Log the initial line of authentication and login errors at warn level

The generic 401 error response from authenticators (specifically authn-k8s) can have a variety of root causes, some of them not directly related to the authentication credentials themselves, but rather issues with the authenticator configuration. This change improves the ability for a Conjur operator to quickly pinpoint the cause for an authentication failure, without changing log levels and restarting the Conjur process/container.
cyberark · Feb 28, 2020 · b15d2c3 · b15d2c3
1 parent 34ae4fd
commit b15d2c3
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Changed
 - Improved flows and rules around user creation
 - Kubernetes authenticator now returns 403 on unpermitted hosts instead of a 401
+- Authenticator will now log initial authentication failure reason at the `warn`
+ level rather than `debug`. Full stack trace is still available at `debug` level.
 
 ### Fixed
 - Updated broken links on server status page (#1341)

diff --git a/app/controllers/authenticate_controller.rb b/app/controllers/authenticate_controller.rb
@@ -125,7 +125,7 @@ def k8s_inject_client_cert
  private
 
  def handle_login_error(err)
- logger.debug("Login Error: #{err.inspect}")
+ logger.warn("Login Error: #{err.inspect}")
  err.backtrace.each do |line|
  logger.debug(line)
  end
@@ -141,7 +141,7 @@ def handle_login_error(err)
  end
 
  def handle_authentication_error(err)
- logger.debug("Authentication Error: #{err.inspect}")
+ logger.warn("Authentication Error: #{err.inspect}")
  err.backtrace.each do |line|
  logger.debug(line)
  end