[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Beibei Zhao updated HBASE-27526:
--------------------------------
    Issue Type: Brainstorming  (was: Improvement)

> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record 
> "AUTH_FAILED_FOR" auditlog for an exception.
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-27526
>                 URL: https://issues.apache.org/jira/browse/HBASE-27526
>             Project: HBase
>          Issue Type: Brainstorming
>            Reporter: Beibei Zhao
>            Priority: Minor
>
> In other methods such as SimpleServerRpcConnection.saslReadAndProcess, they 
> always record "AUTH_FAILED_FOR" for an exception, and "AUTH_SUCCESSFUL_FOR" 
> after the task is completed, like this: 
> {code:java}
>   private void saslReadAndProcess(ByteBuff saslToken) throws IOException, InterruptedException {
>     ......
>       } catch (IOException e) {
>         ......
>         // attempting user could be null
>         RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP,
>           saslServer.getAttemptingUser());
>         throw e;
>       }
>       ......
>       if (saslServer.isComplete()) {
>         ......
>         RpcServer.AUDITLOG.info(RpcServer.AUTH_SUCCESSFUL_FOR + ugi);
>         ......
>       }
>     }
>   }
> {code}
> but NettyHBaseSaslRpcServerHandler.channelRead0 only records 
> "AUTH_SUCCESSFUL_FOR" in finishSaslNegotiation, and just throws an Exception 
> without recording "AUTH_FAILED_FOR": 
> {code:java}
> protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
>       ......
>       if (saslServer.isComplete()) {
>         conn.finishSaslNegotiation();
>         ......
>       }
>   }
> void finishSaslNegotiation() throws IOException {
>     ......
>     RpcServer.AUDITLOG.info(RpcServer.AUTH_SUCCESSFUL_FOR + ugi);
>   }
> {code}
> So I think an exceptionCaught should be called here: 
> {code:java}
>   public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
>     LOG.error("Error when doing SASL handshade, provider={}", conn.provider, cause);
>     Throwable sendToClient = HBaseSaslRpcServer.unwrap(cause);
>     doResponse(ctx, SaslStatus.ERROR, null, sendToClient.getClass().getName(),
>       sendToClient.getLocalizedMessage());
>     rpcServer.metrics.authenticationFailure();
>     String clientIP = this.toString();
>     // attempting user could be null
>     RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP,
>       conn.saslServer != null ? conn.saslServer.getAttemptingUser() : "Unknown");
>     NettyFutureUtils.safeClose(ctx);
>   }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
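
The audit gap described in the issue above, as an added stand-alone example (not code from HBase or from the reporter): one handler shape audits only success, the other audits both outcomes before rethrowing. `AuditGapDemo`, `SaslStep`, the in-memory `AUDIT` list, the constant string values and the address `192.0.2.10` are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration. All names here are hypothetical stand-ins, not HBase classes.
public class AuditGapDemo {
  // Constructed prefixes; the real RpcServer constant values are not shown in the issue.
  static final String AUTH_FAILED_FOR = "AUTH_FAILED_FOR ";
  static final String AUTH_SUCCESSFUL_FOR = "AUTH_SUCCESSFUL_FOR ";
  static final List<String> AUDIT = new ArrayList<>();

  /** Hypothetical stand-in for one SASL evaluation step; returns the authenticated user. */
  interface SaslStep {
    String evaluate(byte[] token) throws Exception;
  }

  // Shape described for channelRead0: success is audited, an exception just propagates.
  static void successOnlyAudit(SaslStep step, byte[] token) throws Exception {
    AUDIT.add(AUTH_SUCCESSFUL_FOR + step.evaluate(token));
  }

  // Shape described for saslReadAndProcess: audit the failure, then rethrow.
  static void bothOutcomesAudited(SaslStep step, byte[] token, String clientIP,
      String attemptingUser) throws Exception {
    try {
      AUDIT.add(AUTH_SUCCESSFUL_FOR + step.evaluate(token));
    } catch (Exception e) {
      // attempting user could be null
      String user = attemptingUser != null ? attemptingUser : "Unknown";
      AUDIT.add(AUTH_FAILED_FOR + clientIP + ": " + user);
      throw e;
    }
  }

  public static void main(String[] args) {
    // Constructed failing step: every token is rejected.
    SaslStep rejecting = t -> { throw new Exception("constructed SASL failure"); };
    byte[] token = new byte[0];
    try {
      successOnlyAudit(rejecting, token);
    } catch (Exception expected) {
      System.out.println("records after unaudited failure: " + AUDIT.size());
    }
    try {
      bothOutcomesAudited(rejecting, token, "192.0.2.10", null);
    } catch (Exception expected) {
      System.out.println("records after audited failure: " + AUDIT);
    }
  }
}
```

With the success-only shape, a rejected handshake leaves the audit list empty, so anything that counts failure records per client never sees the attempt.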
