<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    This updated patch addresses the issue that Endi found, which would
    cause startup to fail for anonymous access.<br>
    <br>
    thanks,<br>
    Christina<br>
    <br>
    <div class="moz-cite-prefix">On 05/07/2015 12:20 PM, Christina Fu
      wrote:<br>
    </div>
    <blockquote cite="mid:554BBAFE.6090307@redhat.com" type="cite">Please
      review.  This patch addresses the missing REST API auth/authz
      auditing part of the ticket
      <a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/1160">https://fedorahosted.org/pki/ticket/1160</a>
      <br>
      <br>
      The kra for getKeyInfo will come as a separate patch after this.
      <br>
      <br>
      Here are sample signed audit log messages resulting from my test
      cases:
      <br>
      <br>
      pki -d . -c netscape -h kraHost -p 28443 -P https -n "PKI
      Administrator for kraHost" key-find --maxResults -5
      <br>
      <br>
      == case when running the above request as a kraadmin with valid
      cert ==
      <br>
      0.http-bio-28443-exec-1 - [07/May/2015:14:30:26 EDT] [14] [6]
      [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr]
      authentication success
      <br>
      0.http-bio-28443-exec-1 - [07/May/2015:14:30:27 EDT] [14] [6]
      [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login]
      authorization success
      <br>
      0.http-bio-28443-exec-2 - [07/May/2015:14:30:27 EDT] [14] [6]
      [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL
      mapping not found; OK:SystemCertResource.getTransportCert]
      authorization success
      <br>
      0.http-bio-28443-exec-3 - [07/May/2015:14:30:28 EDT] [14] [6]
      [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.listKeys]
      authorization success
      <br>
      0.http-bio-28443-exec-4 - [07/May/2015:14:30:28 EDT] [14] [6]
      [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout]
      authorization success
      <br>
      <br>
      == case when running the above request as a caadmin with ca admin
      cert ==
      <br>
      0.http-bio-28443-exec-6 - [07/May/2015:14:31:24 EDT] [14] [6]
      [AuditEvent=AUTH_FAIL][SubjectID=CN=PKI Administrator,
      EMAILADDRESS=caadmin@idm.lab.bos.redhat.com,
      O=idm.lab.bos.redhat.com Security
      Domain][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=$Unidentified$]
      authentication failure
      <br>
      <br>
      == case when creating a caadmin in the kra user db but not given
      any group privilege ==
      <br>
      0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6]
      [AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr]
      authentication success
      <br>
      0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6]
      [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login]
      authorization success
      <br>
      0.http-bio-28443-exec-19 - [07/May/2015:14:48:31 EDT] [14] [6]
      [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL
      mapping not found; OK:SystemCertResource.getTransportCert]
      authorization success
      <br>
      0.http-bio-28443-exec-2 - [07/May/2015:14:48:32 EDT] [14] [6]
      [AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.kra.keys][Op=execute][Info=Authorization
      Error] authorization failure
      <br>
      0.http-bio-28443-exec-3 - [07/May/2015:14:48:32 EDT] [14] [6]
      [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout]
      authorization success
      <br>
      <br>
      <br>
      thanks,
      <br>
      Christina
      <br>
      <br>
    </blockquote>
    <br>
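    The audit messages quoted above use a [Key=Value] field layout, so failed events and authorizations that succeeded with no ACL mapping (aclResource=null) can be separated out for review. The following Python is an added example, not part of the original e-mail or of the PKI code base; the function names are hypothetical, and the sample input is four of the quoted messages with their wrapped lines rejoined.

```python
import re
from collections import Counter

# Four of the audit messages quoted in the e-mail, wrapped lines rejoined.
SAMPLE = """\
0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
0.http-bio-28443-exec-19 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
0.http-bio-28443-exec-2 - [07/May/2015:14:48:32 EDT] [14] [6] [AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.kra.keys][Op=execute][Info=Authorization Error] authorization failure
0.http-bio-28443-exec-6 - [07/May/2015:14:31:24 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=CN=PKI Administrator, EMAILADDRESS=caadmin@idm.lab.bos.redhat.com, O=idm.lab.bos.redhat.com Security Domain][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure
"""

# A field is [Key=Value]; the value runs to the next ']' and may itself
# contain '=' and ',' (e.g. a certificate subject DN in SubjectID).
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")
# Timestamp bracket, e.g. [07/May/2015:14:30:26 EDT]
TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} \w+)\]")


def parse_line(line):
    """Return the fields of one audit line as a dict, or None if not an event."""
    fields = dict(FIELD.findall(line))
    if "AuditEvent" not in fields:
        return None
    ts = TS.search(line)
    fields["timestamp"] = ts.group(1) if ts else None
    return fields


def triage(text):
    """Return (failures, unmapped): failed events, and authorizations
    that succeeded although no ACL mapping existed for the resource."""
    failures, unmapped = [], []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.get("Outcome") == "Failure":
            failures.append(ev)
        elif ev["AuditEvent"] == "AUTHZ_SUCCESS" and ev.get("aclResource") == "null":
            unmapped.append(ev)
    return failures, unmapped


def failures_by_subject(failures):
    """Count failed events per SubjectID, for spotting repeated denials."""
    return Counter(ev["SubjectID"] for ev in failures)
```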
  </body>
</html>