Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mask rule #2433

Merged
merged 2 commits into from
Jun 11, 2020
Merged

Mask rule #2433

merged 2 commits into from
Jun 11, 2020

Conversation

dkiser
Copy link
Contributor

@dkiser dkiser commented May 22, 2020

Fixes #2379

This is an initial attempt at enhancing decision log masks by providing a new structured format for mask rules that allow either erasing or modifying input objects. Backwards compatibility is maintained with the original mask rule format.

@dkiser
Copy link
Contributor Author

dkiser commented May 22, 2020

This implementation does indeed require the path to exist in the upsert opcode. However, if we want to be able to upsert a non-existing field in the input, we can modify this to support that easily.

patrick-east
patrick-east reviewed May 26, 2020
View reviewed changes
Copy link
Contributor

@patrick-east patrick-east left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a really nice improvement!

docs/content/management.md Outdated Show resolved Hide resolved
docs/content/management.md Show resolved Hide resolved
plugins/logs/mask.go Show resolved Hide resolved
plugins/logs/mask.go Outdated Show resolved Hide resolved
plugins/logs/mask.go Outdated Show resolved Hide resolved
plugins/logs/mask.go Outdated Show resolved Hide resolved
plugins/logs/mask_test.go Outdated Show resolved Hide resolved
plugins/logs/mask_test.go Outdated Show resolved Hide resolved
plugins/logs/plugin_test.go Outdated Show resolved Hide resolved
ashutosh-narkar
ashutosh-narkar reviewed May 27, 2020
View reviewed changes
plugins/logs/mask.go Outdated Show resolved Hide resolved
plugins/logs/mask.go Outdated Show resolved Hide resolved
plugins/logs/mask.go Outdated Show resolved Hide resolved
plugins/logs/mask.go Outdated Show resolved Hide resolved
tsandall
tsandall reviewed May 28, 2020
View reviewed changes
docs/content/management.md Outdated Show resolved Hide resolved
plugins/logs/mask.go Outdated Show resolved Hide resolved
@tsandall
Copy link
Member

tsandall commented Jun 1, 2020

@dkiser thanks for adding the upsert support! I tried it out this morning and it works nicely. We should adjust some of the error handling though IMO.

  1. The decision logger should validate as much of the mask instructions as possible in one shot and generate an error if any validation issues are found. Let's make the op validation happen inside newMaskRule. This way if the op is missing or incorrect and OPA cannot tell what to do with it, it will be caught.

  2. The decision logger should treat undefined paths consistently for remove and upsert operations. Currently if the upsert specifies an undefined path, e.g., a reference into an array, the decision logger reports an error. I think we should suppress these.

Re: (2), I could imagine some users wanting OPA to fail if the path is undefined. I think we can add support for this later if necesarry, either via config or by extending the instructions.

@tsandall
Copy link
Member

tsandall commented Jun 8, 2020

@dkiser let us know if you can work on those remaining comments around error handling in the next week or so. If not, we can take on those changes so that this lands in the next release.

@dkiser
Copy link
Contributor Author

dkiser commented Jun 8, 2020

@tsandall I'll find some time over the next couple of days and see about addressing those last two comments. Thanks!

@dkiser
Copy link
Contributor Author

dkiser commented Jun 9, 2020

@dkiser thanks for adding the upsert support! I tried it out this morning and it works nicely. We should adjust some of the error handling though IMO.

  1. The decision logger should validate as much of the mask instructions as possible in one shot and generate an error if any validation issues are found. Let's make the op validation happen inside newMaskRule. This way if the op is missing or incorrect and OPA cannot tell what to do with it, it will be caught.
  2. The decision logger should treat undefined paths consistently for remove and upsert operations. Currently if the upsert specifies an undefined path, e.g., a reference into an array, the decision logger reports an error. I think we should suppress these.

Re: (2), I could imagine some users wanting OPA to fail if the path is undefined. I think we can add support for this later if necesarry, either via config or by extending the instructions.

@tsandall Re: (2), Do we mean that an upsert to an undefined path for an undefined object type to fail silently? I think we want to keep the ability to upsert to an undefined path for a defined upsert object type, which right now it just a map[string]interface{}?

Do you have an existing unit test case to point to that behavior should be changed on?

@tsandall
Copy link
Member

tsandall commented Jun 9, 2020

@dkiser you're right. The term undefined is not accurate here. I'm referring to this line: https://github.com/open-policy-agent/opa/pull/2433/files#diff-dee023b2dcf1c8c236bac28d4d4fd7b8R189.

In the upsert implementation, if the path refers to a non-object intermediate value, it will result in an error being logged. OTOH, in the remove implementation, if the path refers to a non-object intermediate value, it's treated as undefined and ignored. The behaviour should be consistent. I suggest we remove that error and simply treat the upsert as undefined in this case.

@dkiser
Copy link
Contributor Author

dkiser commented Jun 9, 2020

@tsandall Can you take a gander at the last commit. I agree with the configurable option for undefined object path handling (silent or some kind of decision log error) and added low level error handling for this in the mask rule that can be used in a later PR at the plugin.go level (left a TODO comment in there).

Let me know if this new commit addresses your concerns. Thanks!

@tsandall
Copy link
Member

@dkiser this looks good! Can you please squash your commits and format the message according to these guidelines. Once that's done we can merge this.

@dkiser
logs: Add feature to mutate decision log data in addition to default …
1963f7a 
…erase masking feature.

This feature adds the ability to mutate decision logs in addition to the default behavior
of erasing object paths.  A new upsert command was added to a structured way to define
mask rules in a backwards compatible manner.

Fixes: open-policy-agent#2379
Signed-off-by: Domingo Kiser <domingo.kiser@gmail.com>
@dkiser
Copy link
Contributor Author

dkiser commented Jun 10, 2020

@tsandall Done. Thanks for all the help thus far.

tsandall
tsandall approved these changes Jun 11, 2020
View reviewed changes
Copy link
Member

@tsandall tsandall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tsandall tsandall merged commit 9553290 into open-policy-agent:master Jun 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ashutosh-narkar ashutosh-narkar ashutosh-narkar left review comments

@patrick-east patrick-east patrick-east left review comments

@tsandall tsandall tsandall approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

allow custom masking of fields
4 participants
@dkiser @tsandall @ashutosh-narkar @patrick-east