[GEODE-2066] Log UnauthorizedException message at INFO and stack at DEBUG - ASF JIRA

Details

Type: Sub-task
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: security
Labels:
None

Description

1. First, a similar Stack Trace appears at the INFO log-level every time a security violation (e.g. authentication or authorization failure) occurs...

[info 2016/10/25 21:09:08.339 PDT <RMI TCP Connection(2)-10.99.199.3> tid=0x24] (tid=36 msgId=0) Could not execute "list members".
org.apache.geode.security.NotAuthorizedException: guest not authorized for CLUSTER:READ
at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:303)
at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:280)
at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:275)
at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:217)
at org.apache.geode.management.internal.cli.remote.CommandProcessor.executeCommand(CommandProcessor.java:116)
at org.apache.geode.management.internal.cli.remote.CommandStatementImpl.process(CommandStatementImpl.java:66)
at org.apache.geode.management.internal.cli.remote.MemberCommandService.processCommand(MemberCommandService.java:54)
at org.apache.geode.management.internal.beans.MemberMBeanBridge.processCommand(MemberMBeanBridge.java:1690)
at org.apache.geode.management.internal.beans.MemberMBean.processCommand(MemberMBean.java:406)
at org.apache.geode.management.internal.beans.MemberMBean.processCommand(MemberMBean.java:399)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:71)
at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:275)
at com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:193)
at com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:175)
at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:117)
at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:54)
at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:237)
at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:138)
at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:252)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
at org.apache.geode.management.internal.security.MBeanServerWrapper.invoke(MBeanServerWrapper.java:208)
at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1471)
at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1312)
at java.security.AccessController.doPrivileged(Native Method)
at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1411)
at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:832)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:323)
at sun.rmi.transport.Transport$1.run(Transport.java:200)
at sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:568)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:826)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$256(TCPTransport.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:682)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [CLUSTER:READ]
at org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:334)
at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:141)
at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:210)
at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:298)
... 51 more

It is probably sufficient to log just the security exception "message" at INFO level or higher. Though, I would not mind seeing a Stack Trace if I explicitly set the log-level to DEBUG/FINE. Given all the possible concurrent requests from a multitude of application clients/users, the Geode log file is going to fill up with these Stack Traces quite quickly.

Log UnauthorizedException message at INFO and stack at DEBUG

Details

Description

Attachments

Activity

People

Dates