From e4532efcfe52a9d99a2286045a3304f7ff880bc5 Mon Sep 17 00:00:00 2001 From: Andrew Laski Date: Mon, 23 Feb 2015 13:52:11 -0500 Subject: [PATCH] Add useful debug logging when policy checks fail When a policy check fails it is easy enough to recreate the target from request information that's available, but the credentials used can not easily be determined without asking the user. This logs the non sensitive credentials when a policy check fails. Things like project_id, user_id, and roles. Change-Id: I599660386286529ec0914a18c44d5e2939b18ccd --- nova/policy.py | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/nova/policy.py b/nova/policy.py index 124efe85d04a..33b8364e719e 100644 --- a/nova/policy.py +++ b/nova/policy.py @@ -15,10 +15,15 @@ """Policy Engine For Nova.""" +import logging + +from oslo_utils import excutils + from nova import exception from nova.openstack.common import policy +LOG = logging.getLogger(__name__) _ENFORCER = None @@ -88,8 +93,16 @@ def enforce(context, action, target, do_raise=True, exc=None): credentials = context.to_dict() if not exc: exc = exception.PolicyNotAuthorized - return _ENFORCER.enforce(action, target, credentials, do_raise=do_raise, - exc=exc, action=action) + try: + result = _ENFORCER.enforce(action, target, credentials, + do_raise=do_raise, exc=exc, action=action) + except Exception: + credentials.pop('auth_token', None) + with excutils.save_and_reraise_exception(): + LOG.debug('Policy check for %(action)s failed with credentials ' + '%(credentials)s', + {'action': action, 'credentials': credentials}) + return result def check_is_admin(context):
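Review bot: The debug line in the new except branch logs the whole credentials dict minus only `auth_token`, which is a denylist: any other sensitive field that `context.to_dict()` returns now or in a later change goes straight into the log, while the commit message promises only non-sensitive values such as project_id, user_id and roles. Prefer an allowlist that names exactly what is safe to log, e.g. replace the pop with `safe_creds = {k: credentials.get(k) for k in ('user_id', 'project_id', 'roles')}` and pass `safe_creds` as the `credentials` log argument (assuming `to_dict()` exposes those keys under these names, which is not visible here). Catching bare `Exception` also means any unrelated failure inside the enforcer is logged as a policy denial; `except exc:` would match what `do_raise` actually raises, unless callers rely on the broader net. The enclosing `enforce` function starts before this hunk.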