author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-07-11 10:55:25 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-07-11 10:55:25 +0000 |
commit | 521fcd62bd25ce159187b68e2845e3615fcd393e (patch) | |
tree | 463160fddc68302cd46dffe215ef74c641650ff1 /fnet | |
parent | 3454ae8734f5440d9b9d8faacf9d76832411b537 (diff) |
Add buffered logging of capability filter authz failures
Buffering is done using the peer spec as the token, so that we don't miss
any distinct peer permission failures while still avoiding swamping the log,
since this is triggered per RPC call.
Diffstat (limited to 'fnet')
-rw-r--r-- | fnet/src/vespa/fnet/frt/require_capabilities.cpp | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/fnet/src/vespa/fnet/frt/require_capabilities.cpp b/fnet/src/vespa/fnet/frt/require_capabilities.cpp
index c74e9ad648a..fc64621717f 100644
--- a/fnet/src/vespa/fnet/frt/require_capabilities.cpp
+++ b/fnet/src/vespa/fnet/frt/require_capabilities.cpp
@@ -5,9 +5,25 @@
 #include <vespa/fnet/connection.h>
 #include <vespa/vespalib/net/connection_auth_context.h>
+#include <vespa/log/bufferedlogger.h>
+LOG_SETUP(".fnet.frt.require_capabilities");
+
+using namespace vespalib::net::tls;
+
 bool FRT_RequireCapabilities::allow(FRT_RPCRequest& req) const noexcept {
 const auto& auth_ctx = req.GetConnection()->auth_context();
- return auth_ctx.capabilities().contains_all(_required_capabilities);
+ const bool is_authorized = auth_ctx.capabilities().contains_all(_required_capabilities);
+ if (!is_authorized) {
+ auto peer_spec = req.GetConnection()->GetPeerSpec();
+ std::string method_name(req.GetMethodName(), req.GetMethodNameLen());
+ LOGBT(warning, peer_spec, "Permission denied for RPC method '%s'. " "Peer at %s with %s. Call requires %s, but peer has %s", method_name.c_str(), peer_spec.c_str(), to_string(auth_ctx.peer_credentials()).c_str(), _required_capabilities.to_string().c_str(), auth_ctx.capabilities().to_string().c_str());
+ }
+ return is_authorized;
 }
|
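Review bot: The method name written into the warning on the `LOGBT` line is taken straight from the request (`req.GetMethodName()`, `req.GetMethodNameLen()`), so unless FRT has already validated it against the registered method set before `allow()` runs, a remote peer controls bytes that land in the log and could embed newlines or control characters to forge or split entries. A cheap guard is to cap the length and replace non-printable bytes before passing `method_name.c_str()` to the logger, e.g. replacing every byte `c` with `!std::isprint(static_cast<unsigned char>(c))` by `'?'`. Separately, `allow()` keeps its `noexcept` while the denied path now builds `method_name`, `peer_spec` and several `to_string()` results, each of which can throw `std::bad_alloc`; an allocation failure while logging a denial would terminate the process instead of just denying the call, so either drop `noexcept` or confine the logging to a try block that catches only allocation failures. The buffering token is the peer spec alone, as the commit message intends, which also means one peer probing many methods yields a single buffered entry per window rather than one per method; worth a comment on the `LOGBT` line such as `// Token is the peer only: distinct methods from the same peer collapse into one entry`.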