map[string]int)
+
+	c.authLock.RLock()
+	defer c.authLock.RUnlock()
+
+	// we don't grab the statelock, so this code might run during or after the seal process.
+	// Therefore, we need to check if c.auth is nil. If we do not, this will panic when
+	// run after seal.
+	if c.auth == nil {
+		return mounts
+	}
+
+	for _, entry := range c.auth.Entries {
+		authType := entry.Type
+		if _, ok := mounts[authType]; !ok {
+			mounts[authType] = 1
+		} else {
+			mounts[authType] += 1
+		}
+	}
+	return mounts
+}
+
 // GetKvUsageMetrics returns a map of namespace paths to KV secret counts within those namespaces.
 func (c *Core) GetKvUsageMetrics(ctx context.Context, kvVersion string) (map[string]int, error) {
 	mounts := c.findKvMounts()

website/content/docs/enterprise/license/product-usage-reporting.mdx

@@ -119,7 +119,29 @@ All of these metrics are numerical, and contain no sensitive values or additiona
 | `vault.kv.version1.secrets.namespace.min`  | The lowest number of KVv1 secrets in a namespace in Vault, e.g. `2`.     |
 | `vault.kv.version2.secrets.namespace.min`  | The highest number of KVv2 secrets in a namespace in Vault, e.g. `1000`. |
 | `vault.kv.version1.secrets.namespace.mean` | The mean number of KVv1 secrets in namespaces in Vault, e.g. `52.8`.     |
-| `vault.kv.version1.secrets.namespace.mean` | The mean number of KVv2 secrets in namespaces in Vault, e.g. `52.8`.     |
+| `vault.kv.version2.secrets.namespace.mean` | The mean number of KVv2 secrets in namespaces in Vault, e.g. `52.8`.     |
+| `vault.auth.method.approle.count`          | The total number of Approle auth mounts in Vault.                        |
+| `vault.auth.method.alicloud.count`         | The total number of Alicloud auth mounts in Vault.                       |
+| `vault.auth.method.aws.count`              | The total number of AWS auth mounts in Vault.                            |
+| `vault.auth.method.appid.count`            | The total number of App ID auth mounts in Vault.                         |
+| `vault.auth.method.azure.count`            | The total number of Azure auth mounts in Vault.                          |
+| `vault.auth.method.cloudfoundry.count`     | The total number of Cloud Foundry auth mounts in Vault.                  |
+| `vault.auth.method.github.count`           | The total number of GitHub auth mounts in Vault.                         |
+| `vault.auth.method.gcp.count`              | The total number of GCP auth mounts in Vault.                            |
+| `vault.auth.method.jwt.count`              | The total number of JWT auth mounts in Vault.                            |
+| `vault.auth.method.kerberos.count`         | The total number of Kerberos auth mounts in Vault.                       |
+| `vault.auth.method.kubernetes.count`       | The total number of kubernetes auth mounts in Vault.                     |
+| `vault.auth.method.ldap.count`             | The total number of LDAP auth mounts in Vault.                           |
+| `vault.auth.method.oci.count`              | The total number of OCI auth mounts in Vault.                            |
+| `vault.auth.method.okta.count`             | The total number of Okta auth mounts in Vault.                           |
+| `vault.auth.method.pcf.count`              | The total number of PCF auth mounts in Vault.                            |
+| `vault.auth.method.radius.count`           | The total number of Radius auth mounts in Vault.                         |
+| `vault.auth.method.saml.count`             | The total number of SAML auth mounts in Vault.                           |
+| `vault.auth.method.cert.count`             | The total number of Cert auth mounts in Vault.                           |
+| `vault.auth.method.oidc.count`             | The total number of OIDC auth mounts in Vault.                           |
+| `vault.auth.method.token.count`            | The total number of Token auth mounts in Vault.                          |
+| `vault.auth.method.userpass.count`         | The total number of Userpass auth mounts in Vault.                       |
+| `vault.auth.method.plugin.count`           | The total number of custom plugin auth mounts in Vault.                  |
 
 ## Usage metadata list