What would you like to be added:
We need a mechanism to write access policy information to dynamic metadata when the policy is evaluated. Since this isn't present in the RBAC filter itself, possible solutions are an extra filter, such as a Lua filter (assuming the evaluation information can be read from an additional filter), or, if necessary, patches to the RBAC filter itself.
The dynamic metadata should include the information to populate spans as described below, namely:
- rule name
- rule matching boolean (true, false)
- action taken (allow, deny)
- rule evaluation outcome (success, failure)
- policy name (not 100% on this one - this one may be accessible by the namespaced resource?)
Why this is needed:
As proposed in #33, we would like to enable observability tracing from agents through gateways to any tool calls. Specifically, when access policies are evaluated via the RBAC filter, we want to understand the policy name evaluated, the rules evaluated, and the outcomes and success of these evaluations, so that we can produce the values for the spans documented here: the security_rule.* and event.* span attributes.
If the dynamic metadata is written out, then we can explore @guicassolato's suggestion of leveraging https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager and custom_tags.tag.metadata to read the metadata, add attributes as needed, and send the spans to a collector.
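As an added sketch of the mechanism described above (example config, not from this issue, the project, or Envoy itself): the RBAC filter is assumed to run in shadow mode, where Envoy emits the documented dynamic metadata keys shadow_engine_result and shadow_effective_policy_id; a Lua filter copies them into a namespace of our own, and the HCM tracing custom_tags export them as span tags. The namespace "access_policy", the policy name, and the tag names are constructed placeholders for the intended security_rule.* attributes.

```yaml
# Added example, not from the issue or any Envoy project code.
# Assumes shadow-mode RBAC, which sets shadow_engine_result and
# shadow_effective_policy_id under the "envoy.filters.http.rbac"
# dynamic metadata namespace. "access_policy" is a constructed namespace.
http_filters:
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    shadow_rules:
      action: ALLOW
      policies:
        allow-tool-calls:                    # constructed policy name
          permissions:
          - url_path: { path: { prefix: "/tools/" } }
          principals:
          - any: true
- name: envoy.filters.http.lua
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
    default_source_code:
      inline_string: |
        function envoy_on_request(request_handle)
          -- Runs after the RBAC filter has evaluated the request. Note that
          -- an enforced DENY short-circuits the chain before Lua runs.
          local md = request_handle:streamInfo():dynamicMetadata()
          local rbac = md:get("envoy.filters.http.rbac") or {}
          local policy = rbac["shadow_effective_policy_id"] or ""
          local result = rbac["shadow_engine_result"] or "unknown"
          md:set("access_policy", "rule_name", policy)
          md:set("access_policy", "rule_matched", policy ~= "" and "true" or "false")
          md:set("access_policy", "action", result)  -- "allowed" / "denied"
        end
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
tracing:                     # provider config omitted; custom_tags is the point
  custom_tags:
  - tag: security_rule.name  # constructed tag names
    metadata:
      kind: { request: {} }
      metadata_key: { key: access_policy, path: [ { key: rule_name } ] }
      default_value: none
  - tag: security_rule.action
    metadata:
      kind: { request: {} }
      metadata_key: { key: access_policy, path: [ { key: action } ] }
```

Because an enforced deny stops the filter chain before a later Lua filter runs, emitting metadata for enforced outcomes is where the RBAC filter patch the issue mentions would be needed.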