
Introduction

Decision logs are records of the authorization decisions Topaz makes. Decisions are made by the Topaz "is" API. Each decision generates one log entry, and each log entry has details about the decision, including the context in which it was made.

Configuration

Topaz decision logs are implemented as an OPA plugin and are configured in the Topaz configuration file by adding the plugin to the OPA runtime's configuration. For example, the following adds decision logging to the default configuration generated by the Topaz CLI:


opa:
  instance_id: "-"
  graceful_shutdown_period_seconds: 2
  local_bundles:
    paths: []
    skip_verification: true
  config:
    services:
      ghcr:
        url: https://ghcr.io/
        type: "oci"
        response_header_timeout_seconds: 5
    bundles:
      todo:
        service: ghcr
        resource: "ghcr.io/aserto-policies/policy-todo:latest"
        persist: false
        config:
          polling:
            min_delay_seconds: 60
            max_delay_seconds: 120
    # Add the decision logging plugin to the OPA runtime
    plugins:
      aserto_decision_log:
        enabled: true

# Configure the file logger the plugin will log to
decision_logger:
  type: "file"
  config:
    log_file_path: /tmp/topaz/decisions.log
    max_file_size_mb: 20
    max_file_count: 3
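
A pre-deployment check for the decision-log settings above, as an added example that is not part of the Topaz documentation or code base. The finding names, the list of shared temp directories, and the reading of max_file_size_mb and max_file_count as a rotation limit are assumptions of this sketch.

```ruby
require 'yaml'

# Constructed sample: the decision-log parts of the configuration shown above.
SAMPLE_CONFIG = <<~CONFIG
  opa:
    config:
      plugins:
        aserto_decision_log:
          enabled: true
  decision_logger:
    type: "file"
    config:
      log_file_path: /tmp/topaz/decisions.log
      max_file_size_mb: 20
      max_file_count: 3
CONFIG

SHARED_TMP_DIRS = %w[/tmp/ /var/tmp/].freeze # assumption: world-writable on the host
# Upper bound in MB on retained decision logs, or nil if either limit is unset.
# Assumes rotation keeps at most max_file_count files of max_file_size_mb each.
def retention_cap_mb(cfg)
  c = cfg.dig('decision_logger', 'config') || {}
  size, count = c.values_at('max_file_size_mb', 'max_file_count')
  return nil unless size.is_a?(Integer) && count.is_a?(Integer) && size.positive? && count.positive?
  size * count
end

# Returns { finding_code => message } for a parsed Topaz configuration (Hash).
def audit_decision_logging(cfg)
  findings = {}
  enabled = cfg.dig('opa', 'config', 'plugins', 'aserto_decision_log', 'enabled') == true
  logger = cfg['decision_logger']
  findings[:plugin_disabled] = 'aserto_decision_log is not enabled under opa.config.plugins' unless enabled
  if logger.nil?
    findings[:logger_missing] = 'no decision_logger section for the plugin to log to'
    return findings
  end
  return findings unless logger['type'] == 'file'
  path = logger.dig('config', 'log_file_path').to_s
  findings[:shared_tmp_path] = "#{path} is under a shared temp directory" if SHARED_TMP_DIRS.any? { |d| path.start_with?(d) }
  findings[:unbounded_retention] = 'max_file_size_mb and max_file_count are not both set' if retention_cap_mb(cfg).nil?
  findings
end

if __FILE__ == $PROGRAM_NAME
  cfg = YAML.safe_load(SAMPLE_CONFIG)
  audit_decision_logging(cfg).each { |code, msg| puts "#{code}: #{msg}" }
  puts "retention cap: #{retention_cap_mb(cfg)} MB"
end
```

Decision log entries carry the context of each authorization decision, so the check flags a log path under a shared temp directory; a directory writable only by the Topaz service account avoids the finding.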