hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix to MXS-54: https://mariadb.atlassian.net/browse/MXS-54

Browse Source 
Added a new configuration parameter that allows the user to control
whether authentication warning messages are logged.
This commit is contained in:
Markus Makela
2015-11-03 11:03:47 +02:00
parent d6230e68ef
commit d57b4cd531
6 changed files with 54 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Documentation/Getting-Started/Configuration-Guide.md
View File

@ -371,6 +371,12 @@ Enabling this feature will transform wildcard grants to individual database gran
The retry_on_failure parameter controls whether MaxScale will try to restart failed services and accepts a boolean value. This functionality is enabled by default to prevent services being permanently disabled if the starting of the service failed due to a network outage. Disabling the restarting of the failed services will cause them to be permanently disabled if the services can't be started when MaxScale is started.
#### `log_auth_warnings`
Enable or disable the logging of authentication failures and warnings. This parameter takes a boolean value.
MaxScale normally suppresses warning messages about failed authentication. Enabling this option will log those messages into the message log with details about who tried to connect to MaxScale and from where.
#### `connection_timeout`
The connection_timeout parameter is used to disconnect sessions to MaxScale that have been idle for too long. The session timeouts are disabled by default. To enable them, define the timeout in seconds in the service's configuration section.

16
server/core/config.c
View File

@ -498,6 +498,13 @@ process_config_context(CONFIG_CONTEXT *context)
subservices,
1,STRING_TYPE);
}
char *log_auth_warnings = config_get_value(obj->parameters,
"log_auth_warnings");
int truthval;
if (log_auth_warnings && (truthval = config_truth_value(log_auth_warnings)) != -1)
{
((SERVICE*) obj->element)->log_auth_warnings = (bool) truthval;
}
CONFIG_PARAMETER* param;
if((param = config_get_param(obj->parameters, "ignore_databases")))
@ -1781,6 +1788,14 @@ SERVER *server;
version_string = config_get_value(obj->parameters, "version_string");
allow_localhost_match_wildcard_host = config_get_value(obj->parameters, "localhost_match_wildcard_host");
char *log_auth_warnings = config_get_value(obj->parameters,
"log_auth_warnings");
int truthval;
if (log_auth_warnings && (truthval = config_truth_value(log_auth_warnings)) != -1)
{
service->log_auth_warnings = (bool)truthval;
}
CONFIG_PARAMETER* param;
if((param = config_get_param(obj->parameters, "ignore_databases")))
@ -2199,6 +2214,7 @@ static char *service_params[] =
"ssl_cert_verify_depth",
"ignore_databases",
"ignore_databases_regex",
"log_auth_warnings",
NULL
};

51
server/core/dbusers.c
View File

@ -1122,19 +1122,21 @@ getAllUsers(SERVICE *service, USERS *users)
} else if(rc == -1) {
/** Duplicate user*/
LOGIF(LT,(skygw_log_write(LT,
"Duplicate MySQL user found for service [%s]: %s@%s%s%s",
service->name,
row[0],row[1],havedb?" for database: ":"",
havedb ?dbnm:"")));
if (service->log_auth_warnings)
{
skygw_log_write(LM, "Duplicate MySQL user found for service"
" [%s]: %s@%s%s%s", service->name, row[0],
row[1], havedb ? " for database: " : "",
havedb ? dbnm : "");
}
} else {
LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR|LOGFILE_TRACE,
"Warning: Failed to add user %s@%s for service [%s]. "
"This user will be unavailable via MaxScale.",
row[0],
row[1],
service->name)));
if (service->log_auth_warnings)
{
skygw_log_write_flush(LM, "Warning: Failed to add user %s@%s"
" for service [%s]. This user will be "
"unavailable via MaxScale.", row[0],
row[1], service->name);
}
}
}
@ -1657,19 +1659,20 @@ getUsers(SERVICE *service, USERS *users)
} else if(rc == -1) {
/** Duplicate user*/
LOGIF(LE,(skygw_log_write(LT|LE,
"Warning: Duplicate MySQL user found for service [%s]: %s@%s%s%s",
service->name,
row[0],row[1],db_grants?" for database: ":"",
db_grants ?row[5]:"")));
if (service->log_auth_warnings)
{
skygw_log_write(LM, "Warning: Duplicate MySQL user found for "
"service [%s]: %s@%s%s%s", service->name, row[0],
row[1], db_grants ? " for database: " : "",
db_grants ? row[5] : "");
}
} else {
LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR|LOGFILE_TRACE,
"Warning: Failed to add user %s@%s for service [%s]. "
"This user will be unavailable via MaxScale.",
row[0],
row[1],
service->name)));
if (service->log_auth_warnings)
{
skygw_log_write_flush(LM, "Warning: Failed to add user %s@%s for"
" service [%s]. This user will be unavailable"
" via MaxScale.", row[0], row[1], service->name);
}
}
}

1
server/core/service.c
View File

@ -149,6 +149,7 @@ SERVICE *service;
service->ssl_ca_cert = NULL;
service->ssl_cert = NULL;
service->ssl_key = NULL;
service->log_auth_warnings = true;
service->ssl_cert_verify_depth = DEFAULT_SSL_CERT_VERIFY_DEPTH;
/** Support the highest possible SSL/TLS methods available as the default */
service->ssl_method_type = SERVICE_SSL_TLS_MAX;

2
server/include/service.h
View File

@ -192,7 +192,7 @@ typedef struct service {
char* ssl_ca_cert; /*< SSL CA certificate */
bool ssl_init_done; /*< If SSL has already been initialized for this service */
bool retry_start; /*< If starting of the service should be retried later */
bool log_auth_warnings; /*< Log authentication failures and warnings */
} SERVICE;
typedef enum count_spec_t {COUNT_NONE=0, COUNT_ATLEAST, COUNT_EXACT, COUNT_ATMOST} count_spec_t;

2
server/modules/protocol/mysql_client.c
View File

@ -600,7 +600,7 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF **buf) {
if (auth_ret == 0) {
dcb->user = strdup(client_data->user);
}
else
else if (dcb->service->log_auth_warnings)
{
skygw_log_write(LM, "%s: login attempt for user '%s', authentication failed.",
dcb->service->name, username);