#help

Rob Crowe

12/05/2022, 3:53 PM
We currently wrap the Cerbos API, which means that the peer.address in the audit logs is showing the loopback address. Any chance there's a change that makes sense in PeerFromContext to support our use-case, whereby we can pass through the original caller?
Maybe I hack the hostname into the user-agent 😂
Ah, maybe it's includeMetadataKeys?

Alex Olivier (Cerbos)

12/05/2022, 4:11 PM
Hey
Not familiar with how the context works, so shall need to find out

Rob Crowe

12/05/2022, 4:12 PM
hey hey 👋🏻 thought I need to get better asking in public channels 🙂

Alex Olivier (Cerbos)

12/05/2022, 4:12 PM
the include/exclude is in the full config in docs, but we haven't got a section for it just yet

Rob Crowe

12/05/2022, 4:13 PM
ah yeah, was just checking the audit section though just realised this is for access logs only & not decision logs, which is currently what we use at least according to the comment...
# IncludeMetadataKeys defines which gRPC request metadata keys should be included in access logs

Alex Olivier (Cerbos)

12/05/2022, 4:18 PM
That is how it works currently - but we've had a few requests for it to apply to decision logs also so can look to extend it

Charith (Cerbos)

12/05/2022, 4:24 PM
Decision logs happen much later and we don't have much of the context by that point. So, the original design was to store the request details in access logs and allow them to be joined to decision logs using the Audit ID. We'll have to think about how to make them not depend on each other.

Rob Crowe

12/05/2022, 4:28 PM
It's perhaps viable now for us to re-enable access logs; we'd disabled before when all metadata was being logged & to reduce log volume. So we'll try this route & make use of includeMetadataKeys to pass through some custom values, so it can be joined up with the decision log. Thanks 🙇🏻

Charith (Cerbos)

12/05/2022, 4:30 PM
Cool. Let us know if you spot something that we could do to make it easier.

Rob Crowe

12/05/2022, 4:31 PM
Will do. At this point it would just be allowing the metadata keys to be included from the config, in the decision log.

Charith (Cerbos)

12/06/2022, 12:30 PM
Hey, so, having the metadata field in the decision log entries would address your use case, right? Which keys to include/exclude will be driven by the config file. https://github.com/cerbos/cerbos/pull/1385

Rob Crowe

12/06/2022, 2:06 PM
Yeah, I think that would do it 👍🏻