Bug 2086465

Summary: External identity providers should log login attempts in the audit trail
Product: OpenShift Container Platform Reporter: Pierre Prinetti <pprinett>
Component: apiserver-auth Assignee: Pierre Prinetti <pprinett>
Status: CLOSED ERRATA QA Contact: Xingxing Xia <xxia>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.10 CC: mfojtik, surbania
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Feature: Include logins mediated by external identity providers in the login audit trail. Reason: Enable the inspection of successful, failed and errored login attempts when an external identity provider has been set up for OpenShift. Result: OpenShift's login audit trail contains successful, failed and errored login attempts to the OpenShift console when login is mediated by an external identity provider.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-10 11:12:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pierre Prinetti 2022-05-16 08:58:38 UTC
Description of problem:
Authentication mediated by external identity providers should be logged in the audit trail. When available, the internal mapping of the identity confirmed by the external identity provider should be attached to both successful and unsuccessful authentication events.

Version-Release number of selected component (if applicable):


How reproducible: 100%

Steps to Reproduce:
1. Set up GitHub external authentication[1]
2. Log in through GitHub
3. The audit trails should contain either an indication of success, or an indication of denial or failure[2]


[1]: https://docs.openshift.com/container-platform/4.10/authentication/identity_providers/configuring-github-identity-provider.html
[2]: for oauth_pod in $(oc -n openshift-authentication get pods -oname); do
oc rsh -n openshift-authentication "$oauth_pod" cat /var/log/oauth-server/audit.log
done

Actual results:
The audit log does not contain login information.

Expected results:
For each login attempt carried through an external identity provider, the audit log should contain an entry containing:
A. an annotation with key "authentication.openshift.io/decision" and a value of allow, or deny, or error;
B. possibly, an annotation with key "authentication.openshift.io/username" and a value of the OpenShift user the login attempt was targeting.


Additional info:
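As an added illustration (not part of the bug report), the following script shows how a defender could consume the audit entries this bug asks for: it reads oauth-server audit log lines, keeps only events carrying the "authentication.openshift.io/decision" annotation, tallies allow/deny/error per "authentication.openshift.io/username", and flags users with repeated denials. The sample lines are constructed to mimic audit.k8s.io/v1 events and are not real log output.

```python
"""Summarise external-IdP login decisions from oauth-server audit log lines."""
import json
from collections import Counter, defaultdict

DECISION_KEY = "authentication.openshift.io/decision"
USERNAME_KEY = "authentication.openshift.io/username"


def _event(decision=None, username=None, ip="10.0.0.5", code=302):
    """Build a constructed audit event line (shape only; not a real record)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
          "requestURI": "/oauth/authorize", "sourceIPs": [ip], "responseStatus": {"code": code}}
    if decision is not None:
        ev["annotations"] = {DECISION_KEY: decision, USERNAME_KEY: username}
    return json.dumps(ev)


# Constructed sample: two denials and one success for alice, one error for bob,
# one ordinary request without login annotations, and one malformed line.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("deny", "alice"), _event("deny", "alice"), _event("allow", "alice"),
    _event("error", "bob", ip="10.0.0.9", code=500),
    _event(),
    "{this line is truncated",
])


def parse_login_events(text):
    """Yield (decision, username, source_ip) for events that carry the decision annotation."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        annotations = event.get("annotations") or {}
        decision = annotations.get(DECISION_KEY)
        if decision is None:
            continue  # not a login attempt, e.g. a static asset or health request
        ips = event.get("sourceIPs") or []
        yield decision, annotations.get(USERNAME_KEY, "<unknown>"), ips[0] if ips else "<unknown>"


def summarise(text, deny_threshold=2):
    """Return per-user decision counts and the users at or above the deny threshold."""
    per_user = defaultdict(Counter)
    for decision, username, _ip in parse_login_events(text):
        per_user[username][decision] += 1
    flagged = sorted(u for u, c in per_user.items() if c["deny"] >= deny_threshold)
    return {u: dict(c) for u, c in per_user.items()}, flagged


if __name__ == "__main__":
    counts, flagged = summarise(SAMPLE_AUDIT_LOG)
    print(counts, "flagged:", flagged)
```

Pipe the output of the `oc rsh ... cat /var/log/oauth-server/audit.log` loop from step 3 into this script to run it against a real cluster.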

Comment 3 Xingxing Xia 2022-06-02 14:00:28 UTC
This bug is tested via https://issues.redhat.com/browse/AUTH-6 cases with google, github, gitlab openid, google openid, ldap, request header and basic auth IDPs; the annotations in the audit logs work well for successful and failed logins.

Comment 5 errata-xmlrpc 2022-08-10 11:12:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069