You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently the opa-envoy plugins logs decisions in all conditions (ie. presence/absence of errors). For example, when the context is cancelled or deadline is reached before query execution, the plugin passes the same context to the decision logger routine in order to log the decision. The decision log plugin then tries to evaluate the log masking policy and passes it the same context. The rego.eval method eventually gets called and it contains a custom query cancellation mechanism which leads to a race between the context cancellation and query evaluation completion. As a result in some cases the decision event does not get logged. This scenario can be reproduced by running this test multiple times.
Something that needs to be explored here is whether a decision event should even be logged when the context is cancelled or deadline is reached before query execution. One could argue that users may expect to see a corresponding decision log event.
The text was updated successfully, but these errors were encountered:
Something that needs to be explored here is whether a decision event should even be logged when the context is cancelled or deadline is reached before query execution. One could argue that users may expect to see a corresponding decision log event.
💯 I'd think so, too. Decisions should be logged regardless of the context being cancelled, they might unveil issues that would otherwise go unnoticed...?
Currently the opa-envoy plugins logs decisions in all conditions (ie. presence/absence of errors). For example, when the context is cancelled or deadline is reached before query execution, the plugin passes the same context to the decision logger routine in order to log the decision. The decision log plugin then tries to evaluate the log masking policy and passes it the same context. The
rego.eval
method eventually gets called and it contains a custom query cancellation mechanism which leads to a race between the context cancellation and query evaluation completion. As a result in some cases the decision event does not get logged. This scenario can be reproduced by running this test multiple times.Something that needs to be explored here is whether a decision event should even be logged when the context is cancelled or deadline is reached before query execution. One could argue that users may expect to see a corresponding decision log event.
The text was updated successfully, but these errors were encountered: