You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Jonathan Ellis (JIRA)" <ji...@apache.org> on 2012/10/08 18:00:03 UTC

[jira] [Commented] (CASSANDRA-2485) improve authentication log

    [ https://issues.apache.org/jira/browse/CASSANDRA-2485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471629#comment-13471629 ] 

Jonathan Ellis commented on CASSANDRA-2485:
-------------------------------------------

would prefer leaving both as debug; those who wish can enable the logging, otherwise we don't fill the log with noise.  (can give example in log4j-server.yaml if you want to make it more obvious.)

is there a reason to catch RuntimeException?  those are typically bugs, not login failures.
                
> improve authentication log
> --------------------------
>
>                 Key: CASSANDRA-2485
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-2485
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 0.7.4
>         Environment: linux
>            Reporter: Shotaro Kamio
>            Assignee: Dave Brosius
>             Fix For: 1.2.0 beta 2
>
>         Attachments: 2485.txt
>
>
> Cassandra should have better authentication log when authenticator is used. At least in login failure, the log should contain login failure message and its reason.
> What we have now is DEBUG log in org.apache.cassandra.service.ClientState.
> I think there are 5 cases to be logged:
> 1. Login failure (No credential is given)
> 2. Login failure (Unknown user)
> 3. Login failure (Valid user, but wrong password)
> 4. Invalid request (Valid user, but no permission for the operation)
> 5. Login success
> Followings are current logs and problems.
> 1. Login failure (No credential is given)
> Client will get InvalidRequestException in this case. But log on cassandra server is just as follows:
>  DEBUG [pool-1-thread-1] 2011-04-15 17:59:40,094 ClientState.java (line 91) logged out: null
> It must be useful if it contains login failure and its reason.
> 2. Login failure (Unknown user)
> I'm not sure what client receives in this case. (pycassa raises AllServersUnavailable exception.)
> The server log shows ERROR as follows. But I think that it is ERROR for client, but not for server. The server log should be INFO or WARNING with some detail.
> ERROR [pool-1-thread-3] 2011-04-15 18:00:18,236 Cassandra.java (line 2583) Internal error processing login
> java.lang.RuntimeException: Unexpected authentication problem
>         at org.apache.cassandra.auth.SimpleAuthenticator.authenticate(SimpleAuthenticator.java:125)
>         at org.apache.cassandra.service.ClientState.login(ClientState.java:82)
>         at org.apache.cassandra.thrift.CassandraServer.login(CassandraServer.java:609)
>         at org.apache.cassandra.thrift.Cassandra$Processor$login.process(Cassandra.java:2577)
>         at org.apache.cassandra.thrift.Cassandra$Processor.process(Cassandra.java:2555)
>         at org.apache.cassandra.thrift.CustomTThreadPoolServer$WorkerProcess.run(CustomTThreadPoolServer.java:206)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> Caused by: AuthenticationException(why:Given password in password mode PLAIN could not be validated for user jsmith22)
>         at org.apache.cassandra.auth.SimpleAuthenticator.authenticate(SimpleAuthenticator.java:106)
>         ... 8 more
> DEBUG [pool-1-thread-2] 2011-04-15 18:00:18,238 ClientState.java (line 91) logged out: null
> 3. Login failure (Valid user, but wrong password)
> Client gets AuthenticationException. But server doesn't have any informative log. Just says "logged out". This log should be INFO or WARNING with user name for debug purpose.
> DEBUG [pool-1-thread-4] 2011-04-15 18:04:02,169 ClientState.java (line 91) logged out: null
> 4. Invalid request (Valid user, but no permission for the operation)
> The log is the same with the login success case below. Cassandra should logs about no permission with INFO or WARN level.
> DEBUG [pool-1-thread-3] 2011-04-15 18:11:31,350 ClientState.java (line 84) logged in: #<User jsmith groups=[]>
> DEBUG [pool-1-thread-3] 2011-04-15 18:11:31,397 ClientState.java (line 91) logged out: #<User jsmith groups=[]>
> 5. Login success (valid user and password)
> This log is ok because we can choose DEBUG level if we want to log all the success logins.
> DEBUG [pool-1-thread-4] 2011-04-15 18:14:09,451 ClientState.java (line 84) logged in: #<User jsmith groups=[]>
> DEBUG [pool-1-thread-4] 2011-04-15 18:14:09,494 ClientState.java (line 91) logged out: #<User jsmith groups=[]>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira