Bug 536356 (RHQ-714) - Authentication failures should show the sender IP
Summary: Authentication failures should show the sender IP
Keywords:
Status: CLOSED NEXTRELEASE
Alias: RHQ-714
Product: RHQ Project
Classification: Other
Component: Communications Subsystem
Version: 1.0.1
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Mazzitelli
QA Contact: Pavel Kralik
URL: http://jira.rhq-project.org/browse/RH...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-08-05 17:00 UTC by Heiko W. Rupp
Modified: 2013-04-30 23:32 UTC (History)

Fixed In Version: 1.2
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Heiko W. Rupp 2008-08-05 17:00:00 UTC
Users are currently seeing messages like 

2008-08-05 10:41:45,385 WARN  [org.rhq.enterprise.communications.command.server.CommandProcessor] {CommandProcessor.failed-authentication}Command failed to be authenticated!  This command will be ignored and not processed: Command: type=[remotepojo]; cmd-in-response=[false]; config=[{rhq.security-token=1209058866725-1418902078-8985156550799411863, rhq.send-throttle=true, rhq.guaranteed-delivery=true}]; params=[{targetInterfaceName=org.rhq.core.clientapi.server.measurement.MeasurementServerService, invocation=NameBasedInvocation[mergeMeasurementReport]}]

in the server log / console, but will not be able to tell from this which IP address is sending the bad token.
We should display the sender IP as a help to admins.

Comment 1 John Mazzitelli 2008-10-13 12:59:41 UTC
We already have something in a newer version (svn rev1740) - you will now see the agent's name in the "config" properties of the command.  It's not the true remote endpoint IP of the agent, but it does identify the name of the agent that is trying to send the message.

Note that there is currently no way for us to know which IP is sending messages via JBossRemoting because AFAIK the JBossRemoting invocation handler isn't given any information regarding the client (there is nothing in JBossRemoting that says a client must have an IP that is resolvable by the server).  Therefore, that is why we have to add our own identification information in our out-of-band configuration found in the incoming command.

Comment 2 John Mazzitelli 2008-12-10 03:40:56 UTC
There is now a way to know what agent is sending the message - svn rev 1740 logs the agent name - from there you can figure out the agent IP and other identification about the agent (through either looking at the UI or performing DB queries of the rhq_agent table).

Comment 3 John Mazzitelli 2009-02-09 16:26:53 UTC
You can test this by starting an agent, getting it registered and talking to a server. Then change its security token to some invalid value like this (from the agent prompt):

setconfig rhq.agent.security-token=foo

Now, enter this from the agent prompt:

ping

and the server's log should show you the same kind of warning as seen in the description, but in the config= section, you'll see the agent's name in it. That's what we want.

Comment 4 Pavel Kralik 2009-02-09 18:16:36 UTC
Tested as specified above. The agent's name is logged in the server log file.

RHEL5.3, x86_64, PostgreSQL8.2.4, java 1.6.0_11, JON RHQ SVN rev# 2894
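
Added example, not part of the original bug report and not RHQ code: a log-triage script for the warning discussed above that pulls the config properties out of failed-authentication lines and counts failures per agent name, masking the security token in the report. The property key `rhq.agent-name` is an assumption (the comments only say the agent's name appears in the config= section), and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: key under which the agent name is logged; adjust to what your
# server log actually shows in the config=[{...}] section.
AGENT_KEY = "rhq.agent-name"
TOKEN_KEY = "rhq.security-token"
FAILED = "{CommandProcessor.failed-authentication}"
CONFIG_RE = re.compile(r"config=\[\{(.*?)\}\]")

def parse_failed_auth(line):
    """Return the config properties of a failed-authentication warning, else None."""
    if FAILED not in line:
        return None
    match = CONFIG_RE.search(line)
    props = {}
    for pair in (match.group(1).split(", ") if match else []):
        key, sep, value = pair.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def mask(token):
    """Show at most the last 4 characters so reports do not repeat the token."""
    if not token:
        return "<none>"
    return "****" + (token[-4:] if len(token) > 8 else "")

def summarize(lines):
    """Count failed authentications per (agent name, masked token)."""
    counts = Counter()
    for line in lines:
        props = parse_failed_auth(line)
        if props is not None:
            agent = props.get(AGENT_KEY, "<unknown>")  # older agents log no name
            counts[(agent, mask(props.get(TOKEN_KEY)))] += 1
    return counts

def _line(cfg):
    # Builds a constructed log line in the format quoted in the description.
    return ("2009-02-09 10:00:00,000 WARN  [org.rhq.enterprise.communications."
            "command.server.CommandProcessor] " + FAILED + "Command failed to be "
            "authenticated!  This command will be ignored and not processed: "
            "Command: type=[remotepojo]; config=[{" + cfg + "}]; params=[{}]")

# Constructed sample input (agent names and tokens are made up).
SAMPLE = [
    _line("rhq.security-token=foo, rhq.agent-name=agent-a.example.test"),
    _line("rhq.security-token=foo, rhq.agent-name=agent-a.example.test"),
    _line("rhq.security-token=1111-2222-3333, rhq.send-throttle=true"),
    "2009-02-09 10:00:05,000 INFO  [org.example.Other] unrelated line",
]

if __name__ == "__main__":
    for (agent, token), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  agent={agent}  token={token}")
```

Lines from agents that predate the change carry no name and are grouped under `<unknown>`, which is where the masked token suffix helps tell senders apart.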

Comment 5 Red Hat Bugzilla 2009-11-10 21:15:22 UTC
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-714
