feat(authz): ensure logging parity between authz v2 and v1 #2443
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @jakedoublev, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request enhances the audit logging capabilities for the authorization v2 service. The primary goal is to ensure that the audit logs for access decisions provide comprehensive details about the evaluation process, mirroring the intent of the v1 logs while reflecting the v2 architecture. This involves restructuring the data captured during the decision evaluation and formatting it appropriately for the audit trail.
Highlights
- Audit Log Parity: This PR focuses on bringing the audit logging for the v2 authorization decision process closer to the v1 structure and content, specifically for the 'decision' event.
- Detailed V2 Decision Logging: Introduced a new audit event type and creation logic (
GetDecisionV2EventParams,CreateV2GetDecisionEvent) to capture and log the detailed results of the v2 policy evaluation, including the specific resource values and attribute evaluation outcomes. - Updated Data Structure: Modified the
DataRuleResultstruct in the v2 PDP logic to includeResourceValueFQNsand a simplifiedAttributedefinition, providing more context on why a specific data rule passed or failed in the audit log. - Integration into PDP: The v2 Policy Decision Point (
pdp.go) is updated to call the new v2 audit logging function after evaluating a decision. - Minor Refactoring and Test Updates: Includes minor code cleanup (e.g., logger parameter naming, removing redundant log fields) and updates to unit tests to align with the changes in the
DataRuleResultstructure.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Logs flow like a stream, Showing access, a coded dream. V2 now joins the flow, Details clear, watch them grow.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configureGemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request introduces audit logging for authorization v2 decisions, aiming to achieve parity with the existing v1 logging format. The changes involve updating the DataRuleResult structure, implementing a new CreateV2GetDecisionEvent function to build the v2 audit event, and integrating this new logging mechanism into the PolicyDecisionPoint's GetDecision method. The modifications to evaluate.go and pdp_test.go are consistent with these new data structures.
The new log structure appears to align well with the example provided in the PR description. A few points to consider for future improvement include potentially strengthening the type for ResourceDecisions in GetDecisionV2EventParams.
A significant concern is that the PR checklist indicates unit tests have not been added or updated. While existing tests in pdp_test.go were adapted for data structure changes, it is crucial to add specific tests that verify the content and structure of the new v2 audit logs themselves. This is essential to confirm that the "logging parity" goal is met and to prevent regressions.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
…ues on the attribute
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
🤖 I have created a release *beep* *boop* --- ## [0.7.0](service/v0.6.0...service/v0.7.0) (2025-06-24) ### ⚠ BREAKING CHANGES * **policy:** disable kas grants in favor of key mappings ([#2220](#2220)) ### Features * **authz:** Add caching to keycloak ERS ([#2466](#2466)) ([f5b0a06](f5b0a06)) * **authz:** auth svc registered resource GetDecision support ([#2392](#2392)) ([5405674](5405674)) * **authz:** authz v2 GetBulkDecision ([#2448](#2448)) ([0da3363](0da3363)) * **authz:** cache entitlement policy within authorization service ([#2457](#2457)) ([c16361c](c16361c)) * **authz:** ensure logging parity between authz v2 and v1 ([#2443](#2443)) ([ef68586](ef68586)) * **core:** add cache manager ([#2449](#2449)) ([2b062c5](2b062c5)) * **core:** consume RPC interceptor request context metadata in logging ([#2442](#2442)) ([2769c48](2769c48)) * **core:** DSPX-609 - add cli-client to keycloak provisioning ([#2396](#2396)) ([48e7489](48e7489)) * **core:** ERS cache setup, fix cache initialization ([#2458](#2458)) ([d0c6938](d0c6938)) * inject logger and cache manager to key managers ([#2461](#2461)) ([9292162](9292162)) * **kas:** expose provider config from key details. ([#2459](#2459)) ([0e7d39a](0e7d39a)) * **main:** Add Close() method to cache manager ([#2465](#2465)) ([32630d6](32630d6)) * **policy:** disable kas grants in favor of key mappings ([#2220](#2220)) ([30f8cf5](30f8cf5)) * **policy:** Restrict deletion of pc with used key. ([#2414](#2414)) ([3b40a46](3b40a46)) * **sdk:** allow Connect-Protocol-Version RPC header for cors ([#2437](#2437)) ([4bf241e](4bf241e)) ### Bug Fixes * **core:** remove generics on new platform cache manager and client ([#2456](#2456)) ([98c3c16](98c3c16)) * **core:** replace opentdf-public client with cli-client ([#2422](#2422)) ([fb18525](fb18525)) * **deps:** bump github.com/casbin/casbin/v2 from 2.106.0 to 2.107.0 in /service in the external group ([#2416](#2416)) ([43afd48](43afd48)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.4.0 to 0.5.0 in /service ([#2470](#2470)) ([3a73fc9](3a73fc9)) * **deps:** bump github.com/opentdf/platform/sdk from 0.4.7 to 0.5.0 in /service ([#2473](#2473)) ([ad37476](ad37476)) * **deps:** bump the external group across 1 directory with 2 updates ([#2450](#2450)) ([9d8d1f1](9d8d1f1)) * **deps:** bump the external group across 1 directory with 2 updates ([#2472](#2472)) ([d45b3c8](d45b3c8)) * only request a token when near expiration ([#2370](#2370)) ([556d95e](556d95e)) * **policy:** fix casing bug and get provider config on update. ([#2403](#2403)) ([a52b8f9](a52b8f9)) * **policy:** properly formatted pem in test fixtures ([#2409](#2409)) ([54ffd23](54ffd23)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Proposed Changes
Old audit log PERMIT JSON:
{ "time": "2025-06-06T08:01:11.898519-07:00", "level": "AUDIT", "msg": "decision", "namespace": "authorization", "audit": { "object": { "type": "entity_object", "id": "rewrap-token-rewrap-0", "name": "", "attributes": { "assertions": null, "attrs": ["https://example.com/attr/class/value/highest"], "permissions": null } }, "action": { "type": "read", "result": "success" }, "actor": { "id": "rewrap-token", "attributes": [ { "entityId": "jwtentity-0-clientid-opentdf", "entityCategory": "CATEGORY_ENVIRONMENT", "attributeValueReferences": [ "https://example.com/attr/class/value/highest" ] }, { "entityId": "jwtentity-1-clientid-opentdf", "entityCategory": "CATEGORY_SUBJECT", "attributeValueReferences": [ "https://example.com/attr/class/value/highest" ] } ] }, "eventMetaData": { "entities": [ { "id": "jwtentity-1-clientid-opentdf", "decision": "DECISION_PERMIT", "entitlements": [ "https://example.com/attr/class/value/highest" ] } ] }, "clientInfo": { "userAgent": "grpc-go/1.69.4", "platform": "authorization", "requestIP": "None" }, "original": null, "updated": null, "requestID": "45b48d41-20e5-4520-a4aa-cc0caa029098", "timestamp": "2025-06-06T08:01:11-07:00" } }New audit log PERMIT JSON:
{ "time": "2025-06-13T16:57:34.938039-07:00", "level": "AUDIT", "msg": "decision", "namespace": "authorization", "version": "v2", "entityID": "jwtentity-1-clientid-opentdf", "action": "read", "audit": { "object": { "type": "entity_object", "id": "jwtentity-1-clientid-opentdf-read", "name": "decisionRequest-read", "attributes": { "assertions": null, "attrs": null, "permissions": null } }, "action": { "type": "read", "result": "success" }, "actor": { "id": "jwtentity-1-clientid-opentdf", "attributes": [ { "entitlements": { "https://example.com/attr/class/value/highest": [ { "id": "ad5aa68c-e275-46b1-be94-3c4c98aa7eb2", "Value": null, "name": "read" } ] } } ] }, "eventMetaData": [ { "passed": true, "resource_id": "rewrap-0", "data_rule_results": [ { "passed": true, "resource_value_fqns": [ "https://example.com/attr/class/value/lowest" ], "attribute": { "id": "e105dc51-30fa-4b15-a6ec-ee42169133d5", "rule": 3, "fqn": "https://example.com/attr/class" }, "entitlement_failures": null } ] } ], "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.4)", "platform": "authorization.v2", "requestIP": "None" }, "original": null, "updated": null, "requestID": "e7c99a04-f7d1-4d20-b9dc-3747669008a4", "timestamp": "2025-06-13T16:57:34-07:00" } }Old audit log DENY JSON:
{ "time": "2025-06-06T07:33:18.171544-07:00", "level": "AUDIT", "msg": "decision", "namespace": "authorization", "audit": { "object": { "type": "entity_object", "id": "rewrap-token-rewrap-0", "name": "", "attributes": { "assertions": null, "attrs": [ "https://example.com/attr/class/value/highest", "https://example.com/attr/department/value/engineering" ], "permissions": null } }, "action": { "type": "read", "result": "failure" }, "actor": { "id": "rewrap-token", "attributes": [ { "entityId": "jwtentity-0-clientid-opentdf", "entityCategory": "CATEGORY_ENVIRONMENT", "attributeValueReferences": [ "https://example.com/attr/class/value/highest" ] }, { "entityId": "jwtentity-1-clientid-opentdf", "entityCategory": "CATEGORY_SUBJECT", "attributeValueReferences": [ "https://example.com/attr/class/value/highest" ] } ] }, "eventMetaData": { "entities": [ { "id": "jwtentity-1-clientid-opentdf", "decision": "DECISION_DENY", "entitlements": [ "https://example.com/attr/class/value/highest" ] } ] }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.2)", "platform": "authorization", "requestIP": "None" }, "original": null, "updated": null, "requestID": "65497d1e-1f2a-4e85-9c60-c68492ea0245", "timestamp": "2025-06-06T07:33:18-07:00" } }New audit log DENY JSON:
{ "time": "2025-06-13T17:00:41.113762-07:00", "level": "AUDIT", "msg": "decision", "namespace": "authorization", "version": "v2", "entityID": "jwtentity-1-clientid-opentdf", "action": "read", "audit": { "object": { "type": "entity_object", "id": "jwtentity-1-clientid-opentdf-read", "name": "decisionRequest-read", "attributes": { "assertions": null, "attrs": null, "permissions": null } }, "action": { "type": "read", "result": "failure" }, "actor": { "id": "jwtentity-1-clientid-opentdf", "attributes": [ { "entitlements": { "https://example.com/attr/class/value/highest": [ { "id": "ad5aa68c-e275-46b1-be94-3c4c98aa7eb2", "Value": null, "name": "read" } ] } } ] }, "eventMetaData": [ { "passed": false, "resource_id": "rewrap-0", "data_rule_results": [ { "passed": true, "resource_value_fqns": [ "https://example.com/attr/class/value/highest" ], "attribute": { "id": "e105dc51-30fa-4b15-a6ec-ee42169133d5", "rule": 3, "fqn": "https://example.com/attr/class" }, "entitlement_failures": null }, { "passed": false, "resource_value_fqns": ["https://example.com/attr/department/value/engineering"], "attribute": { "id": "38733cb4-0299-4d3a-a24b-981d3065f931", "rule": 2, "fqn": "https://example.com/attr/department" }, "entitlement_failures": [ { "attribute_value": "https://example.com/attr/department/value/engineering", "action": "read" } ] } ] } ], "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.4)", "platform": "authorization.v2", "requestIP": "None" }, "original": null, "updated": null, "requestID": "3e4d2964-582b-428f-a074-a3d49041cb22", "timestamp": "2025-06-13T17:00:41-07:00" } }Checklist
Testing Instructions