open-policy-agent/opa

Add possibility to enrich decision logs from custom builtins

Closed this issue · 0 comments

What is the underlying problem you're trying to solve?

In the use case of implementing OPA at my current company we are going to provide a common authorization policy that may fetch external data in order to apply authorization rules. This external data may include user attributes or feature flag evaluation, for example.

Both integrations are implemented by means of custom builtins, where we handle caching, retries and other stuff.

Once this is done in a common policy, it would be great to have the fetched dynamic external data logged in the decision logs to aid in debugging and auditing policies.

Describe the ideal solution

Something like rule level tracing seems ideal: the ability to automatically introspect a policy execution in a cheaper way.

Describe a "Good Enough" solution

The proposed solution here is the "Good Enough" one, where an API would be made available for custom builtin implementations to enrich OPA decision logs with arbitrary data.

Additional Context

This idea came up after a short discussion in the #6559 issue. This solution might be an alternative to what is proposed there, or even a building block for it.

From a built-in implementation perspective, I would like to be able to do something like the following:

	rego.RegisterBuiltin1(
		&rego.Function{
			Name: "hello",
			Decl: types.NewFunction(types.Args(types.S), types.S),
		},
		func(bctx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
			// This is the proposed API to append extra data to decision logs
			// Here we are adding the "extra.foo" key with value "bar"
			logs.SetExtra(bctx.Context, "foo", "bar")
			if str, ok := a.Value.(ast.String); ok {
				return ast.StringTerm("hello, " + string(str)), nil
			}
			return nil, nil
		},
	)

As a matter of fact, I've already implemented a solution for this at #6699. The PR is not completely ready, but I've opened it so that we may further discuss the implementation details.
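As an added illustration that is neither OPA's code nor the implementation in #6699, the following stdlib-only model shows how a SetExtra-style API could carry builtin-supplied data through the evaluation context into a decision log event, so that the external data a decision relied on is visible when auditing it. The WithExtra, DecisionEvent, helloBuiltin and Evaluate names, and the "user_attrs" payload, are assumptions constructed for this example.

```go
package main
import (
	"context"
	"encoding/json"
	"sync"
)

// extraKey is an unexported context key, so only this package can reach the store.
type extraKey struct{}
// extraStore collects the pairs attached during one evaluation; builtins may run concurrently, hence the mutex.
type extraStore struct {
	mu sync.Mutex
	m  map[string]interface{}
}
// WithExtra derives a context carrying a fresh, per-evaluation store (assumed API, not OPA's).
func WithExtra(ctx context.Context) context.Context {
	return context.WithValue(ctx, extraKey{}, &extraStore{m: map[string]interface{}{}})
}
// SetExtra records one key/value pair; it reports false when the context carries no store.
func SetExtra(ctx context.Context, key string, value interface{}) bool {
	s, ok := ctx.Value(extraKey{}).(*extraStore)
	if !ok {
		return false
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[key] = value
	return true
}
// DecisionEvent models a decision log entry with the proposed "extra" field.
type DecisionEvent struct {
	Path   string                 `json:"path"`
	Result interface{}            `json:"result"`
	Extra  map[string]interface{} `json:"extra,omitempty"`
}
// helloBuiltin stands in for the issue's "hello" builtin and records the (constructed) data it fetched.
func helloBuiltin(ctx context.Context, name string) string {
	SetExtra(ctx, "user_attrs", map[string]interface{}{"name": name, "tier": "gold"})
	return "hello, " + name
}
// Evaluate runs one evaluation and copies the collected extras into the log event.
func Evaluate(path, name string) ([]byte, error) {
	ctx := WithExtra(context.Background())
	ev := DecisionEvent{Path: path, Result: helloBuiltin(ctx, name)}
	if s := ctx.Value(extraKey{}).(*extraStore); len(s.m) > 0 {
		ev.Extra = s.m
	}
	return json.Marshal(ev)
}
```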