Vijey Deepan
01/26/2023, 6:19 AM
oguzhan
01/26/2023, 8:33 AM
decision logs and admin API from the configuration file as follows:
audit:
  enabled: true
  decisionLogsEnabled: true # Log policy decisions
server:
  adminAPI:
    enabled: true
You can check the decision logs using the cerbosctl like this:
cerbosctl --server=localhost:3593 --username=cerbos --password=cerbosAdmin --plaintext audit --kind decision
As an example, you will observe audit log entries like the following. Is it what you are looking for?
{
  "callId": "01GQPJQJ66STBED5B35VJ8X4RA",
  "timestamp": "2023-01-26T08:22:27.803937Z",
  "peer": {
    "address": "127.0.0.1:61619",
    "userAgent": "...",
    "forwardedFor": "127.0.0.1"
  },
  "checkResources": {
    "inputs": [
      {
        "requestId": "1",
        "resource": {
          "kind": "student-management",
          "policyVersion": "default",
          "id": "XX125"
        },
        "principal": {
          "id": "john",
          "policyVersion": "default",
          "roles": [
            "user"
          ]
        },
        "actions": [
          "read",
          "delete"
        ]
      }
    ],
    "outputs": [
      {
        "requestId": "1",
        "resourceId": "XX125",
        "actions": {
          "delete": {
            "effect": "EFFECT_DENY",
            "policy": "NO_MATCH"
          },
          "read": {
            "effect": "EFFECT_DENY",
            "policy": "NO_MATCH"
          }
        }
      }
    ]
  }
}
Vijey Deepan
01/26/2023, 8:42 AM
principal := client.NewPrincipal("here i can add the principle right", "somerole")
resource := client.NewResource(mdkind[0], "resource id here")
resource.WithScope("scope")
batch := client.NewResourceBatch()
batch.Add(resource, "read")
resp, err := cli.CheckResources(context.Background(), principal, batch)
if err != nil {
	return nil, err
}
oguzhan
01/26/2023, 8:55 AM
Vijey Deepan
01/26/2023, 9:01 AM
oguzhan
01/26/2023, 9:32 AM
cerbosctl to see audit logs.
Charith (Cerbos)
01/26/2023, 11:41 AM
file backend and ingesting the logs into a log indexer.