Add context options to the runtime

auth/auth.go

@@ -90,8 +90,6 @@ type Token struct {
 const (
 	// DefaultNamespace used for auth
 	DefaultNamespace = "go.micro"
-	// NamespaceKey is the key used when storing the namespace in metadata
-	NamespaceKey = "Micro-Namespace"
 	// MetadataKey is the key used when storing the account in metadata
 	MetadataKey = "auth-account"
 	// TokenCookieName is the name of the cookie which stores the auth token
@@ -133,11 +131,3 @@ func ContextWithAccount(ctx context.Context, account *Account) (context.Context,
 	// generate a new context with the MetadataKey set
 	return metadata.Set(ctx, MetadataKey, string(bytes)), nil
 }
-
-// NamespaceFromContext gets the namespace from the context
-func NamespaceFromContext(ctx context.Context) string {
-	if ns, ok := metadata.Get(ctx, NamespaceKey); ok {
-		return ns
-	}
-	return DefaultNamespace
-}

auth/service/service.go

@@ -53,8 +53,9 @@ func (s *svc) Init(opts ...auth.Option) {
 	}
 
 	// load rules periodically from the auth service
-	ruleTimer := time.NewTicker(time.Second * 30)
 	go func() {
+		ruleTimer := time.NewTicker(time.Second * 30)
+
 		// load rules immediately on startup
 		s.loadRules()
 
@@ -72,10 +73,11 @@ func (s *svc) Init(opts ...auth.Option) {
 	// we have client credentials and must load a new token
 	// periodically
 	if len(s.options.ID) > 0 || len(s.options.Secret) > 0 {
-		tokenTimer := time.NewTicker(time.Minute)
+		// get a token immediately
+		s.refreshToken()
 
 		go func() {
-			s.refreshToken()
+			tokenTimer := time.NewTicker(time.Minute)
 
 			for {
 				<-tokenTimer.C
@@ -178,11 +180,15 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
 		}
 	}
 
-	// set a default account id to log
+	// set a default account id / namespace to log
 	logID := acc.ID
 	if len(logID) == 0 {
 		logID = "[no account]"
 	}
+	logNamespace := acc.Namespace
+	if len(logNamespace) == 0 {
+		logNamespace = "[no namespace]"
+	}
 
 	for _, q := range queries {
 		for _, rule := range s.listRules(q...) {
@@ -190,17 +196,17 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
 			case pb.Access_UNKNOWN:
 				continue // rule did not specify access, check the next rule
 			case pb.Access_GRANTED:
-				log.Infof("%v:%v granted access to %v:%v:%v:%v by rule %v", acc.Namespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, rule.Id)
+				log.Tracef("%v:%v granted access to %v:%v:%v:%v by rule %v", logNamespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, rule.Id)
 				return nil // rule grants the account access to the resource
 			case pb.Access_DENIED:
-				log.Infof("%v:%v denied access to %v:%v:%v:%v by rule %v", acc.Namespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, rule.Id)
+				log.Tracef("%v:%v denied access to %v:%v:%v:%v by rule %v", logNamespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, rule.Id)
 				return auth.ErrForbidden // rule denies access to the resource
 			}
 		}
 	}
 
 	// no rules were found for the resource, default to denying access
-	log.Infof("%v:%v denied access to %v:%v:%v:%v by lack of rule (%v rules found for namespace)", acc.Namespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, len(s.listRules(res.Namespace)))
+	log.Tracef("%v:%v denied access to %v:%v:%v:%v by lack of rule (%v rules found for namespace)", logNamespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, len(s.listRules(res.Namespace)))
 	return auth.ErrForbidden
 }