[ https://issues.apache.org/jira/browse/GEODE-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jinmei Liao updated GEODE-2066:
-------------------------------
    Flagged:   (was: Impediment)

> Log UnauthorizedException message at INFO and stack at DEBUG
> ------------------------------------------------------------
>
>                 Key: GEODE-2066
>                 URL: https://issues.apache.org/jira/browse/GEODE-2066
>             Project: Geode
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Jinmei Liao
>            Priority: Major
>
> 1. First, a similar Stack Trace appears at the INFO log-level every time a security violation (e.g. authentication or authorization failure) occurs...
>
> [info 2016/10/25 21:09:08.339 PDT <RMI TCP Connection(2)-10.99.199.3> tid=0x24] (tid=36 msgId=0) Could not execute "list members".
> org.apache.geode.security.NotAuthorizedException: guest not authorized for CLUSTER:READ
>     at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:303)
>     at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:280)
>     at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:275)
>     at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:217)
>     at org.apache.geode.management.internal.cli.remote.CommandProcessor.executeCommand(CommandProcessor.java:116)
>     at org.apache.geode.management.internal.cli.remote.CommandStatementImpl.process(CommandStatementImpl.java:66)
>     at org.apache.geode.management.internal.cli.remote.MemberCommandService.processCommand(MemberCommandService.java:54)
>     at org.apache.geode.management.internal.beans.MemberMBeanBridge.processCommand(MemberMBeanBridge.java:1690)
>     at org.apache.geode.management.internal.beans.MemberMBean.processCommand(MemberMBean.java:406)
>     at org.apache.geode.management.internal.beans.MemberMBean.processCommand(MemberMBean.java:399)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:497)
>     at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:71)
>     at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:497)
>     at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:275)
>     at com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:193)
>     at com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:175)
>     at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:117)
>     at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:54)
>     at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:237)
>     at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:138)
>     at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:252)
>     at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
>     at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
>     at org.apache.geode.management.internal.security.MBeanServerWrapper.invoke(MBeanServerWrapper.java:208)
>     at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1471)
>     at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
>     at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1312)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1411)
>     at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:832)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:497)
>     at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:323)
>     at sun.rmi.transport.Transport$1.run(Transport.java:200)
>     at sun.rmi.transport.Transport$1.run(Transport.java:197)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
>     at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:568)
>     at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:826)
>     at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$256(TCPTransport.java:683)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:682)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [CLUSTER:READ]
>     at org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:334)
>     at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:141)
>     at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:210)
>     at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:298)
>     ... 51 more
>
> It is probably sufficient to log just the security exception "message" at INFO level or higher. Though, I would not mind seeing a Stack Trace if I explicitly set the log-level to DEBUG/FINE. Given all the possible concurrent requests from a multitude of application clients/users, the Geode log file is going to fill up with these Stack Traces quite quickly.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
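The logging split this issue asks for (security exception message at INFO, stack trace only at DEBUG/FINE), as an added example that is not part of the original message and is not Geode's code. It uses `java.util.logging` from the JDK; the class `AuthFailureLogging`, the local `NotAuthorizedException` stand-in, and the `authorize`/`executeCommand` methods are hypothetical names chosen for illustration.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

public class AuthFailureLogging {
    private static final Logger LOG = Logger.getLogger("security.example");

    // Local stand-in for the product's NotAuthorizedException (hypothetical, not the Geode class).
    static class NotAuthorizedException extends RuntimeException {
        NotAuthorizedException(String message, Throwable cause) { super(message, cause); }
    }

    // Hypothetical authorization step that always denies and wraps an underlying cause.
    static void authorize(String principal, String permission) {
        Throwable cause = new SecurityException(
            "Subject does not have permission [" + permission + "]");
        throw new NotAuthorizedException(principal + " not authorized for " + permission, cause);
    }

    static void executeCommand(String principal, String command) {
        try {
            authorize(principal, "CLUSTER:READ");
        } catch (NotAuthorizedException e) {
            // One line per violation at INFO: who was denied which permission, no stack.
            LOG.log(Level.INFO, "Could not execute \"{0}\": {1}",
                new Object[] {command, e.getMessage()});
            // Full stack, including the "Caused by" chain, only when FINE is enabled.
            if (LOG.isLoggable(Level.FINE)) {
                LOG.log(Level.FINE, "Stack for failed command \"" + command + "\"", e);
            }
        }
    }

    public static void main(String[] args) {
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.ALL);        // let the logger level decide what is emitted
        LOG.setUseParentHandlers(false);    // avoid duplicate output via the root logger
        LOG.addHandler(handler);

        LOG.setLevel(Level.INFO);
        executeCommand("guest", "list members");   // INFO line only

        LOG.setLevel(Level.FINE);
        executeCommand("guest", "list members");   // INFO line plus stack trace at FINE
    }
}
```

At INFO each denied request costs one log line that still names the principal and the missing permission, so authorization failures stay countable for alerting without the per-request stack traces the description warns about.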