Merge pull request #13151 from zhongwencool/authz-trace-log

chore: make authz's logs easier to understand

apps/emqx_auth/src/emqx_authz/emqx_authz.erl

@@ -486,8 +486,8 @@ source_for_logging(Type, _) ->
 
 do_authorize(_Client, _PubSub, _Topic, []) ->
     nomatch;
-do_authorize(Client, PubSub, Topic, [#{enable := false} | Rest]) ->
-    do_authorize(Client, PubSub, Topic, Rest);
+do_authorize(Client, PubSub, Topic, [#{enable := false} | Tail]) ->
+    do_authorize(Client, PubSub, Topic, Tail);
 do_authorize(
     #{
         username := Username
@@ -501,32 +501,49 @@ do_authorize(
     try Module:authorize(Client, PubSub, Topic, Connector) of
         nomatch ->
             emqx_metrics_worker:inc(authz_metrics, Type, nomatch),
-            ?TRACE("AUTHZ", "authorization_module_nomatch", #{
+            ?TRACE("AUTHZ", "authorization_nomatch", #{
+                authorize_type => Type,
                 module => Module,
                 username => Username,
                 topic => Topic,
                 action => emqx_access_control:format_action(PubSub)
             }),
             do_authorize(Client, PubSub, Topic, Tail);
-        %% {matched, allow | deny | ignore}
-        {matched, ignore} ->
-            ?TRACE("AUTHZ", "authorization_module_match_ignore", #{
+        ignore ->
+            ?TRACE("AUTHZ", "authorization_ignore", #{
+                authorize_type => Type,
                 module => Module,
                 username => Username,
                 topic => Topic,
                 action => emqx_access_control:format_action(PubSub)
             }),
             do_authorize(Client, PubSub, Topic, Tail);
-        ignore ->
-            ?TRACE("AUTHZ", "authorization_module_ignore", #{
+        {matched, ignore} ->
+            ?TRACE("AUTHZ", "authorization_matched_ignore", #{
+                authorize_type => Type,
                 module => Module,
                 username => Username,
                 topic => Topic,
                 action => emqx_access_control:format_action(PubSub)
             }),
             do_authorize(Client, PubSub, Topic, Tail);
-        %% {matched, allow | deny}
-        Matched ->
+        {matched, allow} = Matched ->
+            ?TRACE("AUTHZ", "authorization_matched_allow", #{
+                authorize_type => Type,
+                module => Module,
+                username => Username,
+                topic => Topic,
+                action => emqx_access_control:format_action(PubSub)
+            }),
+            {Matched, Type};
+        {matched, deny} = Matched ->
+            ?TRACE("AUTHZ", "authorization_matched_deny", #{
+                authorize_type => Type,
+                module => Module,
+                username => Username,
+                topic => Topic,
+                action => emqx_access_control:format_action(PubSub)
+            }),
             {Matched, Type}
     catch
         Class:Reason:Stacktrace ->

apps/emqx_auth/src/emqx_authz/emqx_authz_source.erl

@@ -19,7 +19,7 @@
 -type source_type() :: atom().
 -type source() :: #{type => source_type(), _ => _}.
 -type raw_source() :: map().
--type match_result() :: {matched, allow} | {matched, deny} | nomatch.
+-type match_result() :: {matched, allow | deny | ignore} | nomatch | ignore.
 
 -export_type([
     source_type/0,

apps/emqx_auth/src/emqx_authz/sources/emqx_authz_client_info.erl

@@ -59,10 +59,10 @@ update(Source) ->
 
 destroy(_Source) -> ok.
 
-%% @doc Authorize based on cllientinfo enriched with `acl' data.
+%% @doc Authorize based on client info enriched with `acl' data.
 %% e.g. From JWT.
 %%
-%% Supproted rules formats are:
+%% Supported rules formats are:
 %%
 %% v1: (always deny when no match)
 %%
@@ -116,7 +116,7 @@ authorize(#{acl := Acl} = Client, PubSub, Topic, _Source) ->
             MatchResult
     end;
 authorize(_Client, _PubSub, _Topic, _Source) ->
-    nomatch.
+    ignore.
 
 %%--------------------------------------------------------------------
 %% Internal functions