opendev/gerrit
Code Issues Proposed changes

CheckAccess: Return ACL debug logs

Browse Source 
A very common support issue is helping users to find out which
permissions they are missing in order to perform a certain operation.

To let host admin investigate such issues the CheckAccess REST endpoint
has been added, however often it doesn't provide enough information for
host admins to understand why a permission is denied or allowed.

If a request is traced detailed information about which ACL rule
denied/granted the permission is available in the trace, but it requires
a server admin to look at the trace.

This change makes the logs that are relevant for ACLs available to
callers of the CheckAccess REST endpoint. It's okay to return these logs
from this REST endpoint since it requires the global Check Access
capability which should only be granted to trusted users (aka host
admins).

To make ACL logs available to the CheckAccess REST endpoint they are
collected in memory in the LoggingContext, similar to how the
LoggingContext stores performance logs. After triggering permission
checks, the CheckAccess REST endpoint can retrieve the ACL logs from the
LoggingContext and include them into the response to the client.

The collection of ACL log records is only enabled for the CheckAccess
REST endpoint, and is disabled for any other REST endpoint.

I tried to add a new method to the fluent logging API that allows to
send a log into the server logs and into the ACL logs at the same time,
e.g. logger.atFine().includeIntoAclLog().log(...) but it turned out that
this is not possible with Flogger (we can add new methods to the logging
API, but we have no access to the logged message to send it to the
LoggingContext). Anyway it turned out that for the permission checks the
message that we want to log in the server logs and the message that we
want to include into the ACL logs is slightly different, so that we
wouldn't have benefited much from such a new method in the logging API.

Change-Id: If82eb586272adecda445949989a314614cdd1072
Signed-off-by: Edwin Kempin <ekempin@google.com>
This commit is contained in:
Edwin Kempin
2020-02-14 13:33:45 +01:00
parent f854f1897e
commit 35b6f4acce
10 changed files with 427 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
java/com/google/gerrit/extensions/api/config/AccessCheckInfo.java
View File

@@ -14,10 +14,15 @@
package com.google.gerrit.extensions.api.config;
import java.util.List;
public class AccessCheckInfo {
public String message;
// HTTP status code
public int status;
/** Debug logs that may help to understand why a permission is denied or allowed. */
public List<String> debugLogs;
// for future extension, we may add inputs / results for bulk checks.
}