[Pki-devel] [PATCH] pki-cfu-0058-Ticket-1160-audit-logging-needed-REST-API-auth-authz.patch
Christina Fu
cfu at redhat.com
Mon May 11 18:39:29 UTC 2015
This updated patch addresses the issue that Endi found, which would cause
startup to fail for anonymous access.
thanks,
Christina
On 05/07/2015 12:20 PM, Christina Fu wrote:
> Please review. This patch addresses the missing REST API auth/authz
> auditing part of the ticket https://fedorahosted.org/pki/ticket/1160
>
> The kra for getKeyInfo will come as a separate patch after this.
>
> Here are sample signed audit log messages resulting from my test cases:
>
> pki -d . -c netscape -h kraHost -p 28443 -P https -n "PKI Administrator for kraHost" key-find --maxResults -5
>
> == case when running the above request as a kraadmin with valid cert ==
> 0.http-bio-28443-exec-1 - [07/May/2015:14:30:26 EDT] [14] [6] [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
> 0.http-bio-28443-exec-1 - [07/May/2015:14:30:27 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
> 0.http-bio-28443-exec-2 - [07/May/2015:14:30:27 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
> 0.http-bio-28443-exec-3 - [07/May/2015:14:30:28 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.listKeys] authorization success
> 0.http-bio-28443-exec-4 - [07/May/2015:14:30:28 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
>
> == case when running the above request as a caadmin with ca admin cert ==
> 0.http-bio-28443-exec-6 - [07/May/2015:14:31:24 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=CN=PKI Administrator, EMAILADDRESS=caadmin at idm.lab.bos.redhat.com, O=idm.lab.bos.redhat.com Security Domain][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure
>
> == case when creating a caadmin in the kra user db but not given any group privilege ==
> 0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
> 0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
> 0.http-bio-28443-exec-19 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
> 0.http-bio-28443-exec-2 - [07/May/2015:14:48:32 EDT] [14] [6] [AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.kra.keys][Op=execute][Info=Authorization Error] authorization failure
> 0.http-bio-28443-exec-3 - [07/May/2015:14:48:32 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
>
>
> thanks,
> Christina
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0059-Ticket-1160-audit-logging-needed-REST-API-auth-authz.patch
Type: text/x-patch
Size: 23799 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150511/5ec9d26b/attachment.bin>
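The sample messages quoted in the thread are what a detection rule or log reviewer would consume. The following is an added example (editor's code, not from the pki-devel thread or the Dogtag project) that parses lines of that shape and pulls out the three things worth acting on: AUTH_FAIL / AUTHZ_FAIL records, per-subject failure counts, and AUTHZ_SUCCESS records carrying `aclResource=null`, i.e. endpoints that were allowed because no ACL mapping existed rather than because an ACL granted access. The line grammar in `_LINE_RE` is an assumption derived from the quoted samples, not a published specification, and the embedded log is constructed for the example (the caadmin DN uses a placeholder domain).

```python
"""Parse Dogtag-style signed audit lines (AUTH_* / AUTHZ_* events) and flag
the records a reviewer of the thread above would want to look at.

Added example, not code from the pki-devel thread or the Dogtag project.
The regular expressions are assumptions derived from the quoted sample
lines, not a published grammar for the audit log.
"""
import re
from collections import Counter

# Assumed line shape, taken from the quoted samples:
#   <thread> - [<timestamp>] [<n>] [<n>] [Key=Value]...[Key=Value] <free text>
_LINE_RE = re.compile(
    r"^(?P<thread>\S+) - \[(?P<ts>[^\]]+)\] \[(?P<lvl1>\d+)\] \[(?P<lvl2>\d+)\] "
    r"(?P<attrs>(?:\[[^\]]*\])+)\s*(?P<msg>.*)$"
)
# Key=Value pairs; the value may itself contain '=' (e.g. a SubjectID that is a DN).
_ATTR_RE = re.compile(r"\[([^=\]]+)=([^\]]*)\]")

# Constructed sample log modelled on the thread's messages (placeholder domain).
SAMPLE_LOG = """\
0.http-bio-28443-exec-1 - [07/May/2015:14:30:26 EDT] [14] [6] [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
0.http-bio-28443-exec-3 - [07/May/2015:14:30:28 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.listKeys] authorization success
0.http-bio-28443-exec-6 - [07/May/2015:14:31:24 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=CN=PKI Administrator, EMAILADDRESS=caadmin@example.test, O=example.test Security Domain][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure
0.http-bio-28443-exec-19 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
0.http-bio-28443-exec-2 - [07/May/2015:14:48:32 EDT] [14] [6] [AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.kra.keys][Op=execute][Info=Authorization Error] authorization failure
"""


def parse_line(line):
    """Return a dict of thread/ts/msg plus every bracketed Key=Value attribute,
    or None when the line does not match the assumed format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"thread": m.group("thread"), "ts": m.group("ts"), "msg": m.group("msg")}
    for key, value in _ATTR_RE.findall(m.group("attrs")):
        event[key] = value
    return event


def parse_log(text):
    """Parse all non-empty lines; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = parse_line(line)
            if event is not None:
                events.append(event)
    return events


def failures(events):
    """(SubjectID, AuditEvent, where) for every failed auth or authz decision.
    'where' is the ACL resource for AUTHZ_FAIL and the auth manager for AUTH_FAIL."""
    out = []
    for e in events:
        if e.get("Outcome") == "Failure" or e.get("AuditEvent", "").endswith("_FAIL"):
            out.append((e.get("SubjectID"), e.get("AuditEvent"),
                        e.get("aclResource") or e.get("AuthMgr")))
    return out


def unmapped_authz(events):
    """Info of AUTHZ_SUCCESS records with aclResource=null: the request was
    allowed because no ACL mapping existed for the endpoint, not because an
    ACL granted it. Each one deserves a decision on whether it needs an ACL."""
    return [e["Info"] for e in events
            if e.get("AuditEvent") == "AUTHZ_SUCCESS" and e.get("aclResource") == "null"]


def failures_per_subject(events):
    """How many failed decisions each subject produced (for thresholding)."""
    return Counter(subject for subject, _, _ in failures(events))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for item in failures(parsed):
        print("FAIL", item)
    for info in unmapped_authz(parsed):
        print("UNMAPPED", info)
    print(dict(failures_per_subject(parsed)))
```

Note that the AUTH_FAIL record names the subject by the full certificate DN (no user mapping succeeded), while the AUTHZ_FAIL record names the mapped user ID; correlate on thread ID and timestamp rather than on SubjectID if you need to tie the two together.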