Configuring policy query debug logging in the Policy Editor
You can configure the granularity of policy query audit log entries when developing and testing policy queries in external policy decision point (PDP) mode.
Policy queries enable you to pose open-ended authorization questions to the JSON PDP API with the /query endpoint. For example, instead of being limited to questions like "Can John Smith edit account1?" you can ask "Which accounts can John Smith edit?" or "Which actions can John Smith perform on account1?"
When testing query requests, you can enrich the level of detail in the policy query audit log for enhanced debugging capabilities.
By default, the policy query audit log file is located at PingAuthorize-PAP/logs/query-audit.log.
In debug mode, a policy query audit log entry includes the following fields:
- requestId: A unique identifier for the query request.
- permutationId: A unique identifier for the query permutation. A query permutation is a combination of query attributes used for a decision in the final query response. Use this identifier and the requestId for increased visibility of query request information across your logging system. For example, a logged call to an external information point would include identifiers for the request and permutation that invoked that service.
- permutation: A query permutation as an array of JSON objects containing each query attribute and its value.
- response: The complete, high-verbosity response for a query permutation’s associated decision, including expanded errors and other helpful information. By default, this field includes details about the resolution and policy dependencies of each attribute involved in the permutation’s corresponding decision, along with details about any external service used in that decision.
You can increase the response field’s level of detail by controlling the query permutation view. Learn more in Configuring the query permutation view.
Enabling debug logging
Steps
- Stop the Policy Editor.
  $ bin/stop-server
- In the PingAuthorize-PAP/config/configuration.yml file, change the policy query audit log level to DEBUG:
  logging:
    level: "INFO"
    loggers:
      QUERY_AUDIT_LOG:
        level: "DEBUG"
- Save your changes and restart the Policy Editor.
  $ bin/start-server
You can now view resolution and policy dependency information for each possible combination of the attributes included in the query request, as well as each combination’s corresponding decision response.
Configuring the query permutation view
In addition to enabling query permutations in the policy query audit log, you can specify additional levels of detail to include in each permutation’s response field. The policy query audit log provides the following additional views:
- request: Includes the decision request object for each query permutation.
- decisionTree: Includes details of the policy tree’s evaluation flow.
- attributes: Includes details of attributes used during policy evaluation, including the attribute’s value and type. Specifying this view overrides any logged attributes configuration.
- services: Includes details of services invoked during policy evaluation.
Steps
- Stop the Policy Editor.
  $ bin/stop-server
- In the PingAuthorize-PAP/config/configuration.yml file, add a new top-level auditLogging section, and specify additional query permutation views with the queryDebugLogView configuration property:
  auditLogging:
    queryDebugLogView: attributes, services, decisionTree
- Save your changes and restart the Policy Editor.
  $ bin/start-server
Configuring logged attributes
With the loggedAttributes configuration property, you can exercise control over which attributes get logged as part of the decision response. This includes details about the attribute’s value and type.
Steps
- Stop the Policy Editor.
  $ bin/stop-server
- In the PingAuthorize-PAP/config/configuration.yml file, add a new top-level loggedAttributes configuration property, and provide a list of full names of the attributes you want logged:
  loggedAttributes:
    - name: <attribute1>
    - name: <attribute2>
  The name key is case-sensitive.
- Save your changes and restart the Policy Editor.
  $ bin/start-server
Attributes specified using this configuration property are only logged if they get evaluated as part of the decision request. Enabling the
You can also configure policy query logging for decisions executed in embedded PDP mode. Learn more in Policy query logging.
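As an added example (not part of the PingAuthorize documentation or product), the following Python script reads debug-mode query-audit.log lines in the shape described by the field list (requestId, permutationId, permutation, response) and the query permutation views (attributes, services), correlates permutations by requestId and permutationId, answers an open-ended question from the logged decisions, flags external service calls that did not succeed, and checks a loggedAttributes list against what was actually logged (the attribute is only logged if it was evaluated, and the name is case-sensitive). The sample lines are constructed; the inner keys (name/value inside permutation; decision, errors, services, attributes inside response; status on a service) are assumptions about the log's JSON layout, not documented field names.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape the docs describe (requestId,
# permutationId, permutation, response); not real query-audit.log output.
# The keys inside permutation ("name"/"value") and inside response
# ("decision", "errors", "services", "attributes") are assumptions.
SAMPLE_LOG = r'''{"requestId": "req-1", "permutationId": "perm-1", "permutation": [{"name": "HttpRequest.AccessToken.username", "value": "jsmith"}, {"name": "Account.id", "value": "account1"}, {"name": "action", "value": "edit"}], "response": {"decision": "PERMIT", "attributes": [{"name": "Account.owner", "value": "jsmith", "type": "String"}], "services": [{"name": "AccountService", "status": "OK"}]}}
{"requestId": "req-1", "permutationId": "perm-2", "permutation": [{"name": "HttpRequest.AccessToken.username", "value": "jsmith"}, {"name": "Account.id", "value": "account2"}, {"name": "action", "value": "edit"}], "response": {"decision": "DENY", "attributes": [{"name": "Account.owner", "value": "bjones", "type": "String"}], "services": [{"name": "AccountService", "status": "OK"}]}}
{"requestId": "req-1", "permutationId": "perm-3", "permutation": [{"name": "HttpRequest.AccessToken.username", "value": "jsmith"}, {"name": "Account.id", "value": "account3"}, {"name": "action", "value": "edit"}], "response": {"decision": "INDETERMINATE", "errors": ["Account.owner could not be resolved"], "services": [{"name": "AccountService", "status": "ERROR"}]}}
2024-01-01 12:00:00 INFO  QUERY_AUDIT_LOG - non-JSON line that the summary must skip
'''

REQUIRED = ("requestId", "permutationId", "permutation", "response")


def parse_entries(text):
    """Return (entries, skipped): JSON objects carrying all REQUIRED fields,
    plus the count of lines that were not parseable debug-mode entries."""
    entries, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(obj, dict) or any(k not in obj for k in REQUIRED):
            skipped += 1
            continue
        entries.append(obj)
    return entries, skipped


def permutation_attrs(entry):
    """Flatten the permutation array into {attribute name: value}."""
    return {a["name"]: a["value"] for a in entry["permutation"]}


def decisions_by_request(entries):
    """{requestId: {permutationId: decision}}, the two identifiers the docs
    recommend for correlating a query across your logging system."""
    out = defaultdict(dict)
    for e in entries:
        out[e["requestId"]][e["permutationId"]] = e["response"].get("decision")
    return dict(out)


def permitted_values(entries, request_id, attribute):
    """Answer an open-ended question from the log: the values of `attribute`
    whose permutation produced a PERMIT decision for `request_id`."""
    values = set()
    for e in entries:
        if e["requestId"] != request_id:
            continue
        if e["response"].get("decision") == "PERMIT":
            attrs = permutation_attrs(e)
            if attribute in attrs:
                values.add(attrs[attribute])
    return sorted(values)


def failed_services(entries):
    """(requestId, permutationId, service) for every external service call
    the services view reports with a status other than OK."""
    failures = []
    for e in entries:
        for svc in e["response"].get("services", []):
            if svc.get("status") != "OK":
                failures.append((e["requestId"], e["permutationId"], svc.get("name")))
    return failures


def attribute_coverage(entries, configured_names):
    """For each loggedAttributes name, say whether it appeared in any
    attributes view; flag names that differ only by case, since the docs
    state the name key is case-sensitive and an attribute is logged only
    when it was evaluated."""
    seen = {a["name"] for e in entries for a in e["response"].get("attributes", [])}
    by_lower = {s.lower(): s for s in seen}
    report = {}
    for name in configured_names:
        if name in seen:
            report[name] = "logged"
        elif name.lower() in by_lower:
            report[name] = f"case mismatch: log has {by_lower[name.lower()]}"
        else:
            report[name] = "never evaluated or misspelled"
    return report


if __name__ == "__main__":
    entries, skipped = parse_entries(SAMPLE_LOG)
    print(f"{len(entries)} permutation entries, {skipped} lines skipped")
    print("decisions:", decisions_by_request(entries))
    print("jsmith can edit:", permitted_values(entries, "req-1", "Account.id"))
    print("service failures:", failed_services(entries))
    print("coverage:", attribute_coverage(entries, ["Account.owner", "account.Owner", "Account.balance"]))
```

To run it against a real file, replace SAMPLE_LOG with the contents of PingAuthorize-PAP/logs/query-audit.log after enabling DEBUG and the attributes and services views; the required-field check keeps INFO-level or non-JSON lines out of the summary rather than failing on them.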