aboutsummaryrefslogtreecommitdiffstats
path: root/fnet
diff options
context:
space:
mode:
Diffstat (limited to 'fnet')
-rw-r--r--fnet/src/vespa/fnet/frt/require_capabilities.cpp18
1 files changed, 17 insertions, 1 deletions
diff --git a/fnet/src/vespa/fnet/frt/require_capabilities.cpp b/fnet/src/vespa/fnet/frt/require_capabilities.cpp
index c74e9ad648a..fc64621717f 100644
--- a/fnet/src/vespa/fnet/frt/require_capabilities.cpp
+++ b/fnet/src/vespa/fnet/frt/require_capabilities.cpp
@@ -5,9 +5,25 @@
#include <vespa/fnet/connection.h>
#include <vespa/vespalib/net/connection_auth_context.h>
+#include <vespa/log/bufferedlogger.h>
+LOG_SETUP(".fnet.frt.require_capabilities");
+
+using namespace vespalib::net::tls;
+
bool
FRT_RequireCapabilities::allow(FRT_RPCRequest& req) const noexcept
{
const auto& auth_ctx = req.GetConnection()->auth_context();
- return auth_ctx.capabilities().contains_all(_required_capabilities);
+ const bool is_authorized = auth_ctx.capabilities().contains_all(_required_capabilities);
+ if (!is_authorized) {
+ auto peer_spec = req.GetConnection()->GetPeerSpec();
+ std::string method_name(req.GetMethodName(), req.GetMethodNameLen());
+ LOGBT(warning, peer_spec, "Permission denied for RPC method '%s'. "
+ "Peer at %s with %s. Call requires %s, but peer has %s",
+ method_name.c_str(), peer_spec.c_str(),
+ to_string(auth_ctx.peer_credentials()).c_str(),
+ _required_capabilities.to_string().c_str(),
+ auth_ctx.capabilities().to_string().c_str());
+ }
+ return is_authorized;
}