KNOX-3102 - Complete Auditing in RemoteAuthProvider #999

Merged
merged 6 commits into from
Feb 28, 2025

@lmccay lmccay commented Feb 28, 2025

What changes were proposed in this pull request?

The initial implementation of the RemoteAuthProvider only has the initial access level audit. We need to add not only the result of the authentication attempt but also add the correlation id for the audit entries to the call to the remote auth service so that the audit logs can be correlated.

How was this patch tested?

Added new unit tests and ran all existing tests.
Manually tested with a single instance and traced the call through the initial topology and the "remote" endpoint. Note the correlation id is the same for all of the entries. This will follow across instances as well.

25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN||||access|uri|/gateway/tokengen/knoxtoken/api/v1/token|unavailable|Request method: GET
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|127.0.0.1|KNOX-AUTH-SERVICE||||access|uri|/gateway/sandbox/auth/api/v1/pre|unavailable|Request method: GET
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|127.0.0.1|KNOX-AUTH-SERVICE|guest|||authentication|uri|/gateway/sandbox/auth/api/v1/pre|success|
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|127.0.0.1|KNOX-AUTH-SERVICE|guest|||authentication|uri|/gateway/sandbox/auth/api/v1/pre|success|Groups: []
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|127.0.0.1|KNOX-AUTH-SERVICE|guest|||identity-mapping|principal|guest|success|Groups: []
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|127.0.0.1|KNOX-AUTH-SERVICE|guest|||access|uri|/gateway/sandbox/auth/api/v1/pre|success|Response status: 200
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||authentication|uri|/gateway/tokengen/knoxtoken/api/v1/token|success|
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||identity-mapping|principal|guest|success|Groups: []
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||access|uri|/gateway/tokengen/knoxtoken/api/v1/token|success|Response status: 200
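
The correlation shown in the log lines above can be checked mechanically. The following is an added example, not code from this PR or from Knox: it groups audit lines by correlation id and flags any id where a service logged a successful authentication with no remote auth service entry beside it. It assumes the field positions read off the sample lines and that every service in the log sits behind the RemoteAuthProvider; the all-zero correlation id line is constructed.

```python
from collections import defaultdict

# Field positions read off the sample lines in this PR (an assumption,
# not taken from Knox documentation).
CORR, SERVICE, ACTION, OUTCOME = 2, 5, 9, 12
AUTH_SERVICE = "KNOX-AUTH-SERVICE"  # service name as it appears in the sample

# Five lines copied from the PR description, plus one constructed line
# (all-zero correlation id) that has no remote-auth entries beside it.
SAMPLE = """\
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN||||access|uri|/gateway/tokengen/knoxtoken/api/v1/token|unavailable|Request method: GET
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|127.0.0.1|KNOX-AUTH-SERVICE||||access|uri|/gateway/sandbox/auth/api/v1/pre|unavailable|Request method: GET
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|127.0.0.1|KNOX-AUTH-SERVICE|guest|||authentication|uri|/gateway/sandbox/auth/api/v1/pre|success|
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||authentication|uri|/gateway/tokengen/knoxtoken/api/v1/token|success|
25/02/27 23:53:15 ||9f67555c-6561-40fb-ad39-6fa8ac4fa1f9|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||access|uri|/gateway/tokengen/knoxtoken/api/v1/token|success|Response status: 200
25/02/27 23:54:02 ||00000000-0000-0000-0000-000000000000|audit|127.0.0.1|KNOXTOKEN|guest|||authentication|uri|/gateway/tokengen/knoxtoken/api/v1/token|success|
"""


def parse(line):
    """Return the 14 pipe-delimited fields of an audit line, else None."""
    fields = line.rstrip("\n").split("|", 13)
    return fields if len(fields) == 14 and fields[3] == "audit" else None


def group_by_correlation(text):
    """Map correlation id -> parsed entries, kept in log order."""
    traces = defaultdict(list)
    for line in text.splitlines():
        fields = parse(line)
        if fields:
            traces[fields[CORR]].append(fields)
    return dict(traces)


def auth_ok(entry, remote):
    """True for a successful authentication entry on the chosen side."""
    return (entry[ACTION] == "authentication" and entry[OUTCOME] == "success"
            and (entry[SERVICE] == AUTH_SERVICE) == remote)


def uncorrelated_logins(traces):
    """Ids where a service logged an authentication success but no remote
    auth service entry shares the correlation id."""
    return [corr for corr, entries in traces.items()
            if any(auth_ok(e, False) for e in entries)
            and not any(auth_ok(e, True) for e in entries)]


if __name__ == "__main__":
    for corr in uncorrelated_logins(group_by_correlation(SAMPLE)):
        print("no remote-auth audit entry for", corr)
```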

@@ -70,8 +71,11 @@ public class RemoteAuthFilter implements Filter {
private static final String CONFIG_USER_HEADER = "remote.auth.user.header";
private static final String CONFIG_GROUP_HEADER = "remote.auth.group.header";
private static final String DEFAULT_CONFIG_USER_HEADER = "X-Knox-Actor-ID";
private static final String DEFAULT_CONFIG_GROUP_HEADER = "X-Knox-Actor-Groups-*";
private static final String DEFAULT_CONFIG_GROUP_HEADER = "X-Knox-Actor-Groups-1";
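Review bot: the default for DEFAULT_CONFIG_GROUP_HEADER should not change in a PR scoped to auditing; the last two lines of this hunk carry it once as "X-Knox-Actor-Groups-*" and once as "X-Knox-Actor-Groups-1". This constant is the fallback for `remote.auth.group.header`, so if the "-1" value is the one being added, deployments that leave the property unset would switch from a wildcard name to a single fixed header name. Suggest restoring the "-*" value, or, if the change is intended, explaining it in the description and adding a unit test that asserts the default.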
Contributor

Shouldn't this property be X-Knox-Actor-Groups-* ?

Contributor Author

hmmm - yes. I think I hit CMD+Z too many times. :)

@lmccay lmccay requested a review from moresandeep February 28, 2025 22:06
@moresandeep moresandeep left a comment

Looks good :)

@lmccay lmccay merged commit cdf6e80 into apache:master Feb 28, 2025
2 checks passed