Log auth verify requests (#1422)

* More auth debugging

* More auth debugging

Co-authored-by: Ben Toogood <ben@micro.mu>
ben-toogood 2020-03-26 17:35:28 +00:00 committed by GitHub
parent 62f9a054a4
commit c905df3be6


@ -124,6 +124,8 @@ func (s *svc) Revoke(role string, res *auth.Resource) error {
// Verify an account has access to a resource // Verify an account has access to a resource
func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error { func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
log.Infof("%v requesting access to %v:%v:%v", acc.ID, res.Type, res.Name, res.Endpoint)
queries := [][]string{ queries := [][]string{
{res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule) {res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
{res.Type, res.Name, "*"}, // check for wildcard endpoint, e.g. service.foo* {res.Type, res.Name, "*"}, // check for wildcard endpoint, e.g. service.foo*
@ -146,14 +148,17 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
case rulePb.Access_UNKNOWN: case rulePb.Access_UNKNOWN:
continue // rule did not specify access, check the next rule continue // rule did not specify access, check the next rule
case rulePb.Access_GRANTED: case rulePb.Access_GRANTED:
log.Infof("%v granted access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
return nil // rule grants the account access to the resource return nil // rule grants the account access to the resource
case rulePb.Access_DENIED: case rulePb.Access_DENIED:
return auth.ErrForbidden // reule denies access to the resource log.Infof("%v denied access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
return auth.ErrForbidden // rule denies access to the resource
} }
} }
} }
// no rules were found for the resource, default to denying access // no rules were found for the resource, default to denying access
log.Infof("%v denied access to %v:%v:%v by lack of rule", acc.ID, res.Type, res.Name, res.Endpoint)
return auth.ErrForbidden return auth.ErrForbidden
} }
@ -241,7 +246,7 @@ func (s *svc) listRules(filters ...string) []*rulePb.Rule {
// loadRules retrieves the rules from the auth service // loadRules retrieves the rules from the auth service
func (s *svc) loadRules() { func (s *svc) loadRules() {
log.Infof("Loading rules from auth service\n") log.Infof("Loading rules from auth service")
rsp, err := s.rule.List(context.TODO(), &rulePb.ListRequest{}) rsp, err := s.rule.List(context.TODO(), &rulePb.ListRequest{})
s.Lock() s.Lock()
defer s.Unlock() defer s.Unlock()
@ -251,7 +256,7 @@ func (s *svc) loadRules() {
return return
} }
log.Infof("Loaded %v rules from the auth service\n", len(rsp.Rules)) log.Infof("Loaded %v rules from the auth service", len(rsp.Rules))
s.rules = rsp.Rules s.rules = rsp.Rules
} }
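Review bot: The new log lines in Verify (the first two hunks) format acc.ID, res.Type, res.Name and res.Endpoint with %v, so if any of those values carry newlines or control characters — the resource fields presumably come straight from the incoming request — a caller can forge extra log entries; quoting them with %q, e.g. `log.Infof("%v requesting access to %q:%q:%q", acc.ID, res.Type, res.Name, res.Endpoint)`, closes that off. These calls also fire at Info level on every authorization check, including the denied and "lack of rule" paths that an arbitrary caller can trigger at will, which is an easy way to flood the logs; Debugf (matching the "auth debugging" intent in the commit message) or a dedicated audit logger for denials would be more appropriate. The added line at the top of Verify dereferences acc.ID before the rule loop, so a nil account now panics there instead of reaching the default deny — worth a guard if callers can pass nil, which cannot be confirmed from this view. Verify's body continues outside the first hunk.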