[#1574] container: Introduce debug logging for APE check failures

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2025-02-25 16:27:47 +03:00 · 2025-02-25 16:27:47 +03:00 · bd30e4838f
commit bd30e4838f
parent 6b2bce21d1
2 changed files with 28 additions and 9 deletions
--- a/cmd/frostfs-node/container.go
+++ b/cmd/frostfs-node/container.go
@ -56,7 +56,7 @@ func initContainerService(_ context.Context, c *cfg) {
 	)
 	service := containerService.NewSignService(
 		&c.key.PrivateKey,
-		containerService.NewAPEServer(defaultChainRouter, cnrRdr,
+		containerService.NewAPEServer(c.log, defaultChainRouter, cnrRdr,
 			newCachedIRFetcher(createInnerRingFetcher(c)), c.netMapSource, c.shared.frostfsidClient,
 			containerService.NewSplitterService(
 				c.cfgContainer.containerBatchSize, c.respSvc,
--- a/pkg/services/container/ape.go
+++ b/pkg/services/container/ape.go
@ -12,10 +12,13 @@ import (
 	"net"
 	"strings"

+	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"
 	aperequest "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/request"
 	containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
 	frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
+	apecommon "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/common/ape"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
@ -31,6 +34,7 @@ import (
 	commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
 	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"go.uber.org/zap"
 	"google.golang.org/grpc/peer"
 )

@ -57,6 +61,7 @@ type containers interface {
 }

 type apeChecker struct {
+	logger *logger.Logger
 	router policyengine.ChainRouter
 	reader containers
 	ir     ir
@ -67,8 +72,9 @@ type apeChecker struct {
 	next Server
 }

-func NewAPEServer(router policyengine.ChainRouter, reader containers, ir ir, nm netmap.Source, frostFSIDClient frostfsidcore.SubjectProvider, srv Server) Server {
+func NewAPEServer(logger *logger.Logger, router policyengine.ChainRouter, reader containers, ir ir, nm netmap.Source, frostFSIDClient frostfsidcore.SubjectProvider, srv Server) Server {
 	return &apeChecker{
+		logger:          logger,
 		router:          router,
 		reader:          reader,
 		ir:              ir,
@ -172,7 +178,10 @@ func (ac *apeChecker) List(ctx context.Context, req *container.ListRequest) (*co
 		return ac.next.List(ctx, req)
 	}

-	return nil, apeErr(nativeschema.MethodListContainers, s)
+	chRouterErr := apecommon.NewChainRouterError(rt, request, s)
+	ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
+
+	return nil, apeErr(chRouterErr)
 }

 func (ac *apeChecker) ListStream(req *container.ListStreamRequest, stream ListStream) error {
@ -245,7 +254,10 @@ func (ac *apeChecker) ListStream(req *container.ListStreamRequest, stream ListSt
 		return ac.next.ListStream(req, stream)
 	}

-	return apeErr(nativeschema.MethodListContainers, s)
+	chRouterErr := apecommon.NewChainRouterError(rt, request, s)
+	ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
+
+	return apeErr(chRouterErr)
 }

 func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*container.PutResponse, error) {
@ -318,7 +330,10 @@ func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*cont
 		return ac.next.Put(ctx, req)
 	}

-	return nil, apeErr(nativeschema.MethodPutContainer, s)
+	chRouterErr := apecommon.NewChainRouterError(rt, request, s)
+	ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
+
+	return nil, apeErr(chRouterErr)
 }

 func (ac *apeChecker) getRoleWithoutContainerID(ctx context.Context, oID *refs.OwnerID, mh *session.RequestMetaHeader, vh *session.RequestVerificationHeader) (string, *keys.PublicKey, error) {
@ -400,8 +415,9 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con
 		reqProps,
 	)

+	rt := policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups)
 	s, found, err := ac.router.IsAllowed(apechain.Ingress,
-		policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups),
+		rt,
 		request)
 	if err != nil {
 		return err
@ -411,12 +427,15 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con
 		return nil
 	}

-	return apeErr(op, s)
+	chRouterErr := apecommon.NewChainRouterError(rt, request, s)
+	ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
+
+	return apeErr(chRouterErr)
 }

-func apeErr(operation string, status apechain.Status) error {
+func apeErr(err error) error {
 	errAccessDenied := &apistatus.ObjectAccessDenied{}
-	errAccessDenied.WriteReason(fmt.Sprintf("access to container operation %s is denied by access policy engine: %s", operation, status.String()))
+	errAccessDenied.WriteReason(err.Error())
 	return errAccessDenied
 }