This is an automated email from the ASF dual-hosted git repository. sorabh pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/drill.git
The following commit(s) were added to refs/heads/master by this push: new 9388e1c DRILL-7417: Add user logged in/out event in info level logs 9388e1c is described below commit 9388e1ceea5e7c496f4b668038e00151626e308f Author: Sorabh Hamirwasia <sor...@apache.org> AuthorDate: Tue Oct 22 14:16:52 2019 -0700 DRILL-7417: Add user logged in/out event in info level logs --- .../org/apache/drill/exec/rpc/user/UserServer.java | 19 ++++++++++++++----- .../drill/exec/server/rest/LogInLogOutResources.java | 13 ++++++++++++- .../exec/server/rest/auth/DrillRestLoginService.java | 2 +- .../server/rest/auth/DrillSpnegoAuthenticator.java | 5 ++--- .../server/rest/auth/DrillSpnegoLoginService.java | 7 ++++--- 5 files changed, 33 insertions(+), 13 deletions(-) diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java index e2fd1e8..1c2e2e2 100644 --- a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java +++ b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java @@ -205,6 +205,7 @@ public class UserServer extends BasicServer<RpcType, BitToUserConnection> { private UserSession session; private UserToBitHandshake inbound; + private String authenticatedUser; BitToUserConnection(SocketChannel channel) { super(channel, config, !config.isAuthEnabled() @@ -230,8 +231,8 @@ public class UserServer extends BasicServer<RpcType, BitToUserConnection> { public void finalizeSaslSession() throws IOException { final String authorizationID = getSaslServer().getAuthorizationID(); final String userName = new HadoopKerberosName(authorizationID).getShortName(); - logger.debug("Created session for {}", userName); finalizeSession(userName); + logger.info("User {} logged in from {}", authenticatedUser, getRemoteAddress()); } /** 
@@ -251,6 +252,7 @@ public class UserServer extends BasicServer<RpcType, BitToUserConnection> { .setSupportComplexTypes(inbound.getSupportComplexTypes()) .build(); + this.authenticatedUser = userName; // if inbound impersonation is enabled and a target is mentioned final String targetName = session.getTargetUserName(); if (config.getImpersonationManager() != null && targetName != null) { @@ -296,6 +298,15 @@ public class UserServer extends BasicServer<RpcType, BitToUserConnection> { return getChannel().remoteAddress(); } + @Override + public void channelClosed(RpcException ex) { + // log the logged out event only when authentication is enabled + if (config.isAuthEnabled()) { + logger.info("User {} logged out from {}", authenticatedUser, getRemoteAddress()); + } + super.channelClosed(ex); + } + private void cleanup() { if (session != null) { session.close(); @@ -429,10 +440,8 @@ public class UserServer extends BasicServer<RpcType, BitToUserConnection> { connection.changeHandlerTo(config.getMessageHandler()); connection.finalizeSession(userName); respBuilder.setStatus(HandshakeStatus.SUCCESS); - if (logger.isTraceEnabled()) { - logger.trace("Authenticated {} successfully using PLAIN from {}", userName, - connection.getRemoteAddress()); - } + logger.info("Authenticated {} from {} successfully using PLAIN", userName, + connection.getRemoteAddress()); return respBuilder.build(); } catch (UserAuthenticationException ex) { return handleFailure(respBuilder, HandshakeStatus.AUTH_FAILED, ex.getMessage(), ex); diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/LogInLogOutResources.java b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/LogInLogOutResources.java index 0abe2c5..3105012 100644 --- a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/LogInLogOutResources.java +++ b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/LogInLogOutResources.java 
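Review bot: The new `channelClosed` override logs a logout for every closed connection whenever authentication is enabled, including connections that closed before `finalizeSession` set `authenticatedUser`. A failed or abandoned handshake would then appear in the log as `User null logged out from ...`, which weakens the login/logout trail this commit is adding. Checking the field as well keeps each logout paired with a login: `if (config.isAuthEnabled() && authenticatedUser != null) {`.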
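Review bot: The PLAIN success message in the last `UserServer` hunk is worded differently from the one added in `finalizeSaslSession` (`User {} logged in from {}`), so anything matching login events in the log needs two patterns for the same event. Reusing the prefix and appending the mechanism keeps them uniform: `logger.info("User {} logged in from {} using PLAIN", userName, connection.getRemoteAddress());`. The `UserAuthenticationException` branch just below returns through `handleFailure`, whose logging is not visible here. If it does not log at info, failed attempts will be missing from the log that now records successes. The enclosing method starts and ends outside the hunk.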
@@ -17,16 +17,19 @@ */ package org.apache.drill.exec.server.rest; -import org.apache.drill.shaded.guava.com.google.common.annotations.VisibleForTesting; import org.apache.commons.lang3.StringUtils; import org.apache.drill.common.config.DrillConfig; import org.apache.drill.exec.ExecConstants; import org.apache.drill.exec.server.rest.auth.AuthDynamicFeature; import org.apache.drill.exec.server.rest.auth.DrillHttpSecurityHandlerProvider; import org.apache.drill.exec.work.WorkManager; +import org.apache.drill.shaded.guava.com.google.common.annotations.VisibleForTesting; import org.eclipse.jetty.security.authentication.FormAuthenticator; +import org.eclipse.jetty.security.authentication.SessionAuthentication; import org.eclipse.jetty.util.security.Constraint; import org.glassfish.jersey.server.mvc.Viewable; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import javax.annotation.security.PermitAll; import javax.inject.Inject; @@ -51,6 +54,8 @@ import java.util.Set; @PermitAll public class LogInLogOutResources { + private static final Logger logger = LoggerFactory.getLogger(LogInLogOutResources.class); + @Inject WorkManager workManager; @@ -120,6 +125,12 @@ public class LogInLogOutResources { public void logout(@Context HttpServletRequest req, @Context HttpServletResponse resp) throws Exception { final HttpSession session = req.getSession(); if (session != null) { + final Object authCreds = session.getAttribute(SessionAuthentication.__J_AUTHENTICATED); + if (authCreds != null) { + final SessionAuthentication sessionAuth = (SessionAuthentication) authCreds; + logger.info("WebUser {} logged out from {}:{}", sessionAuth.getUserIdentity().getUserPrincipal().getName(), req + .getRemoteHost(), req.getRemotePort()); + } session.invalidate(); } 
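Review bot: In `logout`, the added logging runs before `session.invalidate()` and can throw, which would leave the session valid. The cast `(SessionAuthentication) authCreds` is unchecked, and the chain `getUserIdentity().getUserPrincipal().getName()` has no null checks. This matters more after this commit, because the `DrillSpnegoAuthenticator` hunk drops `session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED)` and so relies on `invalidate()` to end the authenticated session on logout. I would test with `if (authCreds instanceof SessionAuthentication) {` and move `session.invalidate();` into a `finally` so that logging can never block the logout. The method continues past the end of the hunk.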
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillRestLoginService.java b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillRestLoginService.java index 33fe52c..a21a0f1 100644 --- a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillRestLoginService.java +++ b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillRestLoginService.java @@ -78,7 +78,7 @@ public class DrillRestLoginService implements LoginService { // Authenticate the user with configured Authenticator userAuthenticator.authenticate(username, credentials.toString()); - logger.debug("WebUser {} is successfully authenticated", username); + logger.info("WebUser {} logged in from {}:{}", username, request.getRemoteHost(), request.getRemotePort()); final SystemOptionManager sysOptions = drillbitContext.getOptionManager(); diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoAuthenticator.java b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoAuthenticator.java index d60aaf5..1efaf56 100644 --- a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoAuthenticator.java +++ b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoAuthenticator.java 
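Review bot: The `logged in` line in `DrillRestLoginService` is emitted right after `userAuthenticator.authenticate(...)` but before the rest of `login`, which starts with the option-manager lookup and continues outside this hunk. If a later step fails, the log would hold a login event for a session that was never established. Moving the `logger.info("WebUser {} logged in from {}:{}", ...)` call to just before the identity is returned would make the event mean what it says. The same ordering applies to the last `DrillSpnegoLoginService` hunk, where the info line precedes the admin-privilege check. `login` starts and ends outside the hunk, so the later steps are inferred from the context lines only.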
@@ -75,11 +75,10 @@ public class DrillSpnegoAuthenticator extends SpnegoAuthenticator { // If the Request URI is for /spnegoLogin then perform login final boolean mandatory = mandatoryAuth || uri.equals(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH); - // For logout remove the attribute from the session that holds UserIdentity + // For logout the attribute from the session that holds UserIdentity will be removed when session is getting + // invalidated if (authentication != null) { if (uri.equals(WebServerConstants.LOGOUT_RESOURCE_PATH)) { - logger.debug("Logging out user {}", req.getRemoteAddr()); - session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED); return null; } diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.java b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.java index 429aa3a..98a76cb 100644 --- a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.java +++ b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.java @@ -83,7 +83,7 @@ public class DrillSpnegoLoginService extends SpnegoLoginService { UserIdentity identity = null; try { - identity = loggedInUgi.doAs((PrivilegedExceptionAction<UserIdentity>) () -> spnegoLogin(credentials)); + identity = loggedInUgi.doAs((PrivilegedExceptionAction<UserIdentity>) () -> spnegoLogin(credentials, request)); } catch (Exception e) { logger.error("Failed to login using SPNEGO", e); } @@ -91,7 +91,7 @@ public class DrillSpnegoLoginService extends SpnegoLoginService { return identity; } - private UserIdentity spnegoLogin(Object credentials) { + private UserIdentity spnegoLogin(Object credentials, ServletRequest request) { String encodedAuthToken = (String) credentials; byte[] authToken = B64Code.decode(encodedAuthToken); 
@@ -122,7 +122,8 @@ public class DrillSpnegoLoginService extends SpnegoLoginService { // Get the client user short name final String userShortName = new HadoopKerberosName(clientName).getShortName(); - + logger.info("WebUser {} logged in from {}:{}", userShortName, request.getRemoteHost(), + request.getRemotePort()); logger.debug("Client Name: {}, realm: {} and shortName: {}", clientName, realm, userShortName); final SystemOptionManager sysOptions = drillContext.getOptionManager(); final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(userShortName,