MXS-1354: Enable muting of admin interface authentication failures

The warnings generated by the admin interface can now be silenced.
Markus Mäkelä
2017-08-14 08:31:23 +03:00
parent f0c2843195
commit e627740777
4 changed files with 33 additions and 3 deletions


@ -80,6 +80,7 @@ extern const char CN_ARG_MAX[];
extern const char CN_ARG_MIN[];
extern const char CN_ADMIN_AUTH[];
extern const char CN_ADMIN_ENABLED[];
extern const char CN_ADMIN_LOG_AUTH_FAILURES[];
extern const char CN_ADMIN_HOST[];
extern const char CN_ADMIN_PORT[];
extern const char CN_ADMIN_SSL_KEY[];
@ -212,6 +213,7 @@ typedef struct
uint16_t admin_port; /**< Admin interface port */
bool admin_auth; /**< Admin interface authentication */
bool admin_enabled; /**< Admin interface is enabled */
bool admin_log_auth_failures; /**< Log admin interface authentication failures */
char admin_ssl_key[PATH_MAX]; /**< Admin SSL key */
char admin_ssl_cert[PATH_MAX]; /**< Admin SSL cert */
char admin_ssl_ca_cert[PATH_MAX]; /**< Admin SSL CA cert */


@ -170,9 +170,12 @@ bool do_auth(MHD_Connection *connection, const char* url)
char* user = MHD_basic_auth_get_username_password(connection, &pw);
if (!user || !pw || !admin_verify_inet_user(user, pw))
{
if (config_get_global_options()->admin_log_auth_failures)
{
MXS_WARNING("Authentication failed for '%s', %s. Request: %s", user ? user : "",
pw ? "using password" : "no password", url);
}
rval = false;
static char error_resp[] = "{\"errors\": [ { \"detail\": \"Access denied\" } ] }";
MHD_Response *resp =
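Review bot: With `admin_log_auth_failures` set to false, the failed-login branch of do_auth writes nothing, so repeated password guessing against the admin interface leaves no trace in the MaxScale log. If the aim is only to quiet the warning, the muted case could keep a low-severity record in an `else` branch, e.g. `MXS_INFO("Authentication failed for '%s'. Request: %s", user ? user : "", url);`. Otherwise the trade-off should be stated above the new `if`, for example `// Muting this removes the only log record of failed admin logins.`. do_auth starts and ends outside the hunk, so how `user` and `pw` are released is not visible here.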


@ -59,6 +59,7 @@ const char CN_ARG_MAX[] = "arg_max";
const char CN_ARG_MIN[] = "arg_min";
const char CN_ADMIN_AUTH[] = "admin_auth";
const char CN_ADMIN_ENABLED[] = "admin_enabled";
const char CN_ADMIN_LOG_AUTH_FAILURES[] = "admin_log_auth_failures";
const char CN_ADMIN_HOST[] = "admin_host";
const char CN_ADMIN_PORT[] = "admin_port";
const char CN_ADMIN_SSL_KEY[] = "admin_ssl_key";
@ -1564,6 +1565,10 @@ handle_global_item(const char *name, const char *value)
{
gateway.admin_enabled = config_truth_value(value);
}
else if (strcmp(name, CN_ADMIN_LOG_AUTH_FAILURES) == 0)
{
gateway.admin_log_auth_failures = config_truth_value(value);
}
else
{
for (i = 0; lognames[i].name; i++)
@ -1748,6 +1753,7 @@ global_defaults()
gateway.skip_permission_checks = false;
gateway.admin_port = DEFAULT_ADMIN_HTTP_PORT;
gateway.admin_auth = true;
gateway.admin_log_auth_failures = true;
gateway.admin_enabled = true;
strcpy(gateway.admin_host, DEFAULT_ADMIN_HOST);
gateway.admin_ssl_key[0] = '\0';
@ -3866,6 +3872,7 @@ json_t* config_maxscale_to_json(const char* host)
json_object_set_new(param, CN_SKIP_PERMISSION_CHECKS, json_boolean(cnf->skip_permission_checks));
json_object_set_new(param, CN_ADMIN_AUTH, json_boolean(cnf->admin_auth));
json_object_set_new(param, CN_ADMIN_ENABLED, json_boolean(cnf->admin_enabled));
json_object_set_new(param, CN_ADMIN_LOG_AUTH_FAILURES, json_boolean(cnf->admin_log_auth_failures));
json_object_set_new(param, CN_ADMIN_HOST, json_string(cnf->admin_host));
json_object_set_new(param, CN_ADMIN_PORT, json_integer(cnf->admin_port));
json_object_set_new(param, CN_ADMIN_SSL_KEY, json_string(cnf->admin_ssl_key));
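Review bot: In the handle_global_item hunk the result of `config_truth_value(value)` is stored straight into the `bool` field, yet the runtime_alter_maxscale change in this same commit treats -1 from that function as an invalid value. Here -1 converts to `true`, so a mistyped setting in the configuration file is accepted silently and the operator believes the warnings are muted when they are not. The new branch should check the result first, e.g. `int v = config_truth_value(value);` followed by `if (v != -1) gateway.admin_log_auth_failures = v;` and a warning that names the parameter otherwise. The adjacent `admin_enabled` branch shows the same pattern; handle_global_item's body continues outside the hunk.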


@ -691,6 +691,23 @@ bool runtime_alter_maxscale(const char* name, const char* value)
runtime_error("Invalid boolean value for '%s': %s", CN_ADMIN_AUTH, value);
}
}
else if (key == CN_ADMIN_LOG_AUTH_FAILURES)
{
int boolval = config_truth_value(value);
if (boolval != -1)
{
MXS_NOTICE("Updated '%s' from '%s' to '%s'", CN_ADMIN_LOG_AUTH_FAILURES,
cnf.admin_log_auth_failures ? "true" : "false",
boolval ? "true" : "false");
cnf.admin_log_auth_failures = boolval;
rval = true;
}
else
{
runtime_error("Invalid boolean value for '%s': %s", CN_ADMIN_LOG_AUTH_FAILURES, value);
}
}
else
{
runtime_error("Unknown global parameter: %s=%s", name, value);
@ -1815,7 +1832,8 @@ bool validate_maxscale_json(json_t* json)
rval = is_count_or_null(param, CN_AUTH_CONNECT_TIMEOUT) &&
is_count_or_null(param, CN_AUTH_READ_TIMEOUT) &&
is_count_or_null(param, CN_AUTH_WRITE_TIMEOUT) &&
is_bool_or_null(param, CN_ADMIN_AUTH);
is_bool_or_null(param, CN_ADMIN_AUTH) &&
is_bool_or_null(param, CN_ADMIN_LOG_AUTH_FAILURES);
}
return rval;
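Review bot: The `MXS_NOTICE` in the new `CN_ADMIN_LOG_AUTH_FAILURES` branch of runtime_alter_maxscale is the only record that failure logging was switched off at runtime, and it would presumably be lost wherever notice-level messages are not kept. Because disabling this option removes a security signal, the disabling case deserves a level that is normally retained, for example `if (!boolval) MXS_WARNING("Logging of admin interface authentication failures was disabled at runtime");`. At minimum the line should carry a comment such as `// Audit record of muting auth-failure logging; keep when refactoring.`. The branch is also a near copy of the `CN_ADMIN_AUTH` branch above it, which is only partly visible in the hunk, so a shared helper for boolean globals would keep the two from drifting.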