Bug 1059550

Summary: Proper audit log handling should be added for various login failures
Product: [Retired] oVirt Reporter: Yair Zaslavsky <yzaslavs>
Component: ovirt-engine-coreAssignee: Martin Perina <mperina>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.4CC: acathrow, bazulay, gklein, iheim, jbelka, knesenko, oourfali, yeylon
Target Milestone: ---   
Target Release: 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: ovirt-3.4.0-ga Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-31 12:26:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
engine.log, server.log none

Description Yair Zaslavsky 2014-01-30 06:54:18 UTC 
Description of problem:

Currently, the audit log is not informative enough on why an authentication failure has occurred. For some cases the audit log does provide information - such as password expiration. But in other cases, the audit log is not informative.

see AuthenticationResult.java -
It has two CTORs - one that defines the audit log type, and one that doesn't.
for most enum literals (for example - CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE ) there is no audit log type defined.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Itamar Heim 2014-02-02 08:16:55 UTC 
Setting target release to current version for consideration and review. please
do not push non-RFE bugs to an undefined target release to make sure bugs are
reviewed for relevancy, fix, closure, etc.
Comment 2 Martin Perina 2014-03-03 11:41:58 UTC 
Too much automation, merged only to master.
Comment 3 Martin Perina 2014-03-12 13:26:07 UTC 
Included in oVirt 3.4.0 RC2
Comment 4 Jiri Belka 2014-03-19 10:38:54 UTC 
This should be in av3 but I don't see any difference while putting bad password and putting unknown user. FYI QE is verifying using downstream only.

rhevm-backend-3.4.0-0.5.master.el6ev.noarch

2014-03-19 11:33:56,389 INFO  [org.ovirt.engine.core.bll.LoginBaseCommand] (ajp-/127.0.0.1:8702-7) Cant login user "admin" with authentication profile "internal" because the authentication failed.
2014-03-19 11:33:56,390 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-7) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

2014-03-19 11:34:05,785 INFO  [org.ovirt.engine.core.bll.LoginBaseCommand] (ajp-/127.0.0.1:8702-8) Cant login user "foobar" with authentication profile "internal" because the authentication failed.
2014-03-19 11:34:05,786 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-8) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Surprisingly my last record from autid_log table is:

                   |                  |                                      |                                            | 2014-03-18 15:27:37.422+01 | DWH_ERROR                                                       |     9704 |        2 | ETL service sampling has encountered an error. Please consult the service log for more details.                                                                                  | t         |                                      |                   |                                      |                     |                                      |                |                |                                      |          |            |                                      |                     | oVirt  |              -1 |                 30 |             | f       |
Comment 5 Jiri Belka 2014-03-19 10:39:19 UTC 
Created attachment 876302 [details]
engine.log, server.log
Comment 6 Martin Perina 2014-03-19 10:56:31 UTC 
Different audit log errors are displayed only for LDAP users since they are bound to Kerberos error codes.
Comment 7 Jiri Belka 2014-03-19 11:13:51 UTC 
ok, av3.

                              |                     | oVirt  |              -1 |                 30 |             | f       | 
         1359 | 00000000-0000-0000-0000-000000000000 | vdcexppwd.LAB.ENG.BRQ.REDHAT.COM   | 00000000-0000-0000-0000-000000000000 |         |                  
                    |                  |                                      |                                            | 2014-03-19 12:00:16.533+01 | USER_ACCOUNT_PASSWOR
D_EXPIRED                                   |     1101 |        2 | User vdcexppwd.LAB.ENG.BRQ.REDHAT.COM cannot login, as the user account password has expir
ed. Please contact the system administrator.                           | t         |                                      |                   |                               
       |                     | 00000000-0000-0000-0000-000000000000 |                |                |                                      |          |            | 0000000
0-0000-0000-0000-000000000000 |                     | oVirt  |              -1 |                 30 |             | f       | 
         1358 | 00000000-0000-0000-0000-000000000000 | vdcdisabled.LAB.ENG.BRQ.REDHAT.COM | 00000000-0000-0000-0000-000000000000 |         |                  
                    |                  |                                      |                                            | 2014-03-19 11:58:43.29+01  | USER_ACCOUNT_DISABLE
D_OR_LOCKED                                 |     1100 |        2 | User vdcdisabled.LAB.ENG.BRQ.REDHAT.COM cannot login, as it got disabled or locked. Please
 contact the system administrator.

         1355 | 00000000-0000-0000-0000-000000000000 | ad-w2k12r2.LAB.ENG.BRQ.REDHAT.COM  | 00000000-0000-0000-0000-000000000000 |         |                  
                    |                  |                                      |                                            | 2014-03-19 11:54:33.021+01 | AUTH_FAILED_INVALID_
CREDENTIALS                                 |     1172 |        2 | User ad-w2k12r2.LAB.ENG.BRQ.REDHAT.COM cannot login, please verify the username and passwo
rd.                                                                    | t         |                                      |                   |                               
       |                     | 00000000-0000-0000-0000-000000000000 |                |                |                                      |          |            | 0000000
0-0000-0000-0000-000000000000 |                     | oVirt  |              -1 |                 30 |             | f       | 
         1354 | 00000000-0000-0000-0000-000000000000 | foobar.LAB.ENG.BRQ.REDHAT.COM      | 00000000-0000-0000-0000-000000000000 |         |                  
                    |                  |                                      |                                            | 2014-03-19 11:53:20.627+01 | AUTH_FAILED_CLIENT_N
OT_FOUND_IN_KERBEROS_DATABASE               |     1183 |        2 | User foobar.LAB.ENG.BRQ.REDHAT.COM cannot login, user was not found in domain. Please cont
act the system administrator.
Comment 8 Sandro Bonazzola 2014-03-31 12:26:14 UTC 
this is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released