RBAC: add debug log for permission evaluation (#83880)

* fix: add debug log when evaluating permissions that includes target permissions

pkg/services/accesscontrol/acimpl/accesscontrol.go

@@ -38,18 +38,17 @@ func (a *AccessControl) Evaluate(ctx context.Context, user identity.Requester, e
 		return false, nil
 	}
 
-	namespace, identifier := user.GetNamespacedID()
-
 	// If the user is in no organization, then the evaluation must happen based on the user's global permissions
 	permissions := user.GetPermissions()
 	if user.GetOrgID() == accesscontrol.NoOrgID {
 		permissions = user.GetGlobalPermissions()
 	}
 	if len(permissions) == 0 {
-		a.log.Debug("No permissions set for entity", "namespace", namespace, "id", identifier, "orgID", user.GetOrgID(), "login", user.GetLogin())
+		a.debug(ctx, user, "No permissions set", evaluator)
 		return false, nil
 	}
 
+	a.debug(ctx, user, "Evaluating permissions", evaluator)
 	// Test evaluation without scope resolver first, this will prevent 403 for wildcard scopes when resource does not exist
 	if evaluator.Evaluate(permissions) {
 		return true, nil
@@ -63,9 +62,15 @@ func (a *AccessControl) Evaluate(ctx context.Context, user identity.Requester, e
 		return false, err
 	}
 
+	a.debug(ctx, user, "Evaluating resolved permissions", resolvedEvaluator)
 	return resolvedEvaluator.Evaluate(permissions), nil
 }
 
 func (a *AccessControl) RegisterScopeAttributeResolver(prefix string, resolver accesscontrol.ScopeAttributeResolver) {
 	a.resolvers.AddScopeAttributeResolver(prefix, resolver)
 }
+
+func (a *AccessControl) debug(ctx context.Context, ident identity.Requester, msg string, eval accesscontrol.Evaluator) {
+	namespace, id := ident.GetNamespacedID()
+	a.log.FromContext(ctx).Debug(msg, "namespace", namespace, "id", id, "orgID", ident.GetOrgID(), eval.GoString())
+}