Add debug log when encounters permission check failure (opensearch-pr…

…oject#125) * Add debug log when encounters permission check failure Signed-off-by: gaobinlong <gbinlong@amazon.com> * Use template string for debug log Signed-off-by: gaobinlong <gbinlong@amazon.com> * Only log saved object which have no permission Signed-off-by: gaobinlong <gbinlong@amazon.com> --------- Signed-off-by: gaobinlong <gbinlong@amazon.com>
Hailong-am · Sep 15, 2023 · 8fe771c · 8fe771c
1 parent d17a233
commit 8fe771c
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 17 deletions.
diff --git a/src/core/server/saved_objects/permission_control/client.ts b/src/core/server/saved_objects/permission_control/client.ts
@@ -8,6 +8,7 @@ import { ensureRawRequest } from '../../http/router';
 import { SavedObjectsServiceStart } from '../saved_objects_service';
 import { SavedObjectsBulkGetObject, SavedObjectsRepository, SavedObjectsUtils } from '../service';
 import { ACL, Principals, TransformedPermission, PrincipalType } from './acl';
+import { Logger } from '../../logging';
 
 export type SavedObjectsPermissionControlContract = Pick<
   SavedObjectsPermissionControl,
@@ -22,10 +23,16 @@ export interface AuthInfo {
 }
 
 export class SavedObjectsPermissionControl {
+  private readonly logger: Logger;
   private createInternalRepository?: SavedObjectsServiceStart['createInternalRepository'];
   private getInternalRepository() {
     return this.createInternalRepository?.();
   }
+
+  constructor(logger: Logger) {
+    this.logger = logger;
+  }
+
   public getPrincipalsFromRequest(request: OpenSearchDashboardsRequest): Principals {
     const rawRequest = ensureRawRequest(request);
     const authInfo = rawRequest?.auth?.credentials?.authInfo as AuthInfo | null;
@@ -85,27 +92,56 @@ export class SavedObjectsPermissionControl {
     permissionModes: SavedObjectsPermissionModes
   ) {
     const savedObjectsGet = await this.bulkGetSavedObjects(request, savedObjects);
-    if (savedObjectsGet) {
-      const principals = this.getPrincipalsFromRequest(request);
-      const hasAllPermission = savedObjectsGet.every((item) => {
-        // for object that doesn't contain ACL like config, return true
-        if (!item.permissions) {
-          return true;
-        }
-        const aclInstance = new ACL(item.permissions);
-        return aclInstance.hasPermission(permissionModes, principals);
-      });
+    if (!savedObjectsGet) {
+      return {
+        success: false,
+        error: i18n.translate('savedObjects.permission.notFound', {
+          defaultMessage: 'Can not find target saved objects.',
+        }),
+      };
+    }
+
+    if (savedObjectsGet.length === 1 && !!savedObjectsGet[0].error) {
       return {
-        success: true,
-        result: hasAllPermission,
+        success: false,
+        error: savedObjectsGet[0].error,
       };
     }
 
+    const principals = this.getPrincipalsFromRequest(request);
+    let savedObjectsBasicInfo: any[] = [];
+    const hasAllPermission = savedObjectsGet.every((item) => {
+      // for object that doesn't contain ACL like config, return true
+      if (!item.permissions) {
+        return true;
+      }
+      const aclInstance = new ACL(item.permissions);
+      const hasPermission = aclInstance.hasPermission(permissionModes, principals);
+      if (!hasPermission) {
+        savedObjectsBasicInfo = [
+          ...savedObjectsBasicInfo,
+          {
+            id: item.id,
+            type: item.type,
+            workspaces: item.workspaces,
+            permissions: item.permissions,
+          },
+        ];
+      }
+      return hasPermission;
+    });
+    if (!hasAllPermission) {
+      this.logger.debug(
+        `Authorization failed, principals: ${JSON.stringify(
+          principals
+        )} has no [${permissionModes}] permissions on the requested saved object: ${JSON.stringify(
+          savedObjectsBasicInfo
+        )}`
+      );
+    }
     return {
-      success: false,
-      error: i18n.translate('savedObjects.permission.notFound', {
-        defaultMessage: 'Can not find target saved objects.',
-      }),
+      success: true,
+      result: hasAllPermission,
     };
   }
 

diff --git a/src/core/server/saved_objects/saved_objects_service.ts b/src/core/server/saved_objects/saved_objects_service.ts
@@ -349,7 +349,7 @@ export class SavedObjectsService
       migratorPromise: this.migrator$.pipe(first()).toPromise(),
     });
 
-    this.permissionControl = new SavedObjectsPermissionControl();
+    this.permissionControl = new SavedObjectsPermissionControl(this.logger);
 
     registerPermissionCheckRoutes({
       http: setupDeps.http,