-
Notifications
You must be signed in to change notification settings - Fork 151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Populate XrdSciTokens with more detailed log messages. #1644
Conversation
This introduces configuration-file-controlled tracing of SciTokens- related messages and a number of detailed log messages. As typical, this is controlled by a new config variable: ``` scitokens.trace [level] [level] ... ``` Where level can be one of `all`, `none`, `debug`, `info`, `warning`, or `error`. Roughly, the levels imply: - Error: fatal issue in plugin configuration - Warning: Potentially-problematic configuration or token that is invalid - Info: Informational messages about the plugin. Shouldn't have any logging per-request - Debug: Verbose, per-request details about the tokens. The default is error + warning; debug is not recommended for continuous production settings but is immensely helpful in solving problems.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks OK. Two things: 1) possible mislabeling a message, and 2) I'd prefer you use the new way of compactly handling the config file so we don't have code splatter.
(Just as a quick update - no disagreements with the PR feedback above. I was just on vacation for a week and haven't had time to cycle back to this.) |
Ok, I think the various requested changes are in. Please re-review! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nothing that would stop the merge but three suggestions to improve the code which I would appreciate you revisit and apply the suggested improvements.
@@ -296,7 +391,7 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper | |||
pthread_rwlock_init(&m_config_lock, nullptr); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should consider using XrdSysRWLock as this would be very helpful in debugging lock/unlock problems in the future.
@@ -465,7 +574,7 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper | |||
pthread_rwlock_unlock(&m_config_lock); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
XrdSysRWLock
@@ -602,7 +712,7 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper | |||
auto enf = enforcer_create(token_issuer.c_str(), &m_audiences_array[0], &err_msg); | |||
pthread_rwlock_unlock(&m_config_lock); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
XrdSysRWLock
@@ -636,15 +746,15 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper | |||
auto iter = m_issuers.find(token_issuer); | |||
if (iter == m_issuers.end()) { | |||
pthread_rwlock_unlock(&m_config_lock); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
XrdSysRWLock
@@ -636,15 +746,15 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper | |||
auto iter = m_issuers.find(token_issuer); | |||
if (iter == m_issuers.end()) { | |||
pthread_rwlock_unlock(&m_config_lock); | |||
m_log.Emsg("GenerateAcls", "Authorized issuer without a config."); | |||
m_log.Log(LogMask::Warning, "GenerateAcls", "Authorized issuer without a config."); | |||
scitoken_destroy(token); | |||
return false; | |||
} | |||
const auto &config = iter->second; | |||
value = nullptr; | |||
if (scitoken_get_claim_string(token, "sub", &value, &err_msg)) { | |||
pthread_rwlock_unlock(&m_config_lock); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
XrdSysRWLock
@@ -942,7 +1093,7 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper | |||
} | |||
|
|||
if (issuers.empty()) { | |||
m_log.Emsg("Reconfig", "No issuers configured."); | |||
m_log.Log(LogMask::Warning, "Reconfig", "No issuers configured."); | |||
} | |||
|
|||
pthread_rwlock_wrlock(&m_config_lock); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
XrdSysRWLock
@@ -87,6 +122,46 @@ XrdAccPrivs AddPriv(Access_Operation op, XrdAccPrivs privs) | |||
return static_cast<XrdAccPrivs>(new_privs); | |||
} | |||
|
|||
const std::string OpToName(Access_Operation op) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Likely this should be made a generic utility in XrdAcc as another implementation of the same thing exists there. Something to put in the todo list.
@@ -29,6 +32,38 @@ XrdVERSIONINFO(XrdAccAuthorizeObjAdd, XrdAccSciTokens); | |||
|
|||
namespace { | |||
|
|||
enum LogMask { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has gotten a life of its own and I see the same implementation in three other modules (XrdMacaroonsHandler.hh, XrdTpcTPC.hh, and XrdVomsMapfile.hh) making this the fourth sych implementation. Shouldn't this be abstracted into a utility function?
… more detailed log messages") git-svn-id: https://vdt.cs.wisc.edu/svn/native/redhat/branches/osg-3.6@27029 4e558342-562e-0410-864c-e07659590f8c
This introduces configuration-file-controlled tracing of SciTokens-related messages and a number of detailed log messages.
As typical, this is controlled by a new config variable:
Where level can be one of
all
,none
,debug
,info
,warning
, orerror
.Roughly, the levels imply:
The default is error + warning; debug is not recommended for continuous production settings but is immensely helpful in solving problems.