Posted to dev@ranger.apache.org by "kirby zhou (Jira)" <ji...@apache.org> on 2022/03/23 07:41:00 UTC

[jira] [Comment Edited] (RANGER-3672) Show better error messages during failed logins

    [ https://issues.apache.org/jira/browse/RANGER-3672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511069#comment-17511069 ] 

kirby zhou edited comment on RANGER-3672 at 3/23/22, 7:40 AM:
--------------------------------------------------------------

I applied your patch on the master branch.

SpringEventListener works as expected, 
{code:java}
2022-03-23 15:06:35,286 [http-nio-6080-exec-10] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:36,873 [http-nio-6080-exec-2] INFO [RangerAuthenticationProvider.java:174] Authentication with SHA-256 failed. Now trying with MD5.
2022-03-23 15:06:37,109 [http-nio-6080-exec-2] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:37,859 [http-nio-6080-exec-1] INFO [RangerAuthenticationProvider.java:174] Authentication with SHA-256 failed. Now trying with MD5.
2022-03-23 15:06:37,884 [http-nio-6080-exec-1] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:38,878 [http-nio-6080-exec-3] INFO [RangerAuthenticationProvider.java:174] Authentication with SHA-256 failed. Now trying with MD5.
2022-03-23 15:06:38,904 [http-nio-6080-exec-3] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:39,577 [http-nio-6080-exec-4] INFO [RangerAuthenticationProvider.java:174] Authentication with SHA-256 failed. Now trying with MD5.
2022-03-23 15:06:39,642 [http-nio-6080-exec-4] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:40,492 [http-nio-6080-exec-5] INFO [SpringEventListener.java:105] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | User account is locked
{code}
RangerAuthFailureHandler.java does not work.

There are many problems:

1. Localized messages are not unified.
{code:java}
if (CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials",request).equalsIgnoreCase(msg)) {
   vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
   vXResponse.setMsgDesc("The username or password you entered is incorrect.");
   logger.info("Error Message : " + msg);
{code}
When BadCredentialsException happens with the Chinese locale, CLIUtil.getMessage returns the localized message "坏的凭据", but msg is "用户名或密码错误"; the two have the same meaning but different wording.

2. Compare localized messages with non-localized messages.
{code:java}
} else if (CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.locked",request).equalsIgnoreCase(msg)) {
   vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
   vXResponse.setMsgDesc("The user account is locked.");
}
{code}
When LockedException happens, CLIUtil.getMessage returns "用户帐号已被锁定", but msg is "User account freeman is locked".

3. Compare parameterized messages with nonparametric messages.

When LockedException happens, CLIUtil.getMessage returns a nonparametric message, but msg is a parameterized message ("freeman").

At least, it needs a fallback that calls vXResponse.setMsgDesc with the unmodified msg if no branch is hit.


was (Author: kirbyzhou):
I applied your patch on the master branch.

SpringEventListener works as expected, 
{code:java}
2022-03-23 15:06:35,286 [http-nio-6080-exec-10] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:36,873 [http-nio-6080-exec-2] INFO [RangerAuthenticationProvider.java:174] Authentication with SHA-256 failed. Now trying with MD5.
2022-03-23 15:06:37,109 [http-nio-6080-exec-2] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:37,859 [http-nio-6080-exec-1] INFO [RangerAuthenticationProvider.java:174] Authentication with SHA-256 failed. Now trying with MD5.
2022-03-23 15:06:37,884 [http-nio-6080-exec-1] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:38,878 [http-nio-6080-exec-3] INFO [RangerAuthenticationProvider.java:174] Authentication with SHA-256 failed. Now trying with MD5.
2022-03-23 15:06:38,904 [http-nio-6080-exec-3] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:39,577 [http-nio-6080-exec-4] INFO [RangerAuthenticationProvider.java:174] Authentication with SHA-256 failed. Now trying with MD5.
2022-03-23 15:06:39,642 [http-nio-6080-exec-4] INFO [SpringEventListener.java:90] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | Bad Credentials
2022-03-23 15:06:40,492 [http-nio-6080-exec-5] INFO [SpringEventListener.java:105] Login Unsuccessful:freeman | Ip Address:0:0:0:0:0:0:0:1 | User account is locked
{code}
RangerAuthFailureHandler.java does not work.

There are many problems:

1. Localized messages are not unified.
{code:java}
if (CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials",request).equalsIgnoreCase(msg)) {
   vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
   vXResponse.setMsgDesc("The username or password you entered is incorrect.");
   logger.info("Error Message : " + msg);
{code}
When BadCredentialsException happens with the Chinese locale, CLIUtil.getMessage returns the localized message "坏的凭据", but msg is "用户名或密码错误"; the two have the same meaning but different wording.

2. Compare localized messages with non-localized messages.
{code:java}
} else if (CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.locked",request).equalsIgnoreCase(msg)) {
   vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
   vXResponse.setMsgDesc("The user account is locked.");
}
{code}
When LockedException happens, CLIUtil.getMessage returns "用户帐号已被锁定", but msg is "User account freeman is locked".

3. Compare parameterized messages with nonparametric messages.

When LockedException happens, CLIUtil.getMessage returns a nonparametric message, but msg is a parameterized message ("freeman").

I do not know the reason: why do we compare text here instead of checking the type of the exception?

> Show better error messages during failed logins
> -----------------------------------------------
>
>                 Key: RANGER-3672
>                 URL: https://issues.apache.org/jira/browse/RANGER-3672
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: kirby zhou
>            Assignee: Bhavik Patel
>            Priority: Critical
>         Attachments: 0001-RANGER-3672-Show-better-error-messages-during-failed.patch, image-2022-03-23-09-08-15-529.png, image-2022-03-23-10-16-29-335.png, 截屏2022-03-21 12.07.03.jpg
>
>
> When login fails, there are no conspicuous error tips and reasons, just a small red triangle. It should give the user a big error prompt box and tell him "The username or password you entered is incorrect.", "The user is disabled or locked for too many attempts. Try again 5 minutes later".
>  
> It seems RANGER-375 did some work before. But I cannot see the text message now.
>  
>  



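Selecting the response from the exception class, with the unmodified-message fallback the comment asks for, avoids all three comparison problems listed above. This is an added example, not code from the patch or from Ranger: the class name `TypeBasedAuthFailureHandler`, the plain-text response body, the "disabled" wording and the `javax.servlet` namespace are assumptions, and it needs Spring Security and the servlet API on the classpath.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Hypothetical handler (not Ranger's RangerAuthFailureHandler): the branch is chosen
// from the exception class, so the locale and message parameters cannot affect it.
public class TypeBasedAuthFailureHandler implements AuthenticationFailureHandler {

    // Maps the exception type to fixed user-facing text.
    static String describe(AuthenticationException ex) {
        if (ex instanceof BadCredentialsException) {
            return "The username or password you entered is incorrect.";
        }
        if (ex instanceof LockedException) {
            return "The user account is locked.";
        }
        if (ex instanceof DisabledException) {
            return "The user account is disabled."; // wording assumed for this example
        }
        // Fallback: no branch matched, so pass the unmodified message through.
        String msg = ex.getMessage();
        return msg != null ? msg : "Authentication failed.";
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException ex) throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().write(describe(ex));
    }

    // Constructed inputs: the first two reuse the messages quoted in the comment,
    // the third is an unmapped exception type that exercises the fallback.
    public static void main(String[] args) {
        System.out.println(describe(new BadCredentialsException("用户名或密码错误")));
        System.out.println(describe(new LockedException("User account freeman is locked")));
        System.out.println(describe(new AuthenticationServiceException("constructed: backend unavailable")));
    }
}
```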