From aa90f2598ae9b5bb1ef9676ecb68f951ada6599a Mon Sep 17 00:00:00 2001 From: Florent Poinsard Date: Tue, 21 Sep 2021 07:52:05 +0200 Subject: [PATCH] Addition of user's groups in ACL Check error Signed-off-by: Florent Poinsard --- go/vt/vttablet/tabletserver/query_executor.go | 6 +++++- go/vt/vttablet/tabletserver/query_executor_test.go | 6 ++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/go/vt/vttablet/tabletserver/query_executor.go b/go/vt/vttablet/tabletserver/query_executor.go index 8994ab22901..38b2e30f312 100644 --- a/go/vt/vttablet/tabletserver/query_executor.go +++ b/go/vt/vttablet/tabletserver/query_executor.go @@ -444,7 +444,11 @@ func (qre *QueryExecutor) checkAccess(authorized *tableacl.ACLResult, tableName } if qre.tsv.qe.strictTableACL { - errStr := fmt.Sprintf("%s command denied to user '%s' for table '%s' (ACL check error)", qre.plan.PlanID.String(), callerID.Username, tableName) + groupStr := "" + if len(callerID.Groups) > 0 { + groupStr = fmt.Sprintf(", in groups [%s],", strings.Join(callerID.Groups, ", ")) + } + errStr := fmt.Sprintf("%s command denied to user '%s'%s for table '%s' (ACL check error)", qre.plan.PlanID.String(), callerID.Username, groupStr, tableName) qre.tsv.Stats().TableaclDenied.Add(statsKey, 1) qre.tsv.qe.accessCheckerLogger.Infof("%s", errStr) return vterrors.Errorf(vtrpcpb.Code_PERMISSION_DENIED, "%s", errStr) diff --git a/go/vt/vttablet/tabletserver/query_executor_test.go b/go/vt/vttablet/tabletserver/query_executor_test.go index 56c1c4b32ce..ce5a0b5c26d 100644 --- a/go/vt/vttablet/tabletserver/query_executor_test.go +++ b/go/vt/vttablet/tabletserver/query_executor_test.go @@ -822,6 +822,7 @@ func TestQueryExecutorMessageStreamACL(t *testing.T) { callerID = &querypb.VTGateCallerID{ Username: "u2", + Groups: []string{"non-admin"}, } qre.ctx = callerid.NewContext(context.Background(), nil, callerID) // Should fail because u2 does not have permission. @@ -829,7 +830,7 @@ func TestQueryExecutorMessageStreamACL(t *testing.T) { return io.EOF }) - assert.EqualError(t, err, `MessageStream command denied to user 'u2' for table 'msg' (ACL check error)`) + assert.EqualError(t, err, `MessageStream command denied to user 'u2', in groups [non-admin], for table 'msg' (ACL check error)`) if code := vterrors.Code(err); code != vtrpcpb.Code_PERMISSION_DENIED { t.Fatalf("qre.Execute: %v, want %v", code, vtrpcpb.Code_PERMISSION_DENIED) } @@ -1009,6 +1010,7 @@ func TestQueryExecutorTableAclExemptACL(t *testing.T) { username := "u2" callerID := &querypb.VTGateCallerID{ Username: username, + Groups: []string{"eng", "beta"}, } ctx := callerid.NewContext(context.Background(), nil, callerID) @@ -1034,7 +1036,7 @@ func TestQueryExecutorTableAclExemptACL(t *testing.T) { if code := vterrors.Code(err); code != vtrpcpb.Code_PERMISSION_DENIED { t.Fatalf("qre.Execute: %v, want %v", code, vtrpcpb.Code_PERMISSION_DENIED) } - assert.EqualError(t, err, `Select command denied to user 'u2' for table 'test_table' (ACL check error)`) + assert.EqualError(t, err, `Select command denied to user 'u2', in groups [eng, beta], for table 'test_table' (ACL check error)`) // table acl should be ignored since this is an exempt user. username = "exempt-acl"