[SERVER-12270] Make Kerberos auth error messages more verbose Created: 07/Jan/14 Updated: 08/Sep/14 Resolved: 04/Sep/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Logging, Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.7.6 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Andreas Nilsson | Assignee: | Andreas Nilsson |
| Resolution: | Done | Votes: | 0 |
| Labels: | kerberos | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Participants: |
| Description |
|
The Kerberos/SASL auth error document that is returned by the authentication command to the client should be made more verbose. One example is:
that could include the names of the two mismatching identities. |
| Comments |
| Comment by Githook User [ 04/Sep/14 ] |
|
Author: {u'name': u'Andreas Nilsson', u'email': u'agralius@gmail.com'} Message: |
| Comment by Githook User [ 04/Sep/14 ] |
|
Author: {u'name': u'Andreas Nilsson', u'email': u'agralius@gmail.com'} Message: |
| Comment by Andy Schwerin [ 15/Jan/14 ] |
|
When we log the requested and authenticated user names, we should make sure to escape the strings, so non-printing characters show up. |
| Comment by Andy Schwerin [ 15/Jan/14 ] |
|
This keeps coming up in support. We need to at least fix the Requested identity log message for 2.6. |
| Comment by Andy Schwerin [ 08/Jan/14 ] |
|
This is about returning more information to the client, not logging. It would be nice to tell the client "you authenticated as bob@REALM1, but asked to be bob@OTHERREALM". |
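An added example, not MongoDB's code and not part of the ticket: one way to build the mismatch message described in the comments above while escaping non-printing bytes in both names. `escapeIdentity` and `describeIdentityMismatch` are hypothetical names, the sample identities are constructed, and the byte-for-byte comparison is an assumption.

```cpp
#include <cstdio>
#include <iostream>
#include <string>

// Hypothetical helper: render an untrusted identity string so that every byte
// outside printable ASCII, plus quote and backslash, is visible and cannot
// start a new log line or hide inside the message.
std::string escapeIdentity(const std::string& raw) {
    std::string out;
    out.reserve(raw.size());
    for (unsigned char c : raw) {
        switch (c) {
            case '\\': out += "\\\\"; break;
            case '"':  out += "\\\""; break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            case '\t': out += "\\t";  break;
            default:
                if (c >= 0x20 && c < 0x7f) {
                    out += static_cast<char>(c);
                } else {
                    char buf[5];  // "\xNN" plus terminating NUL
                    std::snprintf(buf, sizeof buf, "\\x%02x", static_cast<unsigned>(c));
                    out += buf;
                }
        }
    }
    return out;
}

// Hypothetical helper: returns an empty string when the two identities are
// byte-for-byte equal (assumed comparison rule), otherwise a message that
// names both identities in escaped form.
std::string describeIdentityMismatch(const std::string& authenticated,
                                     const std::string& requested) {
    if (authenticated == requested) return "";
    return "authenticated as \"" + escapeIdentity(authenticated) +
           "\", but requested identity was \"" + escapeIdentity(requested) + "\"";
}

int main() {
    // Constructed sample identities, not taken from any real deployment.
    std::cout << describeIdentityMismatch("bob@REALM1", "bob@OTHERREALM") << "\n";
    std::cout << describeIdentityMismatch("bob@REALM1", std::string("bob@REALM1\0", 11)) << "\n";
    std::cout << describeIdentityMismatch("bob@REALM1", "bob@REALM1\nfake entry") << "\n";
}
```

The second and third samples look identical to the authenticated name in an unescaped log; the escaped form shows the trailing NUL byte and the embedded newline.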
| Comment by Spencer Brody (Inactive) [ 08/Jan/14 ] |
|
The Linux messages should probably contain the same info as the Windows ones. |
| Comment by Andreas Nilsson [ 08/Jan/14 ] |
|
Interesting, schwerin, should we close this then? |
| Comment by Eric Milkie [ 08/Jan/14 ] |
|
The LOG(2) lines in mongo_sspi.cpp show all the names that we have, both authenticated and requested. |
| Comment by Andreas Nilsson [ 08/Jan/14 ] |
|
Where does that output come from, the actual SASL library? I've seen nothing in the server code outputting that. |
| Comment by Eric Milkie [ 08/Jan/14 ] |
|
At least in the Windows version of the SASL server, you can already raise the verbosity level to see the identity strings. |