Merge pull request #13151 from zhongwencool/authz-trace-log
chore: make authz's logs easier to understand
commit
a8a67a2ac9
|
@ -486,8 +486,8 @@ source_for_logging(Type, _) ->
|
||||||
|
|
||||||
do_authorize(_Client, _PubSub, _Topic, []) ->
|
do_authorize(_Client, _PubSub, _Topic, []) ->
|
||||||
nomatch;
|
nomatch;
|
||||||
do_authorize(Client, PubSub, Topic, [#{enable := false} | Rest]) ->
|
do_authorize(Client, PubSub, Topic, [#{enable := false} | Tail]) ->
|
||||||
do_authorize(Client, PubSub, Topic, Rest);
|
do_authorize(Client, PubSub, Topic, Tail);
|
||||||
do_authorize(
|
do_authorize(
|
||||||
#{
|
#{
|
||||||
username := Username
|
username := Username
|
||||||
|
@ -501,16 +501,8 @@ do_authorize(
|
||||||
try Module:authorize(Client, PubSub, Topic, Connector) of
|
try Module:authorize(Client, PubSub, Topic, Connector) of
|
||||||
nomatch ->
|
nomatch ->
|
||||||
emqx_metrics_worker:inc(authz_metrics, Type, nomatch),
|
emqx_metrics_worker:inc(authz_metrics, Type, nomatch),
|
||||||
?TRACE("AUTHZ", "authorization_module_nomatch", #{
|
?TRACE("AUTHZ", "authorization_nomatch", #{
|
||||||
module => Module,
|
authorize_type => Type,
|
||||||
username => Username,
|
|
||||||
topic => Topic,
|
|
||||||
action => emqx_access_control:format_action(PubSub)
|
|
||||||
}),
|
|
||||||
do_authorize(Client, PubSub, Topic, Tail);
|
|
||||||
%% {matched, allow | deny | ignore}
|
|
||||||
{matched, ignore} ->
|
|
||||||
?TRACE("AUTHZ", "authorization_module_match_ignore", #{
|
|
||||||
module => Module,
|
module => Module,
|
||||||
username => Username,
|
username => Username,
|
||||||
topic => Topic,
|
topic => Topic,
|
||||||
|
@ -518,15 +510,40 @@ do_authorize(
|
||||||
}),
|
}),
|
||||||
do_authorize(Client, PubSub, Topic, Tail);
|
do_authorize(Client, PubSub, Topic, Tail);
|
||||||
ignore ->
|
ignore ->
|
||||||
?TRACE("AUTHZ", "authorization_module_ignore", #{
|
?TRACE("AUTHZ", "authorization_ignore", #{
|
||||||
|
authorize_type => Type,
|
||||||
module => Module,
|
module => Module,
|
||||||
username => Username,
|
username => Username,
|
||||||
topic => Topic,
|
topic => Topic,
|
||||||
action => emqx_access_control:format_action(PubSub)
|
action => emqx_access_control:format_action(PubSub)
|
||||||
}),
|
}),
|
||||||
do_authorize(Client, PubSub, Topic, Tail);
|
do_authorize(Client, PubSub, Topic, Tail);
|
||||||
%% {matched, allow | deny}
|
{matched, ignore} ->
|
||||||
Matched ->
|
?TRACE("AUTHZ", "authorization_matched_ignore", #{
|
||||||
|
authorize_type => Type,
|
||||||
|
module => Module,
|
||||||
|
username => Username,
|
||||||
|
topic => Topic,
|
||||||
|
action => emqx_access_control:format_action(PubSub)
|
||||||
|
}),
|
||||||
|
do_authorize(Client, PubSub, Topic, Tail);
|
||||||
|
{matched, allow} = Matched ->
|
||||||
|
?TRACE("AUTHZ", "authorization_matched_allow", #{
|
||||||
|
authorize_type => Type,
|
||||||
|
module => Module,
|
||||||
|
username => Username,
|
||||||
|
topic => Topic,
|
||||||
|
action => emqx_access_control:format_action(PubSub)
|
||||||
|
}),
|
||||||
|
{Matched, Type};
|
||||||
|
{matched, deny} = Matched ->
|
||||||
|
?TRACE("AUTHZ", "authorization_matched_deny", #{
|
||||||
|
authorize_type => Type,
|
||||||
|
module => Module,
|
||||||
|
username => Username,
|
||||||
|
topic => Topic,
|
||||||
|
action => emqx_access_control:format_action(PubSub)
|
||||||
|
}),
|
||||||
{Matched, Type}
|
{Matched, Type}
|
||||||
catch
|
catch
|
||||||
Class:Reason:Stacktrace ->
|
Class:Reason:Stacktrace ->
|
||||||
|
|
|
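Review bot: Replacing the catch-all `Matched ->` with the explicit `{matched, allow}` and `{matched, deny}` clauses leaves no clause for any other term returned by `Module:authorize/4`, so such a value now raises `try_clause`. That error is raised in the `of` section, which the `catch` of the same `try` does not protect, so it would bypass the `Class:Reason:Stacktrace` handler at the end of the hunk and propagate to the caller of do_authorize. If source modules can come from plugins or other code outside this application, add a final clause that records the unexpected value and makes the outcome explicit, for example `Other -> ?TRACE("AUTHZ", "authorization_unexpected_result", #{authorize_type => Type, module => Module, result => Other}), do_authorize(Client, PubSub, Topic, Tail)`. Whether to continue with `Tail` or to deny is a policy choice for the maintainers. The body of do_authorize starts before the hunk and continues past it.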
@ -19,7 +19,7 @@
|
||||||
-type source_type() :: atom().
|
-type source_type() :: atom().
|
||||||
-type source() :: #{type => source_type(), _ => _}.
|
-type source() :: #{type => source_type(), _ => _}.
|
||||||
-type raw_source() :: map().
|
-type raw_source() :: map().
|
||||||
-type match_result() :: {matched, allow} | {matched, deny} | nomatch.
|
-type match_result() :: {matched, allow | deny | ignore} | nomatch | ignore.
|
||||||
|
|
||||||
-export_type([
|
-export_type([
|
||||||
source_type/0,
|
source_type/0,
|
||||||
|
|
|
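Review bot: The widened `match_result()` type has no comment explaining how its three non-final results, `nomatch`, `ignore` and `{matched, ignore}`, differ. Authors of a source module need that to choose a return value, because the choice decides whether evaluation stops or moves on to the next source. A comment above the type would cover it, e.g. `%% nomatch | ignore | {matched, ignore}: continue with the next source; {matched, allow | deny}: final decision`. The difference between `nomatch` and `ignore` is inferred from the other hunks of this commit (only `nomatch` is counted in metrics there) and should be confirmed by the author.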
@ -59,10 +59,10 @@ update(Source) ->
|
||||||
|
|
||||||
destroy(_Source) -> ok.
|
destroy(_Source) -> ok.
|
||||||
|
|
||||||
%% @doc Authorize based on cllientinfo enriched with `acl' data.
|
%% @doc Authorize based on client info enriched with `acl' data.
|
||||||
%% e.g. From JWT.
|
%% e.g. From JWT.
|
||||||
%%
|
%%
|
||||||
%% Supproted rules formats are:
|
%% Supported rules formats are:
|
||||||
%%
|
%%
|
||||||
%% v1: (always deny when no match)
|
%% v1: (always deny when no match)
|
||||||
%%
|
%%
|
||||||
|
@ -116,7 +116,7 @@ authorize(#{acl := Acl} = Client, PubSub, Topic, _Source) ->
|
||||||
MatchResult
|
MatchResult
|
||||||
end;
|
end;
|
||||||
authorize(_Client, _PubSub, _Topic, _Source) ->
|
authorize(_Client, _PubSub, _Topic, _Source) ->
|
||||||
nomatch.
|
ignore.
|
||||||
|
|
||||||
%%--------------------------------------------------------------------
|
%%--------------------------------------------------------------------
|
||||||
%% Internal functions
|
%% Internal functions
|
||||||
|
|
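Review bot: Returning `ignore` from the fallback `authorize/4` clause means clients without `acl` data no longer reach the `nomatch` branch of do_authorize, the only branch shown in this commit that calls `emqx_metrics_worker:inc(authz_metrics, Type, nomatch)`. The `ignore` branch only emits a trace. Any dashboard or alert built on the nomatch counter for this source will therefore drop after the change, which is worth stating in the change log or pairing with an `ignore` counter. A short comment on the clause would also record the intent, e.g. `%% No acl in client info: this source does not apply; traced as ignore, not counted as nomatch`. The earlier clauses of `authorize/4` start outside the hunk.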