Google Git
Sign in
gerrit / gerrit / 35b6f4acce48315f0840e2ff9d4051245dd9a6cd
commit35b6f4acce48315f0840e2ff9d4051245dd9a6cd[log] [tgz]
authorEdwin Kempin <ekempin@google.com>Fri Feb 14 13:33:45 2020 +0100
committerEdwin Kempin <ekempin@google.com>Fri Oct 02 12:43:50 2020 +0200
treea045a034e40c4da54bc3555e47f9c6a86b1785a7
parentf854f1897ee2c6536157d227c1cc5f9ba09011a1 [diff]
CheckAccess: Return ACL debug logs

A very common support issue is helping users to find out which
permissions they are missing in order to perform a certain operation.

To let host admin investigate such issues the CheckAccess REST endpoint
has been added, however often it doesn't provide enough information for
host admins to understand why a permission is denied or allowed.

If a request is traced detailed information about which ACL rule
denied/granted the permission is available in the trace, but it requires
a server admin to look at the trace.

This change makes the logs that are relevant for ACLs available to
callers of the CheckAccess REST endpoint. It's okay to return these logs
from this REST endpoint since it requires the global Check Access
capability which should only be granted to trusted users (aka host
admins).

To make ACL logs available to the CheckAccess REST endpoint they are
collected in memory in the LoggingContext, similar to how the
LoggingContext stores performance logs. After triggering permission
checks, the CheckAccess REST endpoint can retrieve the ACL logs from the
LoggingContext and include them into the response to the client.

The collection of ACL log records is only enabled for the CheckAccess
REST endpoint, and is disabled for any other REST endpoint.

I tried to add a new method to the fluent logging API that allows to
send a log into the server logs and into the ACL logs at the same time,
e.g. logger.atFine().includeIntoAclLog().log(...) but it turned out that
this is not possible with Flogger (we can add new methods to the logging
API, but we have no access to the logged message to send it to the
LoggingContext). Anyway it turned out that for the permission checks the
message that we want to log in the server logs and the message that we
want to include into the ACL logs is slightly different, so that we
wouldn't have benefited much from such a new method in the logging API.

Change-Id: If82eb586272adecda445949989a314614cdd1072
Signed-off-by: Edwin Kempin <ekempin@google.com>
10 files changed
tree: a045a034e40c4da54bc3555e47f9c6a86b1785a7
  1. .settings/
  2. .ts-out/
  3. antlr3/
  4. contrib/
  5. Documentation/
  6. e2e-tests/
  7. java/
  8. javatests/
  9. lib/
  10. modules/
  11. plugins/
  12. polygerrit-ui/
  13. prolog/
  14. prologtests/
  15. proto/
  16. resources/
  17. tools/
  18. webapp/
  19. polymer-bridges
  20. .bazelignore
  21. .bazelproject
  22. .bazelrc
  23. .bazelversion
  24. .editorconfig
  25. .git-blame-ignore-revs
  26. .gitignore
  27. .gitmodules
  28. .gitreview
  29. .mailmap
  30. .pydevproject
  31. .zuul.yaml
  32. BUILD
  33. COPYING
  34. INSTALL
  35. Jenkinsfile
  36. package.json
  37. README.md
  38. SUBMITTING_PATCHES
  39. version.bzl
  40. WORKSPACE
  41. yarn.lock
README.md

Gerrit Code Review

Gerrit is a code review and project management tool for Git based projects.

Build Status Maven Central

Objective

Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.

Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.

Documentation

For information about how to install and use Gerrit, refer to the documentation.

Source

Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.

Reporting bugs

Please report bugs on the issue tracker.

Contribute

Gerrit is the work of hundreds of contributors. We appreciate your help!

Please read the contribution guidelines.

Note that we do not accept Pull Requests via the Github mirror.

Getting in contact

The Developer Mailing list is repo-discuss on Google Groups.

License

Gerrit is provided under the Apache License 2.0.

Build

Install Bazel and run the following:

    git clone --recurse-submodules https://gerrit.googlesource.com/gerrit
    cd gerrit && bazel build release

Install binary packages (Deb/Rpm)

The instruction how to configure GerritForge/BinTray repositories is here

On Debian/Ubuntu run:

    apt-get update & apt-get install gerrit=<version>-<release>

NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.

On CentOS/RedHat run:

    yum clean all && yum install gerrit-<version>[-<release>]

On Fedora run:

    dnf clean all && dnf install gerrit-<version>[-<release>]

Use pre-built Gerrit images on Docker

Docker images of Gerrit are available on DockerHub

To run a CentOS 8 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-centos8

To run a Ubuntu 20.04 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-ubuntu20

NOTE: release is optional. Last released package of the version is installed if the release number is omitted.