Open Policy Agent
Masking custom headers in logs #370
-
|
Hi all, I'm wondering if there is a way to mask or upsert values from custom headers, the documentation "only" points to input, result and nd_builtin_cache. Our use case is that we need to utilize custom heardes for authorization towards a tunnel. We would therefore like to not have the secret and username stored in the logs if possible. I think the question was brought up a couple of years ago in open-policy-agent/opa#3950. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
So I take it your headers make it to OPA's REST API, There's no masking for logs in OPA. The general guidance would be to not use debug logging in production settings. Masking only applies to decision logs, and they typically don't include any request headers. (They are also what you should rely on for auditability, not the debug request logs, I would thin.) |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the answer. |
Beta Was this translation helpful? Give feedback.
So I take it your headers make it to OPA's REST API,
/v1/data, after having passed your tunnel, and are then logged with debug log level?There's no masking for logs in OPA. The general guidance would be to not use debug logging in production settings. Masking only applies to decision logs, and they typically don't include any request headers. (They are also what you should rely on for auditability, not the debug request logs, I would thin.)