This is an automated email from the ASF dual-hosted git repository.
sorabh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/drill.git
The following commit(s) were added to refs/heads/master by this push:
new 9388e1c DRILL-7417: Add user logged in/out event in info level logs
9388e1c is described below
commit 9388e1ceea5e7c496f4b668038e00151626e308f
Author: Sorabh Hamirwasia <[email protected]>
AuthorDate: Tue Oct 22 14:16:52 2019 -0700
DRILL-7417: Add user logged in/out event in info level logs
---
.../org/apache/drill/exec/rpc/user/UserServer.java | 19 ++++++++++++++-----
.../drill/exec/server/rest/LogInLogOutResources.java | 13 ++++++++++++-
.../exec/server/rest/auth/DrillRestLoginService.java | 2 +-
.../server/rest/auth/DrillSpnegoAuthenticator.java | 5 ++---
.../server/rest/auth/DrillSpnegoLoginService.java | 7 ++++---
5 files changed, 33 insertions(+), 13 deletions(-)
diff --git
a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java
b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java
index e2fd1e8..1c2e2e2 100644
---
a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java
+++
b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java
@@ -205,6 +205,7 @@ public class UserServer extends BasicServer<RpcType,
BitToUserConnection> {
private UserSession session;
private UserToBitHandshake inbound;
+ private String authenticatedUser;
BitToUserConnection(SocketChannel channel) {
super(channel, config, !config.isAuthEnabled()
@@ -230,8 +231,8 @@ public class UserServer extends BasicServer<RpcType,
BitToUserConnection> {
public void finalizeSaslSession() throws IOException {
final String authorizationID = getSaslServer().getAuthorizationID();
final String userName = new
HadoopKerberosName(authorizationID).getShortName();
- logger.debug("Created session for {}", userName);
finalizeSession(userName);
+ logger.info("User {} logged in from {}", authenticatedUser,
getRemoteAddress());
}
/**
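Review bot: The SASL login event in finalizeSaslSession (`User {} logged in from {}`) is worded differently from the PLAIN one later in this file (`Authenticated {} from {} successfully using PLAIN`) and omits the mechanism, while channelClosed emits `User {} logged out from {}` for both paths. A log rule that pairs login and logout lines by message text will therefore miss PLAIN sessions. Consider one message shape for both, for example `logger.info("User {} logged in from {} using {}", userName, getRemoteAddress(), getSaslServer().getMechanismName());`, assuming getSaslServer() returns a javax.security.sasl.SaslServer. Logging the local `userName` also avoids depending on the field that finalizeSession sets as a side effect.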
@@ -251,6 +252,7 @@ public class UserServer extends BasicServer<RpcType,
BitToUserConnection> {
.setSupportComplexTypes(inbound.getSupportComplexTypes())
.build();
+ this.authenticatedUser = userName;
// if inbound impersonation is enabled and a target is mentioned
final String targetName = session.getTargetUserName();
if (config.getImpersonationManager() != null && targetName != null) {
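Review bot: The value stored in `authenticatedUser` is the authenticating identity only, and none of the new info-level lines records the impersonation target handled by the `targetName != null` branch that follows. When inbound impersonation is in use, the audit trail would then show who connected but not which user the session runs as. Suggest adding inside that branch, once the target has been accepted, `logger.info("User {} is impersonating {} from {}", userName, targetName, getRemoteAddress());`. The branch body lies outside this hunk, so whether it already logs this at info level is not visible here.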
@@ -296,6 +298,15 @@ public class UserServer extends BasicServer<RpcType,
BitToUserConnection> {
return getChannel().remoteAddress();
}
+ @Override
+ public void channelClosed(RpcException ex) {
+ // log the logged out event only when authentication is enabled
+ if (config.isAuthEnabled()) {
+ logger.info("User {} logged out from {}", authenticatedUser,
getRemoteAddress());
+ }
+ super.channelClosed(ex);
+ }
+
private void cleanup() {
if (session != null) {
session.close();
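Review bot: `channelClosed` logs a logout whenever authentication is enabled, including for a connection that closed before any session was finalized; `authenticatedUser` is still null in that case and the line reads `User null logged out from …`. Failed handshakes, health checks and port probes would all produce such entries and dilute the audit trail. Guard on the field as well: `if (config.isAuthEnabled() && authenticatedUser != null) {`. If unauthenticated closes are worth recording, give them their own message rather than a logout event.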
@@ -429,10 +440,8 @@ public class UserServer extends BasicServer<RpcType,
BitToUserConnection> {
connection.changeHandlerTo(config.getMessageHandler());
connection.finalizeSession(userName);
respBuilder.setStatus(HandshakeStatus.SUCCESS);
- if (logger.isTraceEnabled()) {
- logger.trace("Authenticated {} successfully using PLAIN from
{}", userName,
- connection.getRemoteAddress());
- }
+ logger.info("Authenticated {} from {} successfully using PLAIN",
userName,
+ connection.getRemoteAddress());
return respBuilder.build();
} catch (UserAuthenticationException ex) {
return handleFailure(respBuilder, HandshakeStatus.AUTH_FAILED,
ex.getMessage(), ex);
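Review bot: Only the success branch gets an info-level record with user and remote address; the `catch (UserAuthenticationException ex)` branch just below passes `ex.getMessage()` to handleFailure, and unless that helper logs them (its body is not in this hunk) a rejected PLAIN login leaves no line tying the user name to the client address. Failed attempts are what password-guessing detection relies on, so they matter at least as much as the successes. Suggest adding in the catch, before the return and assuming `userName` is in scope there, `logger.info("Authentication failed for {} from {} using PLAIN", userName, connection.getRemoteAddress());`. The same gap is visible in DrillSpnegoLoginService, where `logger.error("Failed to login using SPNEGO", e)` carries no remote address, and it may also apply to DrillRestLoginService around `userAuthenticator.authenticate(...)`.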
diff --git
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/LogInLogOutResources.java
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/LogInLogOutResources.java
index 0abe2c5..3105012 100644
---
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/LogInLogOutResources.java
+++
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/LogInLogOutResources.java
@@ -17,16 +17,19 @@
*/
package org.apache.drill.exec.server.rest;
-import
org.apache.drill.shaded.guava.com.google.common.annotations.VisibleForTesting;
import org.apache.commons.lang3.StringUtils;
import org.apache.drill.common.config.DrillConfig;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.server.rest.auth.AuthDynamicFeature;
import org.apache.drill.exec.server.rest.auth.DrillHttpSecurityHandlerProvider;
import org.apache.drill.exec.work.WorkManager;
+import
org.apache.drill.shaded.guava.com.google.common.annotations.VisibleForTesting;
import org.eclipse.jetty.security.authentication.FormAuthenticator;
+import org.eclipse.jetty.security.authentication.SessionAuthentication;
import org.eclipse.jetty.util.security.Constraint;
import org.glassfish.jersey.server.mvc.Viewable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import javax.annotation.security.PermitAll;
import javax.inject.Inject;
@@ -51,6 +54,8 @@ import java.util.Set;
@PermitAll
public class LogInLogOutResources {
+ private static final Logger logger =
LoggerFactory.getLogger(LogInLogOutResources.class);
+
@Inject
WorkManager workManager;
@@ -120,6 +125,12 @@ public class LogInLogOutResources {
public void logout(@Context HttpServletRequest req, @Context
HttpServletResponse resp) throws Exception {
final HttpSession session = req.getSession();
if (session != null) {
+ final Object authCreds =
session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
+ if (authCreds != null) {
+ final SessionAuthentication sessionAuth = (SessionAuthentication)
authCreds;
+ logger.info("WebUser {} logged out from {}:{}",
sessionAuth.getUserIdentity().getUserPrincipal().getName(), req
+ .getRemoteHost(), req.getRemotePort());
+ }
session.invalidate();
}
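Review bot: The new logging runs before `session.invalidate()` and can throw, which would leave the session valid after the user asked to log out. The unchecked cast of the `__J_AUTHENTICATED` attribute and the `getUserIdentity().getUserPrincipal().getName()` chain raise ClassCastException or NullPointerException on an unexpected attribute value. Because this commit also drops `session.removeAttribute(...)` from DrillSpnegoAuthenticator, this call is now the only place visible in the diff where the authenticated state is cleared. Guard the cast with `instanceof` and move the invalidation into a `finally`, as sketched below. logout() continues past the end of this hunk.

```java
if (session != null) {
  try {
    final Object authCreds = session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
    if (authCreds instanceof SessionAuthentication) {
      final SessionAuthentication sessionAuth = (SessionAuthentication) authCreds;
      // … unchanged: logger.info("WebUser {} logged out from {}:{}", …) …
    }
  } finally {
    // invalidate even if building the log line throws
    session.invalidate();
  }
}
```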
diff --git
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillRestLoginService.java
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillRestLoginService.java
index 33fe52c..a21a0f1 100644
---
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillRestLoginService.java
+++
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillRestLoginService.java
@@ -78,7 +78,7 @@ public class DrillRestLoginService implements LoginService {
// Authenticate the user with configured Authenticator
userAuthenticator.authenticate(username, credentials.toString());
- logger.debug("WebUser {} is successfully authenticated", username);
+ logger.info("WebUser {} logged in from {}:{}", username,
request.getRemoteHost(), request.getRemotePort());
final SystemOptionManager sysOptions =
drillbitContext.getOptionManager();
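Review bot: `request.getRemoteHost()` may return a reverse-resolved name rather than the peer address, depending on how the container is configured, and a PTR record is controlled by whoever owns the address block. For an audit line the literal address from `getRemoteAddr()` is the safer field, and the debug line this commit removes from DrillSpnegoAuthenticator already used it: `logger.info("WebUser {} logged in from {}:{}", username, request.getRemoteAddr(), request.getRemotePort());`. The same applies to the logout line in LogInLogOutResources and the SPNEGO login line in DrillSpnegoLoginService. Behind a reverse proxy either call reports the proxy, which is worth stating wherever these log lines are documented.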
diff --git
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoAuthenticator.java
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoAuthenticator.java
index d60aaf5..1efaf56 100644
---
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoAuthenticator.java
+++
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoAuthenticator.java
@@ -75,11 +75,10 @@ public class DrillSpnegoAuthenticator extends
SpnegoAuthenticator {
// If the Request URI is for /spnegoLogin then perform login
final boolean mandatory = mandatoryAuth ||
uri.equals(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH);
- // For logout remove the attribute from the session that holds UserIdentity
+ // For logout the attribute from the session that holds UserIdentity will
be removed when session is getting
+ // invalidated
if (authentication != null) {
if (uri.equals(WebServerConstants.LOGOUT_RESOURCE_PATH)) {
- logger.debug("Logging out user {}", req.getRemoteAddr());
- session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
return null;
}
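Review bot: The rewritten comment says the attribute "will be removed when session is getting invalidated" but not where that happens, and the logout branch is now a bare `return null;`. Since clearing the authenticated state has moved to another class, the comment should name it, for example `// Logout: keep the UserIdentity attribute so LogInLogOutResources.logout() can log the user name;` followed by `// it is discarded when that method invalidates the session.` The enclosing method starts and ends outside this hunk.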
diff --git
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.java
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.java
index 429aa3a..98a76cb 100644
---
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.java
+++
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.java
@@ -83,7 +83,7 @@ public class DrillSpnegoLoginService extends
SpnegoLoginService {
UserIdentity identity = null;
try {
- identity = loggedInUgi.doAs((PrivilegedExceptionAction<UserIdentity>) ()
-> spnegoLogin(credentials));
+ identity = loggedInUgi.doAs((PrivilegedExceptionAction<UserIdentity>) ()
-> spnegoLogin(credentials, request));
} catch (Exception e) {
logger.error("Failed to login using SPNEGO", e);
}
@@ -91,7 +91,7 @@ public class DrillSpnegoLoginService extends
SpnegoLoginService {
return identity;
}
- private UserIdentity spnegoLogin(Object credentials) {
+ private UserIdentity spnegoLogin(Object credentials, ServletRequest request)
{
String encodedAuthToken = (String) credentials;
byte[] authToken = B64Code.decode(encodedAuthToken);
@@ -122,7 +122,8 @@ public class DrillSpnegoLoginService extends
SpnegoLoginService {
// Get the client user short name
final String userShortName = new
HadoopKerberosName(clientName).getShortName();
-
+ logger.info("WebUser {} logged in from {}:{}", userShortName,
request.getRemoteHost(),
+ request.getRemotePort());
logger.debug("Client Name: {}, realm: {} and shortName: {}",
clientName, realm, userShortName);
final SystemOptionManager sysOptions =
drillContext.getOptionManager();
final boolean isAdmin =
ImpersonationUtil.hasAdminPrivileges(userShortName,