From 00e7804f965a4ad51413b11b6400a7ed4770f296 Mon Sep 17 00:00:00 2001
From: ben-toogood
Date: Thu, 26 Mar 2020 16:30:31 +0000
Subject: [PATCH] Auth - Add debugging to loading rules (#1420)

* Fix auth multi-rule edgecase
* Add logging to auth rules

Co-authored-by: Ben Toogood
---
 auth/service/service.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/auth/service/service.go b/auth/service/service.go
index e6a4447b..7e9e77c9 100644
--- a/auth/service/service.go
+++ b/auth/service/service.go
@@ -125,11 +125,10 @@ func (s *svc) Revoke(role string, res *auth.Resource) error {
 // Verify an account has access to a resource
 func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
 queries := [][]string{
- {res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
- {res.Type, res.Name, res.Endpoint, "*"}, // check for wildcard role, e.g. service.foo.ListFoo:*
- {res.Type, res.Name, "*"}, // check for wildcard endpoint, e.g. service.foo*
- {res.Type, "*"}, // check for wildcard name, e.g. service.*
- {"*"}, // check for wildcard type, e.g. *
+ {res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
+ {res.Type, res.Name, "*"}, // check for wildcard endpoint, e.g. service.foo*
+ {res.Type, "*"}, // check for wildcard name, e.g. service.*
+ {"*"}, // check for wildcard type, e.g. *
 }

 // endpoint is a url which can have wildcard excludes, e.g.
@@ -242,6 +241,7 @@ func (s *svc) listRules(filters ...string) []*rulePb.Rule {

 // loadRules retrieves the rules from the auth service
 func (s *svc) loadRules() {
+ log.Infof("Loading rules from auth service\n")
 rsp, err := s.rule.List(context.TODO(), &rulePb.ListRequest{})
 s.Lock()
 defer s.Unlock()
@@ -251,6 +251,7 @@ func (s *svc) loadRules() {
 return
 }

+ log.Infof("Loaded %v rules from the auth service\n", len(rsp.Rules))
 s.rules = rsp.Rules
 }
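Review bot: Nothing in `Verify` now documents or tests how a wildcard-role rule such as `service.foo.ListFoo:*` is found once the four-part `{res.Type, res.Name, res.Endpoint, "*"}` query is gone from `queries`. The comment kept on the first entry still speaks of a specific role only; if the three-part query is meant to cover wildcard roles as well (that depends on how `listRules` matches its filters, which is outside this hunk), it should say so, e.g. `// exact endpoint, e.g. service.foo.ListFoo; the role, including "*", is matched in accessForRule`. Since this alters which rules feed an authorization decision while the subject line only mentions debugging, a regression test for a wildcard-role rule on a single endpoint would pin the intended outcome. `Verify` continues past the end of the hunk.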
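Review bot: The added `log.Infof("Loading rules from auth service\n")` in `loadRules` passes a constant string with a trailing `\n` to a formatting call; if the logger terminates entries itself, this emits a blank line after each message. The same trailing `\n` is in the `Loaded %v rules` line in the next hunk. The commit describes these as debugging output and how often `loadRules` runs is not visible here, so a debug level without the newline may fit better: `log.Debugf("Loading rules from auth service")`. The body of `loadRules` extends beyond this hunk.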
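Review bot: A reload that returns zero rules is reported by the new `Loaded %v rules` line exactly like a normal one, immediately before `s.rules` is overwritten. Because that slice is what access checks are evaluated against, an unexpectedly empty result deserves a more prominent entry so it stands out in logs, for example `if len(rsp.Rules) == 0 { log.Warnf("auth service returned no rules") }`, assuming the logger in use exposes a warning level. Whether an empty list is ever legitimate in this deployment cannot be told from the hunk, so treat the level as a suggestion.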