Daniel Doornekamp, 01/23/2024, 12:16 PM:
audit.log file to a SIEM like Wazuh? We want to decouple authorization and ship all authorization-based decisions to a central point for auditing purposes. Would love to get some feedback.

Charith (Cerbos):
stdout and stderr as well, so you might even be able to set the audit.file.path of Cerbos to stdout and let the audit logs be captured that way.

Daniel Doornekamp, 01/23/2024, 3:37 PM:

Daniel Doornekamp, 01/26/2024, 12:17 PM:

Charith (Cerbos):
x-forwarded-for or x-forwarded-host header, the peer IP will be derived from that. Otherwise it'd be the caller IP address as reported by the TCP connection. It shouldn't be the same IP address as the Cerbos container though (unless the requests are coming from the same container).

Daniel Doornekamp, 01/29/2024, 2:17 PM:

Charith (Cerbos):
withHeaders method that you can use to forward the x-forwarded-for header or any other header for that matter. So, if there's anything you'd like to be recorded in the audit log, you can send them as headers. By default, Cerbos doesn't log all headers because some of them contain sensitive data like access tokens. So, if you use a custom header, make sure to add it to the audit.includeMetadataKeys configuration of Cerbos (https://docs.cerbos.dev/cerbos/latest/configuration/audit).

Daniel Doornekamp, 01/29/2024, 3:41 PM:

Daniel Doornekamp, 01/31/2024, 8:40 AM:
'X-Forwarded-For' in the audit configuration (includeMetadataKeys). Are there any other steps I need to configure so that the peer address uses the client IP?

Charith (Cerbos):
x-forwarded-for header is the way to identify the originator of the request. I think that is the usual way of interpreting request logs in most systems.

Daniel Doornekamp, 01/31/2024, 9:21 AM:
X-Forwarded-For header in the includeMetadataKeys adds the header to the audit log. Still, I don't seem to get it working. I added the header to the includeMetadataKeys block but it seems to not add it to audit.log. I added a screenshot so you can see my config.yaml.

Charith (Cerbos):
Daniel Doornekamp, 01/31/2024, 9:34 AM:

Charith (Cerbos):
Daniel Doornekamp, 01/31/2024, 9:37 AM:
{"log.level":"info","@timestamp":"2024-01-31T09:36:14.580Z","log.logger":"cerbos.grpc","message":"Handled request","protocol":"grpc","grpc.component":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","grpc.method_type":"unary","cerbos":{"call_id":"01HNFE0K7H31K0K5AJHXEQPKH4"},"grpc.request.meta":{"request_id":"55b42ed1-519d-4cf0-9735-3b3b036dcfe6"},"peer.address":"dummy_ip:49988","grpc.start_time":"2024-01-31T09:36:14Z","grpc.request.deadline":"2024-01-31T09:36:15Z","grpc.code":"OK","grpc.time_ms":"2.327"}

Charith (Cerbos):

Charith (Cerbos):
{"log.logger":"cerbos.audit","log.kind":"decision","callId":"01HNFE9M9C8RCDN7S0J34ABHGD","timestamp":"2024-01-31T09:41:10.583806308Z","peer":{"address":"127.0.0.1:47050","userAgent":"grpcurl/1.8.9 grpc-go/1.57.0","forwardedFor":"xxx"}, ...

Does yours not contain peer.forwardedFor?

Daniel Doornekamp, 01/31/2024, 9:48 AM:
{"log.logger":"cerbos.audit","log.kind":"decision","callId":"01HNFEH9NC8M47SM05AJSNHYVM","timestamp":"2024-01-31T09:45:21.843917215Z","peer":{"address":"dummyip:dummyport","userAgent":"grpc-java-netty/1.61.0"},"checkResources":{"inputs":[{"requestId":"d5d694a9-fd54-4511-b761-90fff9fe635e","resource":{"kind":"klant","id":"_NEW_","attr":{"id":"1"}},"principal":{"id":"1","roles":["ROLE_USER"],"attr":{"rekeningen":"[\"NL00RABO00000000\"]"}},"actions":["read"],"auxData":{}}],"outputs":[{"requestId":"d5d694a9-fd54-4511-b761-90fff9fe635e","resourceId":"_NEW_","actions":{"read":{"effect":"EFFECT_ALLOW","policy":"resource.klant.vdefault"}},"effectiveDerivedRoles":["ROLE_KLANT_OWNER"]}]},"auditTrail":{"effectivePolicies":{"resource.klant.vdefault":{"attributes":{"driver":"disk","source":"klant.yaml"}}}}}

Daniel Doornekamp, 01/31/2024, 9:48 AM:

Charith (Cerbos):
client.withHeaders(Map.of("x-forwarded-for", "xxx")).check(...)

Charith (Cerbos):
{
  "log.logger": "cerbos.audit",
  "log.kind": "access",
  "timestamp": "2024-01-31T09:58:07.178950633Z",
  "callId": "01HNFF8N2AFKQX50CWNKPZ0G1Q",
  "peer": {
    "address": "127.0.0.1:56062",
    "userAgent": "grpc-java-netty/1.61.0",
    "forwardedFor": "xxx"
  },
  "method": "/cerbos.svc.v1.CerbosService/CheckResources"
}

Daniel Doornekamp, 01/31/2024, 10:24 AM:
.check? I'm trying to configure the method the same as you.

Daniel Doornekamp, 01/31/2024, 10:25 AM:
CerbosAuthorizationService.java file. This is where my global Java configuration of Cerbos is defined. Is this the correct place to call the .withHeaders method?

Charith (Cerbos):
import static dev.cerbos.sdk.builders.AttributeValue.stringValue;

import dev.cerbos.sdk.CheckResult;
import dev.cerbos.sdk.builders.Principal;
import dev.cerbos.sdk.builders.Resource;
import java.util.Map;

// "client" is the shared CerbosBlockingClient; withHeaders returns a request-scoped
// client that attaches the given gRPC metadata to this check call only.
CheckResult have =
    client.withHeaders(Map.of("x-forwarded-for", "xxx")).check(
        Principal.newInstance("john", "employee")
            .withPolicyVersion("20210210")
            .withAttribute("department", stringValue("marketing"))
            .withAttribute("geography", stringValue("GB")),
        Resource.newInstance("leave_request", "xx125")
            .withPolicyVersion("20210210")
            .withAttribute("department", stringValue("marketing"))
            .withAttribute("geography", stringValue("GB"))
            .withAttribute("owner", stringValue("john")),
        "view:public",
        "approve");

Charith (Cerbos):
withHeaders on the global client to obtain a request-scoped client instance with the correct headers.

Daniel Doornekamp, 02/01/2024, 9:34 AM:
.withHeaders method but I'm receiving a pretty weird error:

error: cannot access Metadata
    cerbosClient.withHeaders(Map.of(headerKey, headerValue));
                ^
  class file for io.grpc.Metadata not found

I tried adding gRPC to my build.gradle file but then there seems to be a dependency conflict as Cerbos doesn't function anymore.

Charith (Cerbos):
./gradlew dependencies to see whether there's another dependency that's pulling in a conflicting version of gRPC?

Daniel Doornekamp, 02/01/2024, 9:45 AM:
> BUG! exception in phase 'semantic analysis' in source unit '_BuildScript_' Unsupported class file major version 65

Charith (Cerbos):
Daniel Doornekamp, 02/01/2024, 9:51 AM:

Charith (Cerbos):
Charith (Cerbos):

Daniel Doornekamp, 02/01/2024, 1:02 PM:

Charith (Cerbos):