diff --git a/plugin/pkg/auth/authorizer/rbac/rbac.go b/plugin/pkg/auth/authorizer/rbac/rbac.go
index 47a789da3a8..b683e811e0e 100644
--- a/plugin/pkg/auth/authorizer/rbac/rbac.go
+++ b/plugin/pkg/auth/authorizer/rbac/rbac.go
@@ -19,6 +19,7 @@ package rbac
 
 import (
 	"fmt"
+
 	"github.com/golang/glog"
 
 	"k8s.io/apiserver/pkg/authentication/user"
@@ -45,8 +46,29 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
 		return true, "", nil
 	}
 
-	glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(),
-		requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource())
+	// Build a detailed log of the denial.
+	// Make the whole block conditional so we don't do a lot of string-building we won't use.
+	if glog.V(2) {
+		var operation string
+		if requestAttributes.IsResourceRequest() {
+			operation = fmt.Sprintf(
+				"%q on \"%v.%v/%v\"",
+				requestAttributes.GetVerb(),
+				requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource(),
+			)
+		} else {
+			operation = fmt.Sprintf("%q nonResourceURL %q", requestAttributes.GetVerb(), requestAttributes.GetPath())
+		}
+
+		var scope string
+		if ns := requestAttributes.GetNamespace(); len(ns) > 0 {
+			scope = fmt.Sprintf("in namespace %q", ns)
+		} else {
+			scope = "cluster-wide"
+		}
+
+		glog.Infof("RBAC DENY: user %q groups %v cannot %s %s", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), operation, scope)
+	}
 
 	reason := ""
 	if ruleResolutionError != nil {
diff --git a/test/e2e/examples.go b/test/e2e/examples.go
index 6c1dfe50b5b..6d9602f6ad9 100644
--- a/test/e2e/examples.go
+++ b/test/e2e/examples.go
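Review bot: The groups are still formatted with `%v` in the final `glog.Infof` while the user name, verb, path and namespace all use `%q`, so a group name containing whitespace or a newline breaks the single-line, unambiguously delimited shape of the denial record this hunk otherwise establishes for log consumers; the nonResourceURL branch does quote the caller-supplied `GetPath()`. Formatting the slice with the same verb keeps every externally-sourced field escaped: `glog.Infof("RBAC DENY: user %q groups %q cannot %s %s", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), operation, scope)`, since `%q` on a `[]string` prints each element quoted and escaped. The body of Authorize begins and ends outside the hunk.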
@@ -75,7 +75,7 @@ var _ = framework.KubeDescribe("[Feature:Example]", func() {
 
 		err := framework.WaitForAuthorizationUpdate(c.Authorization(),
 			serviceaccount.MakeUsername(f.Namespace.Name, "default"),
-			"", "create", schema.GroupResource{Resource: "pods"}, true)
+			f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true)
 		framework.ExpectNoError(err)
 	})
 