The availability guarantees necessary for basic authorization are far more strict than auditing. Auth fails closed, audit fails open.
Anything that can be stripped out of auth should be, even if we're talking about a best effort extra rpc from the auth service.
Auditing typically needs more information than auth as well, and making the auth pipe wide is a risk.
The availability guarantees necessary for basic authorization are far more strict than auditing. Auth fails closed, audit fails open.
Anything that can be stripped out of auth should be, even if we're talking about a best effort extra rpc from the auth service.
Auditing typically needs more information than auth as well, and making the auth pipe wide is a risk.