gRPC-C++: Logging policy based Authorization failures


Rameshreddy Mudhireddy

Jan 15, 2025, 6:07:26 PM
to grpc.io
Hi Dev team,

Is there a way to log policy-based authorization failures using the grpc-c++ libs?
The typical flow includes:

// Load the policy file and re-read it every 10 seconds.
std::shared_ptr<grpc::experimental::AuthorizationPolicyProviderInterface> provider = grpc::experimental::FileWatcherAuthorizationPolicyProvider::Create(policyFile, 10, &status);
builder.experimental().SetAuthorizationPolicyProvider(provider);

This will load the policy file and authorize the incoming RPC requests. Are there any hooks available to interact with the policy engine to log the denied RPC requests?

Appreciate your feedback, thank you.

Mark D. Roth

Jan 27, 2025, 3:02:44 PM
to grpc.io
There is an experimental audit logging API you can use for this.  See gRFC A59 for details.  The actual exposed C++ API for you to use is here.
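Added example, not part of the thread and not the gRPC project's own file: a policy file of the kind loaded by `FileWatcherAuthorizationPolicyProvider` with the gRFC A59 `audit_logging_options` block set to log denied RPCs through the built-in `stdout_logger`. The policy name, rule names, paths and principal are constructed placeholders.

```json
{
  "name": "constructed-example-policy",
  "deny_rules": [
    {
      "name": "constructed_deny_admin",
      "request": { "paths": ["/example.Admin/*"] }
    }
  ],
  "allow_rules": [
    {
      "name": "constructed_allow_known_client",
      "source": { "principals": ["spiffe://example.test/client"] },
      "request": { "paths": ["/example.Echo/*"] }
    }
  ],
  "audit_logging_options": {
    "audit_condition": "ON_DENY",
    "audit_loggers": [
      { "name": "stdout_logger", "config": {}, "is_optional": false }
    ]
  }
}
```

`audit_condition` also accepts `NONE`, `ON_ALLOW` and `ON_DENY_AND_ALLOW`. Each audit record carries the RPC method, principal, policy name, matched rule and the authorization decision.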

Rameshreddy Mudhireddy

Jan 31, 2025, 11:27:52 AM
to grpc.io
Thank you, Mark, for the information. This is very useful, but unfortunately it doesn't give all the details that are needed for my use case. I am specifically looking for details like the client IP where the RPC originated from, the user who issued the RPC, the client certificate to read the commonName, etc.

On mTLS (other cases work), the audit logging API is hitting a GPR_ASSERT. Any idea what could be missing?
 [audit_logging.cc:57]                  ASSERTION FAILED: registry->logger_factories_map_.emplace(name, std::move(factory)).second

Once again thank you for all your input, I really appreciate it.

Rameshreddy Mudhireddy

Jan 31, 2025, 5:56:00 PM
to grpc.io
Please ignore the GPR_ASSERT issue; that was my bad in setting up RegisterAuditLoggerFactory. That works.

Luwei Ge

Feb 4, 2025, 3:25:44 PM
to grpc.io
Hi Rameshreddy,

Looks like you want to log things that are not currently available in the audit context we have defined. Would you mind opening an issue on GitHub for such a feature request?

Best,
Luwei

Rameshreddy Mudhireddy

Feb 9, 2025, 3:27:00 PM
to grpc.io
Thanks Luwei, opened feature request https://github.com/grpc/grpc/issues/38708

Rameshreddy Mudhireddy

Jul 10, 2025, 12:17:46 PM
to grpc.io
Hi Mark,

Can you please provide your input on the following audit logging API query?

Best Regards,
Ramesh
