Bug 64724

Summary: Enhance log message about dbdgroup_check_authorization
Product: Apache httpd-2
Reporter: Bingyu Shen <byshen>
Component: mod_authz_dbd
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal Keywords: PatchAvailable
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Mac OS X 10.1   
Attachments: Enhance log message for dbdgroup_check_authorization function

Description Bingyu Shen 2020-09-08 19:46:25 UTC
Created attachment 37436
Enhance log message for dbdgroup_check_authorization function

Currently, the dbdgroup_check_authorization() function simply returns AUTHZ_DENIED for group check authorization failures.
At the default log level, the log message only shows the general error "client denied by server configuration: xxxx".

It would be great to explicitly let the user know in the log message that the group check failed, just like what we did in authz_dbd_login() when login/logout fails. It will not add much overhead, since authz failures happen rarely but take a long time to troubleshoot.

I added a log message as follows (also filed as a patch in the attachment):

+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+                  "authz_dbd authorize: Authorization of user %s to access %s failed, reason: "
+                  "user is not part of the 'require'ed dbd-group(s).",
+                  r->user, r->uri);

     return AUTHZ_DENIED;
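
Review bot: APLOG_ERR on the new ap_log_rerror() call just before return AUTHZ_DENIED means every denied request writes an error-level line, and both r->user and r->uri in that line come from the request, so a client that keeps hitting a resource it is not authorized for controls how much error-level output is produced. Consider whether a lower level still meets the troubleshooting goal, and confirm r->user cannot be NULL on this path before passing it to %s. The empty APLOGNO() also needs a message number assigned before commit.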


Any feedback is appreciated!