cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Ellis (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-2485) improve authentication log
Date Mon, 08 Oct 2012 16:00:03 GMT


Jonathan Ellis commented on CASSANDRA-2485:

would prefer leaving both as debug; those who wish can enable the logging, otherwise we don't
fill the log with noise.  (can give example in log4j-server.yaml if you want to make it more

is there a reason to catch RuntimeException?  those are typically bugs, not login failures.
> improve authentication log
> --------------------------
>                 Key: CASSANDRA-2485
>                 URL:
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 0.7.4
>         Environment: linux
>            Reporter: Shotaro Kamio
>            Assignee: Dave Brosius
>             Fix For: 1.2.0 beta 2
>         Attachments: 2485.txt
> Cassandra should have better authentication log when authenticator is used. At least
in login failure, the log should contain login failure message and its reason.
> What we have now is DEBUG log in org.apache.cassandra.service.ClientState.
> I think there are 5 cases to be logged:
> 1. Login failure (No credential is given)
> 2. Login failure (Unknown user)
> 3. Login failure (Valid user, but wrong password)
> 4. Invalid request (Valid user, but no permission for the operation)
> 5. Login success
> Followings are current logs and problems.
> 1. Login failure (No credential is given)
> Client will get InvalidRequestException in this case. But log on cassandra server is
just as follows:
>  DEBUG [pool-1-thread-1] 2011-04-15 17:59:40,094 (line 91) logged out:
> It must be useful if it contains login failure and its reason.
> 2. Login failure (Unknown user)
> I'm not sure what client receives in this case. (pycassa raises AllServersUnavailable
> The server log shows ERROR as follows. But I think that it is ERROR for client, but not
for server. The server log should be INFO or WARNING with some detail.
> ERROR [pool-1-thread-3] 2011-04-15 18:00:18,236 (line 2583) Internal error
processing login
> java.lang.RuntimeException: Unexpected authentication problem
>         at org.apache.cassandra.auth.SimpleAuthenticator.authenticate(
>         at org.apache.cassandra.service.ClientState.login(
>         at org.apache.cassandra.thrift.CassandraServer.login(
>         at org.apache.cassandra.thrift.Cassandra$Processor$login.process(
>         at org.apache.cassandra.thrift.Cassandra$Processor.process(
>         at org.apache.cassandra.thrift.CustomTThreadPoolServer$
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(
>         at java.util.concurrent.ThreadPoolExecutor$
>         at
> Caused by: AuthenticationException(why:Given password in password mode PLAIN could not
be validated for user jsmith22)
>         at org.apache.cassandra.auth.SimpleAuthenticator.authenticate(
>         ... 8 more
> DEBUG [pool-1-thread-2] 2011-04-15 18:00:18,238 (line 91) logged out:
> 3. Login failure (Valid user, but wrong password)
> Client gets AuthenticationException. But server doesn't have any informative log. Just
says "logged out". This log should be INFO or WARNING with user name for debug purpose.
> DEBUG [pool-1-thread-4] 2011-04-15 18:04:02,169 (line 91) logged out:
> 4. Invalid request (Valid user, but no permission for the operation)
> The log is the same with the login success case below. Cassandra should logs about no
permission with INFO or WARN level.
> DEBUG [pool-1-thread-3] 2011-04-15 18:11:31,350 (line 84) logged in:
#<User jsmith groups=[]>
> DEBUG [pool-1-thread-3] 2011-04-15 18:11:31,397 (line 91) logged out:
#<User jsmith groups=[]>
> 5. Login success (valid user and password)
> This log is ok because we can choose DEBUG level if we want to log all the success logins.
> DEBUG [pool-1-thread-4] 2011-04-15 18:14:09,451 (line 84) logged in:
#<User jsmith groups=[]>
> DEBUG [pool-1-thread-4] 2011-04-15 18:14:09,494 (line 91) logged out:
#<User jsmith groups=[]>

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message