Add possibility to enrich decision logs from custom builtins #6700

Closed
xico42 opened this issue Apr 16, 2024 · 0 comments

What is the underlying problem you're trying to solve?

In the use case of implementing OPA at my current company, we are going to provide a common authorization policy that may fetch external data in order to apply authorization rules. This external data may include user attributes or feature flag evaluation, for example.

Both integrations are implemented by means of custom builtins, where we handle caching, retries and other stuff.

Once this is done in a common policy, it would be great to have the fetched dynamic external data logged in the decision logs to aid in debugging and auditing policies.

Describe the ideal solution

Something like rule level tracing seems the ideal, the ability to automatically introspect a policy execution in a cheaper way.

Describe a "Good Enough" solution

The proposed solution here is the "Good Enough" one, where an API would be made available for custom builtin implementations to enrich OPA decision logs with arbitrary data.

Additional Context

This idea came up after a short discussion in the #6559 issue. This solution might be an alternative to what is proposed there, or even a building block for it.

From a built-in implementation perspective, I would like to be able to do something like the following:

	rego.RegisterBuiltin1(
		&rego.Function{
			Name: "hello",
			Decl: types.NewFunction(types.Args(types.S), types.S),
		},
		func(bctx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
			// This is the proposed API to append extra data to decision logs
			// Here we are adding the "extra.foo" key with value "bar"
			logs.SetExtra(bctx.Context, "foo", "bar")
			if str, ok := a.Value.(ast.String); ok {
				return ast.StringTerm("hello, " + string(str)), nil
			}
			return nil, nil
		},
	)

As a matter of fact, I've already implemented a solution for this at #6699. The PR is not completely ready, but I've opened it so that we may further discuss the implementation details.
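
The mechanism this request describes, as an added sketch that is not part of the original issue, OPA's code, or the implementation in #6699: a per-decision collector carried in the `context.Context`, written by `SetExtra` and read when the log entry is built. Only the `SetExtra(ctx, key, value)` call shape and the `extra` key come from the issue; `WithExtras`, `LogEntry` and the simplified entry layout are hypothetical.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"sync"
)

// extrasKey is an unexported context key, so other packages cannot collide with it.
type extrasKey struct{}

// extras collects data for one decision; the mutex covers concurrent builtin calls.
type extras struct {
	mu   sync.Mutex
	data map[string]any
}

// WithExtras (hypothetical) attaches a fresh collector; call it once per decision.
func WithExtras(ctx context.Context) context.Context {
	return context.WithValue(ctx, extrasKey{}, &extras{data: map[string]any{}})
}

// SetExtra records a value; it is a no-op when the context carries no collector.
func SetExtra(ctx context.Context, key string, value any) {
	if e, ok := ctx.Value(extrasKey{}).(*extras); ok {
		e.mu.Lock()
		defer e.mu.Unlock()
		e.data[key] = value
	}
}

// LogEntry (hypothetical) builds a simplified log record with the data under "extra".
func LogEntry(ctx context.Context, decisionID string, result any) (string, error) {
	entry := map[string]any{"decision_id": decisionID, "result": result}
	if e, ok := ctx.Value(extrasKey{}).(*extras); ok {
		e.mu.Lock()
		defer e.mu.Unlock()
		entry["extra"] = e.data
	}
	b, err := json.Marshal(entry)
	return string(b), err
}

func main() {
	ctx := WithExtras(context.Background())
	SetExtra(ctx, "foo", "bar") // the call a custom builtin would make via bctx.Context
	out, _ := LogEntry(ctx, "constructed-id-1", true) // constructed decision ID
	fmt.Println(out)
}
```

Scoping the collector to the request context keeps one decision's fetched data out of another decision's log entry, which matters when the values are user attributes.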
