scheduler ACLs: Add debug lines.

scheduler/appengine/acl/acl.go

Index: scheduler/appengine/acl/acl.go
diff --git a/scheduler/appengine/acl/acl.go b/scheduler/appengine/acl/acl.go
index 22e791e0026fa55b44a826ece41f9c7c3a7d5998..a1b8a2d1b4d82d97f9e414ca490528cc38ee50dd 100644
--- a/scheduler/appengine/acl/acl.go
+++ b/scheduler/appengine/acl/acl.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/luci/luci-go/common/data/stringset"
 	"github.com/luci/luci-go/common/errors"
+	"github.com/luci/luci-go/common/logging"
 	"github.com/luci/luci-go/common/retry/transient"
 	"github.com/luci/luci-go/scheduler/appengine/messages"
 	"github.com/luci/luci-go/server/auth"
@@ -44,6 +45,7 @@ func (g *GrantsByRole) IsReader(c context.Context) (bool, error) {
 		// This is here for backwards compatiblity before ACLs were introduced.
 		// If Job doesn't specify READERs nor OWNERS explicitely, everybody can read.
 		// TODO(tAndrii): remove once every Job/Trigger has ACLs specified.
+		logging.Warningf(c, "Granting READ rights to all because no ACLs specified")
 		return true, nil
 	}
 	return hasGrant(c, g.Owners, g.Readers, groupsAdministrators)
@@ -182,6 +184,7 @@ func hasGrant(c context.Context, grantsList ...[]string) (bool, error) {
 				grantedIdentity = identity.Identity("user:" + grant)
 			}
 			if grantedIdentity == currentIdentity {
+				logging.Debugf(c, "Found grant %s for %s", currentIdentity)
 				return true, nil
 			}
 		}
@@ -189,6 +192,7 @@ func hasGrant(c context.Context, grantsList ...[]string) (bool, error) {
 	if isMember, err := auth.IsMember(c, groups...); err != nil {
 		return false, transient.Tag.Apply(err)
 	} else {
+		logging.Debugf(c, "Result of group membership of %s in %s: %t", currentIdentity, groups, isMember)
 		return isMember, nil
 	}
 }