Log auth verify requests (#1422)

* More auth debugging * More auth debugging Co-authored-by: Ben Toogood <ben@micro.mu>
2020-03-26 17:35:28 +00:00
parent 62f9a054a4
commit c905df3be6
1 changed files with 8 additions and 3 deletions
--- a/auth/service/service.go
+++ b/auth/service/service.go
@@ -124,6 +124,8 @@ func (s *svc) Revoke(role string, res *auth.Resource) error {

 // Verify an account has access to a resource
 func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
+	log.Infof("%v requesting access to %v:%v:%v", acc.ID, res.Type, res.Name, res.Endpoint)
+
 	queries := [][]string{
 		{res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
 		{res.Type, res.Name, "*"},          // check for wildcard endpoint, e.g. service.foo*
@@ -146,14 +148,17 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
 			case rulePb.Access_UNKNOWN:
 				continue // rule did not specify access, check the next rule
 			case rulePb.Access_GRANTED:
+				log.Infof("%v granted access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
 				return nil // rule grants the account access to the resource
 			case rulePb.Access_DENIED:
-				return auth.ErrForbidden // reule denies access to the resource
+				log.Infof("%v denied access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
+				return auth.ErrForbidden // rule denies access to the resource
 			}
 		}
 	}

 	// no rules were found for the resource, default to denying access
+	log.Infof("%v denied access to %v:%v:%v by lack of rule", acc.ID, res.Type, res.Name, res.Endpoint)
 	return auth.ErrForbidden
 }

@@ -241,7 +246,7 @@ func (s *svc) listRules(filters ...string) []*rulePb.Rule {

 // loadRules retrieves the rules from the auth service
 func (s *svc) loadRules() {
-	log.Infof("Loading rules from auth service\n")
+	log.Infof("Loading rules from auth service")
 	rsp, err := s.rule.List(context.TODO(), &rulePb.ListRequest{})
 	s.Lock()
 	defer s.Unlock()
@@ -251,7 +256,7 @@ func (s *svc) loadRules() {
 		return
 	}

-	log.Infof("Loaded %v rules from the auth service\n", len(rsp.Rules))
+	log.Infof("Loaded %v rules from the auth service", len(rsp.Rules))
 	s.rules = rsp.Rules
 }