Yair Zaslavsky has uploaded a new change for review. Change subject: AAA: Introduce usage of Acct ......................................................................
AAA: Introduce usage of Acct Introducing usage of accounting Topic: AAA Change-Id: Ief13d233d11b7ab32b328735b4f58ec7cffff567 Signed-off-by: Yair Zaslavsky <yzasl...@redhat.com>
---
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationFilter.java
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/Backend.java
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java
M backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java
M backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
6 files changed, 70 insertions(+), 12 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/70/27070/1
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationFilter.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationFilter.java
index 1659059..518685f 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationFilter.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationFilter.java
@@ -18,6 +18,7 @@
 import org.ovirt.engine.api.extensions.Base;
 import org.ovirt.engine.api.extensions.ExtMap;
+import org.ovirt.engine.api.extensions.aaa.Acct;
 import org.ovirt.engine.api.extensions.aaa.Authn;
 import org.ovirt.engine.core.utils.log.Log;
 import org.ovirt.engine.core.utils.log.LogFactory;
@@ -145,13 +146,15 @@
 )
 );
+ ExtMap authRecord = output.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD);
 switch (output.<Integer> get(Authn.InvokeKeys.RESULT)) {
 case Authn.AuthResult.SUCCESS:
- String name = output.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD).<String> get(Authn.AuthRecord.PRINCIPAL);
+ String name = authRecord.<String> get(Authn.AuthRecord.PRINCIPAL);
 session.setAttribute(AUTHENTICATED_ATTR, true);
 session.setAttribute(NAME_ATTR, name);
 session.removeAttribute(STACK_ATTR);
 req = new AuthenticatedRequestWrapper(req, name);
+ AcctUtils.reportAuthRecord(Acct.ReportReason.PRINCIPAL_LOGIN_NEGOTIATE, authRecord);
 chain.doFilter(req, rsp);
 return;
@@ -170,6 +173,8 @@
 // If we are here then there are no more authenticators to try so we need to invalidate the session and reject
 // the request:
 session.invalidate();
+ AcctUtils.reportAuthRecord(Acct.ReportReason.PRINCIPAL_LOGIN_FAILED, authRecord);
+
 rsp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 }
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/Backend.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/Backend.java
index 8a0c2af..43035f4 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/Backend.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/Backend.java
@@ -20,6 +20,8 @@
 import org.apache.commons.collections.KeyValue;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.exception.ExceptionUtils;
+import org.ovirt.engine.api.extensions.aaa.Acct;
+import org.ovirt.engine.core.aaa.AcctUtils;
 import org.ovirt.engine.core.bll.attestationbroker.AttestThread;
 import org.ovirt.engine.core.bll.context.CommandContext;
 import org.ovirt.engine.core.bll.interceptors.ThreadLocalSessionCleanerInterceptor;
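Review bot: In the -170,6 hunk `authRecord` is passed to `AcctUtils.reportAuthRecord(Acct.ReportReason.PRINCIPAL_LOGIN_FAILED, authRecord)` after every authenticator has been tried, and on that path the last `output` may well carry no AUTH_RECORD, so the value can be null; `AcctUtils` is not part of this change, so confirm that `reportAuthRecord` tolerates a null record or guard the call. The variable is declared in the -145,13 hunk inside the block that handles one authenticator's output; if that block is the body of the loop over the authentication stack, the declaration is out of scope at line 173 and this will not compile — the enclosing method starts and ends outside both hunks. Either way a short comment above the new failure report, e.g. `// authRecord is whatever the last authenticator returned, possibly null`, would make the intent explicit.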
@@ -243,6 +245,16 @@
 1, quotaCacheIntervalInMinutes, TimeUnit.MINUTES);
 //initializes attestation
 initAttestation();
+
+ Runtime.getRuntime().addShutdownHook(new Thread(new Runnable() {
+
+ @Override
+ public void run() {
+ AcctUtils.reportReason(Acct.ReportReason.SHUTDOWN);
+ }
+ }));
+
+ AcctUtils.reportReason(Acct.ReportReason.STARTUP);
 }
 private void initAttestation() {
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
index 0512aa5..fcde901 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
@@ -12,9 +12,13 @@
 import org.apache.commons.lang.time.DateUtils;
 import org.ovirt.engine.api.extensions.Base;
 import org.ovirt.engine.api.extensions.ExtMap;
+import org.ovirt.engine.api.extensions.aaa.Acct;
 import org.ovirt.engine.api.extensions.aaa.Authn;
+import org.ovirt.engine.api.extensions.aaa.Acct.ReportReason;
 import org.ovirt.engine.api.extensions.aaa.Authn.AuthRecord;
+import org.ovirt.engine.api.extensions.aaa.Authn.AuthResult;
 import org.ovirt.engine.api.extensions.aaa.Mapping;
+import org.ovirt.engine.core.aaa.AcctUtils;
 import org.ovirt.engine.core.aaa.AuthenticationProfile;
 import org.ovirt.engine.core.aaa.AuthenticationProfileRepository;
 import org.ovirt.engine.core.aaa.AuthzUtils;
@@ -44,6 +48,7 @@
 private static final Map<Integer, AuditLogType> auditLogMap = new HashMap<>();
 private static final Map<Integer, VdcBllMessages> vdcBllMessagesMap = new HashMap<>();
+ private static final Map<Integer, Integer> authResultToReportReasonMap = new HashMap();
 static {
 auditLogMap.put(Authn.AuthResult.CREDENTIALS_EXPIRED, AuditLogType.USER_ACCOUNT_PASSWORD_EXPIRED);
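Review bot: `new HashMap()` in the -44,6 hunk is a raw type, unlike the two `new HashMap<>()` declarations directly above it; use `private static final Map<Integer, Integer> authResultToReportReasonMap = new HashMap<>();`. In the Backend -243,6 hunk the SHUTDOWN report is sent from a JVM shutdown hook; whether the accounting extensions are still invokable at that point is not visible here (extension teardown may run from its own hook, and hook ordering is unspecified), so a comment on the hook such as `// best-effort: extension state during JVM shutdown is not guaranteed` would record the assumption. An exception thrown inside `run()` would surface as an uncaught exception on the hook thread, so wrapping the report in a try/catch that logs the failure is worth considering. The `initialize` method these lines belong to starts outside the hunk.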
@@ -60,6 +65,9 @@
 vdcBllMessagesMap.put(Authn.AuthResult.ACCOUNT_DISABLED, VdcBllMessages.USER_ACCOUNT_DISABLED);
 vdcBllMessagesMap.put(Authn.AuthResult.TIMED_OUT, VdcBllMessages.USER_FAILED_TO_AUTHENTICATE_TIMED_OUT);
 vdcBllMessagesMap.put(Authn.AuthResult.CREDENTIALS_EXPIRED, VdcBllMessages.USER_PASSWORD_EXPIRED);
+
+ authResultToReportReasonMap.put(AuthResult.ACCOUNT_DISABLED, ReportReason.PRINCIPAL_LOGIN_LOCKED);
+ authResultToReportReasonMap.put(AuthResult.GENERAL_ERROR, ReportReason.PRINCIPAL_LOGIN_FAILED);
 }
 private ExtensionProxy authnExtension;
@@ -134,6 +142,7 @@
 log.debug("Exception is ", e);
 }
 }
+ SessionDataContainer.getInstance().setAuthRecord(authRecord);
 SessionDataContainer.getInstance().setHardLimit(validTo);
 }
 return true;
@@ -231,6 +240,8 @@
 return false;
 }
+ AcctUtils.reportAuthRecord(Acct.ReportReason.PRINCIPAL_LOGIN_CREDENTIALS, authRecord);
+
 // Check that the user exists in the database, if it doesn't exist then we need to add it now:
 dbUser =
@@ -255,6 +266,7 @@
 MultiLevelAdministrationHandler.BOTTOM_OBJECT_ID, VdcObjectType.Bottom, true)) {
+ AcctUtils.reportAuthRecord(Acct.ReportReason.PRINCIPAL_LOGIN_NO_PERMISSION, authRecord);
 addCanDoActionMessage(VdcBllMessages.USER_NOT_AUTHORIZED_TO_PERFORM_ACTION);
 return false;
 }
@@ -319,7 +331,6 @@
 }
 private ExtMap authenticate(String user, String password) {
- ExtMap result = null;
 ExtensionProxy mapper = profile.getMapper();
 if (mapper != null) {
 user = mapper.invoke(new ExtMap().mput(
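Review bot: In the -231,6 hunk the PRINCIPAL_LOGIN_CREDENTIALS report is emitted before the database lookup and the permission check that follow it, so a principal whose credentials are accepted but who is then rejected in the -255,6 hunk produces both a LOGIN_CREDENTIALS and a LOGIN_NO_PERMISSION record; if LOGIN_CREDENTIALS is meant to mean a completed login rather than accepted credentials, the call belongs after the permission check. In either case the ordering deserves a comment, e.g. `// credentials were accepted; authorization is still checked below`. In the -60,6 hunk `AuthResult.ACCOUNT_DISABLED` is mapped to `ReportReason.PRINCIPAL_LOGIN_LOCKED`, which conflates a disabled account with a locked one; if `Acct.ReportReason` has a closer reason use it, otherwise note the approximation beside the put. The enclosing methods start and end outside these hunks.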
@@ -342,13 +353,21 @@
 password
 ));
+ ExtMap result = outputMap.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD);
 int authResult = outputMap.<Integer>get(Authn.InvokeKeys.RESULT);
+ Integer reportReason = authResultToReportReasonMap.get(authResult);
+ if (reportReason == null) {
+ reportReason = Acct.ReportReason.PRINCIPAL_LOGIN_FAILED;
+ }
+
+ AcctUtils.reportAuthRecord(reportReason, result);
 if (authResult != Authn.AuthResult.SUCCESS) {
 log.infoFormat(
 "Can't login user \"{0}\" with authentication profile \"{1}\" because the authentication failed.",
 user, getParameters().getProfileName());
+
 AuditLogType auditLogType = auditLogMap.get(authResult);
 // if found matching audit log type, and it's not general login failure audit log (which will be logged
 // anyway due to CommandBase.log)
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java
index 97c2b0b..ce44431 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java
@@ -8,6 +8,9 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.time.DateUtils;
+import org.ovirt.engine.api.extensions.ExtMap;
+import org.ovirt.engine.api.extensions.aaa.Acct;
+import org.ovirt.engine.core.aaa.AcctUtils;
 import org.ovirt.engine.core.common.businessentities.DbUser;
 import org.ovirt.engine.core.common.config.Config;
 import org.ovirt.engine.core.common.config.ConfigValues;
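Review bot: In the -342,13 hunk `AcctUtils.reportAuthRecord(reportReason, result)` runs for every outcome, and because `Authn.AuthResult.SUCCESS` has no entry in `authResultToReportReasonMap` a successful authentication is reported as `PRINCIPAL_LOGIN_FAILED` just before the caller reports it as `PRINCIPAL_LOGIN_CREDENTIALS`; move the call into the `if (authResult != Authn.AuthResult.SUCCESS)` block that follows it. `result` is now assigned the AUTH_RECORD on failed results too, and this same change makes both built-in authenticators return one on failure; if the remainder of `authenticate` — which ends outside the hunk — still returns `result` and its caller treats a non-null return as "authenticated", a failed attempt would be accepted, so confirm the caller decides on RESULT rather than on nullness. Renaming the variable to `authRecord` would also make clear that it is no longer the method's success indicator.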
@@ -27,6 +30,8 @@
 private static final String PASSWORD_PARAMETER_NAME = "password";
 private static final String HARD_LIMIT_PARAMETER_NAME = "hard_limit";
 private static final String SOFT_LIMIT_PARAMETER_NAME = "soft_limit";
+
+ private static final String AUTH_RECORD_PARAMETER_NAME = null;
 private static SessionDataContainer dataProviderInstance = new SessionDataContainer();
@@ -130,7 +135,13 @@
 * - id of current session
 */
 public final void removeSession(String sessionId) {
+ reportSessionRemoval(sessionId, Acct.ReportReason.PRINCIPAL_LOGOUT);
 sessionInfoMap.remove(sessionId);
+ }
+
+ private void reportSessionRemoval(String sessionId, int reason) {
+ AcctUtils.reportAuthRecord(reason,
+ (ExtMap) getData(sessionId, AUTH_RECORD_PARAMETER_NAME, false));
 }
 /**
@@ -142,16 +153,19 @@
 Iterator<Entry<String, SessionInfo>> iterator = sessionInfoMap.entrySet().iterator();
 while (iterator.hasNext()) {
- ConcurrentMap<String, Object> sessionMap = iterator.next().getValue().contentOfSession;
+ Entry<String, SessionInfo> entryMap = iterator.next();
+ ConcurrentMap<String, Object> sessionMap = entryMap.getValue().contentOfSession;
 Date hardLimit = (Date) sessionMap.get(HARD_LIMIT_PARAMETER_NAME);
 Date softLimit = (Date) sessionMap.get(SOFT_LIMIT_PARAMETER_NAME);
 if (hardLimit != null) {
 if (hardLimit.before(now)) {
+ reportSessionRemoval(entryMap.getKey(), Acct.ReportReason.PRINCIPAL_SESSION_EXPIRED);
 iterator.remove();
 }
 }
 if (softLimit != null) {
+ reportSessionRemoval(entryMap.getKey(), Acct.ReportReason.PRINCIPAL_SESSION_EXPIRED);
 if (softLimit.before(now)) {
 iterator.remove();
 }
@@ -196,6 +210,10 @@
 */
 public final boolean setUser(DbUser user) {
 return setData(USER_PARAMETER_NAME, user);
+ }
+
+ public final boolean setAuthRecord(ExtMap authRecord) {
+ return setData(AUTH_RECORD_PARAMETER_NAME, authRecord);
 }
 public final void setHardLimit(Date hardLimit) {
@@ -261,4 +279,5 @@ } } + }
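Review bot: `AUTH_RECORD_PARAMETER_NAME` is initialised to `null` in the -27,6 hunk while its sibling constants are string keys, so `setAuthRecord` and `reportSessionRemoval` pass a null key to `setData`/`getData` over `contentOfSession`, which the -142,16 hunk shows to be a `ConcurrentMap<String, Object>`; if that is a `ConcurrentHashMap` the null key throws NullPointerException on the login path. Give it a real key in the style of its neighbours, e.g. `private static final String AUTH_RECORD_PARAMETER_NAME = "auth_record";` (constructed value). In the -142,16 hunk the soft-limit branch calls `reportSessionRemoval(entryMap.getKey(), Acct.ReportReason.PRINCIPAL_SESSION_EXPIRED)` before testing `softLimit.before(now)`, so every live session that has a soft limit is reported as expired on each cleanup pass; move the call inside the `if (softLimit.before(now))` block as the hard-limit branch does. A session that trips both limits would still be reported twice, which follows from the pre-existing structure but now shows up in the accounting stream.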
diff --git a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java
index fa82edd..2d558c9 100644
--- a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java
+++ b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java
@@ -40,14 +40,14 @@
 .equals(adminPassword))) {
 output.put(Authn.InvokeKeys.RESULT, Authn.AuthResult.CREDENTIALS_INVALID);
 } else {
- output.put(Authn.InvokeKeys.AUTH_RECORD,
+ output.put(Authn.InvokeKeys.RESULT, Authn.AuthResult.SUCCESS);
+ }
+ output.put(Authn.InvokeKeys.AUTH_RECORD,
 new ExtMap().mput(
 Authn.AuthRecord.PRINCIPAL,
 adminUser
 )
 );
- output.put(Authn.InvokeKeys.RESULT, Authn.AuthResult.SUCCESS);
- }
 }
 private void doInit(ExtMap input, ExtMap output) {
diff --git a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
index 90ff16a..6a759d1 100644
--- a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
+++ b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
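Review bot: After the -40,14 hunk an AUTH_RECORD naming `adminUser` is written to `output` on the CREDENTIALS_INVALID path as well, so callers can no longer infer a successful authentication from the presence of an auth record; only `Authn.InvokeKeys.RESULT` says whether the principal was authenticated. That is presumably deliberate so accounting can name the principal on failure, but it should be stated above the put, e.g. `// AUTH_RECORD is returned for failed attempts too (for accounting); RESULT is the only success indicator`. The condition that selects the failure branch starts outside the hunk, so whether `adminUser` is the configured administrator name or the name the caller supplied is not visible here; if it is the configured name, a failed attempt under any other login name is accounted against the administrator principal, which is worth checking.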
@@ -27,9 +27,17 @@
 LdapQueryData queryData = new LdapQueryDataImpl();
 String loginName = getLoginName();
+ getParameters().getOutputMap().mput(
+ Authn.InvokeKeys.AUTH_RECORD,
+ new ExtMap().mput(
+ Authn.AuthRecord.PRINCIPAL,
+ loginName
+ ));
+
 if (!loginName.contains("@")) {
 loginName = loginName + "@" + getDomain();
 }
+ queryData.setLdapQueryType(LdapQueryType.getUserByPrincipalName);
 // The domain in the UPN must overwrite the domain field. Discrepancies between the UPN domain and
 // the domain may lead failure in Kerberos queries
@@ -55,12 +63,7 @@
 getParameters().getOutputMap().mput(
 Authn.InvokeKeys.RESULT,
 Authn.AuthResult.SUCCESS
- ).mput(
- Authn.InvokeKeys.AUTH_RECORD,
- new ExtMap().mput(
- Authn.AuthRecord.PRINCIPAL,
- user.getUserName()
- ));
+ );
 setSucceeded(true);
 } else {
 log.errorFormat("Failed authenticating. Domain is {0}. User is {1}. The user doesn't have a UPN",
--
To view, visit http://gerrit.ovirt.org/27070
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ief13d233d11b7ab32b328735b4f58ec7cffff567
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com>
_______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
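Review bot: The -27,9 hunk records `loginName` — the caller-supplied login string, taken before the `@domain` suffix is appended — as `Authn.AuthRecord.PRINCIPAL`, and the -55,12 hunk removes the `user.getUserName()` value that was previously set on success, so the principal reported for a successful login now comes from the request rather than from the directory entry and may differ from it in case or form. If accounting and the session record should carry the canonical name, keep the early record for the failure path but re-put AUTH_RECORD with `user.getUserName()` in the success branch, as the removed lines did; if the request-supplied form is intended, say so in a comment next to the early `mput`. The first hunk also adds `queryData.setLdapQueryType(LdapQueryType.getUserByPrincipalName)`; if the same call still exists further down the method, outside the hunk, one of the two is redundant. The enclosing method starts and ends outside both hunks.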