Posted to issues@geode.apache.org by "Kevin Duling (JIRA)" <ji...@apache.org> on 2016/11/14 18:02:59 UTC

[jira] [Commented] (GEODE-2066) Log UnauthorizedException message at INFO and stack at DEBUG

    [ https://issues.apache.org/jira/browse/GEODE-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15664559#comment-15664559 ] 

Kevin Duling commented on GEODE-2066:
-------------------------------------

We ought to adopt this as a general coding practice.  Usually, one doesn't expect to see a stack trace unless debugging is enabled.  Sometimes, it can confuse the reader if the message is benign.

> Log UnauthorizedException message at INFO and stack at DEBUG
> ------------------------------------------------------------
>
>                 Key: GEODE-2066
>                 URL: https://issues.apache.org/jira/browse/GEODE-2066
>             Project: Geode
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Jinmei Liao
>
> 1. First, a similar Stack Trace appears at the INFO log-level every time a security violation (e.g. authentication or authorization failure) occurs...
> [info 2016/10/25 21:09:08.339 PDT <RMI TCP Connection(2)-10.99.199.3> tid=0x24] (tid=36 msgId=0) Could not execute "list members".
> org.apache.geode.security.NotAuthorizedException: guest not authorized for CLUSTER:READ
> 	at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:303)
> 	at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:280)
> 	at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:275)
> 	at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:217)
> 	at org.apache.geode.management.internal.cli.remote.CommandProcessor.executeCommand(CommandProcessor.java:116)
> 	at org.apache.geode.management.internal.cli.remote.CommandStatementImpl.process(CommandStatementImpl.java:66)
> 	at org.apache.geode.management.internal.cli.remote.MemberCommandService.processCommand(MemberCommandService.java:54)
> 	at org.apache.geode.management.internal.beans.MemberMBeanBridge.processCommand(MemberMBeanBridge.java:1690)
> 	at org.apache.geode.management.internal.beans.MemberMBean.processCommand(MemberMBean.java:406)
> 	at org.apache.geode.management.internal.beans.MemberMBean.processCommand(MemberMBean.java:399)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:497)
> 	at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:71)
> 	at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:497)
> 	at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:275)
> 	at com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:193)
> 	at com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:175)
> 	at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:117)
> 	at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:54)
> 	at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:237)
> 	at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:138)
> 	at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:252)
> 	at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
> 	at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
> 	at org.apache.geode.management.internal.security.MBeanServerWrapper.invoke(MBeanServerWrapper.java:208)
> 	at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1471)
> 	at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
> 	at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1312)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1411)
> 	at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:832)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:497)
> 	at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:323)
> 	at sun.rmi.transport.Transport$1.run(Transport.java:200)
> 	at sun.rmi.transport.Transport$1.run(Transport.java:197)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
> 	at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:568)
> 	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:826)
> 	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$256(TCPTransport.java:683)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:682)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [CLUSTER:READ]
> 	at org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:334)
> 	at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:141)
> 	at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:210)
> 	at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:298)
> 	... 51 more
> It is probably sufficient to log just the security exception "message" at INFO level or higher.  Though, I would not mind seeing a Stack Trace if I explicitly set the log-level to DEBUG/FINE.  Given all the possible concurrent requests from a multitude of application clients/users, the Geode log file is going to fill up with these Stack Traces quite quickly.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
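
The logging practice discussed in this thread, as an added example that is not part of the original message and is not Geode's code: the denial is always recorded as one line at INFO, and the stack trace is emitted only when FINE (the DEBUG equivalent) is enabled. The class and method names are hypothetical, java.util.logging stands in for Geode's own logger so the file runs without dependencies, and the CR/LF stripping is an added precaution because the exception message can carry a client-supplied user name.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not Geode code. SecurityLogDemo, NotAuthorizedDemoException and
// logDenied are hypothetical names; java.util.logging stands in for Geode's logger.
public class SecurityLogDemo {
  static class NotAuthorizedDemoException extends RuntimeException {
    NotAuthorizedDemoException(String message, Throwable cause) {
      super(message, cause);
    }
  }

  private static final Logger logger = Logger.getLogger("security.demo");

  // Replace CR/LF so a crafted user name cannot forge extra log lines.
  static String oneLine(String s) {
    return s == null ? "" : s.replaceAll("[\\r\\n]", "_");
  }

  static void logDenied(String command, RuntimeException e) {
    // Always record the denial itself: this one line is the audit signal.
    logger.info("Could not execute \"" + oneLine(command) + "\": " + oneLine(e.getMessage()));
    // The stack trace and cause chain are only useful when debugging.
    if (logger.isLoggable(Level.FINE)) {
      logger.log(Level.FINE, "Stack trace for the denied command", e);
    }
  }

  public static void main(String[] args) {
    boolean debug = args.length > 0 && args[0].equals("debug");
    ConsoleHandler handler = new ConsoleHandler();
    handler.setLevel(Level.ALL); // the default handler level would drop FINE records
    logger.setUseParentHandlers(false);
    logger.addHandler(handler);
    logger.setLevel(debug ? Level.FINE : Level.INFO);

    // Constructed sample using the messages quoted in the issue description.
    RuntimeException cause =
        new IllegalStateException("Subject does not have permission [CLUSTER:READ]");
    logDenied("list members",
        new NotAuthorizedDemoException("guest not authorized for CLUSTER:READ", cause));
  }
}
```

Run it with `java SecurityLogDemo.java` for the single INFO line, or `java SecurityLogDemo.java debug` to also get the stack trace.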