Added better logging and messages for auth handling (#2083)

* Added better logging and messages for auth handling * Set maven version for gitlab
NationalSecurityAgency · Sep 26, 2023 · e808eca · e808eca
1 parent e2deec0
commit e808eca
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -37,6 +37,8 @@ jobs:
         restore-keys: |
           ${{ runner.os }}-maven-format-
           ${{ runner.os }}-maven-
+        maven-version: 3.8.7
+        cache: 'maven'
     - name: Format code
       run: |
         mvn -V -B -e clean formatter:format sortpom:sort -Pautoformat
@@ -62,6 +64,8 @@ jobs:
           ${{ runner.os }}-maven-build-
           ${{ runner.os }}-maven-format-
           ${{ runner.os }}-maven-
+        maven-version: 3.8.7
+        cache: 'maven'
     - name: Build and Run Unit Tests
       run: |
         RUN_TESTS="mvn -V -B -e -Pdev,examples,assemble,spotbugs -Ddeploy -Ddist -T1C clean verify"
@@ -79,6 +83,8 @@ jobs:
       with:
         distribution: ${{env.JAVA_DISTRIBUTION}}
         java-version: ${{env.JAVA_VERSION}}
+        maven-version: 3.8.7
+        cache: 'maven'
     # Allow us to use the "--squash" option below
     - name: Turn on Docker experimental features and move Docker data root
       run: |

diff --git a/web-services/common-util/src/main/java/datawave/security/util/AuthorizationsUtil.java b/web-services/common-util/src/main/java/datawave/security/util/AuthorizationsUtil.java
@@ -178,7 +178,9 @@ private static Authorizations getUserAuthorizations(String requestedAuths, Dataw
 
         // validate that the query user is actually a subset of the primary user
         if (!primaryUser.getAuths().containsAll(queryUser.getAuths())) {
-            throw new IllegalArgumentException("System Error.  Unexpected authorization mismatch.  Please try again.");
+            Set<String> auths = new HashSet<>(queryUser.getAuths());
+            auths.removeAll(primaryUser.getAuths());
+            throw new IllegalArgumentException("System Error. Overall primary user missing auths " + auths + ". Please try again.");
         }
 
         // validate that the requestedAuths do not include anything outside of the principal's auths

diff --git a/...es/query/src/main/java/datawave/webservice/query/logic/composite/CompositeQueryLogic.java b/...es/query/src/main/java/datawave/webservice/query/logic/composite/CompositeQueryLogic.java
@@ -209,7 +209,14 @@ public Set<Authorizations> updateRuntimeAuthorizationsAndQueryAuths(QueryLogic<?
         settings.setQueryAuthorizations(validQueryAuthorizations);
 
         // recalculate the runtime query authorizations (no need to pass in userService as we have already recalculated the principal)
-        return AuthorizationsUtil.getDowngradedAuthorizations(validQueryAuthorizations, principal, queryPrincipal);
+        Set<Authorizations> downgradedAuths = AuthorizationsUtil.getDowngradedAuthorizations(validQueryAuthorizations, principal, queryPrincipal);
+        if (log.isTraceEnabled()) {
+            log.trace("Principal auths for user " + principal.getPrimaryUser().getCommonName() + " are " + principal.getPrimaryUser().getAuths());
+            log.trace("Query principal auths for " + logic.getLogicName() + " are " + validAuths);
+            log.trace("Requested auths were " + requestedAuths + " of which the valid query auths are " + validQueryAuthorizations);
+            log.trace("Downgraded auths are " + downgradedAuths);
+        }
+        return downgradedAuths;
     }
 
     @Override