
Mask opa.runtime().env from Data API explanations #6355

Open
leefernandes opened this issue Oct 27, 2023 · 2 comments

Comments


leefernandes commented Oct 27, 2023

What is the underlying problem you're trying to solve?

We want to allow devs to troubleshoot policies with the Data API explain parameter, but also mask sensitive environment variable values from being output in the explanation.

Describe the ideal solution

Ideally the Data API's explanation result would be run through the same masking process as decision logs, with support for prefixing on explanation or env or opa.runtime.env similarly to masking input, result.

```rego
package system.log

# mask a single env key value.
mask["/env/MY_KEY_TO_REMOVE"]

# mask all env key values.
mask["/env/*"]
```

Describe a "Good Enough" solution

A good enough solution would be a configuration option to mask all environment variable values from being output in explanations, or block/allow list keys. Perhaps defaulting to masking all envvars.

So in your explanations you would see `"env": {"MY_KEY": "[REDACTED]"}` or even just a list of keys: `"env": ["MY_KEY", "ANOTHER"]`

```yaml
data_api:
  unmask_explain_envvars: true # opt into unmasked environment variables.  (Default false)
data_api:
  unmasked_explain_envvars: ["MY_KEY_NOT_TO_MASK", "ANOTHER"] # allowlist keys
data_api:
  mask_explain_envvars: ["MY_KEY_TO_MASK", "ANOTHER"] # blocklist keys
```

Additional Context

There was a PR to mask opa.runtime().config credentials, which may have some relevancy or usefulness to reference.
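The two proposals in the issue above, the `system.log` style `mask["/env/..."]` rules and the "good enough" `data_api` options, applied to a constructed explanation fragment. This is an added example, not OPA's code: the `{"env": {...}}` document shape, the `[REDACTED]` marker and the precedence among the three config options are assumptions.

```python
import copy
from typing import Any

REDACTED = "[REDACTED]"  # assumed marker; OPA does not define this


def _redact(node: Any, parts: list[str]) -> None:
    """Redact the value(s) addressed by the remaining path parts in place.
    A part of "*" selects every key of the mapping at that level."""
    if not isinstance(node, dict) or not parts:
        return
    head, rest = parts[0], parts[1:]
    keys = list(node) if head == "*" else ([head] if head in node else [])
    for key in keys:
        if rest:
            _redact(node[key], rest)
        else:
            node[key] = REDACTED


def apply_mask_rules(doc: dict, rules: list[str]) -> dict:
    """Return a copy of doc with each rule path ("/env/MY_KEY", "/env/*")
    redacted, mirroring the system.log mask[...] form proposed in the issue."""
    out = copy.deepcopy(doc)
    for rule in rules:
        _redact(out, [p for p in rule.split("/") if p])
    return out


def mask_env_by_config(env: dict, config: dict) -> dict:
    """Apply the 'good enough' options from the issue to an env mapping.
    Precedence (an assumption): opt-out of masking, then allowlist, then
    blocklist; otherwise mask everything, the suggested default."""
    if config.get("unmask_explain_envvars", False):
        return dict(env)
    if "unmasked_explain_envvars" in config:
        keep = set(config["unmasked_explain_envvars"])
        return {k: (v if k in keep else REDACTED) for k, v in env.items()}
    if "mask_explain_envvars" in config:
        hide = set(config["mask_explain_envvars"])
        return {k: (REDACTED if k in hide else v) for k, v in env.items()}
    return {k: REDACTED for k in env}


# Constructed sample explanation fragment; the {"env": {...}} shape is assumed.
SAMPLE = {"env": {"MY_KEY": "s3cret", "ANOTHER": "also-secret"}, "result": True}

if __name__ == "__main__":
    print(apply_mask_rules(SAMPLE, ["/env/MY_KEY"]))
    print(apply_mask_rules(SAMPLE, ["/env/*"]))
    print(mask_env_by_config(SAMPLE["env"], {"unmasked_explain_envvars": ["ANOTHER"]}))
```

The masking runs on a deep copy, so the original explanation object is left untouched and a rule whose path does not exist is a no-op rather than an error.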

ashutosh-narkar (Member) commented

Currently we remove some fixed keys from the config. I think we could pass some config from the runtime into the evaluator to achieve this. Alternatively, you could have an env var that controls this, but that is not an ideal way to achieve it.

stale bot commented Nov 26, 2023

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

stale bot added the inactive label Nov 26, 2023