opa icon indicating copy to clipboard operation
opa copied to clipboard

Published 20 hours ago verified publisher icon open-policy-agent

W3C tracing does not work as expected

Open Erates opened this issue 6 months ago • 4 comments

Short description

According to the documentation, OPA supports W3C tracing. Thus, we send the traceparent header to OPA when performing a REST request that evaluates policies. But we can not find a single place where this trace information is outputted. The documentation regarding decision logs mentions that the log should output the trace_id and span_id. But the trace info is not shown when outputting the decision logs to the console, configured using decision_logs.console=true.

OPA version used: 0.67.0

Steps To Reproduce

  1. Create a file policy/example.rego with the content
package example

import rego.v1

result := input.message
  1. Create a docker-compose.yml file with the content
services:
  opa:
    image: openpolicyagent/opa:0.67.0
    ports:
      - "8181:8181"
    volumes:
      - ./policy:/policy
    command:
      - "run"
      - "--server"
      - "--log-level=debug"
      - "--log-format=json"
      - "--set"
      - "decision_logs.console=true"
      - "/policy"
  1. Run the docker-compose
  2. Perform an http request to evaluate the policy
POST http://localhost:8181/v1/data/example/result
Content-Type: application/json
traceparent: 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01

{
  "input": {
    "message": "Hello world!"
  }
}
  1. Verify the output log message, it contains something like this
{
  "decision_id": "c82e0a5a-0f5b-46bd-9b34-2c58673e9a0d",
  "input": {
    "message": "Hello world!"
  },
  "labels": {
    "id": "003e7aaa-d132-4980-b767-9f8f213bd478",
    "version": "0.67.0"
  },
  "level": "info",
  "metrics": {
    "counter_server_query_cache_hit": 0,
    "timer_rego_input_parse_ns": 141927,
    "timer_rego_query_compile_ns": 105805,
    "timer_rego_query_eval_ns": 165426,
    "timer_rego_query_parse_ns": 49788,
    "timer_server_handler_ns": 625141
  },
  "msg": "Decision Log",
  "path": "example/result",
  "req_id": 1,
  "requested_by": "172.19.0.1:33880",
  "result": "Hello world!",
  "time": "2024-07-31T08:15:18Z",
  "timestamp": "2024-07-31T08:15:18.532524912Z",
  "type": "openpolicyagent.org/decision_logs"
}

Expected behavior

We expect that (at least) the decision log in console contains the trace_id and span_id as mentioned in the documentation.

It would also be good that every log statement performed in this current span contain the trace_id and span_id.

We do not have a central OpenTelemetry collector that is able to receive requests made using the Decision Log Service API. We do have log collectors running on every pod. So outputting the log in the console is a good option for us.

Erates avatar Jul 31 '24 08:07 Erates