Core Server / SERVER-14727

Details of SASL failures aren't logged

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6.5, 2.7.6
    • Component/s: Security
    • Labels: None
    • Backport Completed:

      Description

      When there is a GSSAPI SASL failure, the log shows an authentication failure, but doesn't show the GSSAPI major/minor codes.

      2014-07-29T10:21:06.818-0500 [initandlisten] connection accepted from 10.1.2.3:46996 #5 (1 connection now open)
      2014-07-29T10:21:06.830-0500 [conn5] GSSAPI authentication failed for  on $external ; AuthenticationFailed SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
      2014-07-29T10:21:06.833-0500 [conn5] end connection 10.1.2.3:46996 (0 connections now open)

      We set a global log callback for SASL at https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/cyrus_sasl_authentication_session.cpp#L423, but for the SASL_LOG_FAIL log level, there's a comment that says " Logged elsewhere" and we throw the log message away. Either we need to document where the log message gets logged, or we need to make sure these messages aren't thrown away.

      As a side-note, we also hard-code the SASL debug level to "3" (https://github.com/10gen/mongo-enterprise-modules/blame/master/src/sasl/cyrus_sasl_authentication_session.cpp#L161). This should be configurable, or it should always set the highest level and let the normal mongod logging utilities decide whether to discard messages or not.
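
An added example, not part of the original ticket and not MongoDB's code: a log callback with the Cyrus SASL `sasl_log_t` signature that forwards failure-level messages to the server log instead of discarding them, and leaves filtering of the more verbose levels to the logger. `ServerLog`, the severity mapping and the `k...` constant names are assumptions; the constant values are those in `<sasl/sasl.h>`.

```cpp
#include <string>
#include <vector>

// Log levels and SASL_OK with the values defined in Cyrus SASL's <sasl/sasl.h>,
// copied here (renamed) so the example builds without the library installed.
constexpr int kSaslOk = 0;
constexpr int kLogErr = 1, kLogFail = 2, kLogWarn = 3, kLogNote = 4,
              kLogDebug = 5, kLogTrace = 6, kLogPass = 7;

// Hypothetical stand-in for the server logger: severity 0 is always written,
// higher severities only when the configured verbosity is at least as high.
struct ServerLog {
    int verbosity = 0;
    std::vector<std::string> lines;
    void write(int severity, const std::string& text) {
        if (severity <= verbosity) lines.push_back(text);
    }
};

// Same signature as Cyrus SASL's sasl_log_t callback; `context` is the ServerLog.
int saslLogCallback(void* context, int level, const char* message) {
    auto* log = static_cast<ServerLog*>(context);
    if (log == nullptr || message == nullptr) return kSaslOk;
    int severity = 0;
    const char* tag = "";
    switch (level) {
        case kLogErr:   tag = "error";   severity = 0; break;
        case kLogFail:  tag = "failure"; severity = 0; break;  // never discarded
        case kLogWarn:  tag = "warning"; severity = 0; break;
        case kLogNote:  tag = "note";    severity = 1; break;
        case kLogDebug: tag = "debug";   severity = 2; break;
        case kLogTrace: tag = "trace";   severity = 3; break;
        case kLogPass:  // this level may include passwords: never log it
        default:        return kSaslOk;
    }
    log->write(severity, std::string("SASL ") + tag + ": " + message);
    return kSaslOk;
}

int main() {
    ServerLog log;
    // Constructed sample message, modelled on the log line in the ticket.
    saslLogCallback(&log, kLogFail, "GSSAPI Failure: gss_accept_sec_context");
    return log.lines.size() == 1 ? 0 : 1;
}
```

Dropping the password-tracing level inside the callback matters if the library's debug level is raised to the maximum, since the logger's verbosity setting alone would otherwise decide whether credentials reach the log.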
