From: Casey Bodley
Date: Wed, 6 Mar 2024 23:37:37 +0000 (-0500)
Subject: rgw/auth: log each policy that returns Allow or Deny
X-Git-Tag: v19.1.0~99^2~32
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=900709817ee88b2fa4ce1c45652bc2f79b6d687a;p=ceph.git

rgw/auth: log each policy that returns Allow or Deny

makes it much easier to debug authorization issues when you can see exactly which policies led to success/failure

Signed-off-by: Casey Bodley
(cherry picked from commit 9057e70d60bf3c22845f2b5e38a2a2633dfbb322)
---

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 21df28045849..7786056199ae 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1136,12 +1136,16 @@ Effect eval_identity_or_session_policies(const DoutPrefixProvider* dpp,
 const ARN& arn) {
 auto policy_res = Effect::Pass, prev_res = Effect::Pass;
 for (auto& policy : policies) {
- if (policy_res = eval_or_pass(dpp, policy, env, boost::none, op, arn); policy_res == Effect::Deny)
+ if (policy_res = eval_or_pass(dpp, policy, env, boost::none, op, arn);
+ policy_res == Effect::Deny) {
+ ldpp_dout(dpp, 10) << __func__ << " Deny from " << policy << dendl;
 return policy_res;
- else if (policy_res == Effect::Allow)
+ } else if (policy_res == Effect::Allow) {
+ ldpp_dout(dpp, 20) << __func__ << " Allow from " << policy << dendl;
 prev_res = Effect::Allow;
- else if (policy_res == Effect::Pass && prev_res == Effect::Allow)
+ } else if (policy_res == Effect::Pass && prev_res == Effect::Allow) {
 policy_res = Effect::Allow;
+ }
 }
 return policy_res;
 }
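Review bot: The all-Pass outcome is still silent: when no policy in the loop returns Allow or Deny, control reaches the final `return policy_res;` with no log line, so a request that is refused only because nothing granted it leaves no trace from this function. A line before that return such as `if (policy_res == Effect::Pass) ldpp_dout(dpp, 20) << __func__ << " Pass: no policy returned Allow or Deny" << dendl;` would close that gap. Separately, `<< policy` presumably streams the whole policy document, so the level 10 and 20 logs may carry principals, resource ARNs and condition values; logging only the policy's identifier, if it has one, would keep the lines short and the logs less sensitive. The parameter list of `eval_identity_or_session_policies` starts above the hunk, so the type of `policies` and its stream operator are not visible here.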