Can we add additional fields to decision log from the policy rego

[joelmathew003]

I am using the Istio and OPA sidecar model for traffic authorization. I also have a decision log drop rego file, in which I want to drop the log in the case it was made by a particular allow rule. Wondering if I can inject an additional field in the decision log indicating this or is there some other way this can be done?

I can execute the same logic in the drop log rego file again to check if this was allowed by that particular rule, but this feels too heavy.

[srenatus]

opa-envoy-plugin converts the eval result into a "check response" for envoy in your scenario. It will discard anything that doesn't fit into the format, so that gives you enough leeway to do what you want.

In a sketch:

1. use the output document format
2. add some field that doesn't map to the envoy check response, like

result["_meta"] := true if is_special_rule

3. use that result field in your drop policy.

Does that help? Let me know if you get stuck in the process!

[joelmathew003]

So I tried adding the following snippet to my policy rego

result["rule_action"] := ruleAction

and I checked the decision log on the console and it looks like this

{
  "bundles": { "authz": {} },
  "decision_id": "e1bec642-f11e-4e4e-bb34-7ff5036a408b",
  "input": {
    "attributes": {
      "destination": {
        "address": {
          "socketAddress": { "address": "10.42.3.59", "portValue": 5432 }
        },
        "principal": "spiffe://cluster.local/ns/yelb/sa/default",
        "service": "outbound_.5432_._.yelb-db.yelb.svc.cluster.local"
      },
      "source": {
        "address": {
          "socketAddress": { "address": "10.42.2.212", "portValue": 47462 }
        },
        "principal": "spiffe://cluster.local/ns/yelb/sa/default"
      }
    },
    "parsed_body": null,
    "parsed_path": [""],
    "parsed_query": {},
    "truncated_body": false,
    "version": { "encoding": "protojson", "ext_authz": "v3" }
  },
  "labels": {
    "id": "59dc04e1-3369-4411-8151-bd3407045592",
    "version": "0.53.1-envoy-2"
  },
  "level": "info",
  "metrics": {
    "counter_rego_builtin_http_send_interquery_cache_hits": 1,
    "timer_rego_builtin_http_send_ns": 73945,
    "timer_rego_external_resolve_ns": 1315,
    "timer_rego_query_eval_ns": 1919319,
    "timer_server_handler_ns": 2700954
  },
  "msg": "Decision Log",
  "path": "istio/authz/allow",
  "result": true,
  "time": "2024-03-19T06:28:47Z",
  "timestamp": "2024-03-19T06:28:47.353273438Z",
  "type": "openpolicyagent.org/decision_logs"
}

I don't see the result field mutated. Do I have to set some configuration to change this decision log output format?

[srenatus]

Do I have to set some configuration to change this decision log output format?

Yes.

  "result": true,

this indicates that you're not using the document response variant (above, (1.)).

You'll need to adapt your policy to be like

package envoy.authz # just an example, whatever you have is fine as long as it matches the config

result["allowed"] = allow # your previous rule
result["rule_action"] := ruleAction

and adjust your config to query, in this example, envoy/authz/result, not envoy/authz/allow.

[joelmathew003]

This works. Thanks a lot!