decision log should include values from non-deterministic built-in functions like time.now_ns #1514
Comments
Built-in Functions with non-deterministic outputs
Based on a cursory look through the built-ins list, these are the functions I found that have obvious non-deterministic behavior. The rest should be deterministic. |
|
FWIW the RNG source should come from the BuiltinContext. We've had to bend |
|
Interesting. I guess it makes sense for consistency, but do users really want reproducible token signing? Would that not entail having their private keys logged with each decision? 🤔 |
|
Hah, good point. I guess it would make sense to not worry about the But thinking about this again, we also can't ever control |
|
Agreed, persisting the output of those rather than the input seems like a better approach 👍 |
|
I'm considering a simple K/V cache for implementing aspects of this. Do we want a max size restriction on the cache? I'd assume that if someone enables recording non-deterministic builtin results that memory consumption isn't exactly a great concern, since you wouldn't turn it on unless you wanted to get a potentially large pile of results. 🤔 |
|
Also, because this feature will potentially result in massive additional memory consumption (and equally massive decision logs in some cases!), I am planning to gate this feature of decision logging behind a config file option, like |
|
Would it be that much, though? One time ns integer if time us used, one string for each encode_sign call... I suppose it would go into the decision logs entry, so we don't need to hold onto it anywhere else. 🤔 IIRC decision logs are flushed when their buffer is full, and that would then occur more often...? |
|
Hmm http.send is different, though. Those response payloads can be very large. |
Right, I'm thinking of the cases where a user hits several unique webpages.
This would definitely increase how often those buffers flush, to such a degree that I think it's worth feature-gating behind a config option, with the default being to leave it turned off. 😰 |
|
My current plan (I'm copying this over from the design doc) is to only cache the first result from a non-deterministic builtin. That at least bounds how much memory we're burning to cache stuff. The main builtins that might be affected by this behavior are probably I think this is a reasonable, scope-limiting behavior decision because if a single webpage gives back different results each time it's queried with |
I don't think we'd notice 🙃 We shouldn't do two requests for p {
obj := {"method": "GET", "url": "https://example.com"}
http.send(obj)
http.send(obj)
}so intra-query caching should make us not send two requests here (even if it was different rules etc; same input to Same for |
|
Well, that's perfect then! Since we already have caching in place for these things, it's mostly going to be an exercise in plumbing work to get those cached values up to where they need to go for decision logging. |
This commit includes evaluator support for an opt-in, non-deterministic builtins caching system, designed to help with future replay of decision logs. The cache allows early-exit in the evaluator if the builtin is non-deterministic, and has already cached a result. Since the cache can be pre-populated by `rego` module users, this should make offline policy testing and future work around decision replay more straightforward. Fixes: open-policy-agent#1514 Signed-off-by: Philip Conrad <[email protected]>
This commit includes evaluator support for an opt-in, non-deterministic builtins caching system, designed to help with future replay of decision logs. The cache allows early-exit in the evaluator if the builtin is non-deterministic, and has already cached a result. Since the cache can be pre-populated by `rego` module users, this should make offline policy testing and future work around decision replay more straightforward. Fixes: #1514 Signed-off-by: Philip Conrad <[email protected]>
|
Is this fixed already? I thought the merged PR was the first step.... |
|
Ah, nuts. I accidentally left in the |
|
We'll put this zombie issue back to rest when decision logging integrates the non-deterministic builtin cache work from #4926. 🧟 |
This commit integrates the ND builtins caching system into decision
logging, both in the server and sdk packages. Some reworking of the
NDBCache's serialization format were required to accommodate this.
The feature is disabled by default, and must be opted into by user
configuration.
The feature can be enabled via a top-level config key:
nd_builtin_cache=true
The NDBCache is exposed to the masking system under the
`/nd_builtin_cache` path, which allows masking or dropping sensitive
values from decision logs selectively.
Note: If a decision log event exceeds the `upload_size_limit_bytes`
value for the OPA instance, OPA will reattempt uploading it, after
dropping the NDBCache from the event. This behavior will trigger a log
error, and will increment the `decision_logs_nd_builtin_cache_dropped`
metrics counter.
Fixes: open-policy-agent#1514
Signed-off-by: Philip Conrad <[email protected]>
This commit integrates the non-deterministic builtins caching system
into decision logging, both in the server and sdk packages. Some
reworking of the NDBCache's serialization format were required to
accommodate this. The feature is disabled by default, and must be
opted into by user configuration.
The feature can be enabled via a top-level config key:
nd_builtin_cache=true
The NDBCache is exposed to the masking system under the
`/nd_builtin_cache` path, which allows masking or dropping sensitive
values from decision logs selectively.
Note: If a decision log event exceeds the `upload_size_limit_bytes`
value for the OPA instance, OPA will reattempt uploading it, after
dropping the NDBCache from the event. This behavior will trigger a log
error, and will increment the `decision_logs_nd_builtin_cache_dropped`
metrics counter.
Fixes: #1514
Signed-off-by: Philip Conrad <[email protected]>
…olicy-agent#5147) This commit integrates the non-deterministic builtins caching system into decision logging, both in the server and sdk packages. Some reworking of the NDBCache's serialization format were required to accommodate this. The feature is disabled by default, and must be opted into by user configuration. The feature can be enabled via a top-level config key: nd_builtin_cache=true The NDBCache is exposed to the masking system under the `/nd_builtin_cache` path, which allows masking or dropping sensitive values from decision logs selectively. Note: If a decision log event exceeds the `upload_size_limit_bytes` value for the OPA instance, OPA will reattempt uploading it, after dropping the NDBCache from the event. This behavior will trigger a log error, and will increment the `decision_logs_nd_builtin_cache_dropped` metrics counter. Fixes: open-policy-agent#1514 Signed-off-by: Philip Conrad <[email protected]> Signed-off-by: Byron Lagrone <[email protected]>
Decision log events should include all of the information necessary to re-execute policy evaluation. Today if policies depend on time.now_ns() or other (custom) non-deterministic built-in functions, it is not easy to accurately re-execute policy evaluation. We should extend the decision log event structure to include additional values supplied to or computed during policy evaluation that are not contained in the input, policy, or contextual data (e.g., time.now_ns() result, opa.runtime() result, http.send() result, etc.)
The text was updated successfully, but these errors were encountered: