Changed the realm authentication failure logging

Now it logs the failure at debug level, and at trace level it also logs the full stack trace. There's no point in logging it at info level, as many of the failures that will be logged are expected (e.g. esusers will fail to authenticate and log the failure, but LDAP will succeed). This logging should only be used for debugging purposes; for normal logging we have the audit logs.

While at it, also cleaned up the Ldap realm code... change java.lang.SecurityException to shield's LdapException

Closes elastic/elasticsearch#281

Original commit: elastic/x-pack-elasticsearch@d5f0ad2efb
uboness 2014-10-29 01:31:13 +01:00
parent c5cbd58909
commit df3956fafe
7 changed files with 16 additions and 6 deletions


@ -90,7 +90,7 @@ public class LdapConnection implements Closeable {
groups.add(results.next().getNameInNamespace());
}
} catch (NamingException e) {
throw new SecurityException("Could not search for an LDAP group for user [" + userDn + "]", e);
throw new LdapException("Could not search for an LDAP group for user [" + userDn + "]", e);
}
return groups;
}
@ -116,7 +116,7 @@ public class LdapConnection implements Closeable {
}
}
} catch (NamingException e) {
throw new SecurityException("Could not look up group attributes for user [" + userDn + "]", e);
throw new LdapException("Could not look up group attributes for user [" + userDn + "]", e);
}
return groupDns;
}
@ -142,7 +142,7 @@ public class LdapConnection implements Closeable {
userAttrs.put(attr.getID(), attrArray);
}
} catch (NamingException e) {
throw new SecurityException("Could not look up attributes for user [" + userDn + "]", e);
throw new LdapException("Could not look up attributes for user [" + userDn + "]", e);
}
return userAttrs;
}
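Review bot: The three rethrows now construct `LdapException` with the `(msg, cause)` overload and embed `userDn` only in the message text, while the `LdapException` section of this commit shows a `(msg, dn)` constructor delegating to `this(msg, dn, null)`, which suggests a `(msg, dn, cause)` overload exists. If that overload takes the cause as its third argument, `throw new LdapException("Could not search for an LDAP group for user", userDn, e);` would keep the DN available as structured data to callers instead of only in the message, and the same applies to the two later hunks in this file. The enclosing methods start outside the visible hunks, so I cannot confirm how the DN is otherwise exposed.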


@ -10,6 +10,7 @@ package org.elasticsearch.shield.authc.ldap;
* parameter of DN attached to each message.
*/
public class LdapException extends SecurityException {
public LdapException(String msg){
super(msg);
}
@ -17,6 +18,7 @@ public class LdapException extends SecurityException {
public LdapException(String msg, Throwable cause){
super(msg, cause);
}
public LdapException(String msg, String dn) {
this(msg, dn, null);
}


@ -115,7 +115,7 @@ public class LdapGroupToRoleMapper extends AbstractComponent {
* This will map the groupDN's to ES Roles
*/
public Set<String> mapRoles(List<String> groupDns) {
Set<String>roles = new HashSet<>();
Set<String> roles = new HashSet<>();
for(String groupDn: groupDns){
LdapName groupLdapName = LdapUtils.ldapName(groupDn);
if (this.groupRoles.containsKey(groupLdapName)) {


@ -17,6 +17,7 @@ import static org.elasticsearch.common.inject.name.Names.named;
* Configures Ldap object injections
*/
public class LdapModule extends AbstractShieldModule.Node {
private final boolean enabled;
public LdapModule(Settings settings) {


@ -64,7 +64,9 @@ public class LdapRealm extends CachingUsernamePasswordRealm implements Realm<Use
Set<String> roles = roleMapper.mapRoles(groupDNs);
return new User.Simple(token.principal(), roles.toArray(new String[roles.size()]));
} catch (ShieldException e){
logger.info("Authentication Failed for user [{}]", e, token.principal());
if (logger.isDebugEnabled()) {
logger.debug("Authentication Failed for user [{}]", e, token.principal());
}
return null;
}
}
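Review bot: The new debug call still passes `e` as the throwable argument, so the full stack trace is emitted at debug level, which contradicts both the commit description (stack trace only at trace) and the `CachingUsernamePasswordRealm` hunk in this same commit, where debug logs only the message and trace adds the exception. Mirroring that structure here keeps the two realms consistent: a trace branch that includes `e` and a debug branch that logs only the principal. The enclosing method starts outside the hunk.
```java
} catch (ShieldException e){
    if (logger.isTraceEnabled()) {
        logger.trace("Authentication Failed for user [{}]", e, token.principal());
    } else if (logger.isDebugEnabled()) {
        logger.debug("Authentication Failed for user [{}]", token.principal());
    }
    return null;
}
```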


@ -29,6 +29,7 @@ import java.util.Hashtable;
* for each user context would need to be supplied.
*/
public class StandardLdapConnectionFactory extends AbstractComponent implements LdapConnectionFactory {
public static final String USER_DN_TEMPLATES_SETTING = "user_dn_templates";
public static final String GROUP_SEARCH_SUBTREE_SETTING = "group_search.subtree_search";
public static final String GROUP_SEARCH_BASEDN_SETTING = "group_search.group_search_dn";


@ -110,7 +110,11 @@ public abstract class CachingUsernamePasswordRealm extends AbstractComponent imp
return userWithHash.user;
} catch (ExecutionException | UncheckedExecutionException ee) {
logger.warn("Could not authenticate [" + token.principal() + "]", ee);
if (logger.isTraceEnabled()) {
logger.trace("Realm [" + type() + "] could not authenticate [" + token.principal() + "]", ee);
} else if (logger.isDebugEnabled()) {
logger.debug("Realm [" + type() + "] could not authenticate [" + token.principal() + "]");
}
return null;
}
}
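Review bot: The debug branch drops `ee` entirely, so at debug level the log records that the realm failed but not why; the reason lives only in the wrapped exception, and an operator enabling debug to diagnose a failing realm will have to go to trace to see it. Appending the message keeps debug output stack-trace-free while still naming the cause, and using the parameterized form matches the `LdapRealm` hunk in this commit. Note also that `ExecutionException`/`UncheckedExecutionException` wrap whatever the cache loader throws, which presumably includes infrastructure failures (e.g. directory unreachable) as well as plain bad credentials; downgrading all of them from warn to debug means such failures are no longer visible at the default log level, and the audit log will record only an authentication failure rather than its cause. The enclosing method starts outside the hunk.
```java
} catch (ExecutionException | UncheckedExecutionException ee) {
    if (logger.isTraceEnabled()) {
        logger.trace("Realm [{}] could not authenticate [{}]", ee, type(), token.principal());
    } else if (logger.isDebugEnabled()) {
        logger.debug("Realm [{}] could not authenticate [{}]: {}", type(), token.principal(), ee.getMessage());
    }
    return null;
}
```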