Skip to content

Commit

Permalink
authz: add additional logs to sdk authz (#5094)
Browse files Browse the repository at this point in the history
* Adds additional logs to sdk authz

* resolve comment

* adds logs displaying request details

* remove sdk_server_interceptor log

* log subset of rpcData

* resolving comment

* format log message
  • Loading branch information
ashithasantosh authored Feb 18, 2022
1 parent 18564ff commit 011544f
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 3 deletions.
6 changes: 6 additions & 0 deletions authz/grpc_authz_server_interceptors.go
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,9 @@ func (i *StaticInterceptor) UnaryInterceptor(ctx context.Context, req interface{
err := i.engines.IsAuthorized(ctx)
if err != nil {
if status.Code(err) == codes.PermissionDenied {
if logger.V(2) {
logger.Infof("unauthorized RPC request rejected: %v", err)
}
return nil, status.Errorf(codes.PermissionDenied, "unauthorized RPC request rejected")
}
return nil, err
Expand All @@ -76,6 +79,9 @@ func (i *StaticInterceptor) StreamInterceptor(srv interface{}, ss grpc.ServerStr
err := i.engines.IsAuthorized(ss.Context())
if err != nil {
if status.Code(err) == codes.PermissionDenied {
if logger.V(2) {
logger.Infof("unauthorized RPC request rejected: %v", err)
}
return status.Errorf(codes.PermissionDenied, "unauthorized RPC request rejected")
}
return err
Expand Down
16 changes: 13 additions & 3 deletions internal/xds/rbac/rbac_engine.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,8 +39,6 @@ import (
"google.golang.org/grpc/status"
)

const logLevel = 2

var logger = grpclog.Component("rbac")

var getConnection = transport.GetConnection
Expand All @@ -65,6 +63,16 @@ func NewChainEngine(policies []*v3rbacpb.RBAC) (*ChainEngine, error) {
return &ChainEngine{chainedEngines: engines}, nil
}

func (cre *ChainEngine) logRequestDetails(rpcData *rpcData) {
if logger.V(2) {
logger.Infof("checking request: url path=%s", rpcData.fullMethod)
if len(rpcData.certs) > 0 {
cert := rpcData.certs[0]
logger.Infof("uri sans=%q, dns sans=%q, subject=%v", cert.URIs, cert.DNSNames, cert.Subject)
}
}
}

// IsAuthorized determines if an incoming RPC is authorized based on the chain of RBAC
// engines and their associated actions.
//
Expand All @@ -79,14 +87,16 @@ func (cre *ChainEngine) IsAuthorized(ctx context.Context) error {
}
for _, engine := range cre.chainedEngines {
matchingPolicyName, ok := engine.findMatchingPolicy(rpcData)
if logger.V(logLevel) && ok {
if logger.V(2) && ok {
logger.Infof("incoming RPC matched to policy %v in engine with action %v", matchingPolicyName, engine.action)
}

switch {
case engine.action == v3rbacpb.RBAC_ALLOW && !ok:
cre.logRequestDetails(rpcData)
return status.Errorf(codes.PermissionDenied, "incoming RPC did not match an allow policy")
case engine.action == v3rbacpb.RBAC_DENY && ok:
cre.logRequestDetails(rpcData)
return status.Errorf(codes.PermissionDenied, "incoming RPC matched a deny policy %q", matchingPolicyName)
}
// Every policy in the engine list must be queried. Thus, iterate to the
Expand Down

0 comments on commit 011544f

Please sign in to comment.