Hi Roger, Thank you for the suggestions.
I think we should have a separate JIRA to address logging improvements for authentication. That shouldn't need a KIP. The way the code is structured at the moment, SSL implementation is in the network package. And that makes it a bit messy to move authentication logs into a separate config. I have added an error_message field to SaslAuthenticate response. For those who have already voted, please let me know if you have any concerns about the new field. Thank you... Regards, Rajini On Tue, Aug 29, 2017 at 8:44 PM, Roger Hoover <roger.hoo...@gmail.com> wrote: > Hi Rajini, > > One more thought. Maybe we should also add an error_message field in the > response like we do with CreateTopics response so that the server can > return an appropriate message that we can bubble up to the user. Examples > would be "Invalid username or password", "SASL Impersonation not allowed", > or "You account has been locked, please contact cluster admin". > > Thanks, > > Roger > > On Tue, Aug 29, 2017 at 12:41 PM, Roger Hoover <roger.hoo...@gmail.com> > wrote: > > > Hi Rajini, > > > > The metrics in KIP-188 will provide counts across all users but the log > > could potentially be used to audit individual authentication events. I > > think these would be useful at INFO level but if it's inconsistent with > the > > rest of Kafka, DEBUG is ok too. The default log4j config for Kafka > > separates authorization logs. It seems like a good idea to treat > > authentication logs the same way whether or not we choose DEBUG or INFO. > > > > https://github.com/apache/kafka/blob/trunk/config/log4j. > properties#L54-L58 > > > > Cheers, > > > > Roger > > > > On Tue, Aug 29, 2017 at 10:51 AM, Rajini Sivaram < > rajinisiva...@gmail.com> > > wrote: > > > >> Hi Roger, > >> > >> If we are changing logging level for successful SASL authentications in > >> the > >> broker, we should probably do the same for SSL too. Since KIP-188 > proposes > >> to add new metrics for successful and failed authentications which may > be > >> more useful for monitoring, do we really need info-level logging for > >> authentication? At the moment, there don't seem to be any per-connection > >> informational messages at info-level, but if you think it is useful, we > >> could do this in a separate JIRA. Let me know what you think. > >> > >> On Tue, Aug 29, 2017 at 1:09 PM, Roger Hoover <roger.hoo...@gmail.com> > >> wrote: > >> > >> > Just re-read the KIP and was wondering if you think INFO would be ok > for > >> > logging successful authentications? They should be relatively > >> infrequent. > >> > > >> > On Tue, Aug 29, 2017 at 9:54 AM, Roger Hoover <roger.hoo...@gmail.com > > > >> > wrote: > >> > > >> > > +1 (non-binding). Thanks, Rajini > >> > > > >> > > On Tue, Aug 29, 2017 at 2:10 AM, Ismael Juma <ism...@juma.me.uk> > >> wrote: > >> > > > >> > >> Thanks for the KIP, +1 (binding) from me. > >> > >> > >> > >> Ismael > >> > >> > >> > >> On Thu, Aug 24, 2017 at 6:29 PM, Rajini Sivaram < > >> > rajinisiva...@gmail.com> > >> > >> wrote: > >> > >> > >> > >> > Hi all, > >> > >> > > >> > >> > I would like to start vote on KIP-152 to improve diagnostics of > >> > >> > authentication failures and to update clients to treat > >> authentication > >> > >> > failures as fatal exceptions rather than transient errors: > >> > >> > https://cwiki.apache.org/confluence/display/KAFKA/KIP- > >> > >> > 152+-+Improve+diagnostics+for+SASL+authentication+failures > >> > >> > > >> > >> > Thank you... > >> > >> > > >> > >> > Rajini > >> > >> > > >> > >> > >> > > > >> > > > >> > > >> > > > > >
