`am_method_context` replaces the caller cert before calling the authorizer. The result is that the authorizer does not see the original caller cert, but does see the speaks for option. And so it prints a warning. The call goes on to be authorized, so nothing is broken. But it looks ugly.
EG:
```
INFO:gcf.am2:Speaks-for invocation: urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+ahelsing for urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+phelin01
INFO:cred-verifier:Got speaks-for option but not a valid speaks_for with this credential: ABAC statement doesn't assert U.speaks_for(U)<-T ([ABAC cred: urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+phelin01 (7e5c5b66579e7a1e33793c64ac29dd656e9ee4d1).speaks_for_7e5c5b66579e7a1e33793c64ac29dd656e9ee4d1<-urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+ahelsing (a2e4d4dc3c39993c652c8446be9e5a9c43daefd1)])
INFO:gcf.am2:CreateSliver('urn:publicid:IDN+ch-ah.gpolab.bbn.com:ahtest+slice+ahtest')
INFO:cred-verifier:Speaks-for Invocation: urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+ahelsing speaking for urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+phelin01
```
We could avoid this ugliness in a couple ways:
- pass in the original caller cert to the `authorizer.authorize` call in `am_method_context` - maybe do the authorize before handling speaks for? Not sure that would work with all authorizers
- remove the `geni_speaking_for` option from the options passed to `authorizer.authorize`
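
The double check described in this issue, as an added example that is not gcf code: a simplified model of a speaks-for verifier, run once with the replaced cert and once under each of the two proposals. All class and function names are hypothetical, and it assumes the `geni_speaking_for` option carries the URN of the user being spoken for; the URNs and key ids are the ones in the log lines above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    urn: str
    keyid: str

@dataclass(frozen=True)
class SpeaksForCred:  # models the statement "user.speaks_for_<user keyid> <- tool"
    user: Cert
    tool: Cert

WARNING = "Got speaks-for option but not a valid speaks_for with this credential"

def verify_speaks_for(caller, cred, options):
    """Return (effective_cert, warning_or_None) for the cert the verifier is handed."""
    target = options.get("geni_speaking_for")  # assumed to hold the user's URN
    if target is None:
        return caller, None
    if cred.user.urn == target and cred.tool.keyid == caller.keyid:
        return cred.user, None  # the delegation really is user -> this caller
    return caller, WARNING

def authorize_current(caller, cred, options):
    # Behaviour in the issue: the cert is replaced, the option is still passed on.
    effective, _ = verify_speaks_for(caller, cred, options)
    return verify_speaks_for(effective, cred, options)  # now compares user with tool

def authorize_with_original_cert(caller, cred, options):
    # First proposal: the authorizer is handed the original caller cert.
    verify_speaks_for(caller, cred, options)
    return verify_speaks_for(caller, cred, options)

def authorize_without_option(caller, cred, options):
    # Second proposal: drop the option (on a copy) before calling the authorizer.
    effective, _ = verify_speaks_for(caller, cred, options)
    remaining = {k: v for k, v in options.items() if k != "geni_speaking_for"}
    return verify_speaks_for(effective, cred, remaining)

TOOL = Cert("urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+ahelsing",
            "a2e4d4dc3c39993c652c8446be9e5a9c43daefd1")
USER = Cert("urn:publicid:IDN+ch-ah.gpolab.bbn.com+user+phelin01",
            "7e5c5b66579e7a1e33793c64ac29dd656e9ee4d1")
CRED = SpeaksForCred(user=USER, tool=TOOL)
OPTIONS = {"geni_speaking_for": USER.urn}

if __name__ == "__main__":
    for fn in (authorize_current, authorize_with_original_cert, authorize_without_option):
        cert, warning = fn(TOOL, CRED, OPTIONS)
        print(f"{fn.__name__}: acting as {cert.urn}, warning={warning!r}")
```

In this model the second proposal leaves the authorizer with no record that a delegation took place, so it relies entirely on the earlier check having run.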