Martin Peřina has uploaded a new change for review. Change subject: core: Fix audit log messages for auth results ......................................................................
core: Fix audit log messages for auth results Adds audit log messages for all authentication results that didn't have audit log messages assigned. Change-Id: I0fa17e2ea206195813b258101a367396399543eb Bug-Url: https://bugzilla.redhat.com/1059550 Signed-off-by: Martin Perina <mper...@redhat.com> --- M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/AuditLogType.java M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/AuditLogDirector.java M backend/manager/modules/dal/src/main/resources/bundles/AuditLogMessages.properties M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java 4 files changed, 107 insertions(+), 24 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/67/25267/1 diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/AuditLogType.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/AuditLogType.java index 0627025..02ef01d 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/AuditLogType.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/AuditLogType.java 
@@ -752,6 +752,24 @@ // Authentication USER_ACCOUNT_DISABLED_OR_LOCKED(1100, AuditLogTimeInterval.HOUR.getValue()), USER_ACCOUNT_PASSWORD_EXPIRED(1101, AuditLogTimeInterval.HOUR.getValue()), + AUTH_FAILED_INVALID_CREDENTIALS(1172), + AUTH_FAILED_CLOCK_SKEW_TOO_GREAT(1173, + AuditLogTimeInterval.HOUR.getValue()), + AUTH_FAILED_NO_KDCS_FOUND(1174), + AUTH_FAILED_DNS_ERROR(1175, + AuditLogTimeInterval.HOUR.getValue()), + AUTH_FAILED_OTHER(1176), + AUTH_FAILED_DNS_COMMUNICATION_ERROR(1177, + AuditLogTimeInterval.HOUR.getValue()), + AUTH_FAILED_CONNECTION_TIMED_OUT(1178, + AuditLogTimeInterval.HOUR.getValue()), + AUTH_FAILED_WRONG_REALM(1179), + AUTH_FAILED_CONNECTION_ERROR(1180, + AuditLogTimeInterval.HOUR.getValue()), + AUTH_FAILED_CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN(1181), + AUTH_FAILED_NO_USER_INFORMATION_WAS_FOUND(1182), + AUTH_FAILED_CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE(1183), + AUTH_FAILED_INTERNAL_KERBEROS_ERROR(1184), // Providers PROVIDER_ADDED(1150), diff --git a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/AuditLogDirector.java b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/AuditLogDirector.java index be53534..b917573 100644 --- a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/AuditLogDirector.java +++ b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/AuditLogDirector.java 
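Review bot: The second constructor argument `AuditLogTimeInterval.HOUR.getValue()`, which on the existing USER_ACCOUNT_* constants presumably limits repeated entries of the same type, is given to five of the new types and withheld from the other eight, and nothing in the hunk records the rule; `AUTH_FAILED_NO_KDCS_FOUND`, `AUTH_FAILED_CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN` and `AUTH_FAILED_INTERNAL_KERBEROS_ERROR` describe the same kind of environment failure as `AUTH_FAILED_DNS_ERROR` and `AUTH_FAILED_CONNECTION_ERROR`, which do get it. If the intent is that per-user failures (invalid credentials, wrong realm, client not found) are written on every attempt so repeated attempts stay visible to an administrator while environment failures are throttled, a comment above the group such as `// per-user failures are audited on every attempt; environment failures are limited to one entry per hour` would make the split reviewable and keep the three outliers from being copied as-is. The new ids 1172–1184 also sit above the 1150 at which the following Providers group starts, so the Authentication block is no longer one contiguous range; noting the reserved range in the same comment would reduce the chance of a later collision.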
@@ -881,6 +881,19 @@ private static void initUserAccountSeverities() { severities.put(AuditLogType.USER_ACCOUNT_DISABLED_OR_LOCKED, AuditLogSeverity.ERROR); severities.put(AuditLogType.USER_ACCOUNT_PASSWORD_EXPIRED, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_INVALID_CREDENTIALS, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_CLOCK_SKEW_TOO_GREAT, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_NO_KDCS_FOUND, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_DNS_ERROR, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_OTHER, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_DNS_COMMUNICATION_ERROR, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_CONNECTION_TIMED_OUT, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_WRONG_REALM, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_CONNECTION_ERROR, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_NO_USER_INFORMATION_WAS_FOUND, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE, AuditLogSeverity.ERROR); + severities.put(AuditLogType.AUTH_FAILED_INTERNAL_KERBEROS_ERROR, AuditLogSeverity.ERROR); } private static void initCommonSeverities() { diff --git a/backend/manager/modules/dal/src/main/resources/bundles/AuditLogMessages.properties b/backend/manager/modules/dal/src/main/resources/bundles/AuditLogMessages.properties index 70ffb0f..2fb132c 100644 --- a/backend/manager/modules/dal/src/main/resources/bundles/AuditLogMessages.properties +++ b/backend/manager/modules/dal/src/main/resources/bundles/AuditLogMessages.properties 
@@ -618,6 +618,19 @@
 RELOAD_CONFIGURATIONS_FAILURE=System Configurations failed to reload.
 USER_ACCOUNT_DISABLED_OR_LOCKED=User ${UserName} cannot login, as it got disabled or locked. Please contact the system administrator.
 USER_ACCOUNT_PASSWORD_EXPIRED=User ${UserName} cannot login, as the user account password has expired. Please contact the system administrator.
+AUTH_FAILED_INVALID_CREDENTIALS=User ${UserName} cannot login, please verify the username and password.
+AUTH_FAILED_CLOCK_SKEW_TOO_GREAT=User ${UserName} cannot login, the engine clock is not synchronized with directory services. Please contact the system administrator.
+AUTH_FAILED_NO_KDCS_FOUND=User ${UserName} cannot login, authentication domain cannot be found. Please contact the system administrator.
+AUTH_FAILED_DNS_ERROR=User ${UserName} cannot login, there's an error in DNS configuration. Please contact the system administrator.
+AUTH_FAILED_OTHER=User ${UserName} cannot login, unknown kerberos error. Please contact the system administrator.
+AUTH_FAILED_DNS_COMMUNICATION_ERROR=User ${UserName} cannot login, cannot lookup DNS for SRV records. Please contact the system administrator.
+AUTH_FAILED_CONNECTION_TIMED_OUT=User ${UserName} cannot login, connection to LDAP server has timed out. Please contact the system administrator.
+AUTH_FAILED_WRONG_REALM=User ${UserName} cannot login, please verify your domain name.
+AUTH_FAILED_CONNECTION_ERROR=User ${UserName} cannot login, connection refused or some configuration problems exist. Possible DNS error. Please contact the system administrator.
+AUTH_FAILED_CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN=User ${UserName} cannot login, cannot find valid LDAP server for domain. Please contact the system administrator.
+AUTH_FAILED_NO_USER_INFORMATION_WAS_FOUND=User ${UserName} cannot login, no user information was found. Please contact the system administrator.
+AUTH_FAILED_CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE=User ${UserName} cannot login, user was not found in domain. Please contact the system administrator.
+AUTH_FAILED_INTERNAL_KERBEROS_ERROR=User ${UserName} cannot login, an internal error has ocurred in the Kerberos implementation of the JVM. Please contact the system administrator.
 ENTITY_RENAMED=${EntityType} ${OldEntityName} was renamed from ${OldEntityName} to ${NewEntityName}.
 USER_ADD_EXTERNAL_JOB=New external Job ${description} was added by user ${UserName}
 USER_ADD_EXTERNAL_JOB_FAILED=Failed to add new external Job ${description}
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java
index 399df78..f125bdb 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java
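Review bot: `AUTH_FAILED_INTERNAL_KERBEROS_ERROR` misspells "occurred" as "ocurred"; the same misspelling is in the `INTERNAL_KERBEROS_ERROR` detailed message added to AuthenticationResult.java in the last hunk. The line should read `AUTH_FAILED_INTERNAL_KERBEROS_ERROR=User ${UserName} cannot login, an internal error has occurred in the Kerberos implementation of the JVM. Please contact the system administrator.`. `AUTH_FAILED_DNS_ERROR` is also the only new message written with a contraction ("there's an error in DNS configuration"); "an error exists in the DNS configuration" would match the register of the other twelve.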
@@ -3,70 +3,109 @@ import org.ovirt.engine.core.common.AuditLogType; public enum AuthenticationResult { - OK("", "", 0), + OK("", "", 0, AuditLogType.USER_VDC_LOGIN), + INVALID_CREDENTIALS( "Authentication Failed. Please verify the username and password.", "USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD", - 11), + 11, + AuditLogType.AUTH_FAILED_INVALID_CREDENTIALS), + CLOCK_SKEW_TOO_GREAT( - "Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized", + "Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5" + + " minutes difference). Please verify the clocks are synchronized", "USER_FAILED_TO_AUTHENTICATE_CLOCK_SKEW_TOO_GREAT", - 12), + 12, + AuditLogType.AUTH_FAILED_CLOCK_SKEW_TOO_GREAT), + NO_KDCS_FOUND( - "Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.", + "Authentication Failed. Please verify the fully qualified domain name that is used for authentication is" + + " correct.", "USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND", - 13), + 13, + AuditLogType.AUTH_FAILED_NO_KDCS_FOUND), + DNS_ERROR( - "Authentication Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.", + "Authentication Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse" + + " DNS (PTR) record.", "USER_FAILED_TO_AUTHENTICATE_DNS_ERROR", - 14), - OTHER("Kerberos error. Please check log for further details.", "USER_FAILED_TO_AUTHENTICATE", 15), + 14, + AuditLogType.AUTH_FAILED_DNS_ERROR), + + OTHER( + "Kerberos error. Please check log for further details.", + "USER_FAILED_TO_AUTHENTICATE", + 15, + AuditLogType.AUTH_FAILED_OTHER), + USER_ACCOUNT_DISABLED_OR_LOCKED( "Authentication failed. 
The user is either locked or disabled", "USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED", - 16, AuditLogType.USER_ACCOUNT_DISABLED_OR_LOCKED), + 16, + AuditLogType.USER_ACCOUNT_DISABLED_OR_LOCKED), + DNS_COMMUNICATION_ERROR( "Authentication Failed. Cannot lookup DNS for SRV records. Please check your DNS configuration", "USER_FAILED_TO_AUTHENTICATE_DNS_ERROR", - 17), + 17, + AuditLogType.AUTH_FAILED_DNS_COMMUNICATION_ERROR), + CONNECTION_TIMED_OUT( - "Authentication Failed. Connection to LDAP server has timed out. Please contact your system administrator", + "Authentication Failed. Connection to LDAP server has timed out. Please contact your system" + + " administrator", "USER_FAILED_TO_AUTHENTICATE_CONNECTION_TIMED_OUT", - 18), + 18, + AuditLogType.AUTH_FAILED_CONNECTION_TIMED_OUT), + WRONG_REALM( "Authentication Failed. Wrong domain name was provided for authentication.", "USER_FAILED_TO_AUTHENTICATE_WRONG_REALM", - 19), + 19, + AuditLogType.AUTH_FAILED_WRONG_REALM), + CONNECTION_ERROR( - "Connection refused or some configuration problems exists. Possible DNS error." + + "Connection refused or some configuration problems exist. Possible DNS error." + " Check your Kerberos and LDAP records", "USER_FAILED_TO_AUTHENTICATE_CONNECTION_ERROR", - 20), + 20, + AuditLogType.AUTH_FAILED_CONNECTION_ERROR), + CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN( "Cannot find valid LDAP server for domain", "CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN", - 21), + 21, + AuditLogType.AUTH_FAILED_CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN), + NO_USER_INFORMATION_WAS_FOUND_FOR_USER( "No user information was found for user", "NO_USER_INFORMATION_WAS_FOUND_FOR_USER", - 22), + 22, + AuditLogType.AUTH_FAILED_NO_USER_INFORMATION_WAS_FOUND), + PASSWORD_EXPIRED( "Authentication Failed. The password has expired. 
Please change your password and login again.", "USER_PASSWORD_EXPIRED", - 23, AuditLogType.USER_ACCOUNT_PASSWORD_EXPIRED), + 23, + AuditLogType.USER_ACCOUNT_PASSWORD_EXPIRED), + CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE( "Authentication Failed. Client not found in kerberos database.", "USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD", - 24); + 24, + AuditLogType.AUTH_FAILED_CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE), + + INTERNAL_KERBEROS_ERROR( + "An internal error has ocurred in the Kerberos implementation of the Java virtual machine. This usually" + + " means that the LDAP server is configured with a minimum security strength factor (minssf)" + + " of 0. Change it to 1 and try again.", + "INTERNAL_KERBEROS_ERROR", + 25, + AuditLogType.AUTH_FAILED_INTERNAL_KERBEROS_ERROR); private String vdcBllMessage; private String detailedMessage; private final int exitCode; private AuditLogType auditLogType; - - private AuthenticationResult(String detailedMsg, String vdcBllMessage, int exitCode) { - this(detailedMsg, vdcBllMessage, exitCode, null); - } private AuthenticationResult(String detailedMsg, String vdcBllMessage, int exitCode, AuditLogType auditLogType) { this.detailedMessage = detailedMsg; -- To view, visit http://gerrit.ovirt.org/25267 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0fa17e2ea206195813b258101a367396399543eb Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: ovirt-engine-3.4 Gerrit-Owner: Martin Peřina <mper...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
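Review bot: `OK` now carries `AuditLogType.USER_VDC_LOGIN` where the removed three-argument constructor used to supply `null`, so any caller that treated a null `auditLogType` as "nothing to audit" will now write an audit entry for successful logins here as well as wherever USER_VDC_LOGIN is already recorded; the commit message only speaks of failure results, so please confirm this is intended and say so on the constant, e.g. `// success is audited as USER_VDC_LOGIN; every result now carries a non-null audit type`. With the null-passing constructor gone the mapping is fixed per constant, so `vdcBllMessage`, `detailedMessage` and `auditLogType` can be declared `final` like `exitCode` is (`private final AuditLogType auditLogType;`), which also lets the compiler reject a constant that forgets its audit type. The constructor body continues past the end of the hunk.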