authorMorten Tokle <mortent@verizonmedia.com>2022-02-21 16:31:21 +0100
committerMorten Tokle <mortent@verizonmedia.com>2022-02-21 16:31:21 +0100
commit392dbf9196d6671a4467f57e62434cb8218d9997 (patch)
treeb5f2146032ca914a9f89ffe526c6b9374964dba0 /controller-api
parentfb51ad92a41b520820b521598076fcab4aab0f1f (diff)
Add logging for controller role filters
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java17
1 files changed, 15 insertions, 2 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
index eaab4f2b134..84217e4107f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Enforcer.java
@@ -4,6 +4,10 @@ package com.yahoo.vespa.hosted.controller.api.role;
import com.yahoo.config.provision.SystemName;
import java.net.URI;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Collectors;
/**
* Checks whether {@link Role}s have the required {@link Privilege}s to perform {@link Action}s on given {@link java.net.URI}s.
@@ -12,15 +16,24 @@ import java.net.URI;
*/
public class Enforcer {
- private final SystemName system;
+ private static final Logger logger = Logger.getLogger(Enforcer.class.getName());
+ private final SystemName system;
public Enforcer(SystemName system) {
this.system = system;
}
/** Returns whether {@code role} has permission to perform {@code action} on {@code resource}, in this enforcer's system. */
public boolean allows(Role role, Action action, URI resource) {
- return role.definition().policies().stream().anyMatch(policy -> policy.evaluate(action, resource, role.context, system));
+ List<Policy> matchingPolicies = role.definition().policies().stream()
+ .filter(policy -> policy.evaluate(action, resource, role.context, system))
+ .collect(Collectors.toList());
+ logger.log(Level.FINE, "Matching policies for " +
+ "role: " + role.definition().name() + ", "+
+ "action " + action.name() + ", " +
+ resource.getPath() + " : " +
+ matchingPolicies.stream().map(Enum::name).collect(Collectors.joining()));
+ return !matchingPolicies.isEmpty();
}
}
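Review bot: In `allows`, replacing `anyMatch` with `filter(...).collect(...)` means every policy is now evaluated on each authorization check and the message string is concatenated even when FINE is disabled, whereas the previous code stopped at the first match. Passing a supplier, `logger.log(Level.FINE, () -> "Matching policies for role: " + ...)`, defers the string building, and an `if (logger.isLoggable(Level.FINE))` guard around the collecting path would let the normal path keep `anyMatch`. `Collectors.joining()` has no delimiter, so several matching policy names run together in the output; `Collectors.joining(", ")` keeps them readable. `resource.getPath()` returns the decoded path, so if this URI originates from the request, an encoded CR/LF could presumably end up as a line break in the log record; depending on the log formatter in use, it is worth replacing control characters before the value is logged.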