author | Morten Tokle <mortent@verizonmedia.com> | 2022-02-21 16:31:21 +0100 |
---|---|---|
committer | Morten Tokle <mortent@verizonmedia.com> | 2022-02-21 16:31:21 +0100 |
commit | 392dbf9196d6671a4467f57e62434cb8218d9997 (patch) | |
tree | b5f2146032ca914a9f89ffe526c6b9374964dba0 /controller-api | |
parent | fb51ad92a41b520820b521598076fcab4aab0f1f (diff) |
Add logging for controller role filters
Diffstat (limited to 'controller-api')
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
index eaab4f2b134..84217e4107f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
@@ -4,6 +4,10 @@ package com.yahoo.vespa.hosted.controller.api.role;
 import com.yahoo.config.provision.SystemName;
 import java.net.URI;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Collectors;
 /**
 * Checks whether {@link Role}s have the required {@link Privilege}s to perform {@link Action}s on given {@link java.net.URI}s.
@@ -12,15 +16,24 @@ import java.net.URI;
 */
 public class Enforcer {
- private final SystemName system;
+ private static final Logger logger = Logger.getLogger(Enforcer.class.getName());
+ private final SystemName system;
 public Enforcer(SystemName system) {
 this.system = system;
 }
 /** Returns whether {@code role} has permission to perform {@code action} on {@code resource}, in this enforcer's system. */
 public boolean allows(Role role, Action action, URI resource) {
- return role.definition().policies().stream().anyMatch(policy -> policy.evaluate(action, resource, role.context, system));
+ List<Policy> matchingPolicies = role.definition().policies().stream()
+ .filter(policy -> policy.evaluate(action, resource, role.context, system))
+ .collect(Collectors.toList());
+ logger.log(Level.FINE, "Matching policies for " +
+ "role: " + role.definition().name() + ", "+
+ "action " + action.name() + ", " +
+ resource.getPath() + " : " +
+ matchingPolicies.stream().map(Enum::name).collect(Collectors.joining()));
+ return !matchingPolicies.isEmpty();
 }
 } |
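Review bot: In `allows`, every call now evaluates all policies and builds the log string even when FINE is off, because `anyMatch` no longer short-circuits and `logger.log(Level.FINE, String)` receives an already concatenated message. On an authorization path I would keep the old return behind `if (!logger.isLoggable(Level.FINE)) return role.definition().policies().stream().anyMatch(policy -> policy.evaluate(action, resource, role.context, system));` and collect the matches only when logging is enabled. `resource.getPath()` returns the decoded path, so if the URI comes from a request (not visible in this hunk), an encoded CR/LF would show up as a real line break in this access-decision log; `resource.getRawPath()` keeps it escaped. `Collectors.joining()` has no delimiter, so several matching policy names run together, and `Collectors.joining(", ")` would keep them readable.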