cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Brosius (JIRA)" <>
Subject [jira] [Updated] (CASSANDRA-2485) improve authentication log
Date Sun, 07 Oct 2012 14:16:02 GMT


Dave Brosius updated CASSANDRA-2485:

    Attachment: 2485.txt

unfortunately the authentication module is purposely flexible, perhaps overly so, so getting
meaningful reasons is up to the authenticator in question. That being said, this patch at
least attempts to log login events.

successful attempts at INFO
failure attempts at WARN
> improve authentication log
> --------------------------
>                 Key: CASSANDRA-2485
>                 URL:
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 0.7.4
>         Environment: linux
>            Reporter: Shotaro Kamio
>            Assignee: Dave Brosius
>             Fix For: 1.2.0 beta 2
>         Attachments: 2485.txt
> Cassandra should have better authentication log when authenticator is used. At least
in login failure, the log should contain login failure message and its reason.
> What we have now is DEBUG log in org.apache.cassandra.service.ClientState.
> I think there are 5 cases to be logged:
> 1. Login failure (No credential is given)
> 2. Login failure (Unknown user)
> 3. Login failure (Valid user, but wrong password)
> 4. Invalid request (Valid user, but no permission for the operation)
> 5. Login success
> Followings are current logs and problems.
> 1. Login failure (No credential is given)
> Client will get InvalidRequestException in this case. But log on cassandra server is
just as follows:
>  DEBUG [pool-1-thread-1] 2011-04-15 17:59:40,094 (line 91) logged out:
> It must be useful if it contains login failure and its reason.
> 2. Login failure (Unknown user)
> I'm not sure what client receives in this case. (pycassa raises AllServersUnavailable
> The server log shows ERROR as follows. But I think that it is ERROR for client, but not
for server. The server log should be INFO or WARNING with some detail.
> ERROR [pool-1-thread-3] 2011-04-15 18:00:18,236 (line 2583) Internal error
processing login
> java.lang.RuntimeException: Unexpected authentication problem
>         at org.apache.cassandra.auth.SimpleAuthenticator.authenticate(
>         at org.apache.cassandra.service.ClientState.login(
>         at org.apache.cassandra.thrift.CassandraServer.login(
>         at org.apache.cassandra.thrift.Cassandra$Processor$login.process(
>         at org.apache.cassandra.thrift.Cassandra$Processor.process(
>         at org.apache.cassandra.thrift.CustomTThreadPoolServer$
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(
>         at java.util.concurrent.ThreadPoolExecutor$
>         at
> Caused by: AuthenticationException(why:Given password in password mode PLAIN could not
be validated for user jsmith22)
>         at org.apache.cassandra.auth.SimpleAuthenticator.authenticate(
>         ... 8 more
> DEBUG [pool-1-thread-2] 2011-04-15 18:00:18,238 (line 91) logged out:
> 3. Login failure (Valid user, but wrong password)
> Client gets AuthenticationException. But server doesn't have any informative log. Just
says "logged out". This log should be INFO or WARNING with user name for debug purpose.
> DEBUG [pool-1-thread-4] 2011-04-15 18:04:02,169 (line 91) logged out:
> 4. Invalid request (Valid user, but no permission for the operation)
> The log is the same with the login success case below. Cassandra should logs about no
permission with INFO or WARN level.
> DEBUG [pool-1-thread-3] 2011-04-15 18:11:31,350 (line 84) logged in:
#<User jsmith groups=[]>
> DEBUG [pool-1-thread-3] 2011-04-15 18:11:31,397 (line 91) logged out:
#<User jsmith groups=[]>
> 5. Login success (valid user and password)
> This log is ok because we can choose DEBUG level if we want to log all the success logins.
> DEBUG [pool-1-thread-4] 2011-04-15 18:14:09,451 (line 84) logged in:
#<User jsmith groups=[]>
> DEBUG [pool-1-thread-4] 2011-04-15 18:14:09,494 (line 91) logged out:
#<User jsmith groups=[]>

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message