Merge "Fully log RBAC enforcement data"

Zuul 2018-12-03 23:31:44 +00:00 committed by Gerrit Code Review
commit f1505dd407
2 changed files with 33 additions and 0 deletions


@ -230,6 +230,7 @@ import warnings
from oslo_config import cfg
from oslo_context import context
from oslo_serialization import jsonutils
from oslo_utils import strutils
import six
import yaml
@ -838,6 +839,37 @@ class Enforcer(object):
)
raise InvalidContextObject(msg)
if LOG.isEnabledFor(logging.DEBUG):
try:
# NOTE(jdennis) Although a MutableMapping behaves like
# a dict oslo.strutils.mask_dict_password() requires a
# dict. Bug #1804528 was opened to fix this, once that
# bug is fixed the conversion to dict can be removed.
if isinstance(creds, dict):
creds_dict = creds
elif isinstance(creds, collections.MutableMapping):
creds_dict = dict(creds)
else:
raise TypeError('unexpected type %(creds_type)s' %
{'creds_type': type(creds)})
creds_dict = strutils.mask_dict_password(creds_dict)
creds_msg = jsonutils.dumps(creds_dict,
skipkeys=True, sort_keys=True)
except Exception as e:
creds_msg = ('cannot format data, exception: %(exp)s' %
{'exp': e})
try:
target_msg = jsonutils.dumps(target,
skipkeys=True, sort_keys=True)
except Exception as e:
target_msg = ('cannot format data, exception: %(exp)s' %
{'exp': e})
LOG.debug('enforce: rule=%s creds=%s target=%s',
rule.__class__ if isinstance(rule, _checks.BaseCheck)
else '"%s"' % rule, creds_msg, target_msg)
# Allow the rule to be a Check tree
if isinstance(rule, _checks.BaseCheck):
# If the thing we're given is a Check, we don't know the
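Review bot: In the added debug block, `target` is serialized with `jsonutils.dumps` as-is, while `creds` goes through `strutils.mask_dict_password` first, so any secret-bearing field a caller places in the target would reach the debug log unmasked. Whether targets carry such fields depends on callers that are not visible in this hunk. Applying the same masking where the type allows would close the gap: `target_msg = jsonutils.dumps(strutils.mask_dict_password(target) if isinstance(target, dict) else target, skipkeys=True, sort_keys=True)`. A short comment above the `LOG.debug` call, such as `# NOTE: masking is key-name based; treat debug logs of enforcement data as sensitive`, would also help operators. The enclosing method starts and ends outside this hunk.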


@ -773,6 +773,7 @@ class EnforcerTest(base.PolicyBaseTestCase):
@mock.patch.object(policy.Enforcer, '_map_context_attributes_into_creds')
def test_enforcer_call_map_context_attributes(self, map_mock):
map_mock.return_value = {}
rule = policy.RuleDefault(name='fake_rule', check_str='role:test')
self.enforcer.register_default(rule)