logging of request headers in decision logs #5849
Comments
|
Traditionally decision logs record the inputs and results of policy decisions. I'm not sure I understand how the incoming request headers, which aren't available in the policy evaluation, can impact the decision making. If they can't, they don't belong into the decision logs, I think. This does not mean that there's no value in improving tracing, and especially giving your decision logs a reference to tracing spans, like done recently in #5230. Would that functionality help you in debugging production issues, too? |
Yup! This is exactly why I'm requesting it. It sounds like #5230 is specific to the envoy plugin, is that right? I can think of some other use-cases where we might want to log out headers that tells us about the client or other general request metadata, but I'm happy enough if it is focused on the tracing use cases. |
|
We've updated OPA's decision log format to now include the trace and span identifier. So it's not specific to the envoy plugin. |
@srenatus they are used in I am happy to know you've likely addressed my main use-case, so will look forward to testing out the next release. Thanks all! |
What is the underlying problem you're trying to solve?
Decision logs could include header fields from the request. This would improve the ability to understand decisions and other issues in production, where debug logging is not appropriate. I looked at
system.log.maskupsert functionality but did not have access toinput.headersthere. Possibly a change similar to #1456 could address that limitation.Describe the ideal solution
Ideally, logging of request headers in decision logs would be configurable. The user could decide which headers to mask using the existing
system.log.maskrule.Describe a "Good Enough" solution
Enable access to
input.headerswhen defining rules forsystem.log.maskand use the existing upsert functionality to modify the decision log body.Additional Context
The text was updated successfully, but these errors were encountered: