User login attempts not found in the OpenShift audit log files


Environment

  • Red Hat OpenShift Container Platform 4.6 (OCP)
  • Red Hat OpenShift Container Platform 4.7 (OCP)

Issue

  • Due to security audit logging requirements, login attempts on the OpenShift Container Platform need to be collected in a log

Resolution

  • Running the oauth-openshift service in debug mode logs every successful or failed user login, provided the built-in OAuth server has not been replaced with another identity provider:

    • Enable the debug mode in the authentication operator
    $ oc edit authentication.operator.openshift.io
      ...
      spec:
        logLevel: Debug  <-- change from Normal to Debug
        managementState: Managed
    
    • Wait for the openshift-authentication pods to restart
    $ watch oc get pods -n openshift-authentication
    
    NAME                               READY   STATUS              RESTARTS   AGE
    oauth-openshift-59d9dfbcf-5jmb4    1/1     Terminating         0          37m
    oauth-openshift-59d9dfbcf-n5hnx    1/1     Running             0          37m
    oauth-openshift-7ddc657f69-g7q7l   1/1     Running             0          9s
    oauth-openshift-7ddc657f69-m8xbn   0/1     ContainerCreating   0          3s
    
    • Verify the login attempts in the pod logs
    $ oc logs oauth-openshift-7ddc657f69-m8xbn
    I0217 08:23:56.354387       1 login.go:182] Login with provider "htpasswd_myusers" succeeded for "developer1": &user.DefaultInfo{Name:"developer1", UID:"5853541a-8ab6-4cf2-8822-d93348825ecb", Groups:[]string(nil), Extra:map[string][]string(nil)}
    ...
    I0217 08:25:41.071003       1 login.go:177] Login with provider "htpasswd_myusers" failed for "developer1"
    ...
    I0217 08:26:51.765063       1 login.go:177] Login with provider "htpasswd_myusers" failed for "test2"
    
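    To feed these debug lines into an audit pipeline, the following added example (not part of the Red Hat solution) parses the login.go messages from `oc logs` output into structured events and counts failed logins per user. The sample log text is constructed from the format shown above, and the klog line layout is assumed to match that output.

```python
import re
from collections import Counter

# Constructed sample: lines in the format the oauth-openshift pod emits at
# logLevel Debug (klog header, then the login.go message). Not captured from a
# live cluster; the last line is an unrelated debug line to show it is skipped.
SAMPLE_LOG = """\
I0217 08:23:56.354387       1 login.go:182] Login with provider "htpasswd_myusers" succeeded for "developer1": &user.DefaultInfo{Name:"developer1", UID:"5853541a-8ab6-4cf2-8822-d93348825ecb", Groups:[]string(nil), Extra:map[string][]string(nil)}
I0217 08:25:41.071003       1 login.go:177] Login with provider "htpasswd_myusers" failed for "developer1"
I0217 08:26:51.765063       1 login.go:177] Login with provider "htpasswd_myusers" failed for "test2"
I0217 08:27:02.000000       1 constructed_other.go:10] unrelated debug line (constructed)
"""

# klog header: <level><MMDD> <HH:MM:SS.micro> <thread> <file>:<line>] <message>
LOGIN_RE = re.compile(
    r'^(?P<level>[IWEF])(?P<mmdd>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+\d+ '
    r'login\.go:\d+\] Login with provider "(?P<provider>[^"]+)" '
    r'(?P<outcome>succeeded|failed) for "(?P<user>[^"]+)"'
)


def parse_login_events(log_text):
    """Return one dict per login line (level, mmdd, time, provider, outcome, user).

    Lines that are not login.go login messages are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_login_counts(events):
    """Failed logins per user: the input to a brute-force or lockout alert."""
    return Counter(e["user"] for e in events if e["outcome"] == "failed")


def users_over_threshold(events, max_failures):
    """Users whose failed-login count exceeds max_failures, sorted for stable output."""
    return sorted(u for u, n in failed_login_counts(events).items() if n > max_failures)


if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_LOG)
    for e in evts:
        print(f'{e["mmdd"]} {e["time"]} {e["outcome"]:9} user={e["user"]} provider={e["provider"]}')
    print("failed logins per user:", dict(failed_login_counts(evts)))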

Root Cause

  • OpenShift 4.6 split the OAuth resources out of openshift-apiserver into a new oauth-apiserver component; this change was made to allow the built-in OAuth server to be replaced with another identity provider.
  • Once another identity provider is plugged in, oauth-apiserver is disabled.
  • User management events are reported under the path "oauth-apiserver/audit-log" without enabling debug mode; login attempts, however, are currently only reported in the logs of the oauth-openshift pods, and only with debug mode enabled.
  • RFE-520 is in progress to make the audit log policy adjustable in a supported way; this will allow customers to adjust the audit policy profile as required.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.