Add useful debug logging when policy checks fail
When a policy check fails it is easy enough to recreate the target from the request information that is available, but the credentials used cannot easily be determined without asking the user. This logs the non-sensitive credentials when a policy check fails: things like project_id, user_id, and roles. Change-Id: I599660386286529ec0914a18c44d5e2939b18ccd
This commit is contained in:
parent
f75fea973c
commit
e4532efcfe
|
@ -15,10 +15,15 @@
|
||||||
|
|
||||||
"""Policy Engine For Nova."""
|
"""Policy Engine For Nova."""
|
||||||
|
|
||||||
|
import logging
|
||||||
|
|
||||||
|
from oslo_utils import excutils
|
||||||
|
|
||||||
from nova import exception
|
from nova import exception
|
||||||
from nova.openstack.common import policy
|
from nova.openstack.common import policy
|
||||||
|
|
||||||
|
|
||||||
|
LOG = logging.getLogger(__name__)
|
||||||
_ENFORCER = None
|
_ENFORCER = None
|
||||||
|
|
||||||
|
|
||||||
|
@ -88,8 +93,16 @@ def enforce(context, action, target, do_raise=True, exc=None):
|
||||||
credentials = context.to_dict()
|
credentials = context.to_dict()
|
||||||
if not exc:
|
if not exc:
|
||||||
exc = exception.PolicyNotAuthorized
|
exc = exception.PolicyNotAuthorized
|
||||||
return _ENFORCER.enforce(action, target, credentials, do_raise=do_raise,
|
try:
|
||||||
exc=exc, action=action)
|
result = _ENFORCER.enforce(action, target, credentials,
|
||||||
|
do_raise=do_raise, exc=exc, action=action)
|
||||||
|
except Exception:
|
||||||
|
credentials.pop('auth_token', None)
|
||||||
|
with excutils.save_and_reraise_exception():
|
||||||
|
LOG.debug('Policy check for %(action)s failed with credentials '
|
||||||
|
'%(credentials)s',
|
||||||
|
{'action': action, 'credentials': credentials})
|
||||||
|
return result
|
||||||
|
|
||||||
|
|
||||||
def check_is_admin(context):
|
def check_is_admin(context):
|
||||||
|
|
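Review bot: Stripping only `auth_token` on the `credentials.pop('auth_token', None)` line is a denylist, so any other secret-bearing key that `context.to_dict()` returns today or gains later is written to the debug log; whether such keys exist now cannot be seen from the hunk, but the commit message names exactly the fields wanted (project_id, user_id, roles), so log only those with `safe = {k: credentials.get(k) for k in ('project_id', 'user_id', 'roles')}` and pass `{'action': action, 'credentials': safe}` to LOG.debug. That also avoids mutating the dict that was just handed to `_ENFORCER.enforce`. Note the message is emitted only when enforce raises: with `do_raise=False` a failed check returns quietly, which is worth stating in a comment on the `except Exception:` branch, e.g. `# Only reached when the enforcer raises (do_raise=True); a False result is returned unlogged.` The signature of enforce lies outside the hunk.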