Changed the realm authentication failure logging

Now it logs the failure on debug and on trace it also logs the full stack trace. There's no point in logging it on info as a lot of the failures that will be logged are just fine (e.g. esusers will fail to authenticate and log the failure, but LDAP will succeed). This logging should only be applied for debugging purposes... for normal logging we have the audit logs While at it, also cleaned up the Ldap realm code... change java.lang.SecurityException to shield's LdapException Closes elastic/elasticsearch#281 Original commit: elastic/x-pack-elasticsearch@d5f0ad2efb
2014-10-29 01:31:13 +01:00 · 2014-10-29 01:31:13 +01:00 · df3956fafe
parent c5cbd58909
commit df3956fafe
7 changed files with 16 additions and 6 deletions
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapConnection.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapConnection.java
@ -90,7 +90,7 @@ public class LdapConnection implements Closeable {
                groups.add(results.next().getNameInNamespace());
            }
        } catch (NamingException e) {
-            throw new SecurityException("Could not search for an LDAP group for user [" + userDn + "]", e);
+            throw new LdapException("Could not search for an LDAP group for user [" + userDn + "]", e);
        }
        return groups;
    }
@ -116,7 +116,7 @@ public class LdapConnection implements Closeable {
                }
            }
        } catch (NamingException e) {
-            throw new SecurityException("Could not look up group attributes for user [" + userDn + "]", e);
+            throw new LdapException("Could not look up group attributes for user [" + userDn + "]", e);
        }
        return groupDns;
    }
@ -142,7 +142,7 @@ public class LdapConnection implements Closeable {
                userAttrs.put(attr.getID(), attrArray);
            }
        } catch (NamingException e) {
-            throw new SecurityException("Could not look up attributes for user [" + userDn + "]", e);
+            throw new LdapException("Could not look up attributes for user [" + userDn + "]", e);
        }
        return userAttrs;
    }
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapException.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapException.java
@ -10,6 +10,7 @@ package org.elasticsearch.shield.authc.ldap;
 * parameter of DN attached to each message.
 */
 public class LdapException extends SecurityException {
    public LdapException(String msg){
        super(msg);
    }
@ -17,6 +18,7 @@ public class LdapException extends SecurityException {
    public LdapException(String msg, Throwable cause){
        super(msg, cause);
    }
    public LdapException(String msg, String dn) {
        this(msg, dn, null);
    }
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapGroupToRoleMapper.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapGroupToRoleMapper.java
@ -115,7 +115,7 @@ public class LdapGroupToRoleMapper extends AbstractComponent {
     * This will map the groupDN's to ES Roles
     */
    public Set<String> mapRoles(List<String> groupDns) {
-        Set<String>roles = new HashSet<>();
+        Set<String> roles = new HashSet<>();
        for(String groupDn: groupDns){
            LdapName groupLdapName = LdapUtils.ldapName(groupDn);
            if (this.groupRoles.containsKey(groupLdapName)) {
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapModule.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapModule.java
@ -17,6 +17,7 @@ import static org.elasticsearch.common.inject.name.Names.named;
 * Configures Ldap object injections
 */
 public class LdapModule extends AbstractShieldModule.Node {
    private final boolean enabled;
    public LdapModule(Settings settings) {
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapRealm.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapRealm.java
@ -64,7 +64,9 @@ public class LdapRealm extends CachingUsernamePasswordRealm implements Realm<Use
            Set<String> roles = roleMapper.mapRoles(groupDNs);
            return new User.Simple(token.principal(), roles.toArray(new String[roles.size()]));
        } catch (ShieldException e){
-            logger.info("Authentication Failed for user [{}]", e, token.principal());
+            if (logger.isDebugEnabled()) {
                logger.debug("Authentication Failed for user [{}]", e, token.principal());
            }
            return null;
        }
    }
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/StandardLdapConnectionFactory.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/StandardLdapConnectionFactory.java
@ -29,6 +29,7 @@ import java.util.Hashtable;
 * for each user context would need to be supplied.
 */
 public class StandardLdapConnectionFactory extends AbstractComponent implements LdapConnectionFactory {
    public static final String USER_DN_TEMPLATES_SETTING = "user_dn_templates";
    public static final String GROUP_SEARCH_SUBTREE_SETTING = "group_search.subtree_search";
    public static final String GROUP_SEARCH_BASEDN_SETTING = "group_search.group_search_dn";
--- a/src/main/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealm.java
+++ b/src/main/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealm.java
@ -110,7 +110,11 @@ public abstract class CachingUsernamePasswordRealm extends AbstractComponent imp
            return userWithHash.user;
        } catch (ExecutionException | UncheckedExecutionException ee) {
-            logger.warn("Could not authenticate [" + token.principal() + "]", ee);
+            if (logger.isTraceEnabled()) {
                logger.trace("Realm [" + type() + "] could not authenticate [" + token.principal() + "]", ee);
            } else if (logger.isDebugEnabled()) {
                logger.debug("Realm [" + type() + "] could not authenticate [" + token.principal() + "]");
            }
            return null;
        }
    }