35b6f4acce
A very common support issue is helping users to find out which permissions they are missing in order to perform a certain operation. To let host admin investigate such issues the CheckAccess REST endpoint has been added, however often it doesn't provide enough information for host admins to understand why a permission is denied or allowed. If a request is traced detailed information about which ACL rule denied/granted the permission is available in the trace, but it requires a server admin to look at the trace. This change makes the logs that are relevant for ACLs available to callers of the CheckAccess REST endpoint. It's okay to return these logs from this REST endpoint since it requires the global Check Access capability which should only be granted to trusted users (aka host admins). To make ACL logs available to the CheckAccess REST endpoint they are collected in memory in the LoggingContext, similar to how the LoggingContext stores performance logs. After triggering permission checks, the CheckAccess REST endpoint can retrieve the ACL logs from the LoggingContext and include them into the response to the client. The collection of ACL log records is only enabled for the CheckAccess REST endpoint, and is disabled for any other REST endpoint. I tried to add a new method to the fluent logging API that allows to send a log into the server logs and into the ACL logs at the same time, e.g. logger.atFine().includeIntoAclLog().log(...) but it turned out that this is not possible with Flogger (we can add new methods to the logging API, but we have no access to the logged message to send it to the LoggingContext). Anyway it turned out that for the permission checks the message that we want to log in the server logs and the message that we want to include into the ACL logs is slightly different, so that we wouldn't have benefited much from such a new method in the logging API. Change-Id: If82eb586272adecda445949989a314614cdd1072 Signed-off-by: Edwin Kempin <ekempin@google.com>
29 lines
978 B
Java
29 lines
978 B
Java
// Copyright (C) 2017 The Android Open Source Project
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package com.google.gerrit.extensions.api.config;
|
|
|
|
import java.util.List;
|
|
|
|
public class AccessCheckInfo {
|
|
public String message;
|
|
// HTTP status code
|
|
public int status;
|
|
|
|
/** Debug logs that may help to understand why a permission is denied or allowed. */
|
|
public List<String> debugLogs;
|
|
|
|
// for future extension, we may add inputs / results for bulk checks.
|
|
}
|