SERVER-14727 (project: Core Server)

Details of SASL failures aren't logged

    • Type: Improvement
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 2.6.5, 2.7.6
    • Affects Version/s: None
    • Component/s: Security
    • Labels: None

      When there is a GSSAPI SASL failure, the log shows an authentication failure, but doesn't show the GSSAPI major/minor codes.

      2014-07-29T10:21:06.818-0500 [initandlisten] connection accepted from 10.1.2.3:46996 #5 (1 connection now open)
      2014-07-29T10:21:06.830-0500 [conn5] GSSAPI authentication failed for  on $external ; AuthenticationFailed SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
      2014-07-29T10:21:06.833-0500 [conn5] end connection 10.1.2.3:46996 (0 connections now open)

      We set a global log callback for SASL at https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/cyrus_sasl_authentication_session.cpp#L423, but for the SASL_LOG_FAIL log level, there's a comment that says "Logged elsewhere" and we throw the log message away. Either we need to document where the log message gets logged, or we need to make sure these messages aren't thrown away.

      As a side-note, we also hard-code the SASL debug level to "3" (https://github.com/10gen/mongo-enterprise-modules/blame/master/src/sasl/cyrus_sasl_authentication_session.cpp#L161). This should be configurable, or it should always set the highest level and let the normal mongod logging utilities decide whether to discard messages or not.

            Assignee:
            spencer.jackson@mongodb.com Spencer Jackson
            Reporter:
            jonathan.reams@mongodb.com Jonathan Reams
            Votes:
            0
            Watchers:
            7

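The two changes the ticket asks for, as an added example that is not code from SERVER-14727, MongoDB or Cyrus SASL: a SASL_CB_LOG callback that forwards SASL_LOG_FAIL messages instead of discarding them, and a SASL_CB_GETOPT callback that serves a configurable "log_level" instead of a compiled-in "3". The SASL_OK/SASL_FAIL/SASL_BADPARAM and SASL_LOG_* values are the ones sasl.h assigns, redefined here so the file builds without libsasl2; the sasl_log_ctx struct, the capture buffer, and the replayed messages (which only resemble a failed GSSAPI exchange) are assumptions of this example.

```c
/*
 * Added example, not code from SERVER-14727, MongoDB or Cyrus SASL.
 * Constants mirror <sasl/sasl.h>; the context, sink and messages are assumed.
 */
#include <stdio.h>
#include <string.h>

/* Return codes and log levels, with the values Cyrus SASL's sasl.h assigns. */
#define SASL_OK         0
#define SASL_FAIL      -1
#define SASL_BADPARAM  -7
#define SASL_LOG_NONE   0
#define SASL_LOG_ERR    1
#define SASL_LOG_FAIL   2   /* auth failure detail; the level the ticket says is dropped */
#define SASL_LOG_WARN   3
#define SASL_LOG_NOTE   4
#define SASL_LOG_DEBUG  5
#define SASL_LOG_TRACE  6
#define SASL_LOG_PASS   7   /* may carry credentials: never forward */

#define MAX_LINES 16
#define LINE_LEN  256

/* Hypothetical application context handed to both callbacks. */
typedef struct {
    int  max_level;                  /* configured verbosity, e.g. from a server parameter */
    char lines[MAX_LINES][LINE_LEN]; /* stand-in for the server's log sink */
    int  count;
    char level_buf[8];               /* backing store for the getopt answer */
} sasl_log_ctx;

static const char *level_name(int level)
{
    static const char *names[] = {"none", "err", "fail", "warn", "note", "debug", "trace", "pass"};
    return (level >= SASL_LOG_NONE && level <= SASL_LOG_PASS) ? names[level] : "unknown";
}

/* SASL_CB_LOG callback; signature matches sasl_log_t. Every level at or below
 * max_level is forwarded, FAIL included, so failure detail reaches the app log. */
int forward_sasl_log(void *context, int level, const char *message)
{
    sasl_log_ctx *ctx = (sasl_log_ctx *)context;
    if (!ctx || !message) return SASL_BADPARAM;
    if (level == SASL_LOG_PASS) return SASL_OK;   /* dropped on purpose */
    if (level > ctx->max_level) return SASL_OK;   /* below configured verbosity */
    if (ctx->count >= MAX_LINES) return SASL_OK;  /* sink full; do not fail the auth */
    snprintf(ctx->lines[ctx->count], LINE_LEN, "[sasl %s] %s", level_name(level), message);
    ctx->count++;
    return SASL_OK;
}

/* SASL_CB_GETOPT callback; signature matches sasl_getopt_t. Answers the
 * "log_level" option from the context instead of a hard-coded "3". */
int serve_sasl_getopt(void *context, const char *plugin_name, const char *option,
                      const char **result, unsigned *len)
{
    sasl_log_ctx *ctx = (sasl_log_ctx *)context;
    (void)plugin_name;
    if (!ctx || !option || !result) return SASL_BADPARAM;
    if (strcmp(option, "log_level") != 0) return SASL_FAIL; /* not ours; library default applies */
    snprintf(ctx->level_buf, sizeof ctx->level_buf, "%d", ctx->max_level);
    *result = ctx->level_buf;
    if (len) *len = (unsigned)strlen(ctx->level_buf);
    return SASL_OK;
}

static sasl_log_ctx g_ctx;

/* Replays a constructed message sequence resembling a failed GSSAPI exchange
 * at the given verbosity and returns how many lines the callback kept. */
int replay_failed_gssapi(int max_level)
{
    memset(&g_ctx, 0, sizeof g_ctx);
    g_ctx.max_level = max_level;
    /* Constructed messages, not captured from a real server. */
    forward_sasl_log(&g_ctx, SASL_LOG_DEBUG, "GSSAPI server step 1");
    forward_sasl_log(&g_ctx, SASL_LOG_FAIL,
        "GSSAPI Error: Unspecified GSS failure. Minor code may provide more information "
        "(No key table entry found matching mongodb/db1.example.com@EXAMPLE.COM)");
    forward_sasl_log(&g_ctx, SASL_LOG_ERR,
        "authentication failure: GSSAPI Failure: gss_accept_sec_context");
    forward_sasl_log(&g_ctx, SASL_LOG_PASS, "would-be credential echo");
    return g_ctx.count;
}

const char *captured_line(int i)
{
    return (i >= 0 && i < g_ctx.count) ? g_ctx.lines[i] : "";
}

/* What the library would read back for "log_level" at a given setting. */
const char *getopt_answer(int max_level)
{
    const char *val = NULL;
    g_ctx.max_level = max_level;
    return serve_sasl_getopt(&g_ctx, NULL, "log_level", &val, NULL) == SASL_OK ? val : "";
}

int main(void)
{
    int n = replay_failed_gssapi(SASL_LOG_FAIL), i;
    for (i = 0; i < n; i++) puts(captured_line(i));
    return 0;
}
```

Run stand-alone, the replay at SASL_LOG_FAIL keeps the "No key table entry" detail alongside the summary line; at SASL_LOG_ERR only the summary survives, which is the situation the ticket's log excerpt shows. In a real integration the two functions are registered in the `sasl_callback_t` array under `SASL_CB_LOG` and `SASL_CB_GETOPT` with the same context pointer, and the threshold lives in the context rather than in the callback, so the server's own verbosity setting decides what is discarded.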