Bug 1447774 - Allow Install to enable audit logging configuration.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Severity: medium
Priority: medium
Target Milestone: ---
Assignee: Scott Dodson
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On:
Blocks: 1465299
Reported: 2017-05-03 19:03 UTC by Eric Rich
Modified: 2017-08-16 19:51 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
The example inventory files have been amended to illustrate all available audit logging configuration options.
Clone Of:
: 1465299 (view as bug list)
Environment:
Last Closed: 2017-08-10 05:21:25 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Bugzilla | 1447773 | 0 | high | CLOSED | [DOCS] openshift_master_audit_config not documented | 2021-02-22 00:41:40 UTC |
| Red Hat Product Errata | RHEA-2017:1716 | 0 | normal | SHIPPED_LIVE | Red Hat OpenShift Container Platform 3.6 RPM Release Advisory | 2017-08-10 09:02:50 UTC |

Description Eric Rich 2017-05-03 19:03:19 UTC
Description of problem:

We provide an option openshift_master_audit_config 

> https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.4.71-1/inventory/byo/hosts.ose.example#L638-L639

To enable audit logging, but don't document it: https://bugzilla.redhat.com/show_bug.cgi?id=1447773

That said, we need to provide a way at install time to enable the following configuration: https://docs.openshift.com/container-platform/3.5/install_config/master_node_configuration.html#master-node-config-audit-config

Comment 1 Eric Rich 2017-05-03 19:05:56 UTC
This should be addressed, because oc adm diagnostics (run as root|system:admin), when run after a cluster install, will report:

>[Note] Running diagnostic: MasterConfigCheck
>       Description: Check the master config file

>WARN:  [DH0005 from diagnostic MasterConfigCheck@openshift/origin/pkg/diagnostics/host/check_master_config.go:52]
>       Validation of master config file '/etc/origin/master/master-config.yaml' warned:
> ...
>       auditConfig.auditFilePath: Required value: audit can now be logged to a separate file

Comment 2 Scott Dodson 2017-06-09 04:46:57 UTC
The full configurability of audit logging has always been possible; you just need to convert the full key value into JSON.

The only action for cluster lifecycle here is to update the example inventories with an example that uses all the options in the docs link from comment 0.

Comment 3 Scott Dodson 2017-06-15 20:31:23 UTC
https://github.com/openshift/openshift-ansible/pull/4458 community contribution

Comment 6 Gaoyun Pei 2017-06-20 03:18:21 UTC
Verify this with openshift-ansible-3.6.116-1.git.0.e2840e8.el7.noarch

In /usr/share/doc/openshift-ansible-docs-3.6.116/docs/example-inventories/hosts.ose.example we have more options added.

[root@gpei-test-ansible ]# grep openshift_master_audit_config /usr/share/doc/openshift-ansible-docs-3.6.116/docs/example-inventories/hosts.ose.example
#openshift_master_audit_config={"enabled": true}
#openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/openpaas-oscp-audit/openpaas-oscp-audit.log", "maximumFileRetentionDays": 14, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 5}}
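
Added example, not part of the original bug report or of openshift-ansible: a small pre-install check that the JSON value given for openshift_master_audit_config parses and sets auditFilePath, the field the diagnostics in comment 1 warn about. The key list is limited to the keys shown in comment 6, the integer check and the one-line `[group:vars]` layout are assumptions, and the function name and sample are constructed for illustration.

```python
import json

VAR = "openshift_master_audit_config"
# Assumption: only the keys shown in the example line in comment 6 are valid.
INT_KEYS = {"maximumFileRetentionDays", "maximumFileSizeMegabytes", "maximumRetainedFiles"}
KNOWN_KEYS = INT_KEYS | {"enabled", "auditFilePath"}

def check_audit_config(inventory_text):
    """Return (line_no, message) findings for every VAR line, commented or not.
    Assumes VAR sits on one line in a [group:vars] section (value = rest of line)."""
    findings = []
    for no, raw in enumerate(inventory_text.splitlines(), 1):
        line = raw.strip().lstrip("#").strip()
        if not line.startswith(VAR + "="):
            continue
        try:
            cfg = json.loads(line[len(VAR) + 1:])
        except json.JSONDecodeError as exc:
            findings.append((no, f"invalid JSON: {exc.msg} (char {exc.pos})"))
            continue
        if not isinstance(cfg, dict):
            findings.append((no, "value must be a JSON object"))
            continue
        for key in sorted(set(cfg) - KNOWN_KEYS):
            findings.append((no, f"unknown key: {key}"))
        if cfg.get("enabled") is True and not cfg.get("auditFilePath"):
            # Same condition as the MasterConfigCheck warning quoted in comment 1.
            findings.append((no, "enabled without auditFilePath"))
        for key in sorted(INT_KEYS & set(cfg)):
            # Assumption: retention and size limits are plain integers.
            if isinstance(cfg[key], bool) or not isinstance(cfg[key], int):
                findings.append((no, f"{key} must be an integer"))
    return findings

# Constructed sample: lines 2-3 reuse the two example values from the grep
# output in comment 6 (the first uncommented); line 4 drops line 3's last character.
FULL = ('{"enabled": true, "auditFilePath": "/var/log/openpaas-oscp-audit/openpaas-oscp-audit.log", '
        '"maximumFileRetentionDays": 14, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 5}')
SAMPLE = "\n".join([
    "[OSEv3:vars]",
    f'{VAR}={{"enabled": true}}',
    f"#{VAR}={FULL}}}",
    f"{VAR}={FULL}",
])

if __name__ == "__main__":
    for no, msg in check_audit_config(SAMPLE):
        print(f"line {no}: {msg}")
```

Commented lines are checked as well, because example inventory lines are usually enabled by deleting the leading `#`.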

Comment 14 errata-xmlrpc 2017-08-10 05:21:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

