Jinmei Liao created GEODE-2066:
----------------------------------

             Summary: Log UnauthorizedException message at INFO and stack at 
DEBUG
                 Key: GEODE-2066
                 URL: https://issues.apache.org/jira/browse/GEODE-2066
             Project: Geode
          Issue Type: Sub-task
          Components: security
            Reporter: Jinmei Liao


1. First, a similar Stack Trace appears at the INFO log-level every time a 
security violation (e.g. authentication or authorization failure) occurs...

[info 2016/10/25 21:09:08.339 PDT <RMI TCP Connection(2)-10.99.199.3> tid=0x24] 
(tid=36 msgId=0) Could not execute "list members".
org.apache.geode.security.NotAuthorizedException: guest not authorized for 
CLUSTER:READ
        at 
org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:303)
        at 
org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:280)
        at 
org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:275)
        at 
org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:217)
        at 
org.apache.geode.management.internal.cli.remote.CommandProcessor.executeCommand(CommandProcessor.java:116)
        at 
org.apache.geode.management.internal.cli.remote.CommandStatementImpl.process(CommandStatementImpl.java:66)
        at 
org.apache.geode.management.internal.cli.remote.MemberCommandService.processCommand(MemberCommandService.java:54)
        at 
org.apache.geode.management.internal.beans.MemberMBeanBridge.processCommand(MemberMBeanBridge.java:1690)
        at 
org.apache.geode.management.internal.beans.MemberMBean.processCommand(MemberMBean.java:406)
        at 
org.apache.geode.management.internal.beans.MemberMBean.processCommand(MemberMBean.java:399)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:71)
        at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:275)
        at 
com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:193)
        at 
com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:175)
        at 
com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:117)
        at 
com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:54)
        at 
com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:237)
        at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:138)
        at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:252)
        at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
        at 
com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
        at 
org.apache.geode.management.internal.security.MBeanServerWrapper.invoke(MBeanServerWrapper.java:208)
        at 
javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1471)
        at 
javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
        at 
javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1312)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1411)
        at 
javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:832)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:323)
        at sun.rmi.transport.Transport$1.run(Transport.java:200)
        at sun.rmi.transport.Transport$1.run(Transport.java:197)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
        at 
sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:568)
        at 
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:826)
        at 
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$256(TCPTransport.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:682)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.shiro.authz.UnauthorizedException: Subject does not have 
permission [CLUSTER:READ]
        at 
org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:334)
        at 
org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:141)
        at 
org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:210)
        at 
org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:298)
        ... 51 more

It is probably sufficient to log just the security exception "message" at INFO 
level or higher.  Though, I would not mind seeing a Stack Trace if I explicitly 
set the log-level to DEBUG/FINE.  Given all the possible concurrent requests 
from a multitude of application clients/users, the Geode log file is going to 
fill up with these Stack Traces quite quickly.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to