Core Server / SERVER-14727

Details of SASL failures aren't logged

    • Type: Improvement
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 2.6.5, 2.7.6
    • Affects Version/s: None
    • Component/s: Security
    • Labels: None

When there is a GSSAPI SASL failure, the log shows an authentication failure, but doesn't show the GSSAPI major/minor codes.

2014-07-29T10:21:06.818-0500 [initandlisten] connection accepted from #5 (1 connection now open)
2014-07-29T10:21:06.830-0500 [conn5] GSSAPI authentication failed for  on $external ; AuthenticationFailed SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
2014-07-29T10:21:06.833-0500 [conn5] end connection (0 connections now open)

We set a global log callback for SASL at https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/cyrus_sasl_authentication_session.cpp#L423, but for the SASL_LOG_FAIL log level, there's a comment that says "Logged elsewhere" and we throw the log message away. Either we need to document where the log message gets logged, or we need to make sure these messages aren't thrown away.

As a side-note, we also hard-code the SASL debug level to "3" (https://github.com/10gen/mongo-enterprise-modules/blame/master/src/sasl/cyrus_sasl_authentication_session.cpp#L161). This should be configurable, or it should always set the highest level and let the normal mongod logging utilities decide whether to discard messages or not.
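The callback behaviour the two paragraphs above ask for, as an added example that is not code from mongo-enterprise-modules: a sasl_log_t-compatible callback that forwards SASL_LOG_FAIL messages to the application logger and lets a configurable verbosity, rather than a hard-coded level, decide what is dropped. The app_log struct and the forward_sasl_log name are assumptions; the SASL constants mirror the values in <sasl/sasl.h> so the file compiles without libsasl2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors of the Cyrus SASL constants in <sasl/sasl.h>, copied so the example
 * compiles without libsasl2; a real build includes the header instead. */
#define SASL_OK         0
#define SASL_BADPARAM  -7
#define SASL_LOG_ERR    1
#define SASL_LOG_FAIL   2   /* authentication failures: the level the ticket says is dropped */
#define SASL_LOG_WARN   3   /* the debug level the ticket says is hard-coded */
#define SASL_LOG_DEBUG  5
#define SASL_LOG_PASS   7   /* may contain passwords: never forward this level */

/* Hypothetical application-side logger standing in for mongod's logging utilities. */
#define MAX_MSG 256
struct app_log {
    int  verbosity;           /* highest SASL level to forward; set from configuration */
    int  forwarded;           /* messages forwarded so far */
    char last_fail[MAX_MSG];  /* most recent SASL_LOG_FAIL text, i.e. the GSSAPI reason */
};

/* sasl_log_t-compatible callback, registered with the library as
 *   sasl_callback_t cb = { SASL_CB_LOG, (int (*)(void))forward_sasl_log, &log };
 * Every level up to the configured verbosity is forwarded, SASL_LOG_FAIL included;
 * only SASL_LOG_PASS is dropped unconditionally. */
int forward_sasl_log(void *context, int level, const char *message)
{
    struct app_log *log = context;
    if (log == NULL || message == NULL) return SASL_BADPARAM;
    if (level == SASL_LOG_PASS) return SASL_OK;   /* credential material stays out of the log */
    if (level > log->verbosity) return SASL_OK;   /* the application's verbosity decides */
    if (level == SASL_LOG_FAIL)
        snprintf(log->last_fail, sizeof log->last_fail, "%s", message);
    log->forwarded++;
    fprintf(stderr, "[sasl level %d] %s\n", level, message);
    return SASL_OK;
}

int main(void)
{
    struct app_log log = { SASL_LOG_WARN, 0, "" };
    /* Constructed placeholder in the shape Cyrus SASL emits for a GSSAPI accept failure. */
    forward_sasl_log(&log, SASL_LOG_FAIL, "GSSAPI Error: <major status text> (<minor status text>)");
    forward_sasl_log(&log, SASL_LOG_DEBUG, "mech step trace");  /* above verbosity: dropped */
    return log.forwarded == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```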

Spencer Jackson
Jonathan Reams