
Commit 7b44fd8

committed
auth SASL: better server-side log handling
* use gflog_notice() instead of gflog_error() to suppress alerts by gfarm-zabbix * return a communication error instead of GFARM_ERR_AUTHENTICATION in case of gfp_xdr_send() failure. this does not change its behavior, but only detects communication errors earlier. * suppress some useless gflog_debug() in case of GFARM_ERR_NO_ERROR * log "skip SASL authentication" when next authentication method is attempted, from @otatebe san
1 parent dcc52a5 commit 7b44fd8

1 file changed

+64
-42
lines changed


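--- a/lib/libgfarm/gfarm/auth_server_sasl.c
+++ b/lib/libgfarm/gfarm/auth_server_sasl.c
@@ -94,7 +94,8 @@ gfarm_authorize_sasl_common(struct gfp_xdr *conn,
 if (result != GFARM_ERR_NO_ERROR) {
 /* server cert is invalid? raise alert */
 gflog_warning(GFARM_MSG_1005354,
-"%s: does not accept my certificate: %s",
+"%s: does not accept my certificate: %s, "
+"skip SASL authentication",
 hostname, gfarm_error_string(result));
 gfp_xdr_tls_reset(conn); /* XXX this is NOT graceful for now */
 return (GFARM_ERR_AUTHENTICATION);
@@ -111,7 +112,9 @@ gfarm_authorize_sasl_common(struct gfp_xdr *conn,
 
 if (r != SASL_OK) {
 sasl_conn = NULL;
-gflog_notice(GFARM_MSG_UNFIXED, "%s: sasl_server_new(): %s",
+gflog_notice(GFARM_MSG_UNFIXED,
+"%s: sasl_server_new() faild: %s, "
+"skip SASL authentication",
 hostname, sasl_errstring(r, NULL, NULL));
 data = ""; /* mechanism_candidates == "" means error */
 len = 0;
@@ -120,13 +123,15 @@ gfarm_authorize_sasl_common(struct gfp_xdr *conn,
 len = strlen(data);
 if (data[0] == '\0')
 gflog_notice(GFARM_MSG_UNFIXED,
-"%s: no sasl mechanism candidate", hostname);
+"%s: no sasl mechanism candidate, "
+"skip SASL authentication", hostname);
 } else {
 r = sasl_listmech(sasl_conn, NULL, NULL, " ", NULL,
 &data, &len, &count);
 if (r != SASL_OK) {
-gflog_error(GFARM_MSG_UNFIXED,
-"%s: sasl_listmech(): %s",
+gflog_notice(GFARM_MSG_UNFIXED,
+"%s: sasl_listmech() failed: %s, "
+"skip SASL authentication",
 hostname, sasl_errstring(r, NULL, NULL));
 data = ""; /* mechanism_candidates == "" means error */
 len = 0;
@@ -145,13 +150,13 @@ gfarm_authorize_sasl_common(struct gfp_xdr *conn,
 sasl_dispose(&sasl_conn);
 gfp_xdr_tls_reset(conn);
 if (data == NULL) {
-gflog_error(GFARM_MSG_UNFIXED,
+gflog_notice(GFARM_MSG_UNFIXED,
 "%s: %s: sasl_listmech(): no memory?",
 diag, hostname);
 return (GFARM_ERR_NO_MEMORY);
 }
 /* a gflog message was already recorded in previous clause */
-return (GFARM_ERR_AUTHENTICATION);
+return (e != GFARM_ERR_NO_ERROR ? e : GFARM_ERR_AUTHENTICATION);
 }
 gflog_auth_info(GFARM_MSG_UNFIXED,
 "SASL: %s: propose mechanisms <%s>", hostname, data);
@@ -189,8 +194,9 @@ gfarm_authorize_sasl_common(struct gfp_xdr *conn,
 "%s: %s: unexpected EOF", diag, hostname);
 } else {
 e = GFARM_ERR_AUTHENTICATION;
-gflog_auth_error(GFARM_MSG_UNFIXED,
-"%s: SASL mechanism unmatch", hostname);
+gflog_auth_notice(GFARM_MSG_UNFIXED,
+"%s: SASL mechanism mismatch, "
+"skip SASL authentication", hostname);
 }
 sasl_dispose(&sasl_conn);
 gfp_xdr_tls_reset(conn);
@@ -224,21 +230,24 @@ gfarm_authorize_sasl_common(struct gfp_xdr *conn,
 
 if (gfarm_ctxp->sasl_mechanisms != NULL &&
 strcasecmp(chosen_mechanism, gfarm_ctxp->sasl_mechanisms) != 0) {
-gflog_error(GFARM_MSG_1005358,
-"%s: SASL mechanism does not match. \"%s\" vs \"%s\"",
+gflog_info(GFARM_MSG_1005358,
+"%s: SASL mechanism does not match. \"%s\" vs \"%s\""
+"skip SASL authentication",
 hostname, gfarm_ctxp->sasl_mechanisms, chosen_mechanism);
 /* XXX FIXME is this graceful? */
 e = gfp_xdr_send(conn, "i",
 (gfarm_int32_t)GFARM_AUTH_SASL_STEP_ERROR);
 if (e == GFARM_ERR_NO_ERROR)
 e = gfp_xdr_flush(conn);
-gflog_debug(GFARM_MSG_UNFIXED, "%s: %s: gfp_xdr_send: %s",
-diag, hostname, gfarm_error_string(e));
+if (e != GFARM_ERR_NO_ERROR)
+gflog_debug(GFARM_MSG_UNFIXED,
+"%s: %s: gfp_xdr_send: %s",
+diag, hostname, gfarm_error_string(e));
 free(response);
 free(chosen_mechanism);
 sasl_dispose(&sasl_conn);
 gfp_xdr_tls_reset(conn); /* is this case graceful? */
-return (GFARM_ERR_AUTHENTICATION);
+return (e != GFARM_ERR_NO_ERROR ? e : GFARM_ERR_AUTHENTICATION);
 }
 
 data = NULL;
@@ -250,18 +259,21 @@ gfarm_authorize_sasl_common(struct gfp_xdr *conn,
 free(chosen_mechanism);
 chosen_mechanism = response = NULL;
 if (r != SASL_OK && r != SASL_CONTINUE) {
-gflog_error(GFARM_MSG_1005359,
-"%s: SASL negotiation: %s", hostname,
+gflog_notice(GFARM_MSG_1005359,
+"%s: SASL negotiation: %s, "
+"skip SASL authentication", hostname,
 sasl_errstring(r, NULL, NULL));
 e = gfp_xdr_send(conn, "i",
 (gfarm_int32_t)GFARM_AUTH_SASL_STEP_ERROR);
 if (e == GFARM_ERR_NO_ERROR)
 e = gfp_xdr_flush(conn);
-gflog_debug(GFARM_MSG_UNFIXED, "%s: %s: gfp_xdr_send: %s",
-diag, hostname, gfarm_error_string(e));
+if (e != GFARM_ERR_NO_ERROR)
+gflog_debug(GFARM_MSG_UNFIXED,
+"%s: %s: gfp_xdr_send: %s",
+diag, hostname, gfarm_error_string(e));
 sasl_dispose(&sasl_conn);
 gfp_xdr_tls_reset(conn); /* is this case graceful? */
-return (GFARM_ERR_AUTHENTICATION);
+return (e != GFARM_ERR_NO_ERROR ? e : GFARM_ERR_AUTHENTICATION);
 }
 
 while (r == SASL_CONTINUE) {
@@ -302,71 +314,81 @@ gfarm_authorize_sasl_common(struct gfp_xdr *conn,
 free(response);
 response = NULL;
 if (r != SASL_OK && r != SASL_CONTINUE) {
-gflog_error(GFARM_MSG_1005360,
-"%s: SASL negotiation: %s", peer_hsbuf,
+gflog_notice(GFARM_MSG_1005360,
+"%s: SASL negotiation: %s, "
+"skip SASL authentication", peer_hsbuf,
 sasl_errstring(r, NULL, NULL));
 e = gfp_xdr_send(conn, "i",
 (gfarm_int32_t)GFARM_AUTH_SASL_STEP_ERROR);
 if (e == GFARM_ERR_NO_ERROR)
 e = gfp_xdr_flush(conn);
-gflog_debug(GFARM_MSG_UNFIXED,
-"%s: %s: gfp_xdr_send: %s",
-diag, hostname, gfarm_error_string(e));
+if (e != GFARM_ERR_NO_ERROR)
+gflog_debug(GFARM_MSG_UNFIXED,
+"%s: %s: gfp_xdr_send: %s",
+diag, hostname, gfarm_error_string(e));
 sasl_dispose(&sasl_conn);
 gfp_xdr_tls_reset(conn); /* is this case graceful? */
-return (GFARM_ERR_AUTHENTICATION);
+return (e != GFARM_ERR_NO_ERROR ? e
+: GFARM_ERR_AUTHENTICATION);
 }
 }
 
 if (r != SASL_OK) {
-gflog_error(GFARM_MSG_1005361,
-"%s: SASL: incorrect authentication: %s", hostname,
+gflog_notice(GFARM_MSG_1005361,
+"%s: SASL: incorrect authentication: %s, "
+"skip SASL authentication", hostname,
 sasl_errstring(r, NULL, NULL));
 e = gfp_xdr_send(conn, "i",
 (gfarm_int32_t)GFARM_AUTH_SASL_STEP_ERROR);
 if (e == GFARM_ERR_NO_ERROR)
 e = gfp_xdr_flush(conn);
-gflog_debug(GFARM_MSG_UNFIXED, "%s: %s: gfp_xdr_send: %s",
-diag, hostname, gfarm_error_string(e));
+if (e != GFARM_ERR_NO_ERROR)
+gflog_debug(GFARM_MSG_UNFIXED,
+"%s: %s: gfp_xdr_send: %s",
+diag, hostname, gfarm_error_string(e));
 sasl_dispose(&sasl_conn);
 gfp_xdr_tls_reset(conn); /* is this case graceful? */
-return (GFARM_ERR_AUTHENTICATION);
+return (e != GFARM_ERR_NO_ERROR ? e : GFARM_ERR_AUTHENTICATION);
 }
 
 r = sasl_getprop(sasl_conn, SASL_USERNAME,
 (const void **)&user_id);
 
 if (r != SASL_OK) {
-gflog_error(GFARM_MSG_1005362,
-"%s: SASL: SASL_USERNAME: %s", hostname,
+gflog_notice(GFARM_MSG_1005362,
+"%s: SASL: SASL_USERNAME: %s, "
+"skip SASL authentication", hostname,
 sasl_errstring(r, NULL, NULL));
 e = gfp_xdr_send(conn, "i",
 (gfarm_int32_t)GFARM_AUTH_SASL_STEP_ERROR);
 if (e == GFARM_ERR_NO_ERROR)
 e = gfp_xdr_flush(conn);
-gflog_debug(GFARM_MSG_UNFIXED,
-"%s: %s: gfp_xdr_send: %s",
-diag, hostname, gfarm_error_string(e));
+if (e != GFARM_ERR_NO_ERROR)
+gflog_debug(GFARM_MSG_UNFIXED,
+"%s: %s: gfp_xdr_send: %s",
+diag, hostname, gfarm_error_string(e));
 sasl_dispose(&sasl_conn);
 gfp_xdr_tls_reset(conn); /* is this case graceful? */
-return (GFARM_ERR_AUTHENTICATION);
+return (e != GFARM_ERR_NO_ERROR ? e : GFARM_ERR_AUTHENTICATION);
 }
 
 e = (*auth_uid_to_global_user)(closure, auth_method,
 user_id, &peer_role, &global_username);
 if (e != GFARM_ERR_NO_ERROR) {
-gflog_error(GFARM_MSG_1005363,
-"%s@%s: unregistered user: %s", user_id, hostname,
-gfarm_error_string(e));
+gflog_notice(GFARM_MSG_1005363,
+"%s@%s: unregistered user: %s, skip SASL authentication",
+user_id, hostname, gfarm_error_string(e));
 e = gfp_xdr_send(conn, "i",
 (gfarm_int32_t)GFARM_AUTH_SASL_STEP_ERROR);
 if (e == GFARM_ERR_NO_ERROR)
 e = gfp_xdr_flush(conn);
-gflog_debug(GFARM_MSG_UNFIXED, "%s: %s: gfp_xdr_send: %s",
-diag, hostname, gfarm_error_string(e));
+if (e != GFARM_ERR_NO_ERROR)
+gflog_debug(GFARM_MSG_UNFIXED,
+"%s: %s: gfp_xdr_send: %s",
+diag, hostname, gfarm_error_string(e));
 sasl_dispose(&sasl_conn);
 gfp_xdr_tls_reset(conn); /* is this case graceful? */
-return (GFARM_ERR_AUTHENTICATION);
+return (e != GFARM_ERR_NO_ERROR ? e : GFARM_ERR_AUTHENTICATION);
 }
 
 sasl_dispose(&sasl_conn); /* user_id is freed here */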
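Review bot: The new gflog_info() format in the `@@ -224,21 +230,24 @@` hunk (new lines 234-235) is missing the ", " separator that every other message in this commit has, so adjacent-literal concatenation yields `... vs "%s"skip SASL authentication` with no space or punctuation before "skip"; change the first literal to `"%s: SASL mechanism does not match. \"%s\" vs \"%s\", "`. In the same spirit, new line 116 in the `@@ -111,7 +112,9 @@` hunk has the typo `faild`, which should be `"%s: sasl_server_new() failed: %s, "` to match the `sasl_listmech() failed` wording on new line 133. It is also worth a second look that this one site was lowered to gflog_info() while every sibling site became gflog_notice(); if the lower severity is intentional for the mechanism-mismatch case, a one-line comment saying so would stop a later cleanup from "fixing" it. The enclosing function gfarm_authorize_sasl_common() starts before and ends after these hunks, and in the `@@ -145,13 +150,13 @@` hunk `e` is not assigned within the visible lines, so the new `return (e != GFARM_ERR_NO_ERROR ? e : ...)` there presumably relies on an earlier assignment outside the hunk — confirm that `e` cannot hold a stale non-zero value from an unrelated step at that point.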
