author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-02-21 16:36:25 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-21 16:36:25 +0100 |
commit | 1e8eaa98bb490f99f4b085256ce232aff1a95aca (patch) | |
tree | b5f2146032ca914a9f89ffe526c6b9374964dba0 | |
parent | fb51ad92a41b520820b521598076fcab4aab0f1f (diff) | |
parent | 392dbf9196d6671a4467f57e62434cb8218d9997 (diff) |
Merge pull request #21292 from vespa-engine/mortent/controller-filter-logs
Add logging for controller role filters
2 files changed, 23 insertions, 7 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
index eaab4f2b134..84217e4107f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
@@ -4,6 +4,10 @@ package com.yahoo.vespa.hosted.controller.api.role;
 import com.yahoo.config.provision.SystemName;
 import java.net.URI;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Collectors;
 /**
 * Checks whether {@link Role}s have the required {@link Privilege}s to perform {@link Action}s on given {@link java.net.URI}s.
@@ -12,15 +16,24 @@ import java.net.URI;
 */
 public class Enforcer {
- private final SystemName system;
+ private static final Logger logger = Logger.getLogger(Enforcer.class.getName());
+ private final SystemName system;
 public Enforcer(SystemName system) {
 this.system = system;
 }
 /** Returns whether {@code role} has permission to perform {@code action} on {@code resource}, in this enforcer's system. */
 public boolean allows(Role role, Action action, URI resource) {
- return role.definition().policies().stream().anyMatch(policy -> policy.evaluate(action, resource, role.context, system));
+ List<Policy> matchingPolicies = role.definition().policies().stream()
+ .filter(policy -> policy.evaluate(action, resource, role.context, system))
+ .collect(Collectors.toList());
+ logger.log(Level.FINE, "Matching policies for " +
+ "role: " + role.definition().name() + ", "+
+ "action " + action.name() + ", " +
+ resource.getPath() + " : " +
+ matchingPolicies.stream().map(Enum::name).collect(Collectors.joining()));
+ return !matchingPolicies.isEmpty();
 }
 }
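Review bot: The FINE message in `allows` is assembled eagerly — the string concatenation and the `matchingPolicies.stream().map(Enum::name).collect(...)` pass run on every authorization check even when FINE logging is disabled, whereas the AthenzRoleFilter hunk at line 171 already uses the lazy overload; change the call to `logger.log(Level.FINE, () -> "Matching policies for " +` and keep the rest of the expression inside the supplier. `Collectors.joining()` with no delimiter glues the policy names into a single token in the log line; `Collectors.joining(", ")` keeps them separable, and the same applies to the `joining()` in the AthenzRoleFilter hunk. Note also that replacing `anyMatch` with `filter(...).collect(...)` now evaluates every policy for every request instead of stopping at the first match; this looks intentional so the log lists all matches, but it is a change in per-request work that the description does not mention.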
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 411e9ec6070..8c3dd74d664 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -10,11 +10,6 @@ import com.yahoo.config.provision.TenantName;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
-
-import java.security.cert.X509Certificate;
-import java.time.Instant;
-import java.util.Date;
-import java.util.logging.Level;
 import com.yahoo.restapi.Path;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
@@ -35,7 +30,10 @@ import com.yahoo.yolean.Exceptions;
 import java.net.URI;
 import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
@@ -44,7 +42,9 @@ import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 import java.util.concurrent.TimeUnit;
+import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.stream.Collectors;
 import static com.yahoo.vespa.hosted.controller.athenz.HostedAthenzIdentities.SCREWDRIVER_DOMAIN;
@@ -171,6 +171,9 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
 for (Future<?> future : futures) future.get(30, TimeUnit.SECONDS);
+ logger.log(Level.FINE, () -> "Roles for principal (" + principal.getName() + "): " +
+ roleMemberships.stream().map(role -> role.definition().name()).collect(Collectors.joining()));
+
 return roleMemberships.isEmpty() ? Set.of(Role.everyone()) : Set.copyOf(roleMemberships); |