Bug 536356 (RHQ-714)

Summary: Authentication failures should show the sender IP
Product: [Other] RHQ Project
Reporter: Heiko W. Rupp <hrupp>
Component: Communications Subsystem
Assignee: John Mazzitelli <mazz>
Status: CLOSED NEXTRELEASE
QA Contact: Pavel Kralik <pkralik>
Severity: medium
Priority: medium
Version: 1.0.1
CC: mvecera
Target Milestone: ---
Keywords: Improvement
Target Release: ---
Hardware: All
OS: All
URL: http://jira.rhq-project.org/browse/RHQ-714
Fixed In Version: 1.2
Doc Type: Enhancement

Description Heiko W. Rupp 2008-08-05 13:00:00 EDT
Users are currently seeing messages like 

2008-08-05 10:41:45,385 WARN  [org.rhq.enterprise.communications.command.server.CommandProcessor] {CommandProcessor.failed-authentication}Command failed to be authenticated!  This command will be ignored and not processed: Command: type=[remotepojo]; cmd-in-response=[false]; config=[{rhq.security-token=1209058866725-1418902078-8985156550799411863, rhq.send-throttle=true, rhq.guaranteed-delivery=true}]; params=[{targetInterfaceName=org.rhq.core.clientapi.server.measurement.MeasurementServerService, invocation=NameBasedInvocation[mergeMeasurementReport]}]

in the server log / console, but will not be able to tell from this which IP address is sending the bad token.
We should display the sender IP as a help to admins.
Comment 1 John Mazzitelli 2008-10-13 08:59:41 EDT
We already have something in a newer version (svn rev1740) - you will now see the agent's name in the "config" properties of the command.  It's not the true remote endpoint IP of the agent, but it does identify the name of the agent that is trying to send the message.

Note that there is currently no way for us to know which IP is sending messages via JBossRemoting because AFAIK the JBossRemoting invocation handler isn't given any information regarding the client (there is nothing in JBossRemoting that says a client must have an IP that is resolvable by the server).  Therefore, that is why we have to add our own identification information in our out-of-band configuration found in the incoming command.
Comment 2 John Mazzitelli 2008-12-09 22:40:56 EST
There is now a way to know what agent is sending the message - svn rev 1740 logs the agent name - from there you can figure out the agent IP and other identification about the agent (through either looking at the UI or performing DB queries of the rhq_agent table).
Comment 3 John Mazzitelli 2009-02-09 11:26:53 EST
You can test this by starting an agent, getting it registered and talking to a server. Then change its security token to some invalid value like this (from the agent prompt):

setconfig rhq.agent.security-token=foo

Now, enter this from the agent prompt:

ping

and the server's log should show you the same kind of warning as seen in the description, but in the config= section, you'll see the agent's name in it. That's what we want.
Comment 4 Pavel Kralik 2009-02-09 13:16:36 EST
Tested as specified above. The agent's name is logged in the server log file.

RHEL5.3, x86_64, PostgreSQL8.2.4, java 1.6.0_11, JON RHQ SVN rev# 2894
Comment 5 Red Hat Bugzilla 2009-11-10 16:15:22 EST
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-714
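
A triage sketch for the warning discussed in this bug, added here as an example and not taken from the bug report or from RHQ code: it parses the `config=[{...}]` map of each failed-authentication line and counts failures per sender. The page does not show the post-fix log line, so the agent-name key `rhq.agent-name` is a hypothetical placeholder, and the sample lines are constructed.

```python
import re
from collections import Counter

# The failed-authentication warning, capturing the config=[{...}] property map.
FAILED_AUTH = re.compile(
    r"\{CommandProcessor\.failed-authentication\}.*?config=\[\{(?P<config>.*?)\}\]")
TOKEN_KEY = "rhq.security-token"    # key shown in the log line in the description
AGENT_NAME_KEY = "rhq.agent-name"   # ASSUMPTION: hypothetical key, check your own log

def parse_config(raw):
    """Turn 'k1=v1, k2=v2' into a dict."""
    props = {}
    for pair in raw.split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def failed_auth_senders(lines):
    """Count failed-authentication warnings per sender identity."""
    counts = Counter()
    for line in lines:
        match = FAILED_AUTH.search(line)
        if not match:
            continue
        props = parse_config(match.group("config"))
        if AGENT_NAME_KEY in props:
            sender = "agent:" + props[AGENT_NAME_KEY]
        elif TOKEN_KEY in props:
            # No agent name logged: fall back to a short token suffix only.
            sender = "token:..." + props[TOKEN_KEY][-6:]
        else:
            sender = "unknown"
        counts[sender] += 1
    return counts

# Constructed sample lines modelled on the warning quoted in the description.
_LINE = ("2009-02-09 11:30:0{n},100 WARN  [org.rhq.enterprise.communications.command."
         "server.CommandProcessor] {{CommandProcessor.failed-authentication}}Command "
         "failed to be authenticated!  This command will be ignored and not processed: "
         "Command: type=[remotepojo]; cmd-in-response=[false]; config=[{{{config}}}]; "
         "params=[{{}}]")
SAMPLE = [
    _LINE.format(n=1, config="rhq.security-token=foo, rhq.agent-name=agent-a.example.com"),
    _LINE.format(n=2, config="rhq.security-token=foo, rhq.agent-name=agent-a.example.com"),
    _LINE.format(n=3, config="rhq.security-token=1111-2222-333344, rhq.send-throttle=true"),
    "2009-02-09 11:30:04,100 INFO  [org.example.Other] unrelated line",
]

if __name__ == "__main__":
    for sender, count in failed_auth_senders(SAMPLE).most_common():
        print(count, sender)
```

Lines without an agent name are grouped by the last six characters of the token, so the full token is not copied into the report.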