Enable OPA decision logs in end-to-end-security demo (#86)

sbernauer · web-flow · commit 429587cda1ad · 2024-08-07T07:20:57.000Z
* Enable OPA decision logs in end-to-end-security demo

* Add TODO
diff --git a/docs/modules/demos/pages/end-to-end-security.adoc b/docs/modules/demos/pages/end-to-end-security.adoc
@@ -13,7 +13,7 @@ This demo will:
 ** *Spark*: A multi-language engine for executing data engineering, data science, and machine learning. This demo uses it to create a (rather simple) report and write the results back into the persistence.
 ** *HDFS*: A distributed file system that is designed to scale up from single servers to thousands of machines, each offering local computation and storage.
 ** *Hive metastore*: A service that stores metadata related to Apache Hive and other services. This demo uses it as metadata storage for Trino and Spark.
-** *Open policy agent (OPA)*: An open-source, general-purpose policy engine unifies policy enforcement across the stack. This demo uses it as the authorizer for Trino, which decides which user can query which data.
+** *Open policy agent (OPA)*: An open-source, general-purpose policy engine unifies policy enforcement across the stack. This demo uses it as the authorizer for Trino and HDFS, which decides which user can query which data.
 ** *Superset*: A modern data exploration and visualization platform. This demo utilizes Superset to retrieve data from Trino via SQL queries and build dashboards on top of that data.
 * Configure security to showcase the following features
 ** Column- and row-level filtering
@@ -125,3 +125,8 @@ Access control at the row level has been implemented on the employee table, wher
 about themselves, as well as people who report to them.
 
 image::e2e-sophia-employee.png[]
+
+=== Decision logging (aka audit log)
+
+The OPA server logs every single request it receives along with the decision it took to STDOUT.
+This gives you an audit log across the whole Data Platform.
diff --git a/stacks/end-to-end-security/opa.yaml b/stacks/end-to-end-security/opa.yaml
@@ -21,6 +21,13 @@ spec:
           adminRealm: demo
           userRealm: demo
   servers:
+    config:
+      logging:
+        containers:
+          opa:
+            loggers:
+              decision:
+                level: INFO
     roleGroups:
       default:
         replicas: 1
diff --git a/stacks/end-to-end-security/trino-policies.yaml b/stacks/end-to-end-security/trino-policies.yaml
@@ -172,6 +172,8 @@ data:
       "procedures": [],
     }
 
+    # TODO: Once 24.11 is out, switch to https://github.com/stackabletech/opa-operator/pull/580 instead of doing the
+    # http call itself
     extra_groups := groups if {
       request := {
         "method": "POST",

Original file line number	Diff line number	Diff line change
`@@ -172,6 +172,8 @@ data:`
`172`	`172`	`"procedures": [],`
`173`	`173`	`}`
`174`	`174`
	`175`	`+ # TODO: Once 24.11 is out, switch to https://github.com/stackabletech/opa-operator/pull/580 instead of doing the`
	`176`	`+ # http call itself`
`175`	`177`	`extra_groups := groups if {`
`176`	`178`	`request := {`
`177`	`179`	`"method": "POST",`