746003 - use metlog for CEF logging of auth failures in mozsvc

Status: VERIFIED WONTFIX

(Cloud Services Graveyard :: Server: Sync, defect)

Description

[Toby Elliott [:telliott]]

There aren't a lot of points that the sync/aitc server needs to do security logging - most of those are now in the purview of BID. However, I suspect that submitting a token with a bad signature (as opposed to an expired one) should raise a flag somewhere.

We will need to continue to support CEF through metlog in some fashion, so that gives us a good single point to do some poking at.

Comment 1

[Ryan Kelly [:rfkelly]]

This will be simple to add into mozsvc once Bug 753117 lands.

Comment 2

[Ryan Kelly [:rfkelly]]

Attachment: patch to do cef logging on auth failure

This patch copies the approach taken in the old auth system, directly calling log_cef() when there is an auth failure.

:RaFromBRC what's the situation with CEF logging in metlog?  Should I modify this patch to call into metlog, or leave it as-is for now and rework it for metlog in a later version?

Comment 3

[Ryan Kelly [:rfkelly]]

Initial patch committed in https://github.com/mozilla-services/mozservices/commit/d621720a8f933201ab1f01fabe889f6e4e27dbfe

I'm morphing this into a "do CEF logging through metlog" bug since that seems like the logical next step.

Comment 4

[Ryan Kelly [:rfkelly]]

Adding Bug 784926 as a dependency, because I'll just copy whatever plugin-loading approach we take there.

Comment 5

[Ryan Kelly [:rfkelly]]

s/metlog/heka/g so we don't need this any longer

Comment 6

[James Bonacci [:jbonacci]]

+1 for heka