Posted to dev@hbase.apache.org by "Beibei Zhao (Jira)" <ji...@apache.org> on 2022/12/23 09:18:00 UTC
[jira] [Resolved] (HBASE-27526) NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Beibei Zhao resolved HBASE-27526.
---------------------------------
Resolution: Not A Problem
> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
> ---------------------------------------------------------------------------------------------------------
>
> Key: HBASE-27526
> URL: https://issues.apache.org/jira/browse/HBASE-27526
> Project: HBase
> Issue Type: Bug
> Reporter: Beibei Zhao
> Priority: Major
>
> Other methods such as SimpleServerRpcConnection.saslReadAndProcess always record "AUTH_FAILED_FOR" for an exception, and "AUTH_SUCCESSFUL_FOR" after the task is completed, like this:
> {code:java}
> private void saslReadAndProcess(ByteBuff saslToken) throws IOException, InterruptedException {
>   ......
>     } catch (IOException e) {
>       ......
>       // attempting user could be null
>       RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP,
>         saslServer.getAttemptingUser());
>       throw e;
>     }
>     ......
>     if (saslServer.isComplete()) {
>       ......
>       RpcServer.AUDITLOG.info(RpcServer.AUTH_SUCCESSFUL_FOR + ugi);
>       ......
>     }
>   }
> }
> {code}
> But NettyHBaseSaslRpcServerHandler.channelRead0 only records "AUTH_SUCCESSFUL_FOR" in finishSaslNegotiation, and just throws an Exception without recording "AUTH_FAILED_FOR":
> {code:java}
> protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
>   ......
>   if (saslServer.isComplete()) {
>     conn.finishSaslNegotiation();
>     ......
>   }
> }
> void finishSaslNegotiation() throws IOException {
>   ......
>   RpcServer.AUDITLOG.info(RpcServer.AUTH_SUCCESSFUL_FOR + ugi);
> }
> {code}
> So I think an exceptionCaught should be called here:
> {code:java}
> public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
>   LOG.error("Error when doing SASL handshade, provider={}", conn.provider, cause);
>   Throwable sendToClient = HBaseSaslRpcServer.unwrap(cause);
>   doResponse(ctx, SaslStatus.ERROR, null, sendToClient.getClass().getName(),
>     sendToClient.getLocalizedMessage());
>   rpcServer.metrics.authenticationFailure();
>   String clientIP = this.toString();
>   // attempting user could be null
>   RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP,
>     conn.saslServer != null ? conn.saslServer.getAttemptingUser() : "Unknown");
>   NettyFutureUtils.safeClose(ctx);
> }
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
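
Added example, not part of the original message or of HBase: a small parser showing how the two audit records quoted in the issue can be consumed on the monitoring side, which is why a missing "AUTH_FAILED_FOR" record matters to anyone alerting on failed SASL handshakes. The literal prefix strings, the log line layout and the sample lines are assumptions constructed for illustration; only the constant names and the "{}{}: {}" pattern come from the issue.

```python
import re
from collections import defaultdict

# Assumed literal values of RpcServer.AUTH_FAILED_FOR / AUTH_SUCCESSFUL_FOR.
# The issue shows only the constant names; confirm against your HBase version.
AUTH_FAILED_FOR = "Auth failed for "
AUTH_SUCCESSFUL_FOR = "Auth successful for "

# Failure records follow the "{}{}: {}" pattern quoted in the issue:
#   <prefix><client>: <attempting user>
# The non-greedy client group stops at the first ": ", so IPv6 clients parse too.
FAILED_RE = re.compile(re.escape(AUTH_FAILED_FOR) + r"(?P<client>.+?): (?P<user>.*)$")
SUCCESS_RE = re.compile(re.escape(AUTH_SUCCESSFUL_FOR) + r"(?P<ugi>.+)$")

# "null" is what the logger prints for a null attempting user; "Unknown" is the
# fallback used in the exceptionCaught code quoted in the issue.
UNKNOWN_USERS = {"", "null", "Unknown"}

# Constructed sample audit lines (not taken from a real cluster).
SAMPLE_LINES = [
    "2022-12-23 09:00:01,100 WARN AUDIT: Auth failed for 192.0.2.10: alice",
    "2022-12-23 09:00:02,200 WARN AUDIT: Auth failed for 192.0.2.10: null",
    "2022-12-23 09:00:03,300 WARN AUDIT: Auth failed for 192.0.2.10: Unknown",
    "2022-12-23 09:00:04,400 INFO AUDIT: Auth successful for bob@EXAMPLE.COM (auth:KERBEROS)",
    "2022-12-23 09:00:05,500 WARN AUDIT: Auth failed for 2001:db8::7: carol",
]

def summarize(lines):
    """Return (failures_by_client, successes) parsed from audit log lines."""
    failures = defaultdict(list)
    successes = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user = m.group("user").strip()
            failures[m.group("client")].append(None if user in UNKNOWN_USERS else user)
            continue
        m = SUCCESS_RE.search(line)
        if m:
            successes.append(m.group("ugi").strip())
    return dict(failures), successes

def noisy_clients(failures, threshold=3):
    """Clients with at least `threshold` failed attempts, highest count first."""
    hits = [(client, len(users)) for client, users in failures.items()
            if len(users) >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    failed, ok = summarize(SAMPLE_LINES)
    print(noisy_clients(failed), ok)
```

A code path that throws without writing the failure record never reaches this parser, so its clients are undercounted no matter how the threshold is set.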