fix(auth): add more detailed logs for auth/acl

firest 2023-02-09 14:08:42 +08:00
parent 6f5e6e7f9b
commit 3314d9616d
14 changed files with 86 additions and 17 deletions


@ -44,7 +44,10 @@ check_acl(ClientInfo, PubSub, Topic, _AclResult, #{acl := ACLParams = #{path :=
Username = maps:get(username, ClientInfo1, undefined), Username = maps:get(username, ClientInfo1, undefined),
case check_acl_request(ACLParams, ClientInfo1) of case check_acl_request(ACLParams, ClientInfo1) of
{ok, 200, <<"ignore">>} -> ok; {ok, 200, <<"ignore">>} -> ok;
{ok, 200, _Body} -> {stop, allow}; {ok, 200, _Body} ->
?LOG(debug, "Allow ~s to topic ~ts, username: ~ts",
[PubSub, Topic, Username]),
{stop, allow};
{ok, Code, _Body} -> {ok, Code, _Body} ->
?LOG(warning, "Deny ~s to topic ~ts, username: ~ts, http response code: ~p", ?LOG(warning, "Deny ~s to topic ~ts, username: ~ts, http response code: ~p",
[PubSub, Topic, Username, Code]), [PubSub, Topic, Username, Code]),
@ -74,4 +77,3 @@ check_acl_request(ACLParams =
access(subscribe) -> 1; access(subscribe) -> 1;
access(publish) -> 2. access(publish) -> 2.


@ -41,19 +41,20 @@ check(ClientInfo, AuthResult, #{auth := AuthParms = #{path := Path},
{ok, 200, <<"ignore">>} -> {ok, 200, <<"ignore">>} ->
ok; ok;
{ok, 200, Body} -> {ok, 200, Body} ->
?LOG(debug, "Auth succeeded from path: ~ts, username: ~ts", [Path, Username]),
IsSuperuser = is_superuser(SuperParams, ClientInfo), IsSuperuser = is_superuser(SuperParams, ClientInfo),
{stop, AuthResult#{is_superuser => IsSuperuser, {stop, AuthResult#{is_superuser => IsSuperuser,
auth_result => success, auth_result => success,
anonymous => false, anonymous => false,
mountpoint => mountpoint(Body, ClientInfo)}}; mountpoint => mountpoint(Body, ClientInfo)}};
{ok, Code, _Body} -> {ok, Code, _Body} ->
?LOG(warning, "Deny connection from path: ~s, username: ~ts, http " ?LOG(warning, "Deny connection from path: ~ts, username: ~ts, http "
"response code: ~p", "response code: ~p",
[Path, Username, Code]), [Path, Username, Code]),
{stop, AuthResult#{auth_result => http_to_connack_error(Code), {stop, AuthResult#{auth_result => http_to_connack_error(Code),
anonymous => false}}; anonymous => false}};
{error, Error} -> {error, Error} ->
?LOG_SENSITIVE(warning, "Deny connection from path: ~s, username: ~ts, due to " ?LOG_SENSITIVE(warning, "Deny connection from path: ~ts, username: ~ts, due to "
"request http-server failed: ~0p", [Path, Username, Error]), "request http-server failed: ~0p", [Path, Username, Error]),
%%FIXME later: server_unavailable is not right. %%FIXME later: server_unavailable is not right.
{stop, AuthResult#{auth_result => server_unavailable, {stop, AuthResult#{auth_result => server_unavailable,


@ -51,8 +51,14 @@ check_auth(ClientInfo, AuthResult, #{from := From, checklists := Checklists}) ->
{error, not_token} -> {error, not_token} ->
ok; ok;
{error, Reason} -> {error, Reason} ->
?LOG_SENSITIVE(debug,
"Auth from JWT failed, Client: ~p, Reason: ~p",
[ClientInfo, Reason]),
{stop, AuthResult#{auth_result => Reason, anonymous => false}}; {stop, AuthResult#{auth_result => Reason, anonymous => false}};
{ok, Claims} -> {ok, Claims} ->
?LOG_SENSITIVE(debug,
"Auth from JWT succeeded, Client: ~p",
[ClientInfo]),
{stop, maps:merge(AuthResult, verify_claims(Checklists, Claims, ClientInfo))} {stop, maps:merge(AuthResult, verify_claims(Checklists, Claims, ClientInfo))}
end end
end. end.
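Review bot: The new `?LOG_SENSITIVE` calls in the `{error, Reason}` and `{ok, Claims}` branches print the entire `ClientInfo` map with `~p`, and in the JWT flow that map presumably still holds the raw token in the field named by `From` — confirm against the head of `check_auth`, which starts outside the hunk. The same pattern appears in the backend auth sections ending at lines 98, 167, 199 and 236, where the visible heads bind `#{password := Password}` out of that same map, so the plaintext password is written to the log whenever sensitive logging is switched on; the Mnesia auth section ending at 134 and the ACL sections ending at 85, 121, 154, 186, 223 and 259 dump `ClientInfo` the same way. Logging a redacted copy, e.g. `[maps:without([password], ClientInfo), Reason]`, or only `clientid`/`username`, keeps the diagnostic value without turning the sensitive-log switch into a credential dump.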


@ -29,8 +29,16 @@
check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) -> check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) ->
case do_check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) of case do_check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) of
ok -> ok; ok -> ok;
{stop, allow} -> {stop, allow}; {stop, allow} ->
{stop, deny} -> {stop, deny} ?LOG_SENSITIVE(debug,
"[LDAP] Allow Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, allow};
{stop, deny} ->
?LOG_SENSITIVE(debug,
"[LDAP] Deny Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, deny}
end. end.
do_check_acl(#{username := <<$$, _/binary>>}, _PubSub, _Topic, _NoMatchAction, _State) -> do_check_acl(#{username := <<$$, _/binary>>}, _PubSub, _Topic, _NoMatchAction, _State) ->
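Review bot: Both the `{stop, allow}` and the `{stop, deny}` outcome are logged at `debug` here, whereas the HTTP ACL backend in the section ending at line 24 logs a denial at `warning` (line 20); a denied publish or subscribe is the event an operator most needs to see, so consider raising the deny branch to `info` or `warning`, e.g. `?LOG_SENSITIVE(warning, "[LDAP] Deny Topic: ~p, Action: ~p for Client: ~p", [Topic, PubSub, ClientInfo]),` and keeping allow at `debug`. The Mnesia, MongoDB, MySQL, Postgres and Redis ACL sections (ending at 121, 154, 186, 223 and 259) have the same asymmetry, so the level choice is best made once for all of them.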


@ -58,6 +58,9 @@ check(ClientInfo = #{username := Username, password := Password}, AuthResult,
end, end,
case CheckResult of case CheckResult of
ok -> ok ->
?LOG_SENSITIVE(debug,
"[LDAP] Auth from ldap succeeded, Client: ~p",
[ClientInfo]),
{stop, AuthResult#{auth_result => success, anonymous => false}}; {stop, AuthResult#{auth_result => success, anonymous => false}};
{error, not_found} -> {error, not_found} ->
ok; ok;


@ -17,6 +17,7 @@
-module(emqx_acl_mnesia). -module(emqx_acl_mnesia).
-include("emqx_auth_mnesia.hrl"). -include("emqx_auth_mnesia.hrl").
-include_lib("emqx/include/logger.hrl").
%% ACL Callbacks %% ACL Callbacks
-export([ init/0 -export([ init/0
@ -43,8 +44,14 @@ check_acl(ClientInfo = #{ clientid := Clientid }, PubSub, Topic, _NoMatchAction,
case match(ClientInfo, PubSub, Topic, Acls) of case match(ClientInfo, PubSub, Topic, Acls) of
allow -> allow ->
?LOG_SENSITIVE(debug,
"[Mnesia] Allow Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, allow}; {stop, allow};
deny -> deny ->
?LOG_SENSITIVE(debug,
"[Mnesia] Deny Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, deny}; {stop, deny};
_ -> _ ->
ok ok


@ -70,6 +70,9 @@ check(ClientInfo = #{ clientid := Clientid
?LOG(info, "[Mnesia] Auth from mnesia failed: ~p", [Info]), ?LOG(info, "[Mnesia] Auth from mnesia failed: ~p", [Info]),
{stop, AuthResult#{anonymous => false, auth_result => password_error}}; {stop, AuthResult#{anonymous => false, auth_result => password_error}};
_ -> _ ->
?LOG_SENSITIVE(debug,
"[Mnesia] Auth from mnesia succeeded, Client: ~p",
[ClientInfo]),
{stop, AuthResult#{anonymous => false, auth_result => success}} {stop, AuthResult#{anonymous => false, auth_result => success}}
end end
end. end.


@ -38,8 +38,16 @@ check_acl(ClientInfo, PubSub, Topic, _AclResult, Env = #{aclquery := AclQuery})
[] -> ok; [] -> ok;
Rows -> Rows ->
try match(ClientInfo, Topic, topics(PubSub, Rows)) of try match(ClientInfo, Topic, topics(PubSub, Rows)) of
matched -> {stop, allow}; matched ->
nomatch -> {stop, deny} ?LOG_SENSITIVE(debug,
"[MongoDB] Allow Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, allow};
nomatch ->
?LOG_SENSITIVE(debug,
"[MongoDB] Deny Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, deny}
catch catch
_Err:Reason-> _Err:Reason->
?LOG(error, "[MongoDB] Check mongo ~p ACL failed, got ACL config: ~p, error: :~p", ?LOG(error, "[MongoDB] Check mongo ~p ACL failed, got ACL config: ~p, error: :~p",


@ -68,6 +68,9 @@ check(ClientInfo = #{password := Password}, AuthResult,
case Result of case Result of
ok -> ok ->
?tp(emqx_auth_mongo_superuser_check_authn_ok, #{}), ?tp(emqx_auth_mongo_superuser_check_authn_ok, #{}),
?LOG_SENSITIVE(debug,
"[MongoDB] Auth from mongo succeeded, Client: ~p",
[ClientInfo]),
{stop, AuthResult#{is_superuser => is_superuser(Pool, SuperQuery, ClientInfo), {stop, AuthResult#{is_superuser => is_superuser(Pool, SuperQuery, ClientInfo),
anonymous => false, anonymous => false,
auth_result => success}}; auth_result => success}};


@ -29,8 +29,16 @@
check_acl(ClientInfo, PubSub, Topic, NoMatchAction, #{pool := Pool} = State) -> check_acl(ClientInfo, PubSub, Topic, NoMatchAction, #{pool := Pool} = State) ->
case do_check_acl(Pool, ClientInfo, PubSub, Topic, NoMatchAction, State) of case do_check_acl(Pool, ClientInfo, PubSub, Topic, NoMatchAction, State) of
ok -> ok; ok -> ok;
{stop, allow} -> {stop, allow}; {stop, allow} ->
{stop, deny} -> {stop, deny} ?LOG_SENSITIVE(debug,
"[MySQL] Allow Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, allow};
{stop, deny} ->
?LOG_SENSITIVE(debug,
"[MySQL] Allow Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, deny}
end. end.
do_check_acl(_Pool, #{username := <<$$, _/binary>>}, _PubSub, _Topic, _NoMatchAction, _State) -> do_check_acl(_Pool, #{username := <<$$, _/binary>>}, _PubSub, _Topic, _NoMatchAction, _State) ->
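Review bot: The `{stop, deny}` branch at lines 180-183 logs `"[MySQL] Allow Topic: ~p, Action: ~p for Client: ~p"`, so every MySQL ACL denial is recorded as an allow; the message should be `"[MySQL] Deny Topic: ~p, Action: ~p for Client: ~p"`, matching the deny messages in the LDAP, Mnesia, MongoDB, Postgres and Redis sections. An audit or alert built on these lines would otherwise count denials as grants. `check_acl` is shown whole; `do_check_acl` on the last line continues outside the hunk.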


@ -46,6 +46,9 @@ check(ClientInfo = #{password := Password}, AuthResult,
end, end,
case CheckPass of case CheckPass of
ok -> ok ->
?LOG_SENSITIVE(debug,
"[MySQL] Auth from mysql succeeded, Client: ~p",
[ClientInfo]),
{stop, AuthResult#{is_superuser => is_superuser(Pool, SuperQuery, ClientInfo), {stop, AuthResult#{is_superuser => is_superuser(Pool, SuperQuery, ClientInfo),
anonymous => false, anonymous => false,
auth_result => success}}; auth_result => success}};


@ -36,8 +36,16 @@ do_check_acl(Pool, ClientInfo, PubSub, Topic, _NoMatchAction, #{acl_query := {Ac
{ok, _, Rows} -> {ok, _, Rows} ->
Rules = filter(PubSub, compile(Rows)), Rules = filter(PubSub, compile(Rows)),
case match(ClientInfo, Topic, Rules) of case match(ClientInfo, Topic, Rules) of
{matched, allow} -> {stop, allow}; {matched, allow} ->
{matched, deny} -> {stop, deny}; ?LOG_SENSITIVE(debug,
"[Postgres] Allow Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, allow};
{matched, deny} ->
?LOG_SENSITIVE(debug,
"[Postgres] Deny Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, deny};
nomatch -> ok nomatch -> ok
end; end;
{error, Reason} -> {error, Reason} ->
@ -105,4 +113,3 @@ empty(null) -> true;
empty("") -> true; empty("") -> true;
empty(<<>>) -> true; empty(<<>>) -> true;
empty(_) -> false. empty(_) -> false.


@ -45,6 +45,9 @@ check(ClientInfo = #{password := Password}, AuthResult,
end, end,
case CheckPass of case CheckPass of
ok -> ok ->
?LOG_SENSITIVE(debug,
"[Postgres] Auth from pgsql succeeded, Client: ~p",
[ClientInfo]),
{stop, AuthResult#{is_superuser => is_superuser(Pool, SuperQuery, ClientInfo), {stop, AuthResult#{is_superuser => is_superuser(Pool, SuperQuery, ClientInfo),
anonymous => false, anonymous => false,
auth_result => success}}; auth_result => success}};


@ -33,8 +33,16 @@ check_acl(ClientInfo, PubSub, Topic, _AclResult,
{ok, []} -> ok; {ok, []} -> ok;
{ok, Rules} -> {ok, Rules} ->
case match(ClientInfo, PubSub, Topic, Rules) of case match(ClientInfo, PubSub, Topic, Rules) of
allow -> {stop, allow}; allow ->
nomatch -> {stop, deny} ?LOG_SENSITIVE(debug,
"[Redis] Allow Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, allow};
nomatch ->
?LOG_SENSITIVE(debug,
"[Redis] Deny Topic: ~p, Action: ~p for Client: ~p",
[Topic, PubSub, ClientInfo]),
{stop, deny}
end; end;
{error, Reason} -> {error, Reason} ->
?LOG(error, "[Redis] do_check_acl error: ~p", [Reason]), ?LOG(error, "[Redis] do_check_acl error: ~p", [Reason]),
@ -71,4 +79,3 @@ feed_var(Str, Var, Val) ->
b2i(Bin) -> list_to_integer(binary_to_list(Bin)). b2i(Bin) -> list_to_integer(binary_to_list(Bin)).
description() -> "Redis ACL Module". description() -> "Redis ACL Module".