rbac: fix status code PERMISSION_DENIED (#8578)
RBAC should fail with PERMISSION_DENIED, fix https://github.com/grpc/grpc-java/issues/8576
diff --git a/xds/src/main/java/io/grpc/xds/RbacFilter.java b/xds/src/main/java/io/grpc/xds/RbacFilter.java
index 387afac..0f5ac10 100644
--- a/xds/src/main/java/io/grpc/xds/RbacFilter.java
+++ b/xds/src/main/java/io/grpc/xds/RbacFilter.java
@@ -177,14 +177,13 @@
final ServerCall<ReqT, RespT> call,
final Metadata headers, ServerCallHandler<ReqT, RespT> next) {
AuthDecision authResult = authEngine.evaluate(headers, call);
- if (logger.isLoggable(Level.FINER)) {
- logger.log(Level.FINER,
+ if (logger.isLoggable(Level.FINE)) {
+ logger.log(Level.FINE,
"Authorization result for serverCall {0}: {1}, matching policy: {2}.",
new Object[]{call, authResult.decision(), authResult.matchingPolicyName()});
}
if (GrpcAuthorizationEngine.Action.DENY.equals(authResult.decision())) {
- Status status = Status.UNAUTHENTICATED.withDescription(
- "Access Denied, matching policy: " + authResult.matchingPolicyName());
+ Status status = Status.PERMISSION_DENIED.withDescription("Access Denied");
call.close(status, new Metadata());
return new ServerCall.Listener<ReqT>(){};
}
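Review bot: In the DENY branch, the only remaining record of which policy rejected the call is the `Level.FINE` message above it, which a default logging configuration presumably does not emit, so denied calls leave no operator-visible trace. Dropping the policy name from the client-facing description is a sound choice because it avoids disclosing policy names to callers, but nothing on the new `Status.PERMISSION_DENIED.withDescription("Access Denied")` line says the omission is deliberate. I would add a comment there such as `// Description is sent to the peer: keep it generic, do not include the matching policy name.` so the detail is not re-added later. Also consider recording denials server-side at a level that is enabled by default, or through a counter, so authorization failures can be monitored. The enclosing method starts and ends outside the hunk.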
diff --git a/xds/src/test/java/io/grpc/xds/RbacFilterTest.java b/xds/src/test/java/io/grpc/xds/RbacFilterTest.java
index c97ca5c..da42ec1 100644
--- a/xds/src/test/java/io/grpc/xds/RbacFilterTest.java
+++ b/xds/src/test/java/io/grpc/xds/RbacFilterTest.java
@@ -256,7 +256,8 @@
verify(mockHandler, never()).startCall(eq(mockServerCall), any(Metadata.class));
ArgumentCaptor<Status> captor = ArgumentCaptor.forClass(Status.class);
verify(mockServerCall).close(captor.capture(), any(Metadata.class));
- assertThat(captor.getValue().getCode()).isEqualTo(Status.UNAUTHENTICATED.getCode());
+ assertThat(captor.getValue().getCode()).isEqualTo(Status.PERMISSION_DENIED.getCode());
+ assertThat(captor.getValue().getDescription()).isEqualTo("Access Denied");
verify(mockServerCall).getAttributes();
verifyNoMoreInteractions(mockServerCall);