authorHÃ¥kon Hallingstad <hakon@verizonmedia.com>2020-01-06 10:44:52 +0100
committerGitHub <noreply@github.com>2020-01-06 10:44:52 +0100
commit85b4bec296463e1ff0d2391cfe7ff3f2d24a266a (patch)
treef4cff59376da83de5702f85f2f76dd9287231dee /configserver
parent5b94e1bb79433051a141549aef2c46517c55ba23 (diff)
parent24e0601dae6dd3843c8373d1861e1c6699264217 (diff)
Merge pull request #11638 from vespa-engine/bjorncs/configserver-authz-logging
Don't log warning when peer is not in host registry
Diffstat (limited to 'configserver')
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/AuthorizationException.java20
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java11
2 files changed, 26 insertions, 5 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/AuthorizationException.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/AuthorizationException.java
index 20435d96068..8b46a5b40fa 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/AuthorizationException.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/AuthorizationException.java
@@ -6,12 +6,28 @@ package com.yahoo.vespa.config.server.rpc.security;
*/
class AuthorizationException extends RuntimeException {
- AuthorizationException(String message) {
+ enum Type {WARN, SILENT}
+
+ private final Type type;
+
+ AuthorizationException(Type type, String message) {
super(message);
+ this.type = type;
}
- AuthorizationException(String message, Throwable cause) {
+ AuthorizationException(String message) {
+ this(Type.WARN, message);
+ }
+
+ AuthorizationException(Type type, String message, Throwable cause) {
super(message, cause);
+ this.type = type;
}
+
+ AuthorizationException(String message, Throwable cause) {
+ this(Type.WARN, message, cause);
+ }
+
+ Type type() { return type; }
}
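Review bot: The new `Type` enum and its constants `WARN` and `SILENT` carry no comment, so a reader of this class cannot tell that the value affects only logging and not the outcome of the authorization check. A short Javadoc on the enum would cover it, e.g. `/** Controls only how the failure is logged; the request is rejected in both cases. */`, with `SILENT` described as "no INFO line, still logged at DEBUG", which is what handleAuthorizationFailure in MultiTenantRpcAuthorizer.java does with it. Both new constructors also accept a null `type`, which the caller's `!= Type.SILENT` test would treat as `WARN`; `this.type = Objects.requireNonNull(type);` would make that explicit.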
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index d20f9ed1abc..8d17a32d102 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
@@ -31,6 +31,8 @@ import java.util.concurrent.Executors;
import java.util.function.BiConsumer;
import java.util.logging.Logger;
+import static com.yahoo.vespa.config.server.rpc.security.AuthorizationException.*;
+
/**
* A {@link RpcAuthorizer} that perform access control for configserver RPC methods when TLS and multi-tenant mode are enabled.
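Review bot: The wildcard static import on the added line pulls every static member of AuthorizationException into this file just to reach one nested enum, and the bare name `Type` it exposes says little at the call sites. Both classes are in the same package, so the import can be dropped and the two uses written as `AuthorizationException.Type.SILENT`. Alternatively, import only the nested type with `import com.yahoo.vespa.config.server.rpc.security.AuthorizationException.Type;`.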
@@ -110,7 +112,7 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
if (isConfigKeyForSentinelConfig(configKey)) {
return; // config processor will return empty sentinel config for unknown nodes
}
- throw new AuthorizationException(String.format("Host '%s' not found in host registry for [%s]", hostname, configKey));
+ throw new AuthorizationException(Type.SILENT, String.format("Host '%s' not found in host registry for [%s]", hostname, configKey));
}
RequestHandler tenantHandler = getTenantHandler(tenantName.get());
ApplicationId resolvedApplication = tenantHandler.resolveApplicationId(hostname);
@@ -151,10 +153,13 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
}
private void handleAuthorizationFailure(Request request, Throwable throwable) {
+ boolean isAuthorizationException = throwable instanceof AuthorizationException;
String errorMessage = String.format("For request '%s' from '%s': %s", request.methodName(), request.target().toString(), throwable.getMessage());
- log.log(LogLevel.INFO, errorMessage);
+ if (!isAuthorizationException || ((AuthorizationException) throwable).type() != Type.SILENT) {
+ log.log(LogLevel.INFO, errorMessage);
+ }
log.log(LogLevel.DEBUG, throwable, throwable::getMessage);
- JrtErrorCode error = throwable instanceof AuthorizationException ? JrtErrorCode.UNAUTHORIZED : JrtErrorCode.AUTHORIZATION_FAILED;
+ JrtErrorCode error = isAuthorizationException ? JrtErrorCode.UNAUTHORIZED : JrtErrorCode.AUTHORIZATION_FAILED;
request.setError(error.code, errorMessage);
request.returnRequest();
throwUnchecked(throwable); // rethrow exception to ensure that subsequent completion stages are not executed (don't execute implementation of rpc method).
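Review bot: With the new condition around `log.log(LogLevel.INFO, errorMessage)`, a denial tagged `Type.SILENT` leaves no record above DEBUG. Where DEBUG is not enabled, rejected requests from peers missing from the host registry (the throw changed in the hunk at line 112) are no longer visible to anyone monitoring authorization failures. If the aim is only to reduce log noise, keep a trace that does not grow with request volume, such as a denial counter or a rate-limited INFO line; neither is visible in this hunk, so confirm whether one exists elsewhere. At minimum, add a comment above the `if`, such as `// SILENT: skip the INFO line; the DEBUG line and the rejection below still apply`. The body of handleAuthorizationFailure continues past the end of the hunk.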