Add useful debug logging when policy checks fail

When a policy check fails it is easy enough to recreate the target from
the request information that's available, but the credentials used cannot
easily be determined without asking the user.  This logs the non-sensitive
parts of the credentials when a policy check fails: things like
project_id, user_id, and roles.

Change-Id: I599660386286529ec0914a18c44d5e2939b18ccd
This commit is contained in:
Andrew Laski 2015-02-23 13:52:11 -05:00
parent f75fea973c
commit e4532efcfe
1 changed files with 15 additions and 2 deletions


@ -15,10 +15,15 @@
"""Policy Engine For Nova."""
import logging
from oslo_utils import excutils
from nova import exception
from nova.openstack.common import policy
LOG = logging.getLogger(__name__)
_ENFORCER = None
@ -88,8 +93,16 @@ def enforce(context, action, target, do_raise=True, exc=None):
credentials = context.to_dict()
if not exc:
exc = exception.PolicyNotAuthorized
return _ENFORCER.enforce(action, target, credentials, do_raise=do_raise,
exc=exc, action=action)
try:
result = _ENFORCER.enforce(action, target, credentials,
do_raise=do_raise, exc=exc, action=action)
except Exception:
credentials.pop('auth_token', None)
with excutils.save_and_reraise_exception():
LOG.debug('Policy check for %(action)s failed with credentials '
'%(credentials)s',
{'action': action, 'credentials': credentials})
return result
def check_is_admin(context):
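Review bot: The log call at `LOG.debug('Policy check for %(action)s failed with credentials ...` emits every key that `context.to_dict()` returns except the single `auth_token` popped on the line above, while the commit message promises only project_id, user_id and roles; a one-key deny-list will silently start logging any other or future sensitive field in the context dict (what else to_dict() carries is not visible here). An allow-list matches the stated intent and costs nothing: replace the `credentials.pop('auth_token', None)` line with `safe = {k: credentials.get(k) for k in ('user_id', 'project_id', 'roles')}` and pass `{'action': action, 'credentials': safe}` to the log call. Separately, the `except Exception:` branch only runs when the enforcer raises, so a failed check with `do_raise=False` presumably returns False and is never logged — worth confirming against the enforcer and either documenting or logging that path too. The enclosing enforce() starts before this hunk.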