authorBjørn Christian Seime <bjorncs@verizonmedia.com>2022-02-21 16:36:25 +0100
committerGitHub <noreply@github.com>2022-02-21 16:36:25 +0100
commit1e8eaa98bb490f99f4b085256ce232aff1a95aca (patch)
treeb5f2146032ca914a9f89ffe526c6b9374964dba0
parentfb51ad92a41b520820b521598076fcab4aab0f1f (diff)
parent392dbf9196d6671a4467f57e62434cb8218d9997 (diff)
Merge pull request #21292 from vespa-engine/mortent/controller-filter-logs
Add logging for controller role filters
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java17
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java13
2 files changed, 23 insertions, 7 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
index eaab4f2b134..84217e4107f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
@@ -4,6 +4,10 @@ package com.yahoo.vespa.hosted.controller.api.role;
import com.yahoo.config.provision.SystemName;
import java.net.URI;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Collectors;
/**
* Checks whether {@link Role}s have the required {@link Privilege}s to perform {@link Action}s on given {@link java.net.URI}s.
@@ -12,15 +16,24 @@ import java.net.URI;
*/
public class Enforcer {
- private final SystemName system;
+ private static final Logger logger = Logger.getLogger(Enforcer.class.getName());
+ private final SystemName system;
public Enforcer(SystemName system) {
this.system = system;
}
/** Returns whether {@code role} has permission to perform {@code action} on {@code resource}, in this enforcer's system. */
public boolean allows(Role role, Action action, URI resource) {
- return role.definition().policies().stream().anyMatch(policy -> policy.evaluate(action, resource, role.context, system));
+ List<Policy> matchingPolicies = role.definition().policies().stream()
+ .filter(policy -> policy.evaluate(action, resource, role.context, system))
+ .collect(Collectors.toList());
+ logger.log(Level.FINE, "Matching policies for " +
+ "role: " + role.definition().name() + ", "+
+ "action " + action.name() + ", " +
+ resource.getPath() + " : " +
+ matchingPolicies.stream().map(Enum::name).collect(Collectors.joining()));
+ return !matchingPolicies.isEmpty();
}
}
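Review bot: The rewritten body of allows() at `+ List<Policy> matchingPolicies = ...` evaluates every policy and builds the log string on every call even when FINE is not enabled, whereas the removed anyMatch short-circuited on the first match; the AthenzRoleFilter hunk in this same commit already uses the lazy `() ->` supplier form, so this one should at least match it. A guard such as `if (!logger.isLoggable(Level.FINE)) return role.definition().policies().stream().anyMatch(policy -> policy.evaluate(action, resource, role.context, system));` keeps the original fast path for the authorization hot path and runs the collecting version only while debugging. Separately, `Collectors.joining()` on the last added line concatenates the policy names with no separator, and the role-name join in the AthenzRoleFilter hunk has the same problem; `Collectors.joining(", ")` in both places makes the entries readable. Logging only `resource.getPath()` rather than the whole URI is the right choice here, since query parameters could hold values that should not reach the log.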
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 411e9ec6070..8c3dd74d664 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -10,11 +10,6 @@ import com.yahoo.config.provision.TenantName;
import com.yahoo.config.provision.Zone;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
-
-import java.security.cert.X509Certificate;
-import java.time.Instant;
-import java.util.Date;
-import java.util.logging.Level;
import com.yahoo.restapi.Path;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
@@ -35,7 +30,10 @@ import com.yahoo.yolean.Exceptions;
import java.net.URI;
import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.ArrayList;
+import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.Set;
@@ -44,7 +42,9 @@ import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
+import java.util.logging.Level;
import java.util.logging.Logger;
+import java.util.stream.Collectors;
import static com.yahoo.vespa.hosted.controller.athenz.HostedAthenzIdentities.SCREWDRIVER_DOMAIN;
@@ -171,6 +171,9 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
for (Future<?> future : futures)
future.get(30, TimeUnit.SECONDS);
+ logger.log(Level.FINE, () -> "Roles for principal (" + principal.getName() + "): " +
+ roleMemberships.stream().map(role -> role.definition().name()).collect(Collectors.joining()));
+
return roleMemberships.isEmpty()
? Set.of(Role.everyone())
: Set.copyOf(roleMemberships);