What is the underlying problem you're trying to solve?
We want to allow devs to troubleshoot policies with the Data API explain parameter, but also mask sensitive environment variable values from being output in the explanation.
Describe the ideal solution
Ideally the Data API's explanation result would be run through the same masking process as decision logs, with support for prefixing on explanation or env or opa.runtime.env similarly to masking input, result.
package system.log
# mask a single env key value.
mask["/env/MY_KEY_TO_REMOVE"]
# mask all env key values.
mask["/env/*"]
Describe a "Good Enough" solution
A good enough solution would be a configuration option to mask all environment variable values from being output in explanations, or block/allow list keys. Perhaps defaulting to masking all envvars.
So in your explanations you would see "env": {"MY_KEY": "[REDACTED]"} or even just a list of keys: "env": ["MY_KEY", "ANOTHER"]
Currently we remove some fixed keys from the config. I think we could pass some config from the runtime into the evaluator to achieve this. Alternatively, you could have an env var that controls this, but that is not an ideal way to achieve this.
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.
Additional Context
There was a PR to mask opa.runtime().config credentials, which may have some relevancy or usefulness to reference.
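The "good enough" behaviour requested in the issue (mask every env value by default, with an allow list of keys), implemented as a filter applied to a JSON response before it is returned to the developer. This is an added example, not OPA code: `maskEnv`, `MaskJSON` and the sample document are hypothetical, and the plain `"env": {...}` object shape is taken from the issue text as an assumption about where the values appear.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed, simplified sample; the "env" object shape follows the issue text,
// not OPA's actual trace encoding.
const sample = `{"result":true,"explanation":[{"env":{"MY_KEY":"hunter2","ANOTHER":"eu-west-1"}}]}`

// maskEnv walks decoded JSON. Inside any object stored under an "env" key, every
// value whose key is not in allow is replaced; a nil allow list masks everything.
func maskEnv(v interface{}, allow map[string]bool, inEnv bool) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, child := range t {
			if inEnv && !allow[k] {
				out[k] = "[REDACTED]" // drop the value, keep the key visible
				continue
			}
			out[k] = maskEnv(child, allow, k == "env" && !inEnv)
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, child := range t {
			out[i] = maskEnv(child, allow, false)
		}
		return out
	}
	return v // scalars and allow-listed env values pass through unchanged
}

// MaskJSON applies maskEnv to a raw JSON response body and re-serialises it.
func MaskJSON(doc []byte, allow map[string]bool) (string, error) {
	var v interface{}
	if err := json.Unmarshal(doc, &v); err != nil {
		return "", err
	}
	b, err := json.Marshal(maskEnv(v, allow, false))
	return string(b), err
}

func main() {
	out, err := MaskJSON([]byte(sample), map[string]bool{"ANOTHER": true})
	fmt.Println(out, err)
}
```

Redaction happens on the decoded value rather than by string replacement, so a secret that also appears as a key name or outside `env` is not touched, and malformed input is rejected instead of being passed through unmasked.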