[Audit Logging] Authz policy support for audit logging #32944
Conversation
This LGTM
This looks good overall! Comments are mostly minor.
Looks great! Feel free to merge after addressing the remaining comments.
Rbac::Rbac(Rbac::Action action, std::map<std::string, Policy> policies, | ||
absl::string_view name) | ||
: action(action), policies(std::move(policies)), name(name) {} | ||
Rbac::Rbac(absl::string_view name, Rbac::Action action, |
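Review bot: moving `name` from the last parameter to the first changes the constructor signature for every caller; because `action` and `name` have different types the compiler will flag stale call sites, but the header declaration and any comment documenting the parameter order should be updated in the same change. Since the member is a `std::string` (the old initializer `name(name)` copies it), taking `name` as `std::string` instead of `absl::string_view` and initializing with `name(std::move(name))` would let callers holding a temporary move it in rather than pay a copy.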
Might as well take the name parameter as `std::string` instead of `absl::string_view`, since we're making a copy anyway. That way, if a caller happens to have a temp string that they don't need to keep, they can pass it in with `std::move()` and avoid the copy.
Done. Thanks for the tip!
@@ -394,7 +392,8 @@ ParseAuditLogger(const Json& json, size_t pos) { | |||
absl::StrFormat("\"audit_loggers[%d].name\" is not a string.", pos)); | |||
} | |||
absl::string_view name = it->second.string(); | |||
Json config = Json::Object(); | |||
// The config defaults to an empty object. | |||
Json config = Json::FromObject(Json::Object()); |
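Review bot: `Json::FromObject(Json::Object())` spells the empty object out twice; `Json::FromObject({})` is enough, since the parameter type fixes what `{}` means. Separately, `absl::string_view name = it->second.string();` is a view into the parsed `json` argument and is only valid while that object is alive, so copy it into a `std::string` before the name is stored anywhere that outlives `ParseAuditLogger`.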
Can just say `Json::FromObject({})`. The compiler is smart enough to know the type of the `{}`.
Changed.
Add audit condition and audit logger config into `grpc_core::Rbac`. Support translation of audit logging options from authz policy to it. Audit logging options in authz policy look like:

```json
{
  "audit_logging_options": {
    "audit_condition": "ON_DENY",
    "audit_loggers": [
      {
        "name": "logger",
        "config": {},
        "is_optional": false
      }
    ]
  }
}
```

which is consistent with what's in the xDS RBAC proto but a little flattened.

---------

Co-authored-by: rockspore <rockspore@users.noreply.github.com>
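As an added example (not gRPC's own code), the Python below validates an `audit_logging_options` block with the shape described in the PR and applies the audit condition to an authorization outcome. It assumes the four condition names of the xDS RBAC proto's `AuditCondition` enum, the `config`-defaults-to-empty-object behaviour of the patched parser, and a constructed policy fragment; the error-message style mirrors the `ParseAuditLogger` hunk.

```python
# Added example (not gRPC's code): validate the audit_logging_options block of
# an authz policy, shaped as in the PR description, and apply the condition.
import json

# Audit conditions as named in the xDS RBAC proto's AuditLoggingOptions.
AUDIT_CONDITIONS = {"NONE", "ON_DENY", "ON_ALLOW", "ON_DENY_AND_ALLOW"}


def parse_audit_logging_options(options):
    """Return (condition, loggers); raise ValueError naming the bad field."""
    condition = options.get("audit_condition", "NONE")
    if condition not in AUDIT_CONDITIONS:
        raise ValueError(f'"audit_condition" {condition!r} is not a known value.')
    raw_loggers = options.get("audit_loggers", [])
    if not isinstance(raw_loggers, list):
        raise ValueError('"audit_loggers" is not an array.')
    loggers = []
    for pos, entry in enumerate(raw_loggers):
        if not isinstance(entry, dict):
            raise ValueError(f'"audit_loggers[{pos}]" is not an object.')
        name = entry.get("name")
        if not isinstance(name, str) or not name:
            raise ValueError(f'"audit_loggers[{pos}].name" is not a string.')
        # As in the patched C++ parser, a missing config defaults to {}.
        config = entry.get("config", {})
        if not isinstance(config, dict):
            raise ValueError(f'"audit_loggers[{pos}].config" is not an object.')
        is_optional = entry.get("is_optional", False)
        if not isinstance(is_optional, bool):
            raise ValueError(f'"audit_loggers[{pos}].is_optional" is not a bool.')
        loggers.append({"name": name, "config": config, "is_optional": is_optional})
    return condition, loggers


def should_audit(condition, allowed):
    """Decide whether an ALLOW (True) or DENY (False) outcome gets audited."""
    if condition == "ON_DENY_AND_ALLOW":
        return True
    if condition == "ON_DENY":
        return not allowed
    if condition == "ON_ALLOW":
        return allowed
    return False  # NONE


# Constructed policy fragment mirroring the PR description's example.
POLICY = json.loads('{"audit_logging_options": {"audit_condition": "ON_DENY",'
                    ' "audit_loggers": [{"name": "logger", "config": {},'
                    ' "is_optional": false}]}}')
```

With `POLICY`, `parse_audit_logging_options` returns `("ON_DENY", [...])` and `should_audit` reports that only denied requests are audited.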