[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Logging of subrequest authorization checks in mod_dav_svn/mod_authz_svn

From: Ivan Zhakov <ivan_at_visualsvn.com>
Date: Mon, 19 Jan 2015 20:10:42 +0300

I've implemented proposed behavior in r1653032.

On 16 January 2015 at 22:52, C. Michael Pilato <cmpilato_at_collab.net> wrote:
[...]
>
> As for log levels, is there any reason to log the implicit read attempts
> at a level higher than "debug"? I have no opinion about the log level
> for the explicit ones.
>
Some audit tools may parse logs to collect information of all path
accessed by user. So I've decided to use INFO level for such implicit
attempts.

On 17 January 2015 at 00:45, Branko Čibej <brane_at_wandisco.com> wrote:
>> I have no opinion about the log level for the explicit ones.
>
> I believe a request for /private will return a 404 error, same as a
> request for a non-existent path. And IIRC these are normally logged at
> error level.
Agree, that what I implemented in r1653032.

On 18 January 2015 at 06:48, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> It would be nice if the the logged message should be different in that
> case, too. That is: there should be some indication, besides the
> different log level, that the subrequest-generated log event is
> "normal".
>
> That is, we don't want this:
>
> [debug] Access denied: /private
> [error] Access denied: /private
>
> But this:
>
> [debug] Hiding directory '/private' (Access denied)
> [error] Access denied: /private
>
> (Or some other log level instead of "debug" — I haven't thought about
> what log level would be appropriate.)
I agree that different log message would be nice to have, but there is
an issue: in mod_authz_svn we're not 100% sure that path will be
hidden. mod_authz_svn just answer the question whether access allowed
or not, but it doesn't know how this information will be used latter
at mod_dav_svn layer. May be different wording may fix this issue
though.

-- 
Ivan Zhakov
Received on 2015-01-19 18:12:16 CET

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.