Commit
feature: Add decision logging

* Introduce audit log
* Integrate audit log
* Add StreamAuditLogs RPC
* Add docs
* Add Kube example
* Add HTTP endpoint
* Update engine benchmark
* Add query by ID
* Cleanup context tags
* Update docs
Showing 56 changed files with 7,592 additions and 915 deletions.
@@ -40,7 +40,7 @@ jobs: | |
fi | ||
- name: Test | ||
run: make test | ||
run: make test-all | ||
|
||
docs: | ||
name: Build docs | ||
|
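Review bot: the `Test` step switches from `make test` to `make test-all`, but no Makefile hunk defining `test-all` is visible on this page; confirm the target exists and that it is a superset of what `make test` ran, otherwise CI either fails on an undefined target or silently drops the tests the old target covered.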
@@ -0,0 +1,33 @@ | ||
# Illustrates how to deploy Cerbos with an SQLite3 backend and audit logs. | ||
|
||
cerbos: | ||
config: | ||
# Configure the SQLite3 storage driver | ||
storage: | ||
driver: "sqlite3" | ||
sqlite3: | ||
dsn: "file:/data/cerbos.sqlite?mode=rwc&_fk=true" | ||
# Configure audit logging | ||
audit: | ||
enabled: true | ||
accessLogsEnabled: true | ||
decisionLogsEnabled: true | ||
backend: local | ||
local: | ||
storagePath: /audit/cerbos | ||
|
||
# Create volumes to hold the SQLite3 database and the audit log. | ||
# Note that this example uses emptyDir volumes that lose data when the pod or node is killed. | ||
# Use persistent volumes in production to preserve the data between pod restarts. | ||
|
||
volumes: | ||
- name: cerbos-policies | ||
emptyDir: {} | ||
- name: cerbos-auditlog | ||
emptyDir: {} | ||
|
||
volumeMounts: | ||
- name: cerbos-policies | ||
mountPath: /data | ||
- name: cerbos-auditlog | ||
mountPath: /audit |
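Review bot: both the SQLite database and the audit log sit on `emptyDir` volumes, so a pod eviction or node failure discards the access and decision records together with the policy store. The comment does say to use persistent volumes in production, but since this file is the deployment example for audit logging, consider making `cerbos-auditlog` a PersistentVolumeClaim by default so the example does not ship a layout where the audit trail disappears exactly when an incident investigation would need it. Minor: the volume named `cerbos-policies` is mounted at `/data`, which is where the DSN places `cerbos.sqlite`; a name such as `cerbos-data` would describe its contents better.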
@@ -0,0 +1,45 @@ | ||
include::ROOT:partial$attributes.adoc[] | ||
|
||
= Audit block | ||
|
||
The `audit` block configures the audit logging settings for the Cerbos instance. Audit logs capture access records and decisions made by the engine along with the associated context data. | ||
|
||
|
||
Log storage is handled by different backends. In the free version, only the `local` backend is supported. | ||
|
||
NOTE: Audit logging has some overhead in terms of resource usage (disk IO, CPU and memory). This overhead is usually negligible unless Cerbos is running in a resource-constrained environment. If resources are scarce or if you are expecting heavy traffic, disabling audit logging might have a positive impact on performance. | ||
|
||
|
||
[source,yaml,linenums] | ||
---- | ||
audit: | ||
enabled: true # Set to false to completely disable audit logging. | ||
accessLogsEnabled: true # Log API access attempts | ||
decisionLogsEnabled: true # Log policy decisions | ||
backend: local # Audit backend to use. | ||
local: # Configuration for the local audit backend | ||
storagePath: /path/to/dir # Path to store the data | ||
retentionPeriod: 168h # Records older than this will be automatically deleted | ||
---- | ||
|
||
|
||
== Local backend | ||
|
||
The `local` backend uses an embedded key-value store to save audit records. The default settings should be sufficient for many use cases. Advanced users can fine-tune these settings using the `advanced` section. | ||
|
||
|
||
[source,yaml,linenums] | ||
---- | ||
audit: | ||
enabled: true | ||
backend: local | ||
local: | ||
storagePath: /path/to/dir | ||
retentionPeriod: 168h | ||
advanced: | ||
bufferSize: 16 # Size of the memory buffer. Increasing this will use more memory and the chances of losing data during a crash. | ||
maxBatchSize: 16 # Write batch size. If your records are small, increasing this will reduce disk IO. | ||
flushInterval: 30s # Time to keep records in memory before committing. | ||
gcInterval: 15m # How often the garbage collector runs to remove old entries from the log. | ||
---- | ||
|
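Review bot: the comment on `bufferSize` ("Increasing this will use more memory and the chances of losing data during a crash") is missing a verb and should read "and increase the chances of losing data during a crash". More importantly, the prose never states the durability trade-off the `advanced` settings imply: records are held in memory for up to `flushInterval` (30s in the example) or up to `bufferSize` entries before being committed, so a crash loses that window of audit records. A sentence saying so under "Local backend", plus a line explaining `retentionPeriod` (shown as `168h` in both examples but not described in the text), would let operators size these values for their retention and evidence requirements rather than only for disk IO.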