https://cerbos.dev logo
Powered by
Title
v

Vijey Deepan

01/26/2023, 6:19 AM
Hi all, I have added resource policy using go sdk. As well as for checking also am using go sdk. While audit I want to know who made the check request. For that I want to send some attribute along with check call to cerbos. Is that possible . TIA
o

oguzhan

01/26/2023, 8:33 AM
Hi @Vijey Deepan, Assuming you are looking for the principal or an IP who made the request you can see it by following these steps. If it is something else you are looking for, please let me know. After enabling the 
decision
logsa and admin API from the configuration file as follows; 
audit:
  enabled: true
  decisionLogsEnabled: true # Log policy decisions
server:
  adminAPI:
    enabled: true
You can check the 
decision
logs using the 
cerbosctl
like this; 
cerbosctl --server=localhost:3593 --username=cerbos --password=cerbosAdmin --plaintext audit --kind decision
As an example, you will observe audit log entries like the following. Is it what you are looking for? 
{
  "callId": "01GQPJQJ66STBED5B35VJ8X4RA",
  "timestamp": "2023-01-26T08:22:27.803937Z",
  "peer": {
    "address": "127.0.0.1:61619",
    "userAgent": "...",
    "forwardedFor": "127.0.0.1"
  },
  "checkResources": {
    "inputs": [
      {
        "requestId": "1",
        "resource": {
          "kind": "student-management",
          "policyVersion": "default",
          "id": "XX125"
        },
        "principal": {
          "id": "john",
          "policyVersion": "default",
          "roles": [
            "user"
          ]
        },
        "actions": [
          "read",
          "delete"
        ]
      }
    ],
    "outputs": [
      {
        "requestId": "1",
        "resourceId": "XX125",
        "actions": {
          "delete": {
            "effect": "EFFECT_DENY",
            "policy": "NO_MATCH"
          },
          "read": {
            "effect": "EFFECT_DENY",
            "policy": "NO_MATCH"
          }
        }
      }
    ]
  }
}
v

Vijey Deepan

01/26/2023, 8:42 AM
Thank you for the help. This is exactly what I need. I want the principle info
so How to send the principle info along with check request to cerbos grpc api , if we use resource policy.
principal := client.NewPrincipal("here i can add the principle right", "somerole")
resource := client.NewResource(mdkind[0], "resource id here")
resource.WithScope("scope")
batch := client.NewResourceBatch()
batch.Add(resource, "read")
resp, err := cli.CheckResources(context.Background(), principal, batch)
if err != nil {
return nil, err
}
what ever principle id am add here while making check request will reflect in audit log right
o

oguzhan

01/26/2023, 8:55 AM
Yes, that is how you send a request using the SDK. You will see the principal in the audit logs.
v

Vijey Deepan

01/26/2023, 9:01 AM
sdk is available for audit as well right
o

oguzhan

01/26/2023, 9:32 AM
It is not available for Go SDK right now. You could use Admin API directly, or 
cerbosctl
to see audit logs.
c

Charith (Cerbos)

01/26/2023, 11:41 AM
Actually, the Go SDK does have a way to get the audit logs: https://pkg.go.dev/github.com/cerbos/cerbos/client#AdminClient However, it's stream of the latest entries and not directly queriable for specific records. If you want advanced querying for audit logs, we recommend using the 
file
backend and ingesting the logs into a log indexer.
#helpJoin Slack
Powered by