Mask data in decision log, but not /v1/data response. #2752
Labels
Comments
|
This sounds like a bug. The result sent to the caller should not be mutated by the decision log mask--the decision logger will need to make a deep copy of the result before applying the mask (if the mask doesn't refer to the result, we can avoid the copy for performance.) |
tsandall
pushed a commit
that referenced
this issue
Oct 27, 2020
When mask rules targeted /result, it was modifying both the result in the decision logs (intended) and the result in the API response (unintended). Added a step to deep copy the result only once, if there is at least one mask rule targeting the result. Fixes #2752 Signed-off-by: Grant Shively <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
When input/result is masked, e.g.
mask["/result/something_sensitive"], it should be removed from the decision logs, but not from the/v1/dataAPI response (optionally?). Decision logs tend to be shipped centrally, and sensitive data should be removed from those, but the/v1/dataAPI response should still contain that data so that calling apps can use it as needed.Actual Behavior
When
maskis used, it impacts both the decision logs and the/v1/dataAPI response.Steps to Reproduce the Problem
OPA version: 0.24.0-dev
The text was updated successfully, but these errors were encountered: