User login attempts not found in the OpenShift audit log files
Environment
- Red Hat OpenShift Container Platform 4.6 (OCP)
- Red Hat OpenShift Container Platform 4.7 (OCP)
Issue
- Due to a security audit logging requirement, there is a need to collect logs of the login attempts performed against the OpenShift Container Platform
Resolution
The oauth-openshift service in debug mode logs whether a user login succeeded or failed, as long as the built-in OAuth server has not been replaced with another identity provider:
- Enable the debug mode in the authentication operator
$ oc edit authentication.operator.openshift.io
...
spec:
  logLevel: Debug          <-- change from Normal to Debug
  managementState: Managed
- Wait for the openshift-authentication pods to restart
$ watch oc get pods -n openshift-authentication
NAME                               READY   STATUS              RESTARTS   AGE
oauth-openshift-59d9dfbcf-5jmb4    1/1     Terminating         0          37m
oauth-openshift-59d9dfbcf-n5hnx    1/1     Running             0          37m
oauth-openshift-7ddc657f69-g7q7l   1/1     Running             0          9s
oauth-openshift-7ddc657f69-m8xbn   0/1     ContainerCreating   0          3s
- Verify the login attempts in the pod log
$ oc logs oauth-openshift-7ddc657f69-m8xbn
I0217 08:23:56.354387       1 login.go:182] Login with provider "htpasswd_myusers" succeeded for "developer1": &user.DefaultInfo{Name:"developer1", UID:"5853541a-8ab6-4cf2-8822-d93348825ecb", Groups:[]string(nil), Extra:map[string][]string(nil)}
...
I0217 08:25:41.071003       1 login.go:177] Login with provider "htpasswd_myusers" failed for "developer1"
...
I0217 08:26:51.765063       1 login.go:177] Login with provider "htpasswd_myusers" failed for "test2"
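Because the debug lines have a fixed shape, they can be turned into structured login events for a SIEM or an alert rule. The following is an added example, not code from the Red Hat article: it parses constructed sample lines in the format shown above and counts failed logins per user; the failure threshold is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what the oauth-openshift pod prints at logLevel: Debug.
# One non-login debug line is included to show that it is skipped.
SAMPLE_LOG = """\
I0217 08:23:56.354387       1 login.go:182] Login with provider "htpasswd_myusers" succeeded for "developer1": &user.DefaultInfo{Name:"developer1", UID:"5853541a-8ab6-4cf2-8822-d93348825ecb", Groups:[]string(nil), Extra:map[string][]string(nil)}
I0217 08:25:41.071003       1 login.go:177] Login with provider "htpasswd_myusers" failed for "developer1"
I0217 08:26:51.765063       1 login.go:177] Login with provider "htpasswd_myusers" failed for "test2"
I0217 08:27:02.118402       1 login.go:177] Login with provider "htpasswd_myusers" failed for "test2"
I0217 08:27:09.551277       1 login.go:177] Login with provider "htpasswd_myusers" failed for "test2"
I0217 08:27:30.000000       1 server.go:40] some unrelated debug output
"""

# klog prefix: I<MMDD> <HH:MM:SS.micro> <thread> <file>:<line>] <message>
LOGIN_RE = re.compile(
    r'^I(?P<date>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+\d+ login\.go:\d+\] '
    r'Login with provider "(?P<provider>[^"]+)" (?P<outcome>succeeded|failed) for "(?P<user>[^"]+)"'
)

@dataclass
class LoginEvent:
    timestamp: str   # "MMDD HH:MM:SS.micro" as printed by klog; the year is not logged
    provider: str
    user: str
    succeeded: bool

def parse_login_events(log_text):
    """Extract login attempts from raw oauth-openshift debug log text."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # any other debug output is not a login attempt
        events.append(LoginEvent(f"{m['date']} {m['time']}", m['provider'],
                                 m['user'], m['outcome'] == 'succeeded'))
    return events

def failed_logins_per_user(events):
    """Count failed attempts per user name."""
    return Counter(e.user for e in events if not e.succeeded)

def users_over_threshold(events, threshold=3):
    """Users whose failed-login count reaches the (assumed) alert threshold."""
    return sorted(u for u, n in failed_logins_per_user(events).items() if n >= threshold)

if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG)
    print(failed_logins_per_user(evs), users_over_threshold(evs))
```

In practice the text of `oc logs` for each oauth-openshift pod is fed to `parse_login_events`; note that debug level raises the pod's log volume, so the retention of these logs should be planned before enabling it.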
Root Cause
- OpenShift 4.6 split the OAuth resources out of openshift-apiserver into a new oauth-apiserver component; the change was made to allow the built-in OAuth server to be replaced with another identity provider.
- Once another identity provider is plugged in, oauth-apiserver is disabled.
- User management events are reported under the path "oauth-apiserver/audit-log" without enabling debug mode, but login attempts are currently only reported in the logs of the oauth-openshift pods when debug mode is enabled.
- RFE-520 is in progress to make the audit log policy adjustable in a supported way; this will allow customers to adjust the audit policy profile as required.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.