Log auth verify requests (#1422)
* More auth debugging * More auth debugging Co-authored-by: Ben Toogood <ben@micro.mu>
This commit is contained in:
parent
62f9a054a4
commit
c905df3be6
@ -124,6 +124,8 @@ func (s *svc) Revoke(role string, res *auth.Resource) error {
|
||||
|
||||
// Verify an account has access to a resource
|
||||
func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
|
||||
log.Infof("%v requesting access to %v:%v:%v", acc.ID, res.Type, res.Name, res.Endpoint)
|
||||
|
||||
queries := [][]string{
|
||||
{res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
|
||||
{res.Type, res.Name, "*"}, // check for wildcard endpoint, e.g. service.foo*
|
||||
@ -146,14 +148,17 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
|
||||
case rulePb.Access_UNKNOWN:
|
||||
continue // rule did not specify access, check the next rule
|
||||
case rulePb.Access_GRANTED:
|
||||
log.Infof("%v granted access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
|
||||
return nil // rule grants the account access to the resource
|
||||
case rulePb.Access_DENIED:
|
||||
return auth.ErrForbidden // reule denies access to the resource
|
||||
log.Infof("%v denied access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
|
||||
return auth.ErrForbidden // rule denies access to the resource
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// no rules were found for the resource, default to denying access
|
||||
log.Infof("%v denied access to %v:%v:%v by lack of rule", acc.ID, res.Type, res.Name, res.Endpoint)
|
||||
return auth.ErrForbidden
|
||||
}
|
||||
|
||||
@ -241,7 +246,7 @@ func (s *svc) listRules(filters ...string) []*rulePb.Rule {
|
||||
|
||||
// loadRules retrieves the rules from the auth service
|
||||
func (s *svc) loadRules() {
|
||||
log.Infof("Loading rules from auth service\n")
|
||||
log.Infof("Loading rules from auth service")
|
||||
rsp, err := s.rule.List(context.TODO(), &rulePb.ListRequest{})
|
||||
s.Lock()
|
||||
defer s.Unlock()
|
||||
@ -251,7 +256,7 @@ func (s *svc) loadRules() {
|
||||
return
|
||||
}
|
||||
|
||||
log.Infof("Loaded %v rules from the auth service\n", len(rsp.Rules))
|
||||
log.Infof("Loaded %v rules from the auth service", len(rsp.Rules))
|
||||
s.rules = rsp.Rules
|
||||
}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user