Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Record policy source attributes in audit log (#1889)
Adds ability for stores to add attributes to policies so that they can
be recorded in the audit log. One example of this is recording the git
hash of the store at the point a policy is loaded by the engine to make
a decision. This information can then be used in later analysis to
correlate the state of the policy repository with the access decisions.
Example of an audit trail produced by this change:
```json
{
...
"auditTrail": {
"effectivePolicies": {
"resource.leave_request.vdefault": {
"attributes": {
"commit_hash": "432bb16caac0a3cf7232532dac68b09a28cd2dc3",
"driver": "git",
"source": "store/resource_policies/policy_05.yaml"
}
},
"resource.leave_request.vdefault/acme": {
"attributes": {
"commit_hash": "432bb16caac0a3cf7232532dac68b09a28cd2dc3",
"driver": "git",
"source": "store/resource_policies/policy_05_acme.yaml"
}
},
"resource.leave_request.vdefault/acme.hr": {
"attributes": {
"commit_hash": "432bb16caac0a3cf7232532dac68b09a28cd2dc3",
"driver": "git",
"source": "store/resource_policies/policy_05_acme.hr.yaml"
}
},
"resource.leave_request.vdefault/acme.hr.uk": {
"attributes": {
"commit_hash": "432bb16caac0a3cf7232532dac68b09a28cd2dc3",
"driver": "git",
"source": "store/resource_policies/policy_05_acme.hr.uk.yaml"
}
}
}
}
...
}
```
---------
Signed-off-by: Charith Ellawala <charith@cerbos.dev>- Loading branch information
