XML

Word

Printable

Details

Type: Epic
Resolution: Done
Priority: Major
Fix Version/s: openshift-4.11
Affects Version/s: None
Labels:
- tc-approved

Epic Name:
Logs should contain login/logout and login failure details
Color Status:
Green
Epic Status:
To Do
Feature Link:
OCPPLAN-5714 - Auth and API Improvements
Flagged:

Impediment
Hierarchy Progress:
100
Hierarchy Progress Bar:

100% 100%
Target Version:

openshift-4.11

SFDC Cases Links:
SFDC Cases Counter:

Description

Summary (PM+lead)

Configure audit logging to capture login, ~~logout~~ and login failure details

Motivation (PM+lead)

TODO(PM): update this

Customer who needs login, ~~logout~~ and login failure details inside the openshift container platform.
I have checked for this on my test cluster but the audit logs do not contain any user name specifying login or ~~logout~~ details. For successful logins or ~~logout~~, on CLI and openshift console as well we can see 'Login successful' or 'Invalid credentials'.

Expected results: Login, ~~logout~~ and login failures should be captured in audit logging.

Goals (lead)

Non-Goals (lead)

Don't attempt to log login failures in the IdP login flow that goes beyond timeout, if it the information is not available in explicit oauth-server requests (e.g. github password login error).
Logout does not involve oauth-server (but is a simple API object deletion in oauth-apiserver). Hence, the audit log discussed here won't include logout.

Deliverables

Changes to oauth-server to log into /varLog/oauth-server/audit.log on the master node.
Documentation

Proposal (lead)

The apiserver pods today have ´/var/log/<kube|oauth|openshift>-apiserver` mounted from the host and create audit files there using the upstream audit event format (JSON lines following https://github.com/kubernetes/apiserver/blob/92392ef22153d75b3645b0ae339f89c12767fb52/pkg/apis/audit/v1/types.go#L72). These events are apiserver specific, but as oauth authentication flow events are also requests, we can use the apiserver event format to log logins, login failures and logouts. Hence, we propose to make oauth-server to create /var/log/oauth-server/audit.log files on the master nodes using that format.

When the login flow does not finish within a certain time (e.g. 10min), we can artificially create an event to show a login failure in the audit logs.

User Stories (PM)

Dependencies (internal and external, lead)

Previous Work (lead)

Open questions (lead)

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

Attachments

Issue Links

is related to

RFE-1744 Request source ip for logins in debug log of authentication pods

Accepted

OBSDA-344 Audit log forwarding produces excessive data, configuration for prefiltering is needed

Closed

relates to

AUTH-114 Update OEP for Audit Output Spec

Closed

AUTH-110 Verify that the API change we introduced can stay

Closed

links to

openshift/api#1073: Revert "config/v1/types_oauth: add OAuthAudit"

openshift/oauth-server#106: AUTH-100: Add request header authn auditing

openshift/openshift-docs#45799: OSDOCS-2890: Updating for OAuth server audit logging

(2 links to)

Sub-Tasks

There are no Sub-Tasks for this issue.

Activity

People

Assignee:: Krzysztof Ostrowski

Reporter:: David Hernandez Fernandez

QA Contact:: Xingxing Xia

Votes:: 7 Vote for this issue

Watchers:: 37 Start watching this issue

Dates

Created:: 2020/01/27 12:42 AM

Updated:: 2024/03/25 6:45 PM

Resolved:: 2022/07/29 9:42 AM