We currently wrap the Cerbos API, which means that...
# help
r
We currently wrap the Cerbos API, which means that the `peer.address` in the audit logs is showing the loopback address. Any chance there's a change that makes sense in PeerFromContext to support our use-case, whereby we can pass through the original caller?
Maybe I hack the hostname into the user-agent 😂
Ah, maybe it's `includeMetadataKeys`?
a
Hey
Not familiar how the context works so shall need to find out
r
hey hey 👋🏻 thought I need to get better asking in public channels 🙂
a
the include/exclude is in the full config in docs, but we haven't got a section for it just yet
r
ah yeah, was just checking the audit section though just realised this is for access logs only & not decision logs, which is currently what we use at least according to the comment...
`# IncludeMetadataKeys defines which gRPC request metadata keys should be included in access logs`
a
That is how it works currently - but we've had a few requests for it to apply to decision logs also so can look to extend it
c
Decision logs happen much later and we don't have much of the context by that point. So, the original design was to store the request details in access logs and allow them to be joined to decision logs using the Audit ID. We'll have to think about how to make them not depend on each other.
r
It's perhaps viable now for us to re-enable access logs; we'd disabled before when all metadata was being logged & to reduce log volume. So we'll try this route & make use of `includeMetadataKeys` to pass through some custom values, so it can be joined up with the decision log. Thanks 🙇🏻
c
Cool. Let us know if you spot something that we could do to make it easier.
r
Will do. At this point it would just be allowing the metadata keys to be included from the config, in the decision log.
c
Hey, so, having the `metadata` field in the decision log entries would address your use case, right? Which keys to include/exclude will be driven by the config file. https://github.com/cerbos/cerbos/pull/1385
r
Yeah, I think that would do it 👍🏻