Proposal: Add LOG action to RBAC filter

[davidraskin]

@liminw @yangminzhu

Description:

I’m proposing to add a new ‘LOG’ action to the RBAC filter API to choose whether to log requests based on permission and principal information. Based on the decision, a key-value pair can be set by the RBAC filter and later read by other filters to determine whether they should log a request. This makes it very flexible for access loggers and custom telemetry backends to act based on the decision. The implementation is very simple because it uses the same matching logic as the current RBAC filter.

Example:

  rules:
    action: LOG
    policies:
      log-policy:
        permissions:
          - header: { name: ":method", exact_match: "GET" }
        principals:
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/admin"

• Log any GET requests made with the service account "cluster.local/ns/default/sa/admin".

[liminw]

@mattklein123

[mattklein123]

Sorry can you explain more what this is going to do exactly? Is it going to set dynamic metadata? Is it going to set a flag in stream info that we can filter on? Etc.

[liminw]

Matt, the proposal is to simply add a "log" action in addition to the existing "allow"/"deny" actions in RBAC filter. Based on the matching result, the filter is going to generate a boolean and set it to dynamic metadata. The boolean result tells the subsequent logging filter to "log" a request or "skip" a request. This allows us to conditionally logging requests based on user configuration.

[mattklein123]

In general that sounds fine to me, but can we fully specify how the dynamic metadata is going to be specified?

[davidraskin]

It will be set in stream info filter state. We want to communicate with both WASM filters and general stream filters, so we are considering our options there.

[kyessenov]

cc @mandarjog @gargnupur
There is a temporal aspect that RBAC doesn't capture. You might want to log some cases only once every 30m to control the volume of the logs. We have a sample Wasm filter that accomplishes something similar.

[gargnupur]

@davidraskin and I discussed about this and I initially suggested to use same key that our AccessLog Filter uses https://github.com/istio/proxy/blob/master/extensions/common/context.h#L41:22 to mark that we should log the filter or not. His concern was that RBAC filter is a generic envoy filter and thus having "istio" in the name might not be generic enough to mark that access log should be filtered.

How about introducing a generic filter state key "envoy.Log" and mark it's value as something "Log/NotLog"? We can change the above access log filter to use the same

[mattklein123]

Yeah the key has to be generic, and also well documented. Otherwise this sounds fine to me.

[kyessenov]

How about creating a filter state envoy.log_decision with a string value (more flexible than just a boolean)? Then both filters can emit if needed. We probably need a list of well-known filter states and their values in the docs since it's not present at the moment.

[gargnupur]

How about value as an enum? Agreed, need a place for documenting well-known filter states..

[davidraskin]

Any value we choose would need to be wrapped in a WasmState to communicate with wasm plugins. Could we use that for communicating with host envoy filters as well, or should we use two filter states? Or is there a way that other filter states can be read in Wasm plugins?

[kyessenov]

@davidraskin Reconciling Wasm state vs filter state is part of the upstreaming discussion. Wasm needs to be able to serialize the filter state (and there's an optional protobuf serializer). It's in-efficient, but it would work to read native filter state in Wasm land.