ZOOKEEPER-2649 - Add more session and authentication information to S…

[Ghatage]

…ASL success and failure logs.

Another one from the backlogs - created in 2016, no activity since 6 months.

JIRA: https://issues.apache.org/jira/browse/ZOOKEEPER-2649

cc @eolivelli

[Ghatage]

Needs more work, nvm. Will close, rework and open a new PR later.

[ztzg]

+1.

I'd like to have this in the tree, and was about to submit a patch with something like this.

(Arguably, it'd be sufficient to augment logging here and not on the other path of ZooKeeperServer, as the "pluggable" authentication providers can and should do their own, "domain-specific," logging.)

@Ghatage: are you planning to give this another go?

[ztzg]

This is the "traditional" authentication path, used by providers others than SASL. Unless I am missing something, saslServer is likely to be NULL here.

(I suppose this is the reason for your "Needs more work" comment.)

[Ghatage]

That's right @ztzg.
I was just helping clear out the backlog when I took this up but I think I'll need to add in more code so took a breather on this.
I would still like to give it a shot till the weekend if you don't mind. Will tag you for updated codes' review :)

[ztzg]

Sure; no hurry/pressure. Was just checking as I was working in the same area…

[Ghatage]

@ztzg I added some code to protect the use of sasl in the log statement only if its not null.
Not sure if that is sufficient / appropriate.. please advise!

[ztzg]

Hi @Ghatage,

No, I don't think that's what we want—sorry for not being clearer in my previous comment.

This is the code path where "traditional" auth packets are being handled. While it is technically possible to send a sasl auth packet to a server, the handleAuthentication method of SASLAuthenticationProvider always returns AUTHFAILED. So you'll never enter that block in response to SASL auth.

Now, while I think it would be good to add at least the sessionId and scheme to that message, adding the "user name" corresponding to a traditional AuthenticationProvider is quite a bit more complicated—and doing it "very cleanly" would arguably require incompatible infrastructure changes.

(For example, DigestAuthenticationProvider can add up to two Ids to a connection, and the existing interface does not allow it to return them; you'd have to "diff" the before and after Id sets to know what has changed.)

So I'm not sure it's worth the effort, given that everybody is moving towards SASL and/or X509 anyway. And even if one wants to keep using a traditional provider, it is usually more useful to let it do its own (domain-specific) logging.

In conclusion: I'd just add the sessionId and scheme there, and ignore the actual Id(s).

Hope this helps, -D

Cc: @eolivelli & @symat.

[symat]

In conclusion: I'd just add the sessionId and scheme there, and ignore the actual Id(s).

make sense to me.
(for SASL I think we already have log outputs about the authenticated principal names)

[Ghatage]

Thank you for the detailed explanation, @ztzg!
I've made the recommended changes, PTAL and let me know if that's appropriate.

cc @eolivelli, @symat

[ztzg]

Almost… but I'm afraid you still have a leftover saslServer variable here :)

[Ghatage]

Sorry about that! Fixed it now.

[ztzg]

No problem! LGTM.

[Ghatage]

@eolivelli @symat PTAL

[eolivelli]

LGTM

[symat]

LGTM, +1

[ztzg]

Merged into master. Thank you for this and #1497, @Ghatage!

[Ghatage]

Thanks for the guidance and accepting my contributions @ztzg and @symat.
I absolutely love the project and hope to make more contributions going forward!