Bug 1078196
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [AAA] Proper audit log handling for expired account | | |
| Product | Red Hat Enterprise Virtualization Manager | Reporter | Jiri Belka <jbelka> |
| Component | ovirt-engine | Assignee | Yair Zaslavsky <yzaslavs> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Ondra Machacek <omachace> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | 3.4.0 | CC | alonbl, bazulay, gklein, iheim, lpeer, oourfali, pstehlik, rbalakri, Rhev-m-bugs, yeylon |
| Target Milestone | --- | | |
| Target Release | 3.5.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | infra | | |
| Fixed In Version | org.ovirt.engine-root-3.5.0-15 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2015-02-11 20:52:35 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | Infra | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1076964, 1156162 | | |
Description

Jiri Belka, 2014-03-19 11:26:50 UTC

Alon, is there any standard on expired accounts? Or is it AD only?

This is already handled in the new ldap implementation as a message to the user. Not sure why it is interesting in the audit context; even at the new accounting interface I planned to map this into PRINCIPAL_LOGIN_LOCKED as it is not important why.

Yair, make sure you map account locked into:

PRINCIPAL_LOGIN_LOCKED

and that PRINCIPAL_LOGIN_CREDENTIALS is only if credentials are incorrect.

So we actually need to go over all acct mapping.

(In reply to Alon Bar-Lev from comment #3)
> yair, make sure you map account locked into:
>
> PRINCIPAL_LOGIN_LOCKED
>
> and that PRINCIPAL_LOGIN_CREDENTIALS is only if credentials are incorrect.
>
> so we actually need to go over all acct mapping

Alon, shouldn't account expired be differentiated from account locked? We have the differentiation at Authn.java already, so why did you mention account locked if the bug is about account expired?

(In reply to Yair Zaslavsky from comment #4)
> (In reply to Alon Bar-Lev from comment #3)
> > yair, make sure you map account locked into:
> >
> > PRINCIPAL_LOGIN_LOCKED
> >
> > and that PRINCIPAL_LOGIN_CREDENTIALS is only if credentials are incorrect.
> >
> > so we actually need to go over all acct mapping
>
> Alon, shouldn't account expired be differentiated from account locked?
> We have the differentiation at Authn.java already, so why did you mention
> account locked if the bug is about account expired?

As far as I remember the mapping between authn result and audit log is incomplete.

```
$ ldapsearch -LLL -x -h ad-w2k12r2.rhev.lab.eng.brq.redhat.com -p 389 -D Administrator.lab.eng.brq.redhat.com -W -b 'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "cn=vdcexpadmin"
dn: CN=vdcexpadmin,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: vdcexpadmin
givenName: vdcexpadmin
distinguishedName: CN=vdcexpadmin,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
...
accountExpires: 125912412000000000
....
```

125912412000000000 = Sat, 01 Jan 2000 23:00:00 GMT

```
$ ldapsearch -LLL -x -h ad-w2k12r2.rhev.lab.eng.brq.redhat.com -p 389 -D vdcexpadmin.lab.eng.brq.redhat.com -W -b 'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "cn=vdcexpadmin"
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 701, v2580
```

701 means account expired.

When I log in as user vdcexpadmin into the user portal, this is in the audit log (`select * from audit_log order by log_time DESC;`, single row shown column by column; columns not listed are empty):

```
audit_log_id       | 1301
user_id            | 00000000-0000-0000-0000-000000000000
user_name          | vdcexpadmin
vm_id              | 00000000-0000-0000-0000-000000000000
log_time           | 2014-10-22 11:07:28.892+02
log_type_name      | USER_VDC_LOGIN_FAILED
log_type           | 114
severity           | 2
message            | User vdcexpadmin failed to log in.
processed          | f
vds_group_id       | 00000000-0000-0000-0000-000000000000
gluster_volume_id  | 00000000-0000-0000-0000-000000000000
origin             | oVirt
custom_event_id    | -1
event_flood_in_sec | 30
deleted            | f
```

Alon, is the 701 error code mapped correctly at the generic ldap provider?

At login I get: "Cannot Login. User Account has expired, Please contact your system administrator."

In the database I get:

```
$ PGPASSWORD="engine" psql -U engine -d engine -c "select audit_log_id, message from audit_log order by log_time DESC;" | head -n 10
 audit_log_id |                                      message
--------------+-----------------------------------------------------------------------------------
           69 | User vdcexpadmin failed to log in.
           68 | The account for vdcexpadmin got expired. Please contact the system administrator.
```

Oh sorry, I tested it with an old package.

Now correct:

```
engine=# select audit_log_id, message from audit_log order by log_time DESC LIMIT 2;
 audit_log_id |                                      message
--------------+-----------------------------------------------------------------------------------
            9 | User vdcexpadmin failed to log in.
            8 | The account for vdcexpadmin got expired. Please contact the system administrator.
```
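The two conversions the thread relies on, worked through as an added example (this is not code from the bug, from ovirt-engine or from its LDAP provider): turning the AD `accountExpires` value into a date, and classifying the hex `data NNN` sub-code that AD appends to a bind failure so that "expired", "locked" and "bad credentials" are recorded as distinct audit outcomes instead of one generic login failure. PRINCIPAL_LOGIN_LOCKED and PRINCIPAL_LOGIN_CREDENTIALS are the names used in the thread; every other outcome label below is a placeholder chosen for this example, and the diagnostic strings are constructed from the one quoted above.

```python
"""Added example: AD accountExpires decoding and bind-failure classification.

Outcome labels other than PRINCIPAL_LOGIN_LOCKED and PRINCIPAL_LOGIN_CREDENTIALS
are placeholders for this example, not oVirt's audit event names.
"""
import re
from datetime import datetime, timedelta, timezone

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# AD uses both of these to mean "never expires".
_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def account_expires_to_datetime(value):
    """Return the expiry as an aware UTC datetime, or None when the account never expires."""
    value = int(value)
    if value in _NEVER_EXPIRES:
        return None
    # 10 ticks per microsecond; timedelta does the day/second split exactly.
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def is_expired(value, now=None):
    """True when the stored expiry instant lies at or before `now` (default: current UTC time)."""
    expiry = account_expires_to_datetime(value)
    if expiry is None:
        return False
    now = now or datetime.now(timezone.utc)
    return expiry <= now


# Sub-codes AD places after "AcceptSecurityContext error, data <hex>" on bind failure.
# Each is mapped to the audit outcome the login failure should be logged under.
_AD_DATA_CODES = {
    0x525: ("NO_SUCH_USER", "user not found"),
    0x52E: ("PRINCIPAL_LOGIN_CREDENTIALS", "invalid credentials"),
    0x530: ("LOGON_HOURS", "logon outside permitted hours"),
    0x531: ("WORKSTATION_RESTRICTION", "logon not permitted from this workstation"),
    0x532: ("PASSWORD_EXPIRED", "password expired"),
    0x533: ("ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ACCOUNT_EXPIRED", "account expired"),
    0x773: ("PASSWORD_MUST_CHANGE", "password must be changed"),
    0x775: ("PRINCIPAL_LOGIN_LOCKED", "account locked out"),
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_failure(diagnostic):
    """Map an AD bind diagnostic string to (audit_outcome, reason).

    Unknown or missing codes fall back to the generic credentials outcome so the
    audit trail never claims more than the directory actually said.
    """
    match = _DATA_RE.search(diagnostic)
    if not match:
        return ("PRINCIPAL_LOGIN_CREDENTIALS", "unrecognised failure")
    code = int(match.group(1), 16)
    return _AD_DATA_CODES.get(code, ("PRINCIPAL_LOGIN_CREDENTIALS", "unrecognised code 0x%x" % code))


if __name__ == "__main__":
    # The value from the ldapsearch output above.
    print(account_expires_to_datetime(125912412000000000))
    # Constructed from the bind error quoted above (data 701).
    print(classify_bind_failure(
        "80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 701, v2580"))
```

Keeping the detailed outcome in the audit log while showing the end user only what the thread's fixed message shows ("account expired, contact your administrator") is the usual split: the administrator needs the exact reason to act, while a generic user-facing message avoids leaking whether an account exists or why it was refused.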