[jira] [Commented] (OAK-2981) Access control logging

Fri, 12 Jun 2015 00:29:25 -0700 

    [ 
https://issues.apache.org/jira/browse/OAK-2981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14583099#comment-14583099
 ] 

Bertrand Delacretaz commented on OAK-2981:
------------------------------------------

Looks useful to me. 

If the log4j APIs used are recent enough it might be good to add an slf4j 
Marker in the logAccess(...) method, to help focus on those messages when 
needed. Something like

{code}
  private final static Marker AC_MARKER = 
MarkerFactory.getMarker("Oak.AccessControl");
  ...
  private void logAccess(String path, AccessResult isGranted, String... 
permissions) {
        log.trace(
              AC_MARKER,
            "[{}] {} {} [{}]",
            user,
...
{code}

> Access control logging
> ----------------------
>
>                 Key: OAK-2981
>                 URL: https://issues.apache.org/jira/browse/OAK-2981
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: security
>            Reporter: Alexander Klimetschek
>
> For debugging application behavior and designing ACLs it is useful to have a 
> logging of JCR operations and also see if access was granted or not.
> I hacked a quick solution that gives this result:
> {noformat}
> 10.06.2015 15:29:43.658 [admin] ALLOWED 
> /jcr:system/rep:namespaces/rep:nsdata/http%3A%2F%2Fsling.apache.org%2Fjcr%2Fevent%2F1.0
>  [read property]
> 10.06.2015 15:29:43.658 [admin] ALLOWED 
> /var/eventing/jobs/assigned/862f413b-6f03-40a1-aa10-550af9970254 [read]
> 10.06.2015 15:29:43.658 [admin] ALLOWED 
> /var/eventing/jobs/assigned/862f413b-6f03-40a1-aa10-550af9970254/jcr:primaryType
>  [read property]
> 10.06.2015 15:30:10.484 [aklim...@adobe.com] DENIED  
> /libs/wcm/core/content/contentfinder [read]
> 10.06.2015 15:25:12.421 [admin] ALLOWED 
> /var/classes/862f413b-6f03-40a1-aa10-550af9970254/sightly/1.0.2/apps/ccebasic/ui/commons/breadcrumbs/SightlyJava_breadcrumbs.java/jcr:content/jcr:content
>  [REMOVE_NODE,ADD_NODE]
> {noformat}
> See on my github fork: 
> https://github.com/alexkli/jackrabbit-oak/commit/f4ecf7ca6b7d8c7e1d6967d409be4045a634efe2
> Change against the 1.2 branch. [As patch 
> file|https://github.com/alexkli/jackrabbit-oak/commit/f4ecf7ca6b7d8c7e1d6967d409be4045a634efe2.patch].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to