[jira] [Updated] (HBASE-27526) NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.

2023-01-08 Thread Beibei Zhao (Jira)


[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Beibei Zhao updated HBASE-27526:

Issue Type: Brainstorming  (was: Improvement)

> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record 
> "AUTH_FAILED_FOR" auditlog for an exception.
> -
>
> Key: HBASE-27526
> URL: https://issues.apache.org/jira/browse/HBASE-27526
> Project: HBase
> Issue Type: Brainstorming
> Reporter: Beibei Zhao
> Priority: Minor
>
> In other methods such as SimpleServerRpcConnection.saslReadAndProcess, they
> always record "AUTH_FAILED_FOR" for an exception, and "AUTH_SUCCESSFUL_FOR"
> after the task is completed, like this:
> {code:java}
>   private void saslReadAndProcess(ByteBuff saslToken) throws IOException, InterruptedException {
>     ..
>     } catch (IOException e) {
>       ..
>       // attempting user could be null
>       RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP,
>         saslServer.getAttemptingUser());
>       throw e;
>     }
>     ..
>     if (saslServer.isComplete()) {
>       ..
>       RpcServer.AUDITLOG.info(RpcServer.AUTH_SUCCESSFUL_FOR + ugi);
>       ..
>     }
>     }
>   }
> {code}
> but NettyHBaseSaslRpcServerHandler.channelRead0 only records
> "AUTH_SUCCESSFUL_FOR" in finishSaslNegotiation, and just throws an Exception
> without recording "AUTH_FAILED_FOR":
> {code:java}
>   protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
>     ..
>     if (saslServer.isComplete()) {
>       conn.finishSaslNegotiation();
>       ..
>     }
>   }
>   void finishSaslNegotiation() throws IOException {
>     ..
>     RpcServer.AUDITLOG.info(RpcServer.AUTH_SUCCESSFUL_FOR + ugi);
>   }
> {code}
> So I think an exceptionCaught should be called here: 
> {code:java}
>   public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
>     LOG.error("Error when doing SASL handshade, provider={}", conn.provider, cause);
>     Throwable sendToClient = HBaseSaslRpcServer.unwrap(cause);
>     doResponse(ctx, SaslStatus.ERROR, null, sendToClient.getClass().getName(),
>       sendToClient.getLocalizedMessage());
>     rpcServer.metrics.authenticationFailure();
>     String clientIP = this.toString();
>     // attempting user could be null
>     RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP,
>       conn.saslServer != null ? conn.saslServer.getAttemptingUser() : "Unknown");
>     NettyFutureUtils.safeClose(ctx);
>   }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
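
A self-contained model of the audit gap described in the issue above, showing that a rejected SASL step leaves no failure record unless the failure path writes one. This is an added example, not HBase code: the class, the `SaslStep` interface, the logger name, the constant values and the client address are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import javax.security.sasl.SaslException;

public class SaslAuditGapDemo {
  // Stand-ins for RpcServer.AUTH_FAILED_FOR / AUTH_SUCCESSFUL_FOR (assumed values).
  static final String AUTH_FAILED_FOR = "Auth failed for ";
  static final String AUTH_SUCCESSFUL_FOR = "Auth successful for ";
  static final Logger AUDITLOG = Logger.getLogger("demo.SecurityLogger");
  static final List<String> RECORDS = new ArrayList<>();

  /** Hypothetical stand-in for one SASL step; returns the authenticated user. */
  interface SaslStep { String evaluate(byte[] token) throws SaslException; }

  // Shape reported for the Netty handler: only success is audited.
  static void readWithoutFailureAudit(SaslStep step, byte[] token) throws SaslException {
    AUDITLOG.info(AUTH_SUCCESSFUL_FOR + step.evaluate(token));
  }

  // Shape of saslReadAndProcess: audit the failure, then rethrow.
  static void readWithFailureAudit(SaslStep step, byte[] token, String clientIP,
      String attemptingUser) throws SaslException {
    try {
      AUDITLOG.info(AUTH_SUCCESSFUL_FOR + step.evaluate(token));
    } catch (SaslException e) {
      // attempting user could be null, so fall back to a fixed label
      AUDITLOG.warning(AUTH_FAILED_FOR + clientIP + ": "
        + (attemptingUser != null ? attemptingUser : "Unknown"));
      throw e;
    }
  }

  static long failuresAudited() {
    return RECORDS.stream().filter(m -> m.startsWith(AUTH_FAILED_FOR)).count();
  }

  public static void main(String[] args) {
    AUDITLOG.setUseParentHandlers(false); // capture records in memory only
    AUDITLOG.addHandler(new Handler() {
      @Override public void publish(LogRecord r) { RECORDS.add(r.getMessage()); }
      @Override public void flush() { }
      @Override public void close() { }
    });
    SaslStep rejected = token -> { throw new SaslException("constructed failure"); };
    try { readWithoutFailureAudit(rejected, new byte[0]); } catch (SaslException expected) { }
    System.out.println("without failure audit: " + failuresAudited() + " record(s)");
    try { readWithFailureAudit(rejected, new byte[0], "192.0.2.10", null); } catch (SaslException expected) { }
    System.out.println("with failure audit:    " + failuresAudited() + " record(s)");
  }
}
```

The same count, taken per client address over a real audit log, is what a failed-login alert would rely on, which is why a path that skips the failure record matters for detection.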


[jira] [Updated] (HBASE-27526) NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.

2023-01-08 Thread Beibei Zhao (Jira)


[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Beibei Zhao updated HBASE-27526:

Issue Type: Improvement  (was: Bug)

> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record 
> "AUTH_FAILED_FOR" auditlog for an exception.
> -
>
> Key: HBASE-27526
> URL: https://issues.apache.org/jira/browse/HBASE-27526
> Project: HBase
> Issue Type: Improvement
> Reporter: Beibei Zhao
> Priority: Minor


[jira] [Updated] (HBASE-27526) NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.

2022-12-23 Thread Beibei Zhao (Jira)


[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Beibei Zhao updated HBASE-27526:

Priority: Minor  (was: Major)

> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record 
> "AUTH_FAILED_FOR" auditlog for an exception.
> -
>
> Key: HBASE-27526
> URL: https://issues.apache.org/jira/browse/HBASE-27526
> Project: HBase
> Issue Type: Bug
> Reporter: Beibei Zhao
> Priority: Minor


[jira] [Updated] (HBASE-27526) NettyHBaseSaslRpcServerHandler.channelRead0 forget to record "AUTH_FAILED_FOR" auditlog for an exception.

2022-12-09 Thread Beibei Zhao (Jira)


[ https://issues.apache.org/jira/browse/HBASE-27526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Beibei Zhao updated HBASE-27526:

Summary: NettyHBaseSaslRpcServerHandler.channelRead0 forget to record 
"AUTH_FAILED_FOR" auditlog for an exception.  (was: 
NettyHBaseSaslRpcServerHandler.channelRead0 forget record "AUTH_FAILED_FOR" 
auditlog for an exception.)

> NettyHBaseSaslRpcServerHandler.channelRead0 forget to record 
> "AUTH_FAILED_FOR" auditlog for an exception.
> -
>
> Key: HBASE-27526
> URL: https://issues.apache.org/jira/browse/HBASE-27526
> Project: HBase
> Issue Type: Bug
> Reporter: Beibei Zhao
> Priority: Major