[SERVER-14727] Details of SASL failures aren't logged Created: 30/Jul/14 Updated: 11/Jul/16 Resolved: 02/Sep/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.6.5, 2.7.6 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Jonathan Reams | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
When there is a GSSAPI SASL failure, the log shows an authentication failure, but doesn't show the GSSAPI major/minor codes.
We set a global log callback for SASL at https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/cyrus_sasl_authentication_session.cpp#L423, but for the SASL_LOG_FAIL log level, there's a comment that says "Logged elsewhere" and we throw the log message away. Either we need to document where the log message gets logged, or we need to make sure these messages aren't thrown away.

As a side note, we also hard-code the SASL debug level to "3" (https://github.com/10gen/mongo-enterprise-modules/blame/master/src/sasl/cyrus_sasl_authentication_session.cpp#L161). This should be configurable, or it should always set the highest level and let the normal mongod logging utilities decide whether to discard messages or not. |
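The second option in the description, as an added example that is not MongoDB's code: a callback with Cyrus SASL's `sasl_log_t` signature that keeps `SASL_LOG_FAIL` messages and leaves filtering to the server logger, while still dropping `SASL_LOG_PASS`, which `sasl.h` documents as possibly containing passwords. `ServerLog`, `severityFor`, `replaySample` and the level mapping are assumptions made for illustration; the `SASL_*` values are repeated from `sasl.h` so the block builds without the library.

```cpp
#include <string>
#include <vector>

// Values as defined in Cyrus SASL's <sasl/sasl.h>, repeated here so the
// example builds without the library installed.
enum { SASL_OK = 0 };
enum { SASL_LOG_NONE = 0, SASL_LOG_ERR, SASL_LOG_FAIL, SASL_LOG_WARN,
       SASL_LOG_NOTE, SASL_LOG_DEBUG, SASL_LOG_TRACE, SASL_LOG_PASS };

// Hypothetical stand-in for the server's logger: severity 0 is always
// written, higher values are debug levels the operator can enable.
struct LogLine { int severity; std::string text; };
struct ServerLog {
    int verbosity = 0;
    std::vector<LogLine> lines;
    void write(int severity, const std::string& text) {
        if (severity <= verbosity) lines.push_back({severity, text});
    }
};

// Map a SASL level to a server severity, or -1 to drop the message.
int severityFor(int saslLevel) {
    switch (saslLevel) {
        case SASL_LOG_ERR:
        case SASL_LOG_FAIL:  // authentication failures: always keep
        case SASL_LOG_WARN:  return 0;
        case SASL_LOG_NOTE:  return 1;
        case SASL_LOG_DEBUG: return 2;
        case SASL_LOG_TRACE: return 3;
        default:             return -1;  // SASL_LOG_NONE, SASL_LOG_PASS (may hold passwords)
    }
}

// Same signature as sasl_log_t; context is the ServerLog given at registration.
int saslLogCallback(void* context, int level, const char* message) {
    int severity = severityFor(level);
    if (severity >= 0 && context && message)
        static_cast<ServerLog*>(context)->write(severity, std::string("SASL: ") + message);
    return SASL_OK;
}

// Constructed sample messages standing in for a failed GSSAPI exchange.
ServerLog replaySample(int verbosity) {
    ServerLog log;
    log.verbosity = verbosity;
    saslLogCallback(&log, SASL_LOG_FAIL, "GSSAPI Error: Unspecified GSS failure (constructed sample)");
    saslLogCallback(&log, SASL_LOG_DEBUG, "constructed debug message");
    saslLogCallback(&log, SASL_LOG_PASS, "constructed trace containing a secret");
    return log;
}
```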
| Comments |
| Comment by Githook User [ 16/Sep/14 ] |
|
Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>
Message: (cherry picked from commit ed08a14) |
| Comment by Githook User [ 22/Aug/14 ] |
|
Author: Spencer Jackson <spencer.jackson@mongodb.com>
Message: Closes #19
Signed-off-by: Benety Goh <benety@mongodb.com> |