Improve RBAC denial audit logging

Jordan Liggitt 2017-01-14 17:22:57 -05:00
parent 07e52481e9
commit 7f81e2e4ac


@ -19,6 +19,7 @@ package rbac
import (
"fmt"
"github.com/golang/glog"
"k8s.io/apiserver/pkg/authentication/user"
@ -45,8 +46,29 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
return true, "", nil
}
glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(),
requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource())
// Build a detailed log of the denial.
// Make the whole block conditional so we don't do a lot of string-building we won't use.
if glog.V(2) {
var operation string
if requestAttributes.IsResourceRequest() {
operation = fmt.Sprintf(
"%q on \"%v.%v/%v\"",
requestAttributes.GetVerb(),
requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource(),
)
} else {
operation = fmt.Sprintf("%q nonResourceURL %q", requestAttributes.GetVerb(), requestAttributes.GetPath())
}
var scope string
if ns := requestAttributes.GetNamespace(); len(ns) > 0 {
scope = fmt.Sprintf("in namespace %q", ns)
} else {
scope = "cluster-wide"
}
glog.Infof("RBAC DENY: user %q groups %v cannot %s %s", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), operation, scope)
}
reason := ""
if ruleResolutionError != nil {