[ https://issues.apache.org/jira/browse/CASSANDRA-18420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17720004#comment-17720004 ]

Brandon Williams edited comment on CASSANDRA-18420 at 5/5/23 9:33 PM:
----------------------------------------------------------------------

Thanks for the info, [~samt].

bq. So the situation I think you're describing is that the client receives the 
AUTHENTICATE then simply doesn't respond and this is what is happening in the 
cqlsh example posted here. If no credentials are supplied to cqlsh at the 
outset, it doesn't configure an AuthProvider then throws when it receives the 
AUTHENTICATE response from the server (here).

This is indeed what is happening, I can see StartupMessage create and return a 
new AuthenticationMessage.  What I'm having difficulty with is finding the spot 
where the client disconnects and we can check if AUTHENTICATE was the last 
thing sent and never responded to so we can log something useful about it.  
ConnectionTracker would seem like a good place but it doesn't process single 
client removal, and even with 
`-Dcassandra.unsafe_verbose_debug_client_protocol` I'm not getting any help 
from the logs.


> Connection without username not logged in auditlog 
> ---------------------------------------------------
>
>                 Key: CASSANDRA-18420
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18420
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/auditlogging
>            Reporter: Yakir Gibraltar
>            Assignee: Ningzi Zhan
>            Priority: Normal
>             Fix For: 4.0.x, 4.1.x, 5.x
>
>
> Hi,
> If making a connection *without username* to a Cassandra cluster with 
> PasswordAuthenticator enabled, 
> the connection will fail but is not logged in the auditlog.
> How to reproduce:
>  # Enable "authenticator: PasswordAuthenticator" on cluster
>  # Enable audit : "nodetool enableauditlog"
>  # Open a new screen and run "auditlogviewer -f <log_location>/audit/"
>  # Try to connect, and connection will fail:
> {code:java}
> [root@c1 ~]# cqlsh
> Connection error: ('Unable to connect to any servers', {'127.0.0.1:9042': 
> AuthenticationFailed('Remote end requires authentication',)}){code}
>  # *But nothing in auditlogviewer*.
> Connections with an incorrect username or password are logged correctly in the auditlog; 
> the problem is only with connections without a username. 
> How it's affecting:
>  # Security reason: hard to find unauthorized connection attempts.
>  # When migrating a cluster to PasswordAuthenticator, hard to find 
> applications that didn't add a username/password. 
> Thank you. 
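Added example (not Cassandra's code, and not from anyone on this ticket): a small Python model of the check the comment above is looking for. It simulates the server side of the native-protocol handshake, tracks per-connection auth state, and on disconnect records an audit entry when AUTHENTICATE was the last frame sent and no AUTH_RESPONSE ever arrived, which is the cqlsh-without-credentials case in the ticket. Opcode names follow the CQL native protocol; the classes, functions, audit categories and client address are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class AuthState(Enum):
    NEW = auto()                     # STARTUP not yet received
    AWAITING_AUTH_RESPONSE = auto()  # AUTHENTICATE sent, nothing back yet
    AUTHENTICATED = auto()
    FAILED = auto()

@dataclass
class ClientConnection:
    remote: str                      # hypothetical client address for the audit entry
    state: AuthState = AuthState.NEW
    last_sent: str = ""              # opcode of the last frame the server sent

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)  # (remote, category, detail) tuples
    def record(self, conn, category, detail):
        self.entries.append((conn.remote, category, detail))

def on_client_frame(conn, audit, opcode, credentials_ok=False):
    """Server-side handling of one client frame; returns the opcode sent back."""
    if opcode == "STARTUP":          # PasswordAuthenticator enabled: challenge the client
        conn.state, conn.last_sent = AuthState.AWAITING_AUTH_RESPONSE, "AUTHENTICATE"
    elif opcode == "AUTH_RESPONSE" and credentials_ok:
        conn.state, conn.last_sent = AuthState.AUTHENTICATED, "AUTH_SUCCESS"
        audit.record(conn, "LOGIN_SUCCESS", "credentials accepted")
    elif opcode == "AUTH_RESPONSE":  # wrong user/password: this case is already audited
        conn.state, conn.last_sent = AuthState.FAILED, "ERROR"
        audit.record(conn, "LOGIN_ERROR", "bad credentials")
    else:
        raise ValueError(f"unexpected frame {opcode} in state {conn.state.name}")
    return conn.last_sent

def on_disconnect(conn, audit):
    """The missing check: AUTHENTICATE was the last frame sent and the client
    closed without an AUTH_RESPONSE, so record the attempt instead of losing it."""
    if conn.state is AuthState.AWAITING_AUTH_RESPONSE and conn.last_sent == "AUTHENTICATE":
        audit.record(conn, "LOGIN_ERROR", "client disconnected without answering AUTHENTICATE")
        return True
    return False

def simulate_cqlsh_without_credentials(remote="127.0.0.1:54321"):
    """Ticket scenario: STARTUP, AUTHENTICATE back, cqlsh (no AuthProvider) drops."""
    audit, conn = AuditLog(), ClientConnection(remote)
    on_client_frame(conn, audit, "STARTUP")
    on_disconnect(conn, audit)
    return audit.entries
```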



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
