Improving logs to make AUTH_DENIES easy to understand and fix

2016-05-18 Thread Tianyin Xu
Hi all,

I've been using httpd's authentication & authorization modules for several
weeks. Compared to many other modules I used in the past, the debugging of
"auth deny" issues (caused by these modules) is really a pain in the ass.
The key problem is that httpd often does not tell *why* certain requests
are denied, but only gives a very general message like

  [auth_basic:error] AH01617: user tixu: authentication failure for "/":
  [authz_core:error] AH01631: user tixu: authorization failure for "/":

In many cases, these two log messages are the only ones available for
debugging. But they really do not pinpoint the reason beneath the
authn/authz failures. Yes, these two logs are printed in `mod_auth_basic`
and `mod_authz_core` where the authn/authz results from different providers
are aggregated.

Even worse, things get much more complicated and hard to debug when
multiple authn/authz providers are applied (e.g., file + ldap + ssl). In
fact, these are not uncommon,
https://httpd.apache.org/docs/2.4/howto/auth.html#multprovider
Note that, with AH01617 and AH01631, we can't even know which module
actually denied the request!

Certainly, there are awesome auth modules like `mod_authz_owner` and
`mod_authz_dbm` which have excellent logging: before each AUTH_DENIED, they
have error logs to pinpoint the precise reason (check out
`fileowner_check_authorization(..)` in `mod_authz_owner.c` and
`dbmgroup_check_authorization(..)` in `mod_authz_dbm.c`).
https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authz_owner.c
https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authz_dbm.c

With such precise log msgs, we sysadmins can understand the problems and
take actions immediately.

Unfortunately, in many other cases, the authn/z modules keep silent and
thus end with AH01617 and AH01631. The following shows two examples:

  static authz_status ssl_authz_require_ssl_check(...) { /* ssl_engine_kernel.c */
      ...
      if (ssl)
          return AUTHZ_GRANTED;
      else
          return AUTHZ_DENIED;
  }

and

  static authz_status dbdgroup_check_authorization(...) { /* mod_authz_dbd.c */
      while (...) {
          ...
          return AUTHZ_GRANTED;
      }
      return AUTHZ_DENIED;
  }

Such cases are not rare, but prevalent across several authn/authz modules.

I propose to apply the same good practices (such as mod_authz_owner &
mod_authz_dbm) to all the authn/authz modules. Basically, I want to add log
messages before each AUTHN/Z_DENIES to pinpoint:

1) which module denied the request
2) the reason the request gets denied

In this way, sysadmins can immediately understand the causes and take
actions (if necessary).

Any advice or feedback on this proposal is highly welcomed (that's the
whole purpose of this email)!

Specifically, I want to understand whether this is something worth doing
(besides scratching my own itch). Are there any concerns, or did I miss any
important things? Let me know!

Thanks a lot!
Tianyin
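
The two log lines quoted above are all an operator gets today, so here is what triage looks like from the other side: an added Python example (not part of the thread and not httpd code) that parses AH01617/AH01631 entries out of an error_log in the httpd 2.4 default ErrorLogFormat, groups denials by client and by user/URI, and flags the entries whose "reason" field is empty, i.e. the aggregated results that do not say which provider denied or why. The sample log lines, users, addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample error_log lines in the httpd 2.4 default ErrorLogFormat
# ("[%{u}t] [%-m:%l] [pid %P:tid %T] [client %a] %M").  Users, client
# addresses, timestamps and the non-auth notice line are made up; the
# AH01617/AH01631 message text follows the lines quoted in the post.
SAMPLE_LOG = """\
[Wed May 18 09:12:01.123456 2016] [auth_basic:error] [pid 4242:tid 140] [client 203.0.113.7:51234] AH01617: user tixu: authentication failure for "/": Password Mismatch
[Wed May 18 09:12:03.654321 2016] [authz_core:error] [pid 4242:tid 141] [client 203.0.113.7:51236] AH01631: user tixu: authorization failure for "/":
[Wed May 18 09:12:05.000001 2016] [authz_core:error] [pid 4242:tid 142] [client 198.51.100.9:40001] AH01631: user alice: authorization failure for "/admin":
[Wed May 18 09:12:06.000002 2016] [core:notice] [pid 4240:tid 1] AH00094: Command line: '/usr/sbin/httpd'
"""

# Prefix: timestamp, module:level, optional pid/tid and client fields, AH tag.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<module>[a-z0-9_]+):(?P<level>[a-z0-9]+)\]'
    r'(?: \[pid [^\]]+\])?(?: \[client (?P<client>[^\]]+)\])? '
    r'(?P<code>AH\d{5}): (?P<msg>.*)$')

# Body of the two aggregating messages quoted in the post.  "reason" is
# whatever the module appended after the final colon; for AH01631 in the
# sample it is empty.
AUTH_RE = re.compile(
    r'^user (?P<user>\S+): (?P<kind>authentication|authorization) failure '
    r'for "(?P<uri>[^"]*)":\s*(?P<reason>.*)$')


def parse_line(line):
    """Return a dict for an authn/authz failure line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m.group('msg'))
    if not a:
        return None
    client = m.group('client') or ''
    # %a is "addr:port"; drop the port so retries from one host group together
    # (good enough for IPv4; a bracketed IPv6 literal would need more care).
    host = client.rsplit(':', 1)[0] if client else ''
    return {
        'time': m.group('time'),
        'module': m.group('module'),   # the module that *logged* the denial
        'code': m.group('code'),
        'client': host,
        'user': a.group('user'),
        'kind': a.group('kind'),
        'uri': a.group('uri'),
        'reason': a.group('reason').strip(),
    }


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def summarize(events):
    """Group denials the way an operator triaging them would want."""
    by_client = Counter(e['client'] for e in events)
    by_user_uri = Counter((e['user'], e['kind'], e['uri']) for e in events)
    # AH01617/AH01631 come from mod_auth_basic / mod_authz_core, which
    # aggregate provider results; an empty reason means the line does not
    # say which provider denied or why, which is the gap the post describes.
    unexplained = [e for e in events if not e['reason']]
    return {
        'by_client': by_client,
        'by_user_uri': by_user_uri,
        'unexplained': len(unexplained),
    }


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    s = summarize(evs)
    for e in evs:
        why = e['reason'] or '(no reason: aggregated result, denying provider unknown)'
        print(f"{e['code']} [{e['module']}] {e['client']} {e['user']} "
              f"{e['kind']} {e['uri']!r}: {why}")
    print('clients:', dict(s['by_client']))
    print('unexplained denials:', s['unexplained'])
```

Run against a real error_log the same loop works unchanged as long as ErrorLogFormat has not been customised; the point of the `unexplained` count is that for AH01631 it is always the whole set, which is exactly why the post asks for a provider-specific message before each denial.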


Re: Questions on writing logging stmts in httpd

2016-03-23 Thread Tianyin Xu
I found a previous post,
http://marc.info/?t=14057931881=1=2

which helped answer the 2nd question, basically, "anything more important
than DEBUG needs a number."

but it does not answer Questions #1 and #3 :-|

~t



On Wed, Mar 23, 2016 at 5:55 PM, Tianyin Xu <t...@cs.ucsd.edu> wrote:

> Hi folks,
>
> I have a question regarding writing logging statements in httpd code. I
> notice that most of the logging statements are associated with a log
> number, defined by the APLOGNO macro, while some others (in the same
> module) do not. I have the following questions when writing new logging
> statements:
>
> 1. What are these log numbers used for? (I remember the early versions do
> not have these...)
>
> 2. What kinds of logs need the log numbers and what do not?
>
> 3. How to determine the number when writing a new logging statement? Is
> there any specific rule to generate the number? If not, how to avoid the
> collision?
>
> Thanks a lot!
> Tianyin
>
>
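
The rule found above ("anything more important than DEBUG needs a number") and the worry about collisions in Question #3 can both be checked mechanically. The following is an added Python example, not part of the thread and not httpd's own tooling: it pulls every `ap_log_*error(...)` call out of a C file (matching parentheses while skipping string literals, since format strings often contain them), reads the `APLOG_*` level and any `APLOGNO(nnnnn)` tag, and reports calls above DEBUG with no tag plus tag numbers used more than once. It does not allocate numbers. The C source it scans is constructed in the style of an httpd module and is not real httpd code.

```python
import re
from collections import Counter

# Constructed C in the style of an httpd module (not real httpd code).  One
# statement above DEBUG carries no tag, two statements reuse the same number,
# and the DEBUG statement is legitimately untagged.
SAMPLE_C = r'''
static int check_user(request_rec *r, const char *user)
{
    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01617)
                  "user %s: authentication failure for \"%s\": %s",
                  user, r->uri, "Password Mismatch");
    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                  "trying provider (%s)", prov->name);
    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                  "password file %s is world-readable", path);
    ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(01617)
                 "same tag reused by mistake");
    return DECLINED;
}
'''

# APLOG_* levels in order of decreasing severity; the rule quoted in the
# thread is "anything more important than DEBUG needs a number".
LEVELS = ['APLOG_EMERG', 'APLOG_ALERT', 'APLOG_CRIT', 'APLOG_ERR',
          'APLOG_WARNING', 'APLOG_NOTICE', 'APLOG_INFO', 'APLOG_DEBUG'] + \
         ['APLOG_TRACE%d' % i for i in range(1, 9)]
SEVERITY = {name: i for i, name in enumerate(LEVELS)}
DEBUG = SEVERITY['APLOG_DEBUG']

CALL_RE = re.compile(r'\bap_log_[rpc]?error\s*\(')
LEVEL_RE = re.compile(
    r'\bAPLOG_(?:EMERG|ALERT|CRIT|ERR|WARNING|NOTICE|INFO|DEBUG|TRACE[1-8])\b')
TAG_RE = re.compile(r'\bAPLOGNO\((\d{5})\)')


def extract_calls(src):
    """Yield the full text of each ap_log_*error(...) call, arguments
    included, by matching parentheses while skipping C string literals.
    (Character literals such as '"' are not handled; the sample has none.)"""
    for m in CALL_RE.finditer(src):
        depth, i, in_str, esc = 0, m.end() - 1, False, False
        while i < len(src):
            c = src[i]
            if in_str:
                if esc:
                    esc = False
                elif c == '\\':
                    esc = True
                elif c == '"':
                    in_str = False
            elif c == '"':
                in_str = True
            elif c == '(':
                depth += 1
            elif c == ')':
                depth -= 1
                if depth == 0:
                    yield src[m.start():i + 1]
                    break
            i += 1


def check(src):
    """Return (missing, duplicates): calls above DEBUG with no APLOGNO, and
    tag numbers used more than once in this source."""
    missing, tags = [], Counter()
    for call in extract_calls(src):
        lvl = LEVEL_RE.search(call)
        tag = TAG_RE.search(call)
        if tag:
            tags[tag.group(1)] += 1
        if lvl and SEVERITY[lvl.group(0)] < DEBUG and not tag:
            missing.append((lvl.group(0), ' '.join(call.split())[:60]))
    duplicates = {t: n for t, n in tags.items() if n > 1}
    return missing, duplicates


if __name__ == '__main__':
    missing, duplicates = check(SAMPLE_C)
    for lvl, snippet in missing:
        print('missing APLOGNO at', lvl, '->', snippet)
    for tag, n in duplicates.items():
        print('APLOGNO(%s) used %d times' % (tag, n))
```

Collisions across modules are the real risk, so in practice the duplicate check should be run over the union of all files rather than one file at a time; concatenating the sources before calling `check` is enough for that.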


Questions on writing logging stmts in httpd

2016-03-23 Thread Tianyin Xu
Hi folks,

I have a question regarding writing logging statements in httpd code. I
notice that most of the logging statements are associated with a log
number, defined by the APLOGNO macro, while some others (in the same
module) do not. I have the following questions when writing new logging
statements:

1. What are these log numbers used for? (I remember the early versions do
not have these...)

2. What kinds of logs need the log numbers and what do not?

3. How to determine the number when writing a new logging statement? Is
there any specific rule to generate the number? If not, how to avoid the
collision?

Thanks a lot!
Tianyin


Re: Re: [users@httpd] Unable to create or access scoreboard (anonymous shared memory failure)

2012-03-22 Thread Tianyin Xu
Thanks a lot, William!!
One amazing thing about Apache is that you developers are really responsible
and really care about the usability of the software.

Best,
T

On Wed, Mar 21, 2012 at 9:32 PM, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:

> Room for improvement?  Forwarding as attach to include formatting.
>
> Thanks for the observations, Tianyin!




-- 
Tianyin XU,
http://cseweb.ucsd.edu/~tixu/


How are requested URIs translated into local resource names? (where is the ap_run_translate_name function?)

2012-01-04 Thread Tianyin Xu
Hi, all,

Happy new year!!!

I'm trying to understand how the requested URIs are translated into local
resource names in Apache. For example, how does Apache know which resource
name the URL http://XXX/image/test.png points to? What if we use Alias
or Redirect directives?

I looked at the request.c file. It seems this job is done by the functions
ap_run_translate_name() and ap_run_map_to_storage(). However, I cannot
find the definition or implementation of these functions at all. They only
appear in exports.c and httpd.exp, and neither of those is the
definition/implementation of these functions.

Could anyone tell me how I can find the implementation of the functions
ap_run_translate_name and ap_run_map_to_storage? Or give me some
direction or hints.

Thanks a lot for your help!!

Best regards,
Tianyin

-- 
Tianyin XU,
http://cseweb.ucsd.edu/~tixu/