
Indicate if request was blocked by TrafficPermission in AccessLogs

Open slonka opened this issue 2 years ago • 11 comments

Description

It would be useful to have the policy id in logs/response headers/something else(?) to be able to quickly identify which policy caused "RBAC: access denied".

This can be achieved using dynamic_metadata - shadow_effective_policy_id, which can be retrieved and forwarded to a log/header by a Lua filter.

slonka avatar Oct 12 '22 15:10 slonka

Is there a way to log this for all policies, i.e. not just limit this to RBAC and TrafficPermissions?

doctorwu avatar Oct 12 '22 15:10 doctorwu

Unfortunately there is not :( I think only RBAC has this hint.

slonka avatar Oct 12 '22 15:10 slonka

Bummer.

doctorwu avatar Oct 12 '22 15:10 doctorwu

There is some info in the "Affected DPPs" tab in GUI:

image

so you can roughly match up policies to proxies

slonka avatar Oct 17 '22 08:10 slonka

Triage: The first step would be to mark in logs that the request was rejected because of traffic permission. The second step would be to say which traffic permission rejected the request. This one might be hard to implement because of new policy merging.

jakubdyszkiewicz avatar Oct 17 '22 14:10 jakubdyszkiewicz
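
Added example (not part of the thread and not Kuma code): a log-triage sketch for the two steps above, using the RBAC dynamic metadata mentioned in the issue description. It assumes Envoy's HTTP RBAC filter (metadata namespace `envoy.filters.http.rbac`; the network filter uses `envoy.filters.network.rbac`), a JSON access log with the hypothetical field names `code`, `result` and `policy`, and `shadow_rules` that mirror the enforced rules, since these metadata keys are only emitted for shadow rules.

```python
import json
from collections import Counter

# Assumed Envoy json_format access-log fields (the field names are made up):
#   code:   %RESPONSE_CODE%
#   result: %DYNAMIC_METADATA(envoy.filters.http.rbac:shadow_engine_result)%
#   policy: %DYNAMIC_METADATA(envoy.filters.http.rbac:shadow_effective_policy_id)%
SAMPLE_LOG = """\
{"path": "/orders", "code": 403, "result": "denied", "policy": "deny-batch-jobs"}
{"path": "/orders", "code": 200, "result": "allowed", "policy": "allow-frontend"}
{"path": "/admin", "code": 403, "result": "denied", "policy": null}
{"path": "/orders/7", "code": 403, "result": "allowed", "policy": "allow-frontend"}
{"path": "/health", "code": 403, "result": null, "policy": null}
not-json garbage line
"""  # constructed sample lines, not real traffic

def _value(entry, key):
    # Unset metadata is null in JSON logs and "-" in text-format logs.
    v = entry.get(key)
    return None if v in (None, "", "-") else v

def classify(entry):
    """Return (verdict, policy) for one parsed access-log entry."""
    if str(entry.get("code")) != "403":
        return "not_denied", None
    result, policy = _value(entry, "result"), _value(entry, "policy")
    if result == "denied":
        # An id on a denial means a DENY-action policy matched; no id means
        # the rules are ALLOW-action and no policy matched the request.
        return "rbac_denied", policy or "<no policy matched>"
    if result == "allowed":
        return "403_not_from_rbac", None  # e.g. the application returned 403
    return "unknown", None  # RBAC metadata missing from this entry

def summarize(log_text):
    """Count verdicts and denying policies; skip lines that are not JSON objects."""
    verdicts, by_policy, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            entry = None
        if not isinstance(entry, dict):
            skipped += 1
            continue
        verdict, policy = classify(entry)
        verdicts[verdict] += 1
        if verdict == "rbac_denied":
            by_policy[policy] += 1
    return verdicts, by_policy, skipped
```

The `<no policy matched>` bucket is the case that makes the second triage step hard: with ALLOW-action rules a denial has no policy id to report, because nothing matched.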

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

github-actions[bot] avatar Jan 16 '23 08:01 github-actions[bot]

Hi, is there a way to get this in latest version of kuma?

debianmaster avatar Jun 03 '24 19:06 debianmaster

> Hi, is there a way to get this in latest version of kuma?

This is not yet implemented, these are just ideas on how to implement this.

slonka avatar Jun 13 '24 09:06 slonka
