[jira] [Updated] (HBASE-27526) NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Beibei Zhao updated HBASE-27526:
    Issue Type: Brainstorming (was: Improvement)

> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
>
> Key: HBASE-27526
> URL: https://issues.apache.org/jira/browse/HBASE-27526
> Project: HBase
> Issue Type: Brainstorming
> Reporter: Beibei Zhao
> Priority: Minor
>
> In other methods such as SimpleServerRpcConnection.saslReadAndProcess, they always record "AUTH_FAILED_FOR" for an exception, and "AUTH_SUCCESSFUL_FOR" after the task is completed, like this:
> {code:java}
>   private void saslReadAndProcess(ByteBuff saslToken) throws IOException,
>     InterruptedException {
>     ..
>     } catch (IOException e) {
>       ..
>       // attempting user could be null
>       RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP,
>         saslServer.getAttemptingUser());
>       throw e;
>     }
>     ..
>     if (saslServer.isComplete()) {
>       ..
>       RpcServer.AUDITLOG.info(RpcServer.AUTH_SUCCESSFUL_FOR + ugi);
>       ..
>     }
>   }
> }
> {code}
> but NettyHBaseSaslRpcServerHandler.channelRead0 only records "AUTH_SUCCESSFUL_FOR" in finishSaslNegotiation, and just throws an Exception without recording "AUTH_FAILED_FOR":
> {code:java}
>   protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
>     ..
>     if (saslServer.isComplete()) {
>       conn.finishSaslNegotiation();
>       ..
>     }
>   }
>
>   void finishSaslNegotiation() throws IOException {
>     ..
>     RpcServer.AUDITLOG.info(RpcServer.AUTH_SUCCESSFUL_FOR + ugi);
>   }
> {code}
> So I think an exceptionCaught should be called here:
> {code:java}
>   public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
>     LOG.error("Error when doing SASL handshade, provider={}", conn.provider, cause);
>     Throwable sendToClient = HBaseSaslRpcServer.unwrap(cause);
>     doResponse(ctx, SaslStatus.ERROR, null, sendToClient.getClass().getName(),
>       sendToClient.getLocalizedMessage());
>     rpcServer.metrics.authenticationFailure();
>     String clientIP = this.toString();
>     // attempting user could be null
>     RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP,
>       conn.saslServer != null ? conn.saslServer.getAttemptingUser() : "Unknown");
>     NettyFutureUtils.safeClose(ctx);
>   }
> {code}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
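The audit gap reported in the issue above, as an added example that is not HBase code or the reporter's patch: one SASL step run over a stub `SaslServer`, first without and then with failure auditing. The class `SaslAuditDemo`, the `step` and `fakeServer` helpers, the `AUDIT` list, the prefix string values and the sample addresses are all assumptions made for the demonstration.

```java
import java.util.*;
import javax.security.sasl.*;

public class SaslAuditDemo {
  // Stand-in for RpcServer.AUDITLOG; prefix values are constructed for this demo.
  static final List<String> AUDIT = new ArrayList<>();
  static final String AUTH_FAILED_FOR = "AUTH_FAILED_FOR ";
  static final String AUTH_SUCCESSFUL_FOR = "AUTH_SUCCESSFUL_FOR ";
  // auditFailures=false models the reported gap: a rejected token leaves no record.
  static byte[] step(SaslServer server, String clientIp, String user, byte[] token,
      boolean auditFailures) throws SaslException {
    byte[] challenge;
    try {
      challenge = server.evaluateResponse(token);
    } catch (SaslException e) {
      if (auditFailures) { // attempting user could be null
        AUDIT.add(AUTH_FAILED_FOR + clientIp + ": " + (user != null ? user : "Unknown"));
      }
      throw e;
    }
    if (server.isComplete()) {
      AUDIT.add(AUTH_SUCCESSFUL_FOR + server.getAuthorizationID());
    }
    return challenge;
  }
  // Hypothetical SaslServer: accepts the single byte 42, rejects everything else.
  static SaslServer fakeServer() {
    return new SaslServer() {
      private boolean done;
      public String getMechanismName() { return "DEMO"; }
      public byte[] evaluateResponse(byte[] r) throws SaslException {
        if (r.length == 1 && r[0] == 42) { done = true; return new byte[0]; }
        throw new SaslException("bad token");
      }
      public boolean isComplete() { return done; }
      public String getAuthorizationID() { return "alice"; }
      public byte[] unwrap(byte[] in, int off, int len) { throw new IllegalStateException(); }
      public byte[] wrap(byte[] out, int off, int len) { throw new IllegalStateException(); }
      public Object getNegotiatedProperty(String name) { return null; }
      public void dispose() { }
    };
  }
  public static void main(String[] args) throws Exception {
    // Constructed inputs: byte 0 is rejected, byte 42 is accepted.
    try { step(fakeServer(), "192.0.2.10", null, new byte[] {0}, false); } catch (SaslException e) { }
    System.out.println("records after unaudited failure: " + AUDIT.size());
    try { step(fakeServer(), "192.0.2.10", null, new byte[] {0}, true); } catch (SaslException e) { }
    step(fakeServer(), "192.0.2.11", "alice", new byte[] {42}, true);
    AUDIT.forEach(System.out::println);
  }
}
```

With failure auditing off, a rejected handshake is invisible to anyone reviewing only the audit log, so repeated bad attempts from one address cannot be counted there.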
[jira] [Updated] (HBASE-27526) NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Beibei Zhao updated HBASE-27526:
    Issue Type: Improvement (was: Bug)

> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
>
> Key: HBASE-27526
> URL: https://issues.apache.org/jira/browse/HBASE-27526
> Project: HBase
> Issue Type: Improvement
> Reporter: Beibei Zhao
> Priority: Minor
[jira] [Updated] (HBASE-27526) NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Beibei Zhao updated HBASE-27526:
    Priority: Minor (was: Major)

> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
>
> Key: HBASE-27526
> URL: https://issues.apache.org/jira/browse/HBASE-27526
> Project: HBase
> Issue Type: Bug
> Reporter: Beibei Zhao
> Priority: Minor
[jira] [Updated] (HBASE-27526) NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Beibei Zhao updated HBASE-27526:
    Summary: NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception. (was: NettyHBaseSaslRpcServerHandler.channelRead0 forget record "AUTH_FAILED_FOR" auditlog for an exception.)

> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.
>
> Key: HBASE-27526
> URL: https://issues.apache.org/jira/browse/HBASE-27526
> Project: HBase
> Issue Type: Bug
> Reporter: Beibei Zhao
> Priority: Major