opa icon indicating copy to clipboard operation
opa copied to clipboard

Published 20 hours ago verified publisher icon open-policy-agent

Decision_logs console logging

Open ShevtsovBohdan opened this issue 3 years ago • 4 comments

Short description

When the decision_logs: console config option set to false, looks like OPA tries to send requests with decision_logs to an external service

Examples:

  • OPA configuration:
services:
  -name: ${authorization-service.name}
    url: "${authorization-service.host}:${authorization-service.port}"

discovery:
  name: discovery
  resource: "${authorization-service.resource}/${opa.service}"
  service: ${authorization-service.name}
  polling:
      min_delay_seconds: ${opa.discovery.polling.min.delay.seconds}
      max_delay_seconds: ${opa.discovery.polling.max.delay.seconds}

  • Discovery config 1: { "discovery": { "bundles": { "tenant": { "service": "as", "resource": "", "polling": { "min_delay_seconds": 20, "max_delay_seconds": 40 } } }, "decision_logs": { "console": true } } }

  • Discovery config 2: { "discovery": { "bundles": { "tenant": { "service": "as", "resource": "", "polling": { "min_delay_seconds": 20, "max_delay_seconds": 40 } } }, "decision_logs": { "console": false } } }

Note that the only change between config #1 and config #2 is decision_logs: console option value.

  • OPA version: latest

Steps To Reproduce

  1. Use the discovery config 1
  2. Verify that decision_logs is enabled
  3. Use the discovery config 2
  4. Verify that decision_logs is not disabled. OPA is trying to send lot of requests to service endpoint which is not configured

Expected behavior

On step 4 the decision_logs should be disabled.

ShevtsovBohdan avatar Sep 13 '22 10:09 ShevtsovBohdan

When you specify the decision_logs plugin in the configuration and console logging is disabled, OPA will use the first service in the service config to upload the logs. This is described in the docs here. If you don't want decision logging omit the plugin from the config.

ashutosh-narkar avatar Sep 13 '22 18:09 ashutosh-narkar

@ashutosh-narkar But discovery config, that is returned from the service is immutable, the omitting of the plugin does not change anything once OPA received the first response with the decision_logs attribute. The only way to make it work is to restart OPA. Sounds like a strange behavior

ShevtsovBohdan avatar Sep 15 '22 12:09 ShevtsovBohdan

@ShevtsovBohdan some of this behavior is for backwards compatibility. So if your turn off the console logger OPA will choose the first service to send the logs. Is there a reason to turn the console logger on and off ?

ashutosh-narkar avatar Sep 15 '22 16:09 ashutosh-narkar

It was a request from the DevOps engineers.

ShevtsovBohdan avatar Sep 16 '22 17:09 ShevtsovBohdan

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

stale[bot] avatar Oct 17 '22 05:10 stale[bot]

Closing this as there do not seem to be any changes required in OPA.

ashutosh-narkar avatar Mar 08 '23 01:03 ashutosh-narkar