ftp: add user to access log

Unlike the SRM access log, the FTP access log currently does not identify the user when logging a response. This patch adds support for logging the user's identity. Identifying the user is delegated to the concrete subclass. The GSI FTP door logs the user's DN in a 'dn' attribute; the Kerberos FTP door logs the user's 'kerberos' principal as a kerberos attribute, and the weak FTP door logs the user's display name as the 'user' attribute. Target: master Patch: https://rb.dcache.org/r/7612/ Acked-by: Gerd Behrmann Acked-by: Albert Rossi Requires-notes: yes Requires-book: yes Request: 2.11 Request: 2.10
dCache · Jan 28, 2015 · e128bd2 · e128bd2
1 parent f435c15
commit e128bd2
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 0 deletions.
diff --git a/modules/common/src/main/java/org/dcache/auth/Subjects.java b/modules/common/src/main/java/org/dcache/auth/Subjects.java
@@ -320,6 +320,20 @@ public static String getDisplayName(Subject subject)
         return UNKNOWN;
     }
 
+    /**
+     * Returns the "Kerberos principal" for the user (as specified in
+     * Section 2.1 of RFC 1964) if they logged in via Kerberos or null if
+     * Kerberos was not used.
+     * @throws IllegalArgumentException if the subject contains multiple
+     * KerberosPrincipal.
+     */
+    public static String getKerberosName(Subject subject) throws IllegalArgumentException
+    {
+        KerberosPrincipal principal =
+                getUniquePrincipal(subject, KerberosPrincipal.class);
+        return (principal == null) ? null : principal.getName();
+    }
+
     /**
      * Maps a UserAuthBase to a Subject.  The Subject will contain the
      * UID (UidPrincipal), GID (GidPrincipal), user name

diff --git a/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/AbstractFtpDoorV1.java b/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/AbstractFtpDoorV1.java
@@ -1714,6 +1714,7 @@ private void logReply(String commandLine, String response)
 
             NetLoggerBuilder log = new NetLoggerBuilder(INFO, event).omitNullValues();
             log.add("host.remote", _remoteSocketAddress);
+            addUserAttribute(log);
             log.add("session", CDC.getSession());
             log.addInQuotes("command", commandLine);
             log.addInQuotes("reply", response);
@@ -1735,6 +1736,11 @@ protected void reply(String commandLine, String answer)
 
     protected abstract void secure_reply(String answer, String code);
 
+    /**
+     * Add the user identification to the logger.
+     */
+    protected abstract void addUserAttribute(NetLoggerBuilder log);
+
     protected void checkLoggedIn()
         throws FTPCommandException
     {

diff --git a/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/GsiFtpDoorV1.java b/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/GsiFtpDoorV1.java
@@ -33,6 +33,7 @@
 import org.dcache.gplazma.AuthenticationException;
 import org.dcache.util.CertificateFactories;
 import org.dcache.util.Crypto;
+import org.dcache.util.NetLoggerBuilder;
 
 import static java.util.Arrays.asList;
 
@@ -175,4 +176,15 @@ public void ftp_user(String arg)
             reply("530 Login failed: " + e.getMessage());
         }
     }
+
+    @Override
+    public void addUserAttribute(NetLoggerBuilder log)
+    {
+        try {
+            log.add("dn", Subjects.getDn(_subject));
+        } catch (IllegalArgumentException e) {
+            LOGGER.warn("Unable add user {} to access log: {}",
+                    Subjects.getDisplayName(_subject), e.getMessage());
+        }
+    }
 }
diff --git a/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/KerberosFtpDoorV1.java b/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/KerberosFtpDoorV1.java
@@ -24,6 +24,7 @@
 import org.dcache.auth.LoginNamePrincipal;
 import org.dcache.auth.Subjects;
 import org.dcache.cells.Option;
+import org.dcache.util.NetLoggerBuilder;
 
 /**
  *
@@ -155,4 +156,15 @@ public void ftp_user(String arg)
             reply("530 Login failed: " + e.getMessage());
         }
     }
+
+    @Override
+    public void addUserAttribute(NetLoggerBuilder log)
+    {
+        try {
+            log.add("kerberos", Subjects.getKerberosName(_subject));
+        } catch (IllegalArgumentException e) {
+            LOGGER.warn("Unable add user {} to access log: {}",
+                    Subjects.getDisplayName(_subject), e.getMessage());
+        }
+    }
 }
diff --git a/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/WeakFtpDoorV1.java b/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/WeakFtpDoorV1.java
@@ -15,6 +15,7 @@
 
 import org.dcache.auth.PasswordCredential;
 import org.dcache.auth.Subjects;
+import org.dcache.util.NetLoggerBuilder;
 
 /**
  *
@@ -96,4 +97,12 @@ public void startTlog(FTPTransactionLog tlog, String path, String action) {
             }
         }
     }
+
+    @Override
+    public void addUserAttribute(NetLoggerBuilder log)
+    {
+        if (_subject != null) {
+            log.add("user", Subjects.getDisplayName(_subject));
+        }
+    }
 }