Bug 5608 - More details in security logging please
Status: RESOLVED FIXED
Product: Java WS Security
Component: Authorization
Version: 4.0.5
Hardware: Macintosh All
Importance: P3 normal
Target Milestone: 4.0.6
Reported: 2007-10-12 11:13 by
Modified: 2008-01-16 16:39 (History)
Description From 2007-10-12 11:13:13
Two authz logging requests:

1)  Getting the filename of the gridmap in use

When a gridmap authorization fails (and maybe even when it succeeds), could we
get the filename of the gridmap if the gridmap came from a file?  As people
deploy more service-specific gridmap files it will help debugging if we know
which file is in use for a particular decision.  Otherwise we have to trace
back the WSDL name of the operation (namespace:op) to a particular service,
then go find that service's security descriptor to see what gridmap it's using.

2) Gridmap authorization failed: peer <anonymous>
Could we get the IP of the failed client in these messages?
------- Comment #1 From 2007-10-15 11:06:35 -------
Another bit of security logging, this time for container startup:

If the container fails to start in secure mode, it would be nice to have a
friendly error message like:
"In the global security descriptor <path to descriptor>, the container is
configured to look for <type of credential> at <path to credential>."
[If it's a proxy and the proxy doesn't exist/is expired, suggest running
grid-proxy-init]
------- Comment #2 From 2007-10-23 18:38:10 -------
Fixed issue (1) in branch and trunk.
------- Comment #3 From 2007-10-24 15:36:36 -------
Fixed issue (3), container startup logging, fixed in trunk and branch
------- Comment #4 From 2007-10-24 18:41:12 -------
Added client IP address in error messages with anonymous client access.

In GT 4.0.x, secure transport adds default principal value to peer subject,
while secure conversation does not. This affects how policy is enforced and
cannot be changed in branch. So in GridMapAuthz, with anonymous secure
transport access, authz fails with "<anonymous> not in gridmap", but with
anonymous secure conversation access, authz fails with "anonymous peer". This
cannot be fixed in branch, since it changes authz policy enforcement behavior.

Trunk code has been fixed such that principal set is empty with anonymous
access.
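The two logging requests in the description (gridmap filename, client IP) and the anonymous-peer distinction in comment #4, as an added example that is not part of this bug or of the Globus Toolkit code: a small Python gridmap check whose log messages always carry the gridmap path and the peer IP, and which reports an empty principal set as "anonymous peer" while a literal "<anonymous>" principal falls through to "not in gridmap". The gridmap path, the sample gridmap entries and the peer addresses are constructed.

```python
"""Gridmap authorization with audit-oriented log messages (added example)."""
import logging
from typing import Dict, List, Set, Tuple

log = logging.getLogger("gridmap.authz")

# Constructed sample gridmap: a double-quoted DN followed by one or more
# comma-separated local user names; '#' starts a comment line.
GRIDMAP_PATH = "/etc/grid-security/grid-mapfile"  # assumed path, used only in log text
GRIDMAP_TEXT = """# constructed sample gridmap
"/C=US/O=Example/OU=Grid/CN=Alice O'Brien" alice
"/C=US/O=Example/OU=Grid/CN=host/svc.example.org" svc,alice
"""


def parse_gridmap(text: str) -> Dict[str, Set[str]]:
    """Map each DN to its set of local users; reject lines that are not '"DN" users'."""
    mapping: Dict[str, Set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The DN is delimited by the first pair of double quotes, so apostrophes
        # and slashes inside it are kept verbatim.
        end = line.find('"', 1) if line.startswith('"') else -1
        if end < 0:
            raise ValueError(f"line {lineno}: DN must be double-quoted: {raw!r}")
        dn, users = line[1:end], line[end + 1:].strip()
        names = {u for u in users.split(",") if u}
        if not names:
            raise ValueError(f"line {lineno}: no local user for {dn!r}")
        mapping.setdefault(dn, set()).update(names)
    return mapping


def authorize(principals: List[str], gridmap: Dict[str, Set[str]], gridmap_path: str,
              peer_ip: str, operation: str) -> Tuple[bool, str]:
    """Decide on the peer's principals; every outcome names the gridmap file and peer IP."""
    ctx = f"gridmap={gridmap_path} peer={peer_ip} op={operation}"
    if not principals:  # empty principal set: anonymous access (trunk behaviour, comment #4)
        msg = f"Gridmap authorization failed: anonymous peer ({ctx})"
        log.warning(msg)
        return False, msg
    for dn in principals:  # a literal "<anonymous>" principal (4.0.x transport) lands here
        if dn in gridmap:
            msg = f"Gridmap authorization succeeded: {dn!r} -> {sorted(gridmap[dn])} ({ctx})"
            log.info(msg)
            return True, msg
    msg = f"Gridmap authorization failed: {', '.join(principals)} not in gridmap ({ctx})"
    log.warning(msg)
    return False, msg
```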
------- Comment #5 From 2007-11-28 16:23:27 -------
*** Bug 4338 has been marked as a duplicate of this bug. ***