Description
Describe the improvement you'd like to request
The cedar-local-agent crate supports the logging of authorization requests. A developer using the crate can configure which properties of the request should be logged using FieldSetBuilder, as in this example:
let log_config = log::ConfigBuilder::default()
.field_set(
log::FieldSetBuilder::default()
.principal(true)
.action(true)
.resource(true)
.context(true)
.entities(log::FieldLevel::All)
.build()
.expect("building log field set"),
)
.build()
.expect("building log config");But even when .context(true) is set on the field set builder, as in the example above, the context object is logged opaquely, like this:
request with principal Example::Principal::"foo", action Example::Action::"bar", resource Example::Resource::"baz", and context <first-class record with 4 fields>
Our particular application of Cedar makes extensive use of the context, and as it stands, it's difficult to do any kind of useful analysis of the logs we get from cedar-local-agent. When I raised this with the Cedar team, @GurvirDehal pointed out that cedar-local-agent simply relies on the impl std::fmt::Display for Request provided by the core Cedar SDK. This implementation does not serialize the context's contents.
Since it's already possible to deserialize a Context from JSON via from_json_str and from_json_value, one option might be to implement the corresponding serialization steps for easy logging.
Describe alternatives you've considered
No response
Additional context
No response
Is this something that you'd be interested in working on?
- 👋 I may be able to implement this internal improvement
-
⚠️ This feature might incur a breaking change
Activity