cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Brosius (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-2485) improve authentication log
Date Tue, 09 Oct 2012 02:32:03 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-2485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13472082#comment-13472082
] 

Dave Brosius commented on CASSANDRA-2485:
-----------------------------------------

after thinking about it further, 

1) there really isn't enough information in ClientState to guarantee useful logging
2) client devs need to implement auth anyway, they can add loggging in their IAuthenticator
implementation that makes sense for them (and at what level)

3) Just remove the logging of 'user is logged in from ClientState, and let all logging happen
in the implementation.

patch at 2485_b.txt
                
> improve authentication log
> --------------------------
>
>                 Key: CASSANDRA-2485
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-2485
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 0.7.4
>         Environment: linux
>            Reporter: Shotaro Kamio
>            Assignee: Dave Brosius
>             Fix For: 1.2.0 beta 2
>
>         Attachments: 2485_b.txt, 2485.txt
>
>
> Cassandra should have better authentication log when authenticator is used. At least
in login failure, the log should contain login failure message and its reason.
> What we have now is DEBUG log in org.apache.cassandra.service.ClientState.
> I think there are 5 cases to be logged:
> 1. Login failure (No credential is given)
> 2. Login failure (Unknown user)
> 3. Login failure (Valid user, but wrong password)
> 4. Invalid request (Valid user, but no permission for the operation)
> 5. Login success
> Followings are current logs and problems.
> 1. Login failure (No credential is given)
> Client will get InvalidRequestException in this case. But log on cassandra server is
just as follows:
>  DEBUG [pool-1-thread-1] 2011-04-15 17:59:40,094 ClientState.java (line 91) logged out:
null
> It must be useful if it contains login failure and its reason.
> 2. Login failure (Unknown user)
> I'm not sure what client receives in this case. (pycassa raises AllServersUnavailable
exception.)
> The server log shows ERROR as follows. But I think that it is ERROR for client, but not
for server. The server log should be INFO or WARNING with some detail.
> ERROR [pool-1-thread-3] 2011-04-15 18:00:18,236 Cassandra.java (line 2583) Internal error
processing login
> java.lang.RuntimeException: Unexpected authentication problem
>         at org.apache.cassandra.auth.SimpleAuthenticator.authenticate(SimpleAuthenticator.java:125)
>         at org.apache.cassandra.service.ClientState.login(ClientState.java:82)
>         at org.apache.cassandra.thrift.CassandraServer.login(CassandraServer.java:609)
>         at org.apache.cassandra.thrift.Cassandra$Processor$login.process(Cassandra.java:2577)
>         at org.apache.cassandra.thrift.Cassandra$Processor.process(Cassandra.java:2555)
>         at org.apache.cassandra.thrift.CustomTThreadPoolServer$WorkerProcess.run(CustomTThreadPoolServer.java:206)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> Caused by: AuthenticationException(why:Given password in password mode PLAIN could not
be validated for user jsmith22)
>         at org.apache.cassandra.auth.SimpleAuthenticator.authenticate(SimpleAuthenticator.java:106)
>         ... 8 more
> DEBUG [pool-1-thread-2] 2011-04-15 18:00:18,238 ClientState.java (line 91) logged out:
null
> 3. Login failure (Valid user, but wrong password)
> Client gets AuthenticationException. But server doesn't have any informative log. Just
says "logged out". This log should be INFO or WARNING with user name for debug purpose.
> DEBUG [pool-1-thread-4] 2011-04-15 18:04:02,169 ClientState.java (line 91) logged out:
null
> 4. Invalid request (Valid user, but no permission for the operation)
> The log is the same with the login success case below. Cassandra should logs about no
permission with INFO or WARN level.
> DEBUG [pool-1-thread-3] 2011-04-15 18:11:31,350 ClientState.java (line 84) logged in:
#<User jsmith groups=[]>
> DEBUG [pool-1-thread-3] 2011-04-15 18:11:31,397 ClientState.java (line 91) logged out:
#<User jsmith groups=[]>
> 5. Login success (valid user and password)
> This log is ok because we can choose DEBUG level if we want to log all the success logins.
> DEBUG [pool-1-thread-4] 2011-04-15 18:14:09,451 ClientState.java (line 84) logged in:
#<User jsmith groups=[]>
> DEBUG [pool-1-thread-4] 2011-04-15 18:14:09,494 ClientState.java (line 91) logged out:
#<User jsmith groups=[]>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message