From 56d27072b5362d655bdc7f190b1c02e9d17d44c4 Mon Sep 17 00:00:00 2001
From: Ashutosh Narkar
Date: Wed, 24 Jan 2024 11:35:54 -0800
Subject: [PATCH] docs: Update log masking policy examples to be Rego v1 compatible

Signed-off-by: Ashutosh Narkar
---
 docs/content/management-decision-logs.md | 27 +++++++++++++-----------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/docs/content/management-decision-logs.md b/docs/content/management-decision-logs.md
index f1eff7f2db..0f200b88d0 100644
--- a/docs/content/management-decision-logs.md
+++ b/docs/content/management-decision-logs.md
@@ -148,14 +148,16 @@ resources, supply the following policy to OPA:
 ```ruby
 package system.log

-mask["/input/password"] {
- # OPA provides the entire decision log event as input to the masking policy.
- # Refer to the original input document under input.input.
- input.input.resource == "user"
+import rego.v1
+
+mask contains "/input/password" if {
+ # OPA provides the entire decision log event as input to the masking policy.
+ # Refer to the original input document under input.input.
+ input.input.resource == "user"
 }

 # To mask certain fields unconditionally, omit the rule body.
-mask["/input/ssn"]
+mask contains "/input/ssn"
 ```

 When the masking policy generates one or more JSON Pointers, they will be erased
@@ -211,10 +213,11 @@ operations
 ```ruby
 package system.log

-mask[{"op": "upsert", "path": "/input/password", "value": x}] {
- # conditionally upsert password if it existed in the original event
- input.input.password
- x := "**REDACTED**"
+import rego.v1
+
+mask contains {"op": "upsert", "path": "/input/password", "value": "**REDACTED**"} if {
+ # conditionally upsert password if it existed in the original event
+ input.input.password
 }
 ```

@@ -224,10 +227,10 @@ the following rule format can be used.
 ```ruby
 package system.log

+import rego.v1
+
 # always upsert, no conditions in rule body
-mask[{"op": "upsert", "path": "/input/password", "value": x}] {
- x := "**REDACTED**"
-}
+mask contains {"op": "upsert", "path": "/input/password", "value": "**REDACTED**"}
 ```

 The result of this mask operation on the decision log event produces