Description of problem:
Currently, the audit log is not informative enough on why an authentication failure has occurred. For some cases the audit log does provide information, such as password expiration. But in other cases, the audit log is not informative. See AuthenticationResult.java: it has two CTORs, one that defines the audit log type, and one that doesn't. For most enum literals (for example, CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE) there is no audit log type defined.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Setting target release to current version for consideration and review. Please do not push non-RFE bugs to an undefined target release to make sure bugs are reviewed for relevancy, fix, closure, etc.
Too much automation, merged only to master.
Included in oVirt 3.4.0 RC2
This should be in av3 but I don't see any difference while putting bad password and putting unknown user. FYI QE is verifying using downstream only.

rhevm-backend-3.4.0-0.5.master.el6ev.noarch

2014-03-19 11:33:56,389 INFO [org.ovirt.engine.core.bll.LoginBaseCommand] (ajp-/127.0.0.1:8702-7) Cant login user "admin" with authentication profile "internal" because the authentication failed.
2014-03-19 11:33:56,390 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-7) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
2014-03-19 11:34:05,785 INFO [org.ovirt.engine.core.bll.LoginBaseCommand] (ajp-/127.0.0.1:8702-8) Cant login user "foobar" with authentication profile "internal" because the authentication failed.
2014-03-19 11:34:05,786 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-8) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Surprisingly my last record from audit_log table is:

| | | | 2014-03-18 15:27:37.422+01 | DWH_ERROR | 9704 | 2 | ETL service sampling has encountered an error. Please consult the service log for more details. | t | | | | | | | | | | | | | oVirt | -1 | 30 | | f |
Created attachment 876302: engine.log, server.log
Different audit log errors are displayed only for LDAP users since they are bound to Kerberos error codes.
ok, av3.

| | oVirt | -1 | 30 | | f |
1359 | 00000000-0000-0000-0000-000000000000 | vdcexppwd.LAB.ENG.BRQ.REDHAT.COM | 00000000-0000-0000-0000-000000000000 | | | | | | 2014-03-19 12:00:16.533+01 | USER_ACCOUNT_PASSWORD_EXPIRED | 1101 | 2 | User vdcexppwd.LAB.ENG.BRQ.REDHAT.COM cannot login, as the user account password has expired. Please contact the system administrator. | t | | | | | 00000000-0000-0000-0000-000000000000 | | | | | | 00000000-0000-0000-0000-000000000000 | | oVirt | -1 | 30 | | f |
1358 | 00000000-0000-0000-0000-000000000000 | vdcdisabled.LAB.ENG.BRQ.REDHAT.COM | 00000000-0000-0000-0000-000000000000 | | | | | | 2014-03-19 11:58:43.29+01 | USER_ACCOUNT_DISABLED_OR_LOCKED | 1100 | 2 | User vdcdisabled.LAB.ENG.BRQ.REDHAT.COM cannot login, as it got disabled or locked. Please contact the system administrator.
1355 | 00000000-0000-0000-0000-000000000000 | ad-w2k12r2.LAB.ENG.BRQ.REDHAT.COM | 00000000-0000-0000-0000-000000000000 | | | | | | 2014-03-19 11:54:33.021+01 | AUTH_FAILED_INVALID_CREDENTIALS | 1172 | 2 | User ad-w2k12r2.LAB.ENG.BRQ.REDHAT.COM cannot login, please verify the username and password. | t | | | | | 00000000-0000-0000-0000-000000000000 | | | | | | 00000000-0000-0000-0000-000000000000 | | oVirt | -1 | 30 | | f |
1354 | 00000000-0000-0000-0000-000000000000 | foobar.LAB.ENG.BRQ.REDHAT.COM | 00000000-0000-0000-0000-000000000000 | | | | | | 2014-03-19 11:53:20.627+01 | AUTH_FAILED_CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE | 1183 | 2 | User foobar.LAB.ENG.BRQ.REDHAT.COM cannot login, user was not found in domain. Please contact the system administrator.
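Added example (not part of the bug comments and not oVirt code): a small Python parser that groups audit_log rows in the pipe-separated layout shown above by failure reason, so unknown-user attempts can be told apart from wrong passwords and locked or expired accounts. The sample rows are constructed, and treating the third column as the user name is an assumption taken from the rows in this thread.

```python
from collections import defaultdict

# Audit log type names and numeric codes as they appear in the rows quoted
# in this thread.
AUTH_FAILURE_TYPES = {
    "USER_ACCOUNT_DISABLED_OR_LOCKED": 1100,
    "USER_ACCOUNT_PASSWORD_EXPIRED": 1101,
    "AUTH_FAILED_INVALID_CREDENTIALS": 1172,
    "AUTH_FAILED_CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE": 1183,
}

ZERO = "00000000-0000-0000-0000-000000000000"


def _row(row_id, user, when, type_name, code):
    """Build a constructed sample row (hypothetical helper, not real data)."""
    return (f"{row_id} | {ZERO} | {user} | {ZERO} | | | | | | {when} "
            f"| {type_name} | {code} | 2 | (message) | t |")


# Constructed sample input: users, ids and timestamps are made up.
SAMPLE_ROWS = [
    _row(2001, "nosuchuser.EXAMPLE.TEST", "2014-03-19 11:53:20+01",
         "AUTH_FAILED_CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE", 1183),
    _row(2002, "alice.EXAMPLE.TEST", "2014-03-19 11:54:33+01",
         "AUTH_FAILED_INVALID_CREDENTIALS", 1172),
    _row(2003, "bob.EXAMPLE.TEST", "2014-03-19 11:58:43+01",
         "USER_ACCOUNT_DISABLED_OR_LOCKED", 1100),
    _row(2004, "", "2014-03-18 15:27:37+01", "DWH_ERROR", 9704),
]


def parse_auth_failure(row):
    """Return (log_time, user, type_name) for an auth-failure row, else None."""
    fields = [f.strip() for f in row.split("|")]
    for i, name in enumerate(fields):
        if name in AUTH_FAILURE_TYPES and i >= 3 and i + 1 < len(fields):
            # Require the matching numeric code in the next column, so a
            # message or name that equals a type name is not misread.
            if fields[i + 1] == str(AUTH_FAILURE_TYPES[name]):
                return fields[i - 1], fields[2], name
    return None


def failures_by_reason(rows):
    """Group user names by failure reason, skipping non-authentication rows."""
    grouped = defaultdict(list)
    for row in rows:
        hit = parse_auth_failure(row)
        if hit:
            grouped[hit[2]].append(hit[1])
    return dict(grouped)
```
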
This is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released.