Epic: Logs should contain login/logout and login failure details
Resolution: Done
Priority: Major
OCPPLAN-5714 - Auth and API Improvements
0% To Do, 0% In Progress, 100% Done
Summary (PM+lead)
Configure audit logging to capture login, logout and login failure details
Motivation (PM+lead)
TODO(PM): update this
A customer needs login, logout and login failure details inside the OpenShift Container Platform.
I have checked for this on my test cluster, but the audit logs do not contain any user name specifying login or logout details. For successful logins or logouts, on the CLI and the OpenShift console as well, we can see 'Login successful' or 'Invalid credentials'.
Expected results: Login, logout and login failures should be captured in audit logging.
Goals (lead)
- Login, logout and login failures should be captured in audit logs.
Non-Goals (lead)
- Don't attempt to log login failures in the IdP login flow that go beyond the timeout if the information is not available in explicit oauth-server requests (e.g. a GitHub password login error).
- Logout does not involve oauth-server (it is a simple API object deletion in oauth-apiserver). Hence, the audit log discussed here won't include logouts.
Deliverables
- Changes to oauth-server to log into /var/log/oauth-server/audit.log on the master node.
- Documentation
Proposal (lead)
The apiserver pods today have `/var/log/<kube|oauth|openshift>-apiserver` mounted from the host and create audit files there using the upstream audit event format (JSON lines following https://github.com/kubernetes/apiserver/blob/92392ef22153d75b3645b0ae339f89c12767fb52/pkg/apis/audit/v1/types.go#L72). These events are apiserver specific, but since oauth authentication flow events are also requests, we can use the apiserver event format to log logins, login failures and logouts. Hence, we propose to make oauth-server create /var/log/oauth-server/audit.log files on the master nodes using that format.
When the login flow does not finish within a certain time (e.g. 10 min), we can artificially create an event to show a login failure in the audit logs.
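As an added illustration of the proposal (not code from oauth-server or from this epic), the Go sketch below renders a password login attempt in the upstream audit/v1 event layout and reads such JSON lines back to count failed logins per source IP; the /login request URI, the 200/401 status codes and the hand-copied Event subset are assumptions, not the project's implementation.

```go
package main

import (
	"encoding/json"
	"time"
)

// Event is a hand-written subset of the upstream audit.k8s.io/v1 Event (same JSON tags); it is not an import of k8s.io/apiserver.
type Event struct {
	Kind           string    `json:"kind"`
	APIVersion     string    `json:"apiVersion"`
	AuditID        string    `json:"auditID"`
	Stage          string    `json:"stage"`
	RequestURI     string    `json:"requestURI"`
	User           UserInfo  `json:"user"`
	SourceIPs      []string  `json:"sourceIPs,omitempty"`
	ResponseStatus *Status   `json:"responseStatus,omitempty"`
	StageTimestamp time.Time `json:"stageTimestamp"`
}
type UserInfo struct{ Username string `json:"username"` }
type Status struct{ Code int `json:"code"`; Message string `json:"message,omitempty"` }

// LoginEvent renders one password-login attempt (assumed endpoint /login) as a single
// ResponseComplete event; 401 marks a failed attempt, 200 a successful one (assumed codes).
func LoginEvent(id, user, ip string, ok bool, at time.Time) Event {
	st := &Status{Code: 200, Message: "Login successful"}
	if !ok {
		st = &Status{Code: 401, Message: "Invalid credentials"}
	}
	return Event{Kind: "Event", APIVersion: "audit.k8s.io/v1", AuditID: id,
		Stage: "ResponseComplete", RequestURI: "/login", User: UserInfo{user},
		SourceIPs: []string{ip}, ResponseStatus: st, StageTimestamp: at}
}

// FailedLoginsByIP parses audit.log lines (one JSON event per line) and counts 401 login responses per source IP.
func FailedLoginsByIP(lines []string) (map[string]int, error) {
	counts := map[string]int{}
	for _, line := range lines {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, err // a malformed line is reported rather than silently skipped
		}
		if ev.RequestURI == "/login" && ev.ResponseStatus != nil && ev.ResponseStatus.Code == 401 {
			for _, ip := range ev.SourceIPs {
				counts[ip]++
			}
		}
	}
	return counts, nil
}
```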
User Stories (PM)
Dependencies (internal and external, lead)
Previous Work (lead)
Open questions (lead)
- ...
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- is related to
  - RFE-1744 Request source ip for logins in debug log of authentication pods (Accepted)
  - OBSDA-344 Audit log forwarding produces excessive data, configuration for prefiltering is needed (Closed)
- relates to
  - AUTH-114 Update OEP for Audit Output Spec (Closed)
  - AUTH-110 Verify that the API change we introduced can stay (Closed)
- links to