feat: Add user's email in the server gatekeeper logs (argoproj#7062)

Signed-off-by: Julien Duchesne <[email protected]>
sarabala1979 · Oct 26, 2021 · 60f2ae9 · 60f2ae9
1 parent 31bf57b
commit 60f2ae9
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/server/auth/gatekeeper.go b/server/auth/gatekeeper.go
@@ -182,7 +182,7 @@ func (s gatekeeper) getClients(ctx context.Context) (*servertypes.Clients, *type
  return clients, claims, nil
  } else {
  // important! write an audit entry (i.e. log entry) so we know which user performed an operation
- log.WithFields(log.Fields{"subject": claims.Subject}).Info("using the default service account for user")
+ log.WithFields(addClaimsLogFields(claims, nil)).Info("using the default service account for user")
  return s.clients, claims, nil
  }
  default:
@@ -235,7 +235,7 @@ func (s *gatekeeper) rbacAuthorization(ctx context.Context, claims *types.Claims
  }
  claims.ServiceAccountName = serviceAccount.Name
  // important! write an audit entry (i.e. log entry) so we know which user performed an operation
- log.WithFields(log.Fields{"serviceAccount": serviceAccount.Name, "subject": claims.Subject}).Info("selected SSO RBAC service account for user")
+ log.WithFields(addClaimsLogFields(claims, log.Fields{"serviceAccount": serviceAccount.Name})).Info("selected SSO RBAC service account for user")
  return clients, nil
  }
  return nil, fmt.Errorf("no service account rule matches")
@@ -256,6 +256,17 @@ func (s *gatekeeper) authorizationForServiceAccount(ctx context.Context, service
  return "Bearer " + string(secret.Data["token"]), nil
 }
 
+func addClaimsLogFields(claims *types.Claims, fields log.Fields) log.Fields {
+ if fields == nil {
+ fields = log.Fields{}
+ }
+ fields["subject"] = claims.Subject
+ if claims.Email != "" {
+ fields["email"] = claims.Email
+ }
+ return fields
+}
+
 func DefaultClientForAuthorization(authorization string) (*rest.Config, *servertypes.Clients, error) {
  restConfig, err := kubeconfig.GetRestConfig(authorization)
  if err != nil {