Index: scheduler/appengine/acl/acl.go |
diff --git a/scheduler/appengine/acl/acl.go b/scheduler/appengine/acl/acl.go |
index 22e791e0026fa55b44a826ece41f9c7c3a7d5998..a1b8a2d1b4d82d97f9e414ca490528cc38ee50dd 100644 |
--- a/scheduler/appengine/acl/acl.go |
+++ b/scheduler/appengine/acl/acl.go |
@@ -22,6 +22,7 @@ import ( |
"github.com/luci/luci-go/common/data/stringset" |
"github.com/luci/luci-go/common/errors" |
+ "github.com/luci/luci-go/common/logging" |
"github.com/luci/luci-go/common/retry/transient" |
"github.com/luci/luci-go/scheduler/appengine/messages" |
"github.com/luci/luci-go/server/auth" |
@@ -44,6 +45,7 @@ func (g *GrantsByRole) IsReader(c context.Context) (bool, error) { |
// This is here for backwards compatiblity before ACLs were introduced. |
// If Job doesn't specify READERs nor OWNERS explicitely, everybody can read. |
// TODO(tAndrii): remove once every Job/Trigger has ACLs specified. |
+ logging.Warningf(c, "Granting READ rights to all because no ACLs specified") |
return true, nil |
} |
return hasGrant(c, g.Owners, g.Readers, groupsAdministrators) |
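Review bot: The warning added in the fail-open branch of IsReader records that READ was granted to everyone, but not which caller asked, so the log cannot show who relied on the missing ACLs. Adding the caller would make the line usable for audit, for example `logging.Warningf(c, "Granting READ rights to all (caller %s) because no ACLs specified", auth.CurrentIdentity(c))`. This branch presumably runs on every read of a job without ACLs, so the warning may be noisy until the TODO is resolved. IsReader starts before the hunk, so the condition guarding this branch is not visible here.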
@@ -182,6 +184,7 @@ func hasGrant(c context.Context, grantsList ...[]string) (bool, error) { |
grantedIdentity = identity.Identity("user:" + grant) |
} |
if grantedIdentity == currentIdentity { |
+ logging.Debugf(c, "Found grant %s for %s", currentIdentity) |
return true, nil |
} |
} |
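Review bot: The added `logging.Debugf(c, "Found grant %s for %s", currentIdentity)` has two `%s` verbs but only one argument, so the second renders as `%!s(MISSING)` and the line never names the grant that matched. `go vet` should flag this if it recognises Debugf as a printf wrapper. Pass the matched entry as well: `logging.Debugf(c, "Found grant %s for %s", grant, currentIdentity)`. hasGrant begins and ends outside this hunk, so `grant` is assumed to be the loop variable assigned on the line above.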
@@ -189,6 +192,7 @@ func hasGrant(c context.Context, grantsList ...[]string) (bool, error) { |
if isMember, err := auth.IsMember(c, groups...); err != nil { |
return false, transient.Tag.Apply(err) |
} else { |
+ logging.Debugf(c, "Result of group membership of %s in %s: %t", currentIdentity, groups, isMember) |
return isMember, nil |
} |
} |
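Review bot: The new Debugf in the `else` branch is the only record of a group-based access decision, and it logs allow and deny at the same debug level. If debug logs are dropped in production, a denied check leaves no trace. Consider logging the `!isMember` case at a retained level, or stating in a comment that denials are logged by the caller. hasGrant starts outside this hunk, so earlier logging in the function is not visible here.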