Log decisions when context is already cancelled

[ashutosh-narkar]

Currently the opa-envoy plugins logs decisions in all conditions (ie. presence/absence of errors). For example, when the context is cancelled or deadline is reached before query execution, the plugin passes the same context to the decision logger routine in order to log the decision. The decision log plugin then tries to evaluate the log masking policy and passes it the same context. The rego.eval method eventually gets called and it contains a custom query cancellation mechanism which leads to a race between the context cancellation and query evaluation completion. As a result in some cases the decision event does not get logged. This scenario can be reproduced by running this test multiple times.

Something that needs to be explored here is whether a decision event should even be logged when the context is cancelled or deadline is reached before query execution. One could argue that users may expect to see a corresponding decision log event.

[srenatus]

Something that needs to be explored here is whether a decision event should even be logged when the context is cancelled or deadline is reached before query execution. One could argue that users may expect to see a corresponding decision log event.

💯 I'd think so, too. Decisions should be logged regardless of the context being cancelled, they might unveil issues that would otherwise go unnoticed...?

[stale]

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.