Commit 38a023a9 authored by Fabrizio Furano's avatar Fabrizio Furano
Browse files

Better logging of the checkPermission decisions

parent 70cef557
......@@ -113,7 +113,7 @@ DmStatus mkdirminuspandcreate(SecurityContext ctx, DomeMySql &sql,
// But first check the permissions
// Need to be able to write to the parent
if (checkPermissions(&ctx, parentstat.acl, parentstat.stat, S_IWRITE) != 0)
return DmStatus(EPERM, SSTR("Need write access on '" << parentpath << "'"));
return DmStatus(EPERM, SSTR("Need write access on '" << parentpath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
while (!todo.empty()) {
std::string p = todo.back();
......@@ -273,7 +273,7 @@ int DomeCore::dome_put(DomeReq &req, bool &success, struct DomeFsInfo *dest,
}
// Need to be able to read the parent
if (checkPermissions(&ctx, parent.acl, parent.stat, S_IWRITE) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Need WRITE access on '" << parentPath << "'"));
return req.DomeReq::SendSimpleResp(403, SSTR("Need WRITE access on '" << parentPath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
}
......@@ -949,7 +949,7 @@ int DomeCore::dome_create(DomeReq &req)
DmStatus ret = sql.getParent(parent, path, parentPath, name);
// Need to be able to write to the parent
if (checkPermissions(&ctx, parent.acl, parent.stat, S_IWRITE) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Need write access on '" << parentPath << "'"));
return req.DomeReq::SendSimpleResp(403, SSTR("Need write access on '" << parentPath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
ExtendedStat fstat;
// Check that the file does not exist, or it has no replicas. The query by parent fileid is faster
......@@ -1013,7 +1013,7 @@ int DomeCore::dome_create(DomeReq &req)
else {
if (ctx.user.getUnsigned("uid") != fstat.stat.st_uid &&
checkPermissions(&ctx, fstat.acl, fstat.stat, S_IWRITE) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions to truncate '" << path << "'"));
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions to truncate '" << path << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
sql.setSize(fstat.stat.st_ino, 0);
}
......@@ -2613,7 +2613,7 @@ int DomeCore::dome_get(DomeReq &req) {
}
// Need to be able to read the parent
if (checkPermissions(&ctx, parent.acl, parent.stat, S_IREAD) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Need READ access on '" << parentPath << "'"));
return req.DomeReq::SendSimpleResp(403, SSTR("Need READ access on '" << parentPath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
}
......@@ -3608,10 +3608,9 @@ int DomeCore::dome_delreplica(DomeReq &req) {
return req.DomeReq::SendSimpleResp(403, SSTR("Permission denied on fileid " << xstat.stat.st_ino
<< " of rfn: '" << rep.rfn << "' err: " << ret.code() << " what: '" << ret.what() << "'"));
}
if (checkPermissions(&ctx, xstat.acl, xstat.stat, S_IWRITE) != 0)
if (!ret.ok()) {
if (checkPermissions(&ctx, xstat.acl, xstat.stat, S_IWRITE) != 0) {
return req.DomeReq::SendSimpleResp(403, SSTR("Cannot modify file " << xstat.stat.st_ino
<< " of rfn: '" << rep.rfn << "' err: " << ret.code() << " what: '" << ret.what() << "'"));
<< " of rfn: '" << rep.rfn << "' err: " << ret.code() << " what: '" << ret.what() << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
}
......@@ -4488,7 +4487,7 @@ int DomeCore::dome_getdir(DomeReq &req) {
}
// Need to be able to read the parent
if (checkPermissions(&ctx, parent.acl, parent.stat, S_IREAD | S_IEXEC) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Need READ access on '" << parentPath << "'"));
return req.DomeReq::SendSimpleResp(403, SSTR("Need READ access on '" << parentPath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
}
......@@ -5344,7 +5343,7 @@ int DomeCore::dome_removedir(DomeReq &req) {
else {
// No sticky bit
if (checkPermissions(&ctx, parent.acl, parent.stat, S_IWRITE) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions to remove " << path));
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions to remove '" << path << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
}
ret = sql.unlink(entry.stat.st_ino);
......@@ -5401,17 +5400,17 @@ int DomeCore::dome_rename(DomeReq &req) {
// Need write permissions in both origin and destination
if (checkPermissions(&ctx, oldParent.acl, oldParent.stat, S_IWRITE) != 0)
return req.DomeReq::SendSimpleResp(403,
SSTR("Not enough permissions on origin path '" << oldParentPath << "'"));
SSTR("Not enough permissions on origin path '" << oldParentPath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
if (checkPermissions(&ctx, newParent.acl, newParent.stat, S_IWRITE) != 0)
return req.DomeReq::SendSimpleResp(403,
SSTR("Not enough permissions on destination path '" << newParentPath << "'"));
SSTR("Not enough permissions on destination path '" << newParentPath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
// If source is a directory, need write permissions there too
if (S_ISDIR(old.stat.st_mode)) {
if (checkPermissions(&ctx, old.acl, old.stat, S_IWRITE) != 0)
return req.DomeReq::SendSimpleResp(403,
SSTR("Not enough permissions on path '" << oldPath << "'"));
SSTR("Not enough permissions on path '" << oldPath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
// AND destination can not be a child
ExtendedStat aux = newParent;
......@@ -5774,7 +5773,7 @@ int DomeCore::dome_setsize(DomeReq &req) {
if (ctx.user.getUnsigned("uid") != meta.stat.st_uid &&
checkPermissions(&ctx, meta.acl, meta.stat, S_IWRITE) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Can not set the size of '" << path << "'"));
return req.DomeReq::SendSimpleResp(403, SSTR("Can not set the size of '" << path << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
DmStatus dmst = sql.setSize(meta.stat.st_ino, newSize);
if (dmst.ok())
......@@ -5813,7 +5812,7 @@ int DomeCore::dome_symlink(DomeReq &req) {
// Check we have write access for the parent
if (checkPermissions(&ctx, parent.acl, parent.stat, S_IWRITE | S_IEXEC) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions on '" << parentPath << "'"));
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions on '" << parentPath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
// Effective gid
gid_t egid;
......@@ -5896,7 +5895,7 @@ int DomeCore::dome_unlink(DomeReq &req) {
// Check we have write access for the parent
if (checkPermissions(&ctx, parent.acl, parent.stat, S_IEXEC) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions to list on '" << parentPath << "'"));
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions to list on '" << parentPath << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
ExtendedStat file;
ret = sql.getStatbyParentFileid(file, parent.stat.st_ino, name);
......@@ -5925,7 +5924,7 @@ int DomeCore::dome_unlink(DomeReq &req) {
} else {
// No sticky bit
if (checkPermissions(&ctx, parent.acl, parent.stat, S_IWRITE) != 0)
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions to unlink '" << path << "'"));
return req.DomeReq::SendSimpleResp(403, SSTR("Not enough permissions to unlink '" << path << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
}
}
......@@ -6147,7 +6146,7 @@ int DomeCore::dome_updatereplica(DomeReq &req) {
if (checkPermissions(&ctx, meta.acl, meta.stat, S_IWRITE) != 0)
if (!ret.ok()) {
return req.DomeReq::SendSimpleResp(403, SSTR("Cannot modify fileid " << rdata.fileid
<< " of rfn: '" << r.rfn << "' err: " << ret.code() << " what: '" << ret.what() << "'"));
<< " of rfn: '" << r.rfn << "' err: " << ret.code() << " what: '" << ret.what() << "' msg: '" << ctx.AuthNprocessing_msg << "'"));
}
// Note, we can't modify the ids
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment