Add log redaction tutorial sample code (#9066)

* doc(logging): add log redaction boilerplate code

Create logging/redaction folder to store assets for log redaction tutorial.
Assets will include:
* documentation (README.md)
* boilerplate code to start the tutorial
* final version of the code

* chore(fix): refactor dataflow

fix package imports;
add requirements.txt file to allow import google-cloud-logging
that is not part of Beam SDK;
fix logging_v2 client initialization;
refactor some class, function and variable names;

* chore(doc): add custom image Dockerfile

Add a reference example for custom image Dockerfile

* chore(fix): refactor code sample for tutorial

Add "final" version of the code for tutorial.
Format boilerplate code to keep same quote style
and to add placeholder comments for code addition.

* chore(fix): adding redaction step to pipeline

Execute redaction function before sending logs in the pipeline.
Refactoring argument names.

* chore: fix compilation error

* chore: comment text correction

* chore: update codeowners

* chore: change indent size from 2 to 4

* chore: fix lint errors

* chore: minor text fix

* chore: updating DEE observability ownership

* chore: address style comments from dandhlee@

Author: minherz

.github/CODEOWNERS

@@ -62,12 +62,13 @@
 /kubernetes_engine/**/*                @GoogleCloudPlatform/python-samples-reviewers
 /kubernetes_engine/django_tutorial/**/*    @glasnt @GoogleCloudPlatform/python-samples-reviewers
 /language/**/*                         @GoogleCloudPlatform/dee-data-ai @GoogleCloudPlatform/python-samples-reviewers
+/logging/**/*                          @GoogleCloudPlatform/dee-observability @GoogleCloudPlatform/python-samples-reviewers
 /media_cdn/**/*                        @justin-mp @msampathkumar @GoogleCloudPlatform/python-samples-reviewers
 /memorystore/**/*                      @GoogleCloudPlatform/python-samples-reviewers
 /ml_engine/**/*                        @ivanmkc @GoogleCloudPlatform/python-samples-reviewers
 /monitoring/**/*                       @GoogleCloudPlatform/dee-observability @GoogleCloudPlatform/python-samples-reviewers
-/monitoring/opencensus                 @yuriatgoogle @GoogleCloudPlatform/python-samples-reviewers
-/monitoring/prometheus                 @yuriatgoogle @GoogleCloudPlatform/python-samples-reviewers
+/monitoring/opencensus                 @yuriatgoogle @GoogleCloudPlatform/dee-observability @GoogleCloudPlatform/python-samples-reviewers
+/monitoring/prometheus                 @yuriatgoogle @GoogleCloudPlatform/dee-observability @GoogleCloudPlatform/python-samples-reviewers
 /notebooks/**/*                        @alixhami @GoogleCloudPlatform/python-samples-reviewers
 /optimization/**/*                     @GoogleCloudPlatform/dee-data-ai @GoogleCloudPlatform/python-samples-reviewers
 /opencensus/**/*                       @GoogleCloudPlatform/python-samples-reviewers
@@ -83,7 +84,7 @@
 /storage/**/*                          @GoogleCloudPlatform/cloud-storage-dpes @GoogleCloudPlatform/python-samples-reviewers
 /storagetransfer/**/*                  @GoogleCloudPlatform/cloud-storage-dpes @GoogleCloudPlatform/python-samples-reviewers
 /texttospeech/**/*                     @GoogleCloudPlatform/dee-data-ai @GoogleCloudPlatform/python-samples-reviewers
-/trace/**/*                            @ymotongpoo @GoogleCloudPlatform/python-samples-reviewers
+/trace/**/*                            @ymotongpoo @GoogleCloudPlatform/dee-observability @GoogleCloudPlatform/python-samples-reviewers
 /translate/**/*                        @nicain @GoogleCloudPlatform/python-samples-reviewers
 /talent/**/*                           @GoogleCloudPlatform/python-samples-reviewers
 /vision/**/*                           @GoogleCloudPlatform/python-samples-reviewers

.github/blunderbuss.yml

@@ -144,7 +144,9 @@ assign_issues_by:
   - GoogleCloudPlatform/python-samples-reviewers
   - ivanmkc
 - labels:
+  - 'api: logging'
   - 'api: monitoring'
+  - 'api: trace'
   to:
   - GoogleCloudPlatform/dee-observability
 - labels:

logging/redaction/Dockerfile

@@ -0,0 +1,6 @@
+# From apache/beam_python3.9_sdk:2.43.0
+FROM apache/beam_python3.9_sdk@sha256:372abe1d342447118d517ed1325969115e2df03f09fc7604e606c7552380b2ce
+
+# Install google-cloud-logging package that is missing in Beam SDK
+COPY requirements.txt /tmp
+RUN pip3 install --upgrade pip && pip3 install -r /tmp/requirements.txt && pip3 check

logging/redaction/README.md

@@ -0,0 +1,16 @@
+# Logging redaction tutorial code samples
+
+> **Warning**
+> This section is still **W**ork **I**n **P**rogress.
+> Cloud Shell button now opens this README. It will open the tutorial _AFTER_ its official launch.
+> Tests to validate the code samples will be added.
+
+This section contains code that is used in the "Redact confidential information in logs" tutorial.
+You can open the tutorial in Cloud Shell:
+
+[![Open in Cloud Shell][shell_img]][shell_link]
+
+_NOTE:_ You will need a valid Google Cloud credentials to open the tutorial.
+
+[shell_img]: http://gstatic.com/cloudssh/images/open-btn.png
+[shell_link]: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=logging/redaction/README.md

logging/redaction/log_redaction.py

@@ -0,0 +1,150 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import argparse
+import json
+import logging
+from typing import List
+
+from apache_beam import CombineFn, CombineGlobally, DoFn, io, ParDo, Pipeline, WindowInto
+from apache_beam.error import PipelineError
+from apache_beam.options.pipeline_options import PipelineOptions
+from apache_beam.transforms.window import FixedWindows
+
+from google.cloud import logging_v2
+
+
+# TODO: Place inspection and de-identification configurations
+
+class PayloadAsJson(DoFn):
+    '''Convert PubSub message payload to UTF-8 and return as JSON'''
+    def process(self, element):
+        yield json.loads(element.decode('utf-8'))
+
+
+class BatchPayloads(CombineFn):
+    '''Opinionated way to batch all payloads in the window'''
+
+    def create_accumulator(self):
+        return []
+
+    def add_input(self, accumulator, input):
+        accumulator.append(input)
+        return accumulator
+
+    def merge_accumulators(self, accumulators):
+        merged = [
+            item
+            for accumulator in accumulators
+            for item in accumulator
+        ]
+        return merged
+
+    def extract_output(self, accumulator):
+        return accumulator
+
+
+# TODO: Placeholder for LogRedaction class
+
+
+class IngestLogs(DoFn):
+    '''Ingest payloads into destination log'''
+
+    def __init__(self, destination_log_name):
+        self.destination_log_name = destination_log_name
+        self.logger = None
+
+    def _replace_log_name(self, entry):
+        # update log name in the entry with destination log
+        entry['logName'] = self.logger.name
+        return entry
+
+    def setup(self):
+        # initialize logging client
+        if self.logger:
+            return
+
+        logging_client = logging_v2.Client()
+        if not logging_client:
+            logging.error('Cannot create GCP Logging Client')
+            raise PipelineError('Cannot create GCP Logging Client')
+        self.logger = logging_client.logger(self.destination_log_name)
+        if not self.logger:
+            logging.error('Google client library cannot create Logger object')
+            raise PipelineError('Google client library cannot create Logger object')
+
+    def process(self, element):
+        if self.logger:
+            logs = list(map(self._replace_log_name, element))
+            self.logger.client.logging_api.write_entries(logs)
+        yield logs
+
+
+def run(
+    pubsub_subscription: str,
+    destination_log_name: str,
+    window_size: float,
+    pipeline_args: List[str] = None
+) -> None:
+    '''Runs Dataflow pipeline'''
+
+    pipeline_options = PipelineOptions(
+        pipeline_args,
+        streaming=True,
+        save_main_session=True
+    )
+    pipeline = Pipeline(options=pipeline_options)
+    _ = (
+        pipeline
+        | 'Read log entries from Pub/Sub' >> io.ReadFromPubSub(subscription=pubsub_subscription)
+        | 'Convert log entry payload to Json' >> ParDo(PayloadAsJson())
+        | 'Aggregate payloads in fixed time intervals' >> WindowInto(FixedWindows(window_size))
+        # Optimize Google API consumption and avoid possible throttling
+        # by calling APIs for batched data and not per each element
+        | 'Batch aggregated payloads' >> CombineGlobally(BatchPayloads()).without_defaults()
+        # TODO: Placeholder for redaction transformation
+        | 'Ingest to output log' >> ParDo(IngestLogs(destination_log_name))
+    )
+    pipeline.run()
+
+
+if __name__ == '__main__':
+    logging.getLogger().setLevel(logging.INFO)
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        '--pubsub_subscription',
+        help='The Cloud Pub/Sub subscription to read from in the format '
+        '"projects/<PROJECT_ID>/subscription/<SUBSCRIPTION_ID>".',
+    )
+    parser.add_argument(
+        '--destination_log_name',
+        help='The log name to ingest log entries in the format '
+        '"projects/<PROJECT_ID>/logs/<LOG_ID>".',
+    )
+    parser.add_argument(
+        '--window_size',
+        type=float,
+        default=60.0,
+        help='Output file\'s window size in seconds.',
+    )
+    known_args, pipeline_args = parser.parse_known_args()
+
+    run(
+        known_args.pubsub_subscription,
+        known_args.destination_log_name,
+        known_args.window_size,
+        pipeline_args,
+    )