Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

authz: add additional logs to sdk authz #5094

Merged
merged 8 commits into from Feb 18, 2022
Merged

authz: add additional logs to sdk authz #5094

Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f94882c
Adds additional logs to sdk authz
ashithasantosh Dec 28, 2021
16be6b7
resolve comment
ashithasantosh Jan 7, 2022
70237f0
adds logs displaying request details
ashithasantosh Jan 11, 2022
57186fb
remove sdk_server_interceptor log
ashithasantosh Jan 12, 2022
d0615bf
log subset of rpcData
ashithasantosh Feb 10, 2022
6a59149
Merge remote-tracking branch 'upstream/master' into add_logs
ashithasantosh Feb 15, 2022
f9afb06
resolving comment
ashithasantosh Feb 15, 2022
555e913
format log message
ashithasantosh Feb 18, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
12 changes: 12 additions & 0 deletions internal/xds/rbac/rbac_engine.go
View file
Open in desktop
Expand Up @@ -65,6 +65,16 @@ func NewChainEngine(policies []*v3rbacpb.RBAC) (*ChainEngine, error) {
return &ChainEngine{chainedEngines: engines}, nil
}

func (cre *ChainEngine) logRequestDetails(rpcData *rpcData) {
if logger.V(logLevel) {
ashithasantosh marked this conversation as resolved.
Show resolved Hide resolved
logger.Infof("checking request: url path=%s", rpcData.fullMethod)
if len(rpcData.certs) > 0 {
cert := rpcData.certs[0]
logger.Infof("uri sans=%q, dns sans=%q, subject=%v", cert.URIs, cert.DNSNames, cert.Subject)
}
}
}

// IsAuthorized determines if an incoming RPC is authorized based on the chain of RBAC
// engines and their associated actions.
//
Expand All @@ -85,8 +95,10 @@ func (cre *ChainEngine) IsAuthorized(ctx context.Context) error {

switch {
case engine.action == v3rbacpb.RBAC_ALLOW && !ok:
cre.logRequestDetails(rpcData)
dfawley marked this conversation as resolved.
Show resolved Hide resolved
return status.Errorf(codes.PermissionDenied, "incoming RPC did not match an allow policy")
case engine.action == v3rbacpb.RBAC_DENY && ok:
cre.logRequestDetails(rpcData)
return status.Errorf(codes.PermissionDenied, "incoming RPC matched a deny policy %q", matchingPolicyName)
}
// Every policy in the engine list must be queried. Thus, iterate to the
Expand Down