Need more helpful error messages when authorization is denied

[DrDaveD]

Currently if I attempt to access /cvmfs/ligo.osgstorage.org with a x.509 proxy not in the list of authorized proxies I see the following in /var/log/messages:

May  6 14:44:05 dwdosgdev cvmfs2: (ligo.osgstorage.org) CernVM-FS: linking /cvmfs/ligo.osgstorage.org to repository ligo.osgstorage.org
May  6 14:44:05 dwdosgdev cvmfs2: (ligo.osgstorage.org) starting authz helper /cvmfs/config-osg.opensciencegrid.org/libexec/authz/cvmfs_x509_helper
May  6 14:44:05 dwdosgdev cvmfs_x509_helper: (ligo.osgstorage.org) Support for Globus authz is enabled.
May  6 14:44:05 dwdosgdev cvmfs_x509_helper: (ligo.osgstorage.org) Support for VOMS authz is enabled.
May  6 14:44:05 dwdosgdev cvmfs_x509_helper: (ligo.osgstorage.org) x509 authz helper invoked, connected to cvmfs process 29315
May  6 14:44:05 dwdosgdev cvmfs2: (ligo.osgstorage.org) No auth token found in returned JSON from Authz helper /cvmfs/config-osg.opensciencegrid.org/libexec/authz/cvmfs_x509_helper

I would like to see a more detailed message from cvmfs_x509_helper saying why it is rejecting authorization, one of any number of things that could go wrong.

[efajardo]

@bbockelm @djw8605 Let me know how you want to go about this? I can try to take a stab at it.

[djw8605]

@DrDaveD we are logging all of the errors. They are just not being propagated. Are we logging wrong?

For example, every single scitoken error case has a log line associated with it:
https://github.com/cvmfs-contrib/cvmfs-x509-helper/blob/master/src/scitoken_helper_check.cc

But, I don't know why those lines are not being logged. Even when debug logging is turned on.

[DrDaveD]

It will take some investigation & debugging. Three lines are getting to the syslog from cvmfs_x509_helper and I don't know why the others aren't.

[DrDaveD]

#29 fixed the reason why debug logging wasn't working in scitoken_helper_check.cc. That helps if debug logging is enabled, but otherwise it doesn't help. It doesn't impact syslog logging.