Kafka: improve logging for authorization errors #3234

Merged
merged 3 commits into from
Dec 13, 2021

Conversation

dotnwat
Member

@dotnwat dotnwat commented Dec 10, 2021

Cover letter

Improve authorization logging:

  1. Logs at debug level for authorization failures that are expected (e.g. when performing authorization to establish client visibility rather than authorizing for a specific resource requested by a client).
  2. Logs the authenticated principal when authorization fails.

Fixes: #3235

Release notes

Improvements

  1. Logs at debug level for authorization failures that are expected (e.g. when performing authorization to establish client visibility rather than authorizing for a specific resource requested by a client).
  2. Logs the authenticated principal when authorization fails.

Signed-off-by: Noah Watkins <noah@vectorized.io>
OffsetFetch and Metadata requests have modes in which authorization for
operation::describe is verified for all topics that exist as a means for
establishing visibility (e.g. list topics will show only those topics
for which the connection is authorized for the describe operation).

In these cases we want to avoid logging authorization failures because
they become noise in the logs: there is no real authorization failure,
rather an authorization failure results in a semantic change of the API
which is normal.

Signed-off-by: Noah Watkins <noah@vectorized.io>
This is useful for backtracking an error to a particular
client or context.

Signed-off-by: Noah Watkins <noah@vectorized.io>
@dotnwat dotnwat merged commit 558538a into redpanda-data:dev Dec 13, 2021
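
The pattern the commit messages describe, as an added example that is not code from this pull request or from Redpanda: a describe check used only to filter visible topics logs denials at debug level, a check for a topic the client named logs them at info, and both records carry the principal. All names (`authorizer`, `quiet`, `log_sink`, `visible_topics`, `count_at`) and the sample ACLs are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Illustrative model only: every name here is hypothetical, not Redpanda's API.
enum class level { debug, info };
struct log_entry { level lvl; std::string msg; };
std::vector<log_entry> log_sink; // in-memory sink so results can be inspected

struct authorizer {
    // Constructed sample ACLs: principal -> topics it may describe.
    std::map<std::string, std::set<std::string>> describe_acl;
    // quiet=true marks a visibility probe: a denial is expected, log at debug.
    // quiet=false means the client named the topic: log the denial at info.
    bool authorized(const std::string& principal, const std::string& topic,
                    bool quiet) const {
        auto it = describe_acl.find(principal);
        bool ok = it != describe_acl.end() && it->second.count(topic) > 0;
        if (!ok) { // the record always carries the authenticated principal
            log_sink.push_back({quiet ? level::debug : level::info,
              "authorization failed: principal=" + principal + " topic=" + topic});
        }
        return ok;
    }
};

// List-topics style request: every existing topic is probed quietly.
std::vector<std::string> visible_topics(const authorizer& a,
  const std::string& principal, const std::vector<std::string>& all) {
    std::vector<std::string> out;
    for (const auto& t : all) { if (a.authorized(principal, t, true)) out.push_back(t); }
    return out;
}

std::size_t count_at(level l) {
    std::size_t n = 0;
    for (const auto& e : log_sink) { n += (e.lvl == l) ? 1 : 0; }
    return n;
}

int main() {
    authorizer a;
    a.describe_acl["User:alice"].insert("orders");
    visible_topics(a, "User:alice", {"orders", "payments", "audit"});
    a.authorized("User:alice", "payments", false); // explicit request, denied
    std::cout << count_at(level::debug) << " debug, " << count_at(level::info) << " info\n";
}
```

With the log level at info, only the explicit denial appears, which keeps a real failure from being buried under visibility probes.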
This pull request was closed.
Development

Successfully merging this pull request may close these issues.

Kafka: seeing lots of authorization failed messages