Merge "Add debug level logs for TempAuth.authorize."

swift/common/middleware/tempauth.py

@@ -245,38 +245,65 @@ class TempAuth(object):
         except ValueError:
             self.logger.increment('errors')
             return HTTPNotFound(request=req)
+
         if not account or not account.startswith(self.reseller_prefix):
+            self.logger.debug("Account name: %s doesn't start with "
+                              "reseller_prefix: %s."
+                              % (account, self.reseller_prefix))
             return self.denied_response(req)
+
         user_groups = (req.remote_user or '').split(',')
+        account_user = user_groups[1] if len(user_groups) > 1 else None
+
         if '.reseller_admin' in user_groups and \
                 account != self.reseller_prefix and \
                 account[len(self.reseller_prefix)] != '.':
             req.environ['swift_owner'] = True
+            self.logger.debug("User %s has reseller admin authorizing."
+                              % account_user)
             return None
+
         if account in user_groups and \
                 (req.method not in ('DELETE', 'PUT') or container):
             # If the user is admin for the account and is not trying to do an
             # account DELETE or PUT...
             req.environ['swift_owner'] = True
+            self.logger.debug("User %s has admin authorizing."
+                              % account_user)
             return None
+
         if (req.environ.get('swift_sync_key')
                 and (req.environ['swift_sync_key'] ==
                      req.headers.get('x-container-sync-key', None))
                 and 'x-timestamp' in req.headers):
+            self.logger.debug("Allow request with container sync-key: %s."
+                              % req.environ['swift_sync_key'])
             return None
+
         if req.method == 'OPTIONS':
             #allow OPTIONS requests to proceed as normal
+            self.logger.debug("Allow OPTIONS request.")
             return None
+
         referrers, groups = parse_acl(getattr(req, 'acl', None))
         if referrer_allowed(req.referer, referrers):
             if obj or '.rlistings' in groups:
+                self.logger.debug("Allow authorizing %s via referer ACL."
+                                  % req.referer)
                 return None
+            self.logger.debug("Disallow authorizing %s via referer ACL."
+                              % req.referer)
             return self.denied_response(req)
+
         if not req.remote_user:
             return self.denied_response(req)
+
         for user_group in user_groups:
             if user_group in groups:
+                self.logger.debug("User %s allowed in ACL: %s authorizing."
+                                  % (account_user, user_group))
                 return None
+
         return self.denied_response(req)
 
     def denied_response(self, req):