Piotr Kliczewski has uploaded a new change for review. Change subject: core: Enhanced permissions logging ......................................................................
core: Enhanced permissions logging During permission check when logging level is set to DEBUG there is more information about which user is being checked and on which objects. When permission is not found it is logged to INFO level. Bug-Url: https://bugzilla.redhat.com/1121617 Change-Id: I4ba8fa00b8d28679b9896fe707623af89ac3c01f Signed-off-by: pkliczewski <[email protected]> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java 2 files changed, 53 insertions(+), 14 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/75/31175/1 diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java index a9308c4..cf29108 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java @@ -923,6 +923,14 @@ final VdcObjectType type, final boolean ignoreEveryone) { // Grant if there is matching permission in the database: + if (log.isDebugEnabled()) { + log.debugFormat("Checking whether user {0} or groups {1} have action group {3} on object type {4}", + userId, + StringUtils.join(groupIds, ","), + actionGroup, + object, + type.name()); + } final Guid permId = getPermissionDAO().getEntityPermissionsForUserAndGroups(userId, StringUtils.join(groupIds, ","), actionGroup, object, type, ignoreEveryone); if (permId != null) { @@ -987,11 +995,20 @@ log.debugFormat("The set of objects to check is null or empty for action {0}.", getActionType()); } addCanDoActionMessage(VdcBllMessages.USER_NOT_AUTHORIZED_TO_PERFORM_ACTION); + return false; } if (isQuotaDependant()) { addQuotaPermissionSubject(permSubjects); + } + + if (log.isDebugEnabled()) { + StringBuilder builder = getPermissionSubjectsAsStringBuilder(permSubjects); + + log.debugFormat("Checking whether user {0} or one of the groups he is member of, have the following permissions: {1}", + getCurrentUser().getId(), + builder.toString()); } // If we are here then we should grant the permission: @@ -1001,6 +1018,15 @@ protected boolean checkPermissions(final List<PermissionSubject> permSubjects) { for (PermissionSubject permSubject : permSubjects) { if (!checkSinglePermission(permSubject, getReturnValue().getCanDoActionMessages())) { + log.infoFormat("No permission found for user {0} or one of the groups he is member of," + + " when running action {1}, Required permissions are: Action type: {2} Action group: {3}" + + " Object type: {4} Object ID: {5}.", + getCurrentUser().getId(), + getActionType(), + permSubject.getActionGroup().getRoleType().name(), + permSubject.getActionGroup().name(), + permSubject.getObjectType().getVdcObjectTranslation(), + permSubject.getObjectId()); return false; } } @@ -1217,20 +1243,7 @@ // Log if there is entry in the permission map. if (permissionSubjectList != null && !permissionSubjectList.isEmpty()) { // Build entities string for entities affected by this operation. - StringBuilder logEntityIdsInfo = new StringBuilder(); - - // Iterate all over the entities , which should be affected. - for (PermissionSubject permSubject : permissionSubjectList) { - if (permSubject.getObjectId() != null) { - // Add comma when there are more then one entity - // affected. - if (logEntityIdsInfo.length() != 0) { - logEntityIdsInfo.append(", "); - } - logEntityIdsInfo.append(" ID: ").append(permSubject.getObjectId()) - .append(" Type: ").append(permSubject.getObjectType()); - } - } + StringBuilder logEntityIdsInfo = getPermissionSubjectsAsStringBuilder(permissionSubjectList); // If found any entities, add the log to the logInfo. if (logEntityIdsInfo.length() != 0) { @@ -1244,6 +1257,27 @@ log.info(logInfo); } + private StringBuilder getPermissionSubjectsAsStringBuilder(List<PermissionSubject> permissionSubjects) { + StringBuilder builder = new StringBuilder(); + + // Iterate all over the entities , which should be affected. + for (PermissionSubject permSubject : permissionSubjects) { + if (permSubject.getObjectId() != null) { + // Add comma when there are more then one entity + // affected. + if (builder.length() != 0) { + builder.append(", "); + } + builder.append(" ID: ").append(permSubject.getObjectId()) + .append(" Type: ").append(permSubject.getObjectType()); + if (permSubject.getActionGroup() != null) { + builder.append(permSubject.getActionGroup().toString()); + } + } + } + return builder; + } + private void executeActionInTransactionScope() { if (TransactionSupport.current() != null) { TransactionSupport.registerRollbackHandler(CommandBase.this); diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java index 5aeec1e..9d1c9e9 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java @@ -179,4 +179,9 @@ public int getAvailableInModes() { return applicationMode; } + + @Override + public String toString() { + return "Action group " + this.name() + " with role type " + this.roleType.name(); + } } -- To view, visit http://gerrit.ovirt.org/31175 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4ba8fa00b8d28679b9896fe707623af89ac3c01f Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: ovirt-engine-3.5 Gerrit-Owner: Piotr Kliczewski <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
