PingAuthorize

Policy query logging

Policy query information is written to the following logs:

policy-query.log

Similar to the Policy Decision Logger, this file-based log publisher records query responses in embedded PDP mode.

debug-trace.log

Records detailed information about the processing of HTTP requests and responses in embedded PDP mode.

To include query requests and responses in debug-trace.log:

  1. In the administrative console, go to Logging, Monitoring, and Notifications and click Log Publishers.

  2. Click Debug Trace Logger.

  3. In the Log Messages to Include section, on the Debug Message Type row, select policy-query-request-and-response and click the arrow button.

    Screen capture of the Debug Message Type option under Log Messages to Include for the Debug Trace Logger, with the policy-query-request-and-response message type highlighted.

query-audit.log

Records query responses in external PDP mode.

Enabling debug logging in embedded PDP mode

Enable debug logging to provide detailed information when query requests produce errors or unexpected results. In addition to logging the full query request and response, debug logging records details about the resolution and policy dependencies of each attribute included in the query request. This level of detail can be necessary to troubleshoot the individual decision requests that make up a single query request.

Debug logging could log sensitive and personally identifiable information (PII). Enable debug logging only during troubleshooting and disable it afterward.

In debug mode, a policy query audit log entry includes the following fields:

  • requestId: A unique identifier for the query request

  • permutationId: A unique identifier for the query permutation

    A query permutation is a combination of query attributes used for a decision in the final query response. Use this identifier and the requestId for increased visibility of query request information across your logging system. For example, a logged call to an external information point would include identifiers for the request and permutation that invoked that service.

  • permutation: A query permutation as an array of JSON objects containing each query attribute and its value

  • response: The complete, high-verbosity response for a query permutation’s associated decision, including expanded errors and other helpful information

    By default, this field includes details about the resolution and policy dependencies of each attribute involved in the permutation’s corresponding decision, along with details about any external service used in that decision.

    You can increase the response field’s level of detail by controlling the query permutation view. Learn more in Configuring the query permutation view.

The following is an example of a query request body and its associated policy query audit log message. The response field is shortened for the sake of brevity.

{
    "query": [
        {
            "attribute": "User"
        },
        {
            "attribute": "Action",
            "values": ["view"]
        },
        {
            "attribute": "Resource",
            "values": ["account"]
        }
    ]
}
[2024-08-26 16:28:19,173] {"requestId": "20f9adb8-f07a-4dbe-a7e0-6734ab7e12f7", "permutationId": "7cffcc00-eab9-4992-be24-15c554e9fc70", "permutation": [{"attribute":"User","value":"{\"id\":1}"},{"attribute":"Action","value":"view"},{"attribute":"Resource","value":"account"}], "response":{"id":"7cffcc00-eab9-4992-be2f-15c554e9fc70","...":"..."}}
{"requestId": "20f9adb8-f07a-4dbe-a7e0-6734ab7e12f7", "permutationId": "3769e5e4-4d35-4385-b15f-299bd0b34d9a", "permutation": [{"attribute":"User","value":"{\"id\":2}"},{"attribute":"Action","value":"view"},{"attribute":"Resource","value":"account"}], "response":{"id":"e9118333-eb00-48bc-b25e-2ab9a8deecc3","...":"..."}}
{"requestId": "20f9adb8-f07a-4dbe-a7e0-6734ab7e12f7", "permutationId": "2784e5e4-4d35-4385-b15f-299bd0b12d9a", "permutation": [{"attribute":"User","value":"{\"id\":3}"},{"attribute":"Action","value":"view"},{"attribute":"Resource","value":"account"}], "response":{"id":"e9118333-eb00-48bc-b25e-2ab9a8deecc3","...":"..."}}

In this example, each possible combination of the query attributes is represented as a distinct permutation with its own identifier and decision response details. These permutations are correlated by a common requestId.
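As an added illustration (not part of PingAuthorize or this page), the following Python parses debug-mode policy-query.log lines of the shape shown above, correlates permutations through their shared requestId, flags permutations whose expanded response carries errors, and masks the User attribute before entries are shared, which matters given the PII caution earlier in this section. It assumes one timestamped line per permutation; the "decision" and "errors" keys inside response are made-up names for the example, not documented fields.

```python
import json
import re
# Constructed sample lines in the debug-mode policy-query.log format shown above: a timestamp
# prefix, then one JSON object per permutation. The "decision" and "errors" keys inside
# "response" are assumed names for this example, not documented PingAuthorize fields.
SAMPLE_LOG = r'''[2024-08-26 16:28:19,173] {"requestId": "req-1", "permutationId": "perm-a", "permutation": [{"attribute":"User","value":"{\"id\":1}"},{"attribute":"Action","value":"view"},{"attribute":"Resource","value":"account"}], "response": {"id": "d-1", "decision": "PERMIT"}}
[2024-08-26 16:28:19,180] {"requestId": "req-1", "permutationId": "perm-b", "permutation": [{"attribute":"User","value":"{\"id\":2}"},{"attribute":"Action","value":"view"},{"attribute":"Resource","value":"account"}], "response": {"id": "d-2", "decision": "DENY", "errors": ["attribute resolution failed"]}}
[2024-08-26 16:28:20,001] {"requestId": "req-2", "permutationId": "perm-c", "permutation": [{"attribute":"User","value":"{\"id\":3}"},{"attribute":"Action","value":"delete"},{"attribute":"Resource","value":"account"}], "response": {"id": "d-3", "decision": "PERMIT"}}
'''

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<json>\{.*\})$")

def parse_log(text):
    """Return (timestamp, entry) tuples; lines that do not match the entry shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("ts"), json.loads(m.group("json"))))
    return entries

def group_by_request(entries):
    """Correlate the permutations of one query request through their shared requestId."""
    grouped = {}
    for _, entry in entries:
        grouped.setdefault(entry["requestId"], []).append(entry)
    return grouped

def permutation_summary(entry):
    """Flatten a permutation into an {attribute: value} map for readable triage output."""
    return {item["attribute"]: item["value"] for item in entry["permutation"]}

def errored_permutations(entries):
    """(requestId, permutationId) pairs whose expanded response carries errors."""
    return [(e["requestId"], e["permutationId"]) for _, e in entries if e["response"].get("errors")]

def redact(entry, sensitive=("User",)):
    """Deep-copy an entry with PII-bearing attribute values masked before it is shared."""
    copy = json.loads(json.dumps(entry))
    for item in copy["permutation"]:
        if item["attribute"] in sensitive:
            item["value"] = "[REDACTED]"
    return copy

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for request_id, perms in group_by_request(parsed).items():
        print(request_id, [permutation_summary(redact(p)) for p in perms])
    print("errors:", errored_permutations(parsed))
```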

You can enable debug logging for the policy query audit log in the administrative console or with dsconfig.

By default, the policy query audit log is located at PingAuthorize/logs/policy-query.log.

Enabling policy query debug logging in the administrative console

Steps

  1. Go to Logging, Monitoring, and Notifications and click Log Publishers.

  2. Click Policy Query Logger.

  3. Select the Include Query Permutations checkbox.

    Screen capture of the Policy Query Logger configuration page with the Enable Query Permutations check box selected.

  4. Click Save to PingAuthorize Server Cluster.

Enabling policy query debug logging with dsconfig

Steps

  1. Enable the file-based Policy Query Logger.

    dsconfig set-log-publisher-prop \
      --publisher-name "Policy Query Logger" \
      --set enabled:true

  2. Use the dsconfig set-log-publisher-prop command with the following arguments:

    dsconfig set-log-publisher-prop \
      --publisher-name "Policy Query Logger" \
      --set include-query-permutations:true

Configuring the query permutation view

In addition to enabling query permutations in the Policy Query Logger, you can specify additional levels of detail to include in each permutation’s response field. The Policy Query Logger provides the following additional views:

  • request: Includes the decision request object

  • decision-tree: Includes details of the policy tree’s evaluation flow

  • attributes: Includes details of attributes used during policy evaluation, including the attribute’s value and type

    Specifying this view overrides any attribute logging configured for embedded mode.

  • services: Includes details of services invoked during policy evaluation

Specifying additional views will impact performance. Use these views for troubleshooting purposes and disable them afterward.

You can configure the query permutation view in the administrative console or with dsconfig.

Configuring the query permutation view in the administrative console

Before you begin

Create a Policy Query Logger with debug logging enabled.

Steps

  1. Go to Authorization and Policies and click Policy Decision Service.

  2. In the Policy Query Configuration section, change the Selected views included for Query Logger Permutation View and click the arrow button.

    Screen capture of the Policy Query Configuration section with the request permutation logger view highlighted.

  3. Click Save to PingAuthorize Server Cluster.

Configuring the query permutation view with dsconfig

Before you begin

Create a Policy Query Logger with debug logging enabled.

Steps

  • Use the dsconfig set-policy-decision-service-prop command with the --add query-logger-permutation-view argument to add query permutation views:

    dsconfig set-policy-decision-service-prop \
      --add query-logger-permutation-view:attributes \
      --add query-logger-permutation-view:services

  • Use the dsconfig set-policy-decision-service-prop command with the --remove query-logger-permutation-view argument to remove query permutation views:

    dsconfig set-policy-decision-service-prop \
      --remove query-logger-permutation-view:attributes

You can also configure policy query debug logging for policy development and testing in the Policy Editor. Learn more in Configuring policy query debug logging in the Policy Editor.