From 7f81e2e4ac8a125a3149676366a8d2d90a7816d1 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Sat, 14 Jan 2017 17:22:57 -0500 Subject: [PATCH] Improve RBAC denial audit logging --- plugin/pkg/auth/authorizer/rbac/rbac.go | 26 +++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/plugin/pkg/auth/authorizer/rbac/rbac.go b/plugin/pkg/auth/authorizer/rbac/rbac.go index 47a789da3a8..b683e811e0e 100644 --- a/plugin/pkg/auth/authorizer/rbac/rbac.go +++ b/plugin/pkg/auth/authorizer/rbac/rbac.go @@ -19,6 +19,7 @@ package rbac import ( "fmt" + "github.com/golang/glog" "k8s.io/apiserver/pkg/authentication/user" @@ -45,8 +46,29 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo return true, "", nil } - glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), - requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource()) + // Build a detailed log of the denial. + // Make the whole block conditional so we don't do a lot of string-building we won't use. + if glog.V(2) { + var operation string + if requestAttributes.IsResourceRequest() { + operation = fmt.Sprintf( + "%q on \"%v.%v/%v\"", + requestAttributes.GetVerb(), + requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource(), + ) + } else { + operation = fmt.Sprintf("%q nonResourceURL %q", requestAttributes.GetVerb(), requestAttributes.GetPath()) + } + + var scope string + if ns := requestAttributes.GetNamespace(); len(ns) > 0 { + scope = fmt.Sprintf("in namespace %q", ns) + } else { + scope = "cluster-wide" + } + + glog.Infof("RBAC DENY: user %q groups %v cannot %s %s", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), operation, scope) + } reason := "" if ruleResolutionError != nil {