Log auth verify requests (#1422)
* More auth debugging * More auth debugging Co-authored-by: Ben Toogood <ben@micro.mu>
This commit is contained in:
parent
62f9a054a4
commit
c905df3be6
@ -124,6 +124,8 @@ func (s *svc) Revoke(role string, res *auth.Resource) error {
// Verify an account has access to a resource
// Verify an account has access to a resource
func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
log.Infof("%v requesting access to %v:%v:%v", acc.ID, res.Type, res.Name, res.Endpoint)
queries := [][]string{
queries := [][]string{
{res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
{res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
{res.Type, res.Name, "*"}, // check for wildcard endpoint, e.g. service.foo*
{res.Type, res.Name, "*"}, // check for wildcard endpoint, e.g. service.foo*
@ -146,14 +148,17 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
case rulePb.Access_UNKNOWN:
case rulePb.Access_UNKNOWN:
continue // rule did not specify access, check the next rule
continue // rule did not specify access, check the next rule
case rulePb.Access_GRANTED:
case rulePb.Access_GRANTED:
log.Infof("%v granted access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
return nil // rule grants the account access to the resource
return nil // rule grants the account access to the resource
case rulePb.Access_DENIED:
case rulePb.Access_DENIED:
return auth.ErrForbidden // reule denies access to the resource
log.Infof("%v denied access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
return auth.ErrForbidden // rule denies access to the resource
}
}
}
}
}
}
// no rules were found for the resource, default to denying access
// no rules were found for the resource, default to denying access
log.Infof("%v denied access to %v:%v:%v by lack of rule", acc.ID, res.Type, res.Name, res.Endpoint)
return auth.ErrForbidden
return auth.ErrForbidden
}
}
@ -241,7 +246,7 @@ func (s *svc) listRules(filters ...string) []*rulePb.Rule {
|
// loadRules retrieves the rules from the auth service
// loadRules retrieves the rules from the auth service
func (s *svc) loadRules() {
func (s *svc) loadRules() {
log.Infof("Loading rules from auth service\n")
log.Infof("Loading rules from auth service")
rsp, err := s.rule.List(context.TODO(), &rulePb.ListRequest{})
rsp, err := s.rule.List(context.TODO(), &rulePb.ListRequest{})
s.Lock()
s.Lock()
defer s.Unlock()
defer s.Unlock()
@ -251,7 +256,7 @@ func (s *svc) loadRules() {
return
return
}
}
log.Infof("Loaded %v rules from the auth service\n", len(rsp.Rules))
log.Infof("Loaded %v rules from the auth service", len(rsp.Rules))
s.rules = rsp.Rules
s.rules = rsp.Rules
}
}
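Review bot: The log line added directly after the Verify signature, and the granted/denied lines in the second hunk, print acc.ID, res.Type, res.Name and res.Endpoint with %v, so whatever a caller put in those strings reaches the log unescaped and a value carrying a newline can forge an extra log entry; `%q` keeps control characters visible and shows empty fields, e.g. `log.Infof("%q requesting access to %q:%q:%q", acc.ID, res.Type, res.Name, res.Endpoint)`. That first line also dereferences acc and res before any other statement in Verify, so if a caller can pass a nil account or resource this now panics where the previous body may have returned an error; worth confirming against the callers, since the rest of Verify is outside the hunk. The commit message calls these lines debugging and the request line fires on every Verify call, so Debugf rather than Infof would keep the per-request volume out of production logs while the two denied lines, which are the useful audit signal, can stay at Info. The first hunk's header counts two added lines but only one addition is visible in this rendering, so a line may be missing from the page.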