[SERVER-14727] Details of SASL failures aren't logged
Created: 30/Jul/14  Updated: 11/Jul/16  Resolved: 02/Sep/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.6.5, 2.7.6

Type: Improvement Priority: Major - P3
Reporter: Jonathan Reams Assignee: Spencer Jackson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When there is a GSSAPI SASL failure, the log shows an authentication failure, but doesn't show the GSSAPI major/minor codes.

2014-07-29T10:21:06.818-0500 [initandlisten] connection accepted from 10.1.2.3:46996 #5 (1 connection now open)
2014-07-29T10:21:06.830-0500 [conn5] GSSAPI authentication failed for  on $external ; AuthenticationFailed SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
2014-07-29T10:21:06.833-0500 [conn5] end connection 10.1.2.3:46996 (0 connections now open)

We set a global log callback for SASL at https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/cyrus_sasl_authentication_session.cpp#L423, but for the SASL_LOG_FAIL log level, there's a comment that says " Logged elsewhere" and we throw the log message away. Either we need to document where the log message gets logged, or we need to make sure these messages aren't thrown away.

As a side-note, we also hard-code the SASL debug level to "3" (https://github.com/10gen/mongo-enterprise-modules/blame/master/src/sasl/cyrus_sasl_authentication_session.cpp#L161). This should be configurable, or it should always set the highest level and let the normal mongod logging utilities decide whether to discard messages or not.
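
Added example, not part of the original ticket and not the mongo-enterprise-modules code: a log callback with the same shape as Cyrus SASL's sasl_log_t that forwards SASL_LOG_FAIL instead of discarding it and leaves filtering to the server logger's verbosity, as the description proposes. The server_log struct, the function names and the verbosity mapping are assumptions made for illustration; the level constants repeat the values in <sasl/sasl.h> so the block builds without the library.

```c
#include <stdio.h>
#include <string.h>

/* Values mirror Cyrus SASL's <sasl/sasl.h>, repeated so this builds without it. */
enum { SASL_OK = 0 };
enum { SASL_LOG_NONE, SASL_LOG_ERR, SASL_LOG_FAIL, SASL_LOG_WARN,
       SASL_LOG_NOTE, SASL_LOG_DEBUG, SASL_LOG_TRACE, SASL_LOG_PASS };

/* Hypothetical stand-in for the server's logger (not mongod code). */
struct server_log {
    int verbosity;    /* 0 = default; higher values admit more detail */
    int lines;        /* number of lines emitted so far */
    char last[256];   /* most recent line, kept for inspection */
};

/* Minimum verbosity at which a SASL level is emitted; -1 means never. */
static int required_verbosity(int sasl_level) {
    switch (sasl_level) {
    case SASL_LOG_ERR:
    case SASL_LOG_FAIL:              /* authentication failures: always kept */
    case SASL_LOG_WARN:  return 0;
    case SASL_LOG_NOTE:  return 1;
    case SASL_LOG_DEBUG: return 2;
    case SASL_LOG_TRACE: return 3;
    default:             return -1;  /* NONE, and PASS (traces may include passwords) */
    }
}

/* Same signature as a sasl_log_t callback: (context, level, message). */
int sasl_log_to_server(void *context, int level, const char *message) {
    struct server_log *log = context;
    int need = required_verbosity(level);
    if (log == NULL || message == NULL || need < 0 || log->verbosity < need)
        return SASL_OK;   /* dropped by logger policy, never just because it is FAIL */
    snprintf(log->last, sizeof log->last, "SASL (level %d): %s", level, message);
    log->lines++;
    fprintf(stderr, "%s\n", log->last);
    return SASL_OK;
}

int main(void) {
    struct server_log log = { 0, 0, "" };
    /* Constructed messages; the first is modelled on the ticket's log excerpt. */
    sasl_log_to_server(&log, SASL_LOG_FAIL, "GSSAPI Failure: gss_accept_sec_context");
    sasl_log_to_server(&log, SASL_LOG_PASS, "constructed secret-bearing trace");
    return log.lines == 1 ? 0 : 1;
}
```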



 Comments   
Comment by Githook User [ 16/Sep/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-14727: Log SASL failures

(cherry picked from commit ed08a14)
Branch: v2.6
https://github.com/10gen/mongo-enterprise-modules/commit/aa46852a58be50eec4f128977c640c43d522bddb

Comment by Githook User [ 22/Aug/14 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com>

Message: SERVER-14727 Log SASL failures

Closes #19

Signed-off-by: Benety Goh <benety@mongodb.com>
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/ed08a14a0781d3a1224436e36ffed689a1f570d8
