Bug 1078196 - [AAA] Proper audit log handling for expired account
Summary: [AAA] Proper audit log handling for expired account
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 3.5.0
Assignee: Yair Zaslavsky
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On:
Blocks: oVirt-AAA-rewrite rhev3.5beta3
Reported: 2014-03-19 11:26 UTC by Jiri Belka
Modified: 2016-02-10 19:14 UTC
CC List: 10 users

Fixed In Version: org.ovirt.engine-root-3.5.0-15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-11 20:52:35 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Links
System        ID     Private  Priority          Status  Summary                                    Last Updated
oVirt gerrit  33992  0        None              None    None                                       Never
oVirt gerrit  34108  0        ovirt-engine-3.5  MERGED  aaa: Handle audit log of expired account   Never

Description Jiri Belka 2014-03-19 11:26:50 UTC
Description of problem:
BZ1059550 introduces better info about various login failures.

One can see an event in audit_log for an expired password, but not for an expired account.

expired passwd:

-[ RECORD 1 ]-------+-------------------------------------
audit_log_id        | 1359
user_id             | 00000000-0000-0000-0000-000000000000
user_name           | vdcexppwd.LAB.ENG.BRQ.REDHAT.COM
vm_id               | 00000000-0000-0000-0000-000000000000
vm_name             | 
vm_template_id      | 
vm_template_name    | 
vds_id              | 
vds_name            | 
log_time            | 2014-03-19 12:00:16.533+01
log_type_name       | USER_ACCOUNT_PASSWORD_EXPIRED
log_type            | 1101
severity            | 2
message             | User vdcexppwd.LAB.ENG.BRQ.REDHAT.COM cannot login, as the user account password has expired. Please contact the system administrator.
...

Nothing like this for an expired account. mperina@ checked the source code and there's nothing specific about expired accounts.


Version-Release number of selected component (if applicable):
rhevm-backend-3.4.0-0.5.master.el6ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. have an AD added into RHEVM env
2. have an AD user account with expired account
3. try to login with the user

Actual results:
nothing in audit_log table

Expected results:
Add the same as for an expired passwd.

Additional info:

Comment 1 Barak 2014-05-27 11:39:04 UTC
Alon - is there any standard on expired accounts? Or is it AD only?

Comment 2 Alon Bar-Lev 2014-05-27 11:47:07 UTC
This is already handled in the new LDAP implementation as a message to the user.

Not sure why it is interesting in the audit context; even in the new accounting interface I planned to map this into PRINCIPAL_LOGIN_LOCKED, as it is not important why.

Comment 3 Alon Bar-Lev 2014-06-11 14:11:55 UTC
Yair, make sure you map account locked into:

PRINCIPAL_LOGIN_LOCKED

and that PRINCIPAL_LOGIN_CREDENTIALS is used only if credentials are incorrect.

So we actually need to go over all the acct mapping.

Comment 4 Yair Zaslavsky 2014-10-10 09:17:17 UTC
(In reply to Alon Bar-Lev from comment #3)
> yair, make sure you map account locked into:
> 
> PRINCIPAL_LOGIN_LOCKED
> 
> and that PRINCIPAL_LOGIN_CREDENTIALS is only if credentials are incorrect.
> 
> so we actually need to go over all acct mapping

Alon, shouldn't account expired be differentiated from account locked?
We have the differentiation at Authn.java already, so why did you mention account locked if the bug is about account expired?

Comment 5 Alon Bar-Lev 2014-10-10 09:22:58 UTC
(In reply to Yair Zaslavsky from comment #4)
> (In reply to Alon Bar-Lev from comment #3)
> > yair, make sure you map account locked into:
> > 
> > PRINCIPAL_LOGIN_LOCKED
> > 
> > and that PRINCIPAL_LOGIN_CREDENTIALS is only if credentials are incorrect.
> > 
> > so we actually need to go over all acct mapping
> 
> Alon, shouldn't account expired be differentiated from account locked?
> We have the differentiation at Authn.java already, so why did you mention
> account locked if the bug is about account expired?

As far as I remember, the mapping between authn result and audit log is incomplete.

Comment 6 Ondra Machacek 2014-10-22 09:09:04 UTC
$ ldapsearch -LLL -x -h ad-w2k12r2.rhev.lab.eng.brq.redhat.com -p 389 -D Administrator.lab.eng.brq.redhat.com -W -b 'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "cn=vdcexpadmin"
dn: CN=vdcexpadmin,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redh
 at,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: vdcexpadmin
givenName: vdcexpadmin
distinguishedName: CN=vdcexpadmin,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng
 ,DC=brq,DC=redhat,DC=com
...
accountExpires: 125912412000000000
....

125912412000000000 = Sat, 01 Jan 2000 23:00:00 GMT

$ ldapsearch -LLL -x -h ad-w2k12r2.rhev.lab.eng.brq.redhat.com -p 389 -D vdcexpadmin.lab.eng.brq.redhat.com -W -b 'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "cn=vdcexpadmin"
ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 701, v2580

701 means the account has expired.

When I log in as user vdcexpadmin into the user portal, this is in the audit log:

engine=# select * from audit_log order by log_time DESC;
-[ RECORD 1 ]-------+-------------------------------------
audit_log_id        | 1301
user_id             | 00000000-0000-0000-0000-000000000000
user_name           | vdcexpadmin
vm_id               | 00000000-0000-0000-0000-000000000000
vm_name             | 
vm_template_id      | 
vm_template_name    | 
vds_id              | 
vds_name            | 
log_time            | 2014-10-22 11:07:28.892+02
log_type_name       | USER_VDC_LOGIN_FAILED
log_type            | 114
severity            | 2
message             | User vdcexpadmin failed to log in.
processed           | f
storage_pool_id     | 
storage_pool_name   | 
storage_domain_id   | 
storage_domain_name | 
vds_group_id        | 00000000-0000-0000-0000-000000000000
vds_group_name      | 
correlation_id      | 
job_id              | 
quota_id            | 
quota_name          | 
gluster_volume_id   | 00000000-0000-0000-0000-000000000000
gluster_volume_name | 
origin              | oVirt
custom_event_id     | -1
event_flood_in_sec  | 30
custom_data         | 
deleted             | f
call_stack          | 

Comment 7 Yair Zaslavsky 2014-10-22 10:15:41 UTC
Alon, is the 701 error code mapped correctly at the generic ldap provider?

Comment 8 Alon Bar-Lev 2014-10-22 10:36:33 UTC
At login I get:
Cannot Login. User Account has expired, Please contact your system administrator.

In database I get:
$ PGPASSWORD="engine" psql -U engine -d engine -c "select audit_log_id, message from audit_log order by log_time DESC;" | head -n 10
 audit_log_id |                                      message                                      
--------------+-----------------------------------------------------------------------------------
           69 | User vdcexpadmin failed to log in.
           68 | The account for vdcexpadmin got expired. Please contact the system administrator.

Comment 9 Ondra Machacek 2014-10-22 11:23:06 UTC
Oh sorry, I tested it with the old package. Now correct:

engine=# select audit_log_id, message from audit_log order by log_time DESC LIMIT 2;
 audit_log_id |                                                                                                                            message                                                                                                                            
--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
            9 | User vdcexpadmin failed to log in.
            8 | The account for vdcexpadmin got expired. Please contact the system administrator.
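The two decoding steps behind comments 6 through 9, as an added example that is not code from this bug or from ovirt-engine: converting the AD accountExpires FILETIME value to a date (the 125912412000000000 = 2000-01-01 23:00 GMT check from comment 6), and pulling the "data NNN" sub-code out of the AD bind diagnostic so a failed login can be audited with a specific reason instead of the generic "failed to log in" entry. Assumptions: sub-code 701 and the event names USER_ACCOUNT_PASSWORD_EXPIRED and USER_VDC_LOGIN_FAILED come from the page; the other sub-codes are the standard AD AcceptSecurityContext values; USER_ACCOUNT_EXPIRED is a hypothetical placeholder for the event the fix adds, not necessarily ovirt-engine's own name for it.

```python
import re
from datetime import datetime, timedelta, timezone

# Sub-codes AD places after "data" in the AcceptSecurityContext diagnostic.
# Only 701 appears in the bug; the rest are the standard AD values (assumed
# to be reported the same way by the deployment's domain controllers).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def parse_bind_subcode(diagnostic):
    """Return the hex sub-code after 'data' in an AD bind diagnostic, or None."""
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def bind_failure_reason(diagnostic):
    """Map an AD bind diagnostic string to a human-readable failure reason."""
    return AD_BIND_SUBCODES.get(parse_bind_subcode(diagnostic), "unknown")


# accountExpires is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both 0 and the maximum signed int64 mean "never expires" in AD.
ACCOUNT_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def account_expires_to_datetime(value):
    """Convert an accountExpires value (int or LDIF string) to a UTC datetime; None = never."""
    ticks = int(value)
    if ticks in ACCOUNT_NEVER_EXPIRES:
        return None
    # 10 ticks per microsecond; integer division is exact for AD's tick values.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def account_is_expired(value, now=None):
    """True if accountExpires is set and is not later than `now` (default: current UTC time)."""
    expires = account_expires_to_datetime(value)
    if expires is None:
        return False
    if now is None:
        now = datetime.now(timezone.utc)
    return expires <= now


def audit_event_for_bind_failure(diagnostic):
    """Pick the audit event for a failed bind: a specific event where the reason is known,
    otherwise the generic login-failed event. USER_ACCOUNT_EXPIRED is a hypothetical name."""
    reason = bind_failure_reason(diagnostic)
    if reason == "password expired":
        return "USER_ACCOUNT_PASSWORD_EXPIRED"
    if reason == "account expired":
        return "USER_ACCOUNT_EXPIRED"  # placeholder, not necessarily ovirt-engine's name
    return "USER_VDC_LOGIN_FAILED"


if __name__ == "__main__":
    # Constructed from the diagnostic quoted in comment 6.
    diag = ("80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext "
            "error, data 701, v2580")
    print(parse_bind_subcode(diag), bind_failure_reason(diag))
    print(account_expires_to_datetime(125912412000000000))
    print(audit_event_for_bind_failure(diag))
```

Keeping the generic USER_VDC_LOGIN_FAILED entry alongside the specific one (as the fixed output in comments 8 and 9 does) means a reason-specific event never replaces the failure record itself; the sub-code only refines it.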

