Bug 536356 - (RHQ-714) Authentication failures should show the sender IP
Authentication failures should show the sender IP
Status: CLOSED NEXTRELEASE
Product: RHQ Project
Classification: Other
Component: Communications Subsystem (Show other bugs)
1.0.1
All All
medium Severity medium (vote)
: ---
: ---
Assigned To: John Mazzitelli
Pavel Kralik
http://jira.rhq-project.org/browse/RH...
: Improvement
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-05 13:00 EDT by Heiko W. Rupp
Modified: 2013-04-30 19:32 EDT (History)
1 user (show)

See Also:
Fixed In Version: 1.2
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Heiko W. Rupp 2008-08-05 13:00:00 EDT
Users are currently seeing messages like 

2008-08-05 10:41:45,385 WARN  [org.rhq.enterprise.communications.command.server.CommandProcessor] {CommandProcessor.failed-authentication}Command failed to be authenticated!  This command will be ignored and not processed: Command: type=[remotepojo]; cmd-in-response=[false]; config=[{rhq.security-toke
n=1209058866725-1418902078-8985156550799411863, rhq.send-throttle=true, rhq.guaranteed-delivery=true}]; params=[{targetInterfaceName=org.rhq.core.clientapi.server.measurement.MeasurementServerService, invocation=NameBasedInvocation[mergeMeasurementReport]}]

in the server log / console, but will not be able to tell from this which IP address is sending the bad token.
We should display the sender ip as a help to admins.
Comment 1 John Mazzitelli 2008-10-13 08:59:41 EDT
We already have something in a newer version (svn rev1740) - you will now see the agent's name in the "config" properties of the command.  Its not the true remote endpoint IP of the agent, but it does identify the name of the agent that is trying to send the message.

Note that there is currently no way for us to know which IP is sending messages via JBossRemoting because AFAIK the JBossRemoting invocation handler isn't given any informating regarding the client (there is nothing in JBossRemoting that says a client must have an IP that is resolvable by the server).  Therefore, that is why we have to add our own identification information in our out-of-band configuration found in the incoming command.
Comment 2 John Mazzitelli 2008-12-09 22:40:56 EST
there is now a way to know what agent is sending the message - svn rev 1740 logs the agent name - from there you can figure out the agent IP and other identification about the agent (through either looking at the UI or performing DB queries of the rhq_agent table).
Comment 3 John Mazzitelli 2009-02-09 11:26:53 EST
you can test this by starting an agent, get it registered and talking to a server. Then change its security token to some invalid value like this (from the agent prompt):

setconfig rhq.agent.security-token=foo

Now, enter this from the agent prompt:

ping

and the server's log should show you the same kind of warning as seen in the description, but in the config= section, you'll see the agent's name in it. That's what we want.
Comment 4 Pavel Kralik 2009-02-09 13:16:36 EST
Tested as specified above. The agent's name is logged in the server log file.

RHEL5.3, x86_64, PostgreSQL8.2.4, java 1.6.0_11, JON RHQ SVN rev# 2894
Comment 5 Red Hat Bugzilla 2009-11-10 16:15:22 EST
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-714

Note You need to log in before you can comment on or make changes to this bug.