From 0836f50dc1c805acc72875974443c2df88b124a2 Mon Sep 17 00:00:00 2001 From: Anton Miniailo Date: Fri, 5 May 2023 13:54:52 -0400 Subject: [PATCH] Add logger to the authorizer. --- constants.go | 3 +++ lib/authz/permissions.go | 10 ++++++++-- lib/service/db.go | 1 + lib/service/desktop.go | 1 + lib/service/kubernetes.go | 1 + lib/service/service.go | 8 ++++++++ 6 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/constants.go b/constants.go
index b5d84d9b96aab..dc31083158696 100644
--- a/constants.go
+++ b/constants.go
@@ -264,6 +264,9 @@ const (
 // ComponentAthena represents athena clients.
 ComponentAthena = "athena"
 
+ // ComponentProxySecureGRPC represents secure gRPC server running on Proxy (used for Kube).
+ ComponentProxySecureGRPC = "proxy:secure-grpc"
+
 // VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level)
 VerboseLogsEnvVar = "TELEPORT_DEBUG"
 
diff --git a/lib/authz/permissions.go b/lib/authz/permissions.go
index ecd204c0538c4..8d98e8db759df 100644
--- a/lib/authz/permissions.go
+++ b/lib/authz/permissions.go
@@ -59,6 +59,7 @@ type AuthorizerOpts struct {
 ClusterName string
 AccessPoint AuthorizerAccessPoint
 LockWatcher *services.LockWatcher
+ Logger logrus.FieldLogger
 
 // DisableDeviceAuthorization disables device authorization via [Authorizer].
 // It is meant for services that do explicit device authorization, like the
@@ -74,10 +75,15 @@ func NewAuthorizer(opts AuthorizerOpts) (Authorizer, error) {
 if opts.AccessPoint == nil {
 return nil, trace.BadParameter("missing parameter accessPoint")
 }
+ logger := opts.Logger
+ if logger == nil {
+ logger = logrus.WithFields(logrus.Fields{trace.Component: "authorizer"})
+ }
 return &authorizer{
 clusterName: opts.ClusterName,
 accessPoint: opts.AccessPoint,
 lockWatcher: opts.LockWatcher,
+ logger: logger,
 disableDeviceAuthorization: opts.DisableDeviceAuthorization,
 }, nil
 }
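Review bot: The new Logger field on AuthorizerOpts has no doc comment, unlike DisableDeviceAuthorization two lines below it, so the fact that it is optional and what the fallback is can only be learned by reading NewAuthorizer. I would add above it: `// Logger is used by the authorizer (e.g. for the IP-pinning check). Optional; when nil, a logger tagged with component "authorizer" is used.` Because the field is an interface, the comment should also tell callers to leave it unset rather than pass a nil *logrus.Entry, since such a value is not replaced by the default. AuthorizerOpts continues past the end of this hunk.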
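Review bot: The `logger == nil` guard in NewAuthorizer only catches an untyped nil; every call site in this patch passes a `*logrus.Entry` (the `log *logrus.Entry` parameters in desktop.go and kubernetes.go show the type), and a nil pointer of that type stored in the FieldLogger interface compares non-nil, so the fallback is skipped and the nil entry is carried into Authorize and handed to CheckIPPinning. If any caller's `log` can be nil, the failure would presumably surface inside the authorization path rather than at construction, which is the worst place for it. If that cannot be ruled out, validate it the way AccessPoint is validated just above: `if e, ok := opts.Logger.(*logrus.Entry); ok && e == nil { return nil, trace.BadParameter("logger must not be a nil *logrus.Entry") }`, or state the requirement on the field's doc comment. NewAuthorizer's signature is only visible in the hunk header, so the function starts outside the hunk.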
@@ -132,6 +138,7 @@ type authorizer struct {
 accessPoint AuthorizerAccessPoint
 lockWatcher *services.LockWatcher
 disableDeviceAuthorization bool
+ logger logrus.FieldLogger
 }
 
 // Context is authorization context
@@ -232,8 +239,7 @@ func (a *authorizer) Authorize(ctx context.Context) (*Context, error) {
 return nil, trace.Wrap(err)
 }
 
- if err := CheckIPPinning(ctx, authContext.Identity.GetIdentity(), authContext.Checker.PinSourceIP(),
- logrus.WithFields(logrus.Fields{trace.Component: "authorizer"})); err != nil {
+ if err := CheckIPPinning(ctx, authContext.Identity.GetIdentity(), authContext.Checker.PinSourceIP(), a.logger); err != nil {
 return nil, trace.Wrap(err)
 }
 
diff --git a/lib/service/db.go b/lib/service/db.go
index 85c5e3bcaf3d1..ff8bee1ce08d3 100644
--- a/lib/service/db.go
+++ b/lib/service/db.go
@@ -100,6 +100,7 @@ func (process *TeleportProcess) initDatabaseService() (retErr error) {
 ClusterName: clusterName,
 AccessPoint: accessPoint,
 LockWatcher: lockWatcher,
+ Logger: log,
 })
 if err != nil {
 return trace.Wrap(err)
diff --git a/lib/service/desktop.go b/lib/service/desktop.go
index b1cef052c2031..e184f1773fd3f 100644
--- a/lib/service/desktop.go
+++ b/lib/service/desktop.go
@@ -156,6 +156,7 @@ func (process *TeleportProcess) initWindowsDesktopServiceRegistered(log *logrus.
 ClusterName: clusterName,
 AccessPoint: accessPoint,
 LockWatcher: lockWatcher,
+ Logger: log,
 // Device authorization breaks browser-based access.
 DisableDeviceAuthorization: true,
 })
diff --git a/lib/service/kubernetes.go b/lib/service/kubernetes.go
index 4ca205e5a1adb..a43a3335ab256 100644
--- a/lib/service/kubernetes.go
+++ b/lib/service/kubernetes.go
@@ -182,6 +182,7 @@ func (process *TeleportProcess) initKubernetesService(log *logrus.Entry, conn *C
 ClusterName: teleportClusterName,
 AccessPoint: accessPoint,
 LockWatcher: lockWatcher,
+ Logger: log,
 })
 if err != nil {
 return trace.Wrap(err)
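Review bot: The IP-pinning check in Authorize now logs through a.logger, so whatever CheckIPPinning emits on a rejected request carries the constructing service's component tag (for example `proxy:secure-grpc` from service.go) instead of the fixed `authorizer` tag the removed lines used; any alerting or dashboards that select those events by component "authorizer" would presumably stop matching without any error. That is worth stating in the commit message, and if a stable selector is wanted regardless of which service ran the check, a field the caller's logger does not set can be kept: `if err := CheckIPPinning(ctx, authContext.Identity.GetIdentity(), authContext.Checker.PinSourceIP(), a.logger.WithField("check", "ip-pinning")); err != nil {`. Authorize begins and ends outside this hunk.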
diff --git a/lib/service/service.go b/lib/service/service.go
index c6b7718403af3..a32b0e7ccef21 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -1701,6 +1701,7 @@ func (process *TeleportProcess) initAuthService() error {
 ClusterName: clusterName,
 AccessPoint: authServer,
 LockWatcher: lockWatcher,
+ Logger: log,
 // Auth Server does explicit device authorization.
 // Various Auth APIs must allow access to unauthorized devices, otherwise it
 // is not possible to acquire device-aware certificates in the first place.
@@ -3891,6 +3892,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 ClusterName: clusterName,
 AccessPoint: accessPoint,
 LockWatcher: lockWatcher,
+ Logger: log,
 })
 if err != nil {
 return trace.Wrap(err)
@@ -4035,6 +4037,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 ClusterName: clusterName,
 AccessPoint: accessPoint,
 LockWatcher: lockWatcher,
+ Logger: log,
 })
 if err != nil {
 return trace.Wrap(err)
@@ -4110,6 +4113,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 ClusterName: clusterName,
 AccessPoint: accessPoint,
 LockWatcher: lockWatcher,
+ Logger: log,
 })
 if err != nil {
 return trace.Wrap(err)
@@ -4855,6 +4859,7 @@ func (process *TeleportProcess) initApps() {
 ClusterName: clusterName,
 AccessPoint: accessPoint,
 LockWatcher: lockWatcher,
+ Logger: log,
 // Device authorization breaks browser-based access.
 DisableDeviceAuthorization: true,
 })
@@ -5496,6 +5501,9 @@ func (process *TeleportProcess) initSecureGRPCServer(cfg initSecureGRPCServerCfg
 ClusterName: clusterName,
 AccessPoint: cfg.accessPoint,
 LockWatcher: cfg.lockWatcher,
+ Logger: process.log.WithFields(logrus.Fields{
+ trace.Component: teleport.Component(teleport.ComponentProxySecureGRPC, process.id),
+ }),
 })
 if err != nil {
 return nil, trace.Wrap(err)
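Review bot: The three authorizers built inside initProxyEndpoint (this hunk and the ones at old lines 4035 and 4110) all receive the identical `log`, so IP-pinning rejections emitted by any of them will be indistinguishable by listener, whereas initSecureGRPCServer at the bottom of the file gets its own `proxy:secure-grpc` component. If those three authorizers guard different proxy endpoints, a derived logger per call, e.g. `Logger: log.WithField("listener", "<endpoint name>")`, would keep the attribution this patch adds elsewhere. initProxyEndpoint starts and ends outside the hunk, and what `log` refers to at that point is not visible here.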