Обсуждение: Better detail logging for password auth failures

We often tell people to look in the postmaster log for more information
about authentication problems; but an off-list question prompted me to
notice that many of the common authentication failure cases don't actually
get any useful commentary in the log.  The attached proposed patch
remedies this by adding specific log detail messages for all the
non-out-of-memory cases processed by md5_crypt_verify().  Essentially,
this is just covering cases that I omitted to cover in commit 64e43c59,
for reasons that no longer seem very good to me.

I did not bother with going through the other auth methods in similar
detail.  It seems like only password authentication is in use by people
who are in need of this kind of help.  (But if someone else wants to do
something similar for other auth methods, feel free.)

In passing, the patch gets rid of a vestigial CHECK_FOR_INTERRUPTS()
call; it was added by e710b65c and IMO should have been removed again
by 6647248e.  There's certainly no very good reason to have one right
at that spot anymore.

Any objections?

            regards, tom lane

diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 97be944..64c25e8 100644
*** a/src/backend/libpq/crypt.c
--- b/src/backend/libpq/crypt.c
*************** md5_crypt_verify(const Port *port, const
*** 50,56 ****
--- 50,60 ----
      /* Get role info from pg_authid */
      roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
      if (!HeapTupleIsValid(roleTup))
+     {
+         *logdetail = psprintf(_("Role \"%s\" does not exist."),
+                               role);
          return STATUS_ERROR;    /* no such user */
+     }

      datum = SysCacheGetAttr(AUTHNAME, roleTup,
                              Anum_pg_authid_rolpassword, &isnull);
*************** md5_crypt_verify(const Port *port, const
*** 71,83 ****
      ReleaseSysCache(roleTup);

      if (*shadow_pass == '\0')
          return STATUS_ERROR;    /* empty password */
!
!     CHECK_FOR_INTERRUPTS();

      /*
       * Compare with the encrypted or plain password depending on the
!      * authentication method being used for this connection.
       */
      switch (port->hba->auth_method)
      {
--- 75,92 ----
      ReleaseSysCache(roleTup);

      if (*shadow_pass == '\0')
+     {
+         *logdetail = psprintf(_("User \"%s\" has an empty password."),
+                               role);
          return STATUS_ERROR;    /* empty password */
!     }

      /*
       * Compare with the encrypted or plain password depending on the
!      * authentication method being used for this connection.  (We do not
!      * bother setting logdetail for pg_md5_encrypt failure: the only possible
!      * error is out-of-memory, which is unlikely, and if it did happen adding
!      * a psprintf call would only make things worse.)
       */
      switch (port->hba->auth_method)
      {
*************** md5_crypt_verify(const Port *port, const
*** 154,159 ****
--- 163,171 ----
          else
              retval = STATUS_OK;
      }
+     else
+         *logdetail = psprintf(_("Password does not match for user \"%s\"."),
+                               role);

      if (port->hba->auth_method == uaMD5)
          pfree(crypt_pwd);

On Wed, Dec 30, 2015 at 1:07 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> We often tell people to look in the postmaster log for more information
> about authentication problems; but an off-list question prompted me to
> notice that many of the common authentication failure cases don't actually
> get any useful commentary in the log.  The attached proposed patch
> remedies this by adding specific log detail messages for all the
> non-out-of-memory cases processed by md5_crypt_verify().  Essentially,
> this is just covering cases that I omitted to cover in commit 64e43c59,
> for reasons that no longer seem very good to me.
>
> Any objections?

Not really. +1. And the patch looks good.
-- 
Michael

On 2015-12-29 11:07:26 -0500, Tom Lane wrote:
> In passing, the patch gets rid of a vestigial CHECK_FOR_INTERRUPTS()
> call; it was added by e710b65c and IMO should have been removed again
> by 6647248e.  There's certainly no very good reason to have one right
> at that spot anymore.

Why? Doesn't seem like the worst place for an explicit interrupt check?
I think we don't really have a problem with too many such checks... We
surely could move it, but I don't really see how it's related to the
topic at hand nor do I think it's really worth pondering about
extensively.

Andres

Andres Freund <andres@anarazel.de> writes:
> On 2015-12-29 11:07:26 -0500, Tom Lane wrote:
>> In passing, the patch gets rid of a vestigial CHECK_FOR_INTERRUPTS()
>> call; it was added by e710b65c and IMO should have been removed again
>> by 6647248e.  There's certainly no very good reason to have one right
>> at that spot anymore.

> Why? Doesn't seem like the worst place for an explicit interrupt check?

The only reason there was one there at all was that e710b65c added
code like this:

+   /*
+    * Disable immediate interrupts while doing database access.  (Note
+    * we don't bother to turn this back on if we hit one of the failure
+    * conditions, since we can expect we'll just exit right away anyway.)
+    */
+   ImmediateInterruptOK = false;
   ... some catalog access here ...

+   /* Re-enable immediate response to SIGTERM/SIGINT/timeout interrupts */
+   ImmediateInterruptOK = true;
+   /* And don't forget to detect one that already arrived */
+   CHECK_FOR_INTERRUPTS();

In 6647248e you got rid of nine of these ten lines, leaving something
that's both pointless and undocumented.  There are more than enough
CHECK_FOR_INTERRUPTS calls already in the auth code; there's not a
reason to expend code space on one here.  (If MD5 ran long enough to
be worth interrupting, there would be an argument for a check inside
its hashing loop, but that still wouldn't be this check.)
        regards, tom lane

On Wed, Dec 30, 2015 at 10:18:35AM -0500, Tom Lane wrote:
> Andres Freund <andres@anarazel.de> writes:
> > On 2015-12-29 11:07:26 -0500, Tom Lane wrote:
> >> In passing, the patch gets rid of a vestigial CHECK_FOR_INTERRUPTS()
> >> call; it was added by e710b65c and IMO should have been removed again
> >> by 6647248e.  There's certainly no very good reason to have one right
> >> at that spot anymore.
> 
> > Why? Doesn't seem like the worst place for an explicit interrupt check?
> > I think we don't really have a problem with too many such checks... We
> > surely could move it, but I don't really see how it's related to the
> > topic at hand nor do I think it's really worth pondering about
> > extensively.

Agreed.

> The only reason there was one there at all was that e710b65c added
> code like this:
> 
> +   /*
> +    * Disable immediate interrupts while doing database access.  (Note
> +    * we don't bother to turn this back on if we hit one of the failure
> +    * conditions, since we can expect we'll just exit right away anyway.)
> +    */
> +   ImmediateInterruptOK = false;
> 
>     ... some catalog access here ...
> 
> +   /* Re-enable immediate response to SIGTERM/SIGINT/timeout interrupts */
> +   ImmediateInterruptOK = true;
> +   /* And don't forget to detect one that already arrived */
> +   CHECK_FOR_INTERRUPTS();
> 
> In 6647248e you got rid of nine of these ten lines, leaving something
> that's both pointless and undocumented.  There are more than enough
> CHECK_FOR_INTERRUPTS calls already in the auth code; there's not a
> reason to expend code space on one here.  (If MD5 ran long enough to
> be worth interrupting, there would be an argument for a check inside
> its hashing loop, but that still wouldn't be this check.)

I see no general benefit from being parsimonious with CHECK_FOR_INTERRUPTS
calls or documenting them.  As you explain, it's probably fine to remove the
two calls that commit e710b65 had added.  However, the sole connection to
$SUBJECT is one of those two calls sharing a screenful with lines $SUBJECT
changed.  The removal, if worthwhile, is worth a freestanding patch.
Squashing the changes makes both topics harder to review.

nm

<br /><br /><div class="gmail_quote">Em 31 de dezembro de 2015 04:56:55 BRST, Noah Misch <noah@leadboat.com>
escreveu:<blockquoteclass="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left:1ex;"><pre class="k9mail">On Wed, Dec 30, 2015 at 10:18:35AM -0500, Tom Lane wrote:<br /><blockquote
class="gmail_quote"style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> Andres Freund
<andres@anarazel.de>writes:<br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left:
1pxsolid #ad7fa8; padding-left: 1ex;"> On 2015-12-29 11:07:26 -0500, Tom Lane wrote:<br /><blockquote
class="gmail_quote"style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;"> In passing,
thepatch gets rid of a vestigial CHECK_FOR_INTERRUPTS()<br /> call; it was added by e710b65c and IMO should have been
removedagain<br /> by 6647248e.  There's certainly no very good reason to have one right<br /> at that spot anymore.<br
/></blockquote></blockquote><br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px
solid#ad7fa8; padding-left: 1ex;"> Why? Doesn't seem like the worst place for an
 
explicit interrupt check?<br /> I think we don't really have a problem with too many such checks... We<br /> surely
couldmove it, but I don't really see how it's related to the<br /> topic at hand nor do I think it's really worth
ponderingabout<br /> extensively.<br /></blockquote></blockquote><br />Agreed.<br /><br /><blockquote
class="gmail_quote"style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> The only
reasonthere was one there at all was that e710b65c added<br /> code like this:<br /> <br /> +   /*<br /> +    * Disable
immediateinterrupts while doing database access.  (Note<br /> +    * we don't bother to turn this back on if we hit one
ofthe failure<br /> +    * conditions, since we can expect we'll just exit right away anyway.)<br /> +    */<br /> +
ImmediateInterruptOK= false;<br /> <br />     ... some catalog access here ...<br /> <br /> +   /* Re-enable immediate
responseto SIGTERM/SIGINT/timeout interrupts */<br /> +  
 
ImmediateInterruptOK = true;<br /> +   /* And don't forget to detect one that already arrived */<br /> +
CHECK_FOR_INTERRUPTS();<br/> <br /> In 6647248e you got rid of nine of these ten lines, leaving something<br /> that's
bothpointless and undocumented.  There are more than enough<br /> CHECK_FOR_INTERRUPTS calls already in the auth code;
there'snot a<br /> reason to expend code space on one here.  (If MD5 ran long enough to<br /> be worth interrupting,
therewould be an argument for a check inside<br /> its hashing loop, but that still wouldn't be this check.)<br
/></blockquote><br/>I see no general benefit from being parsimonious with CHECK_FOR_INTERRUPTS<br />calls or
documentingthem.  As you explain, it's probably fine to remove the<br />two calls that commit e710b65 had added.
However,the sole connection to<br />$SUBJECT is one of those two calls sharing a screenful with lines $SUBJECT<br
/>changed. The removal, if worthwhile, is worth a freestanding patch.<br />Squashing the changes makes both topics
harderto review.<br /><br />nm<br /><br /></pre></blockquote></div><br /> -- <br /> Sent from my Android device with
K-9Mail. Please excuse my brevity. 

On Thu, Dec 31, 2015 at 11:09 AM, Edson - Amplosoft Software
<edson@openmailbox.org> wrote:
> [ quote of an existing message in its entirety ]
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

Yes, that was extremely brief.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company