Posted to user@syncope.apache.org by Hermann Angstl <ha...@talend.com> on 2014/11/18 10:24:55 UTC

Audit Logs (Syncope Version 1.2.0)

Hi there,

I'm just trying to make sense of Syncope's Audit feature.

Under "Reports" -> "Audit" I enabled ALL options of type "REST".

So, for example, "REST" / "EntitlementController" / "getAll" and "getOwn" are checked, for both "Success" and "Failure".

Now I did a login to the Web Console, first with a wrong password, then with the correct password.

When I look into the Syncope database, table syncopeaudit, I see this:

(1) Login to Web Console with wrong Password:
EVENT_DATE, LOGGER_LEVEL, LOGGER, MESSAGE, THROWABLE
'2014-11-18 09:55:14', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isSelfRegAllowed]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:55:14', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isPwdResetAllowed]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:55:14', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isPwdResetRequiringSecurityQuestions]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:55:14', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isSelfRegAllowed]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:55:14', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isPwdResetAllowed]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:55:14', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isPwdResetRequiringSecurityQuestions]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''


(2) Login to Web Console with correct Password:
# EVENT_DATE, LOGGER_LEVEL, LOGGER, MESSAGE, THROWABLE
'2014-11-18 09:58:28', 'DEBUG', 'syncope.audit.[REST]:[EntitlementController]:[]:[getOwn]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	[ROLE_ANONYMOUS]', ''
'2014-11-18 09:58:30', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isSelfRegAllowed]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:58:30', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isPwdResetAllowed]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:58:30', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isPwdResetRequiringSecurityQuestions]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:58:30', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isSelfRegAllowed]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:58:30', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isPwdResetAllowed]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''
'2014-11-18 09:58:30', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[isPwdResetRequiringSecurityQuestions]:[SUCCESS]', '[anonymous] BEFORE:\n	unknown\nINPUT:\n	none\nOUTPUT:\n	true', ''


Questions:
- It seems that I only get EntitlementController audit events for the Success - not for Failure. What do I have to configure to get failed login requests?
- How to get change information, like Role XYZ has been added to User ABC? When I, for example, add Role "ArtDirector" to User "rossini" I get this here - which is hard to parse. Is there a better way to get this kind of information?


# EVENT_DATE, LOGGER_LEVEL, LOGGER, MESSAGE, THROWABLE
'2014-11-18 10:17:22', 'DEBUG', 'syncope.audit.[REST]:[UserController]:[]:[update]:[SUCCESS]', '[admin] BEFORE:\n	org.apache.syncope.common.to.UserTO@70c0a9f0[\r\n  memberships=[org.apache.syncope.common.to.MembershipTO@78d50564[\r\n  roleId=1\r\n  roleName=root\r\n  id=1\r\n  derAttrs=[org.apache.syncope.common.to.AttributeTO@69552635[\r\n  schema=mderiveddata\r\n  values=[sx-dx]\r\n  readonly=true\r\n]]\r\n  virAttrs=[]\r\n  attrs=[org.apache.syncope.common.to.AttributeTO@553f9799[\r\n  schema=mderived_sx\r\n  values=[sx]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@41f9e988[\r\n  schema=mderived_dx\r\n  values=[dx]\r\n  readonly=false\r\n]]\r\n  creator=admin\r\n  creationDate=Wed Oct 20 11:00:00 CEST 2010\r\n  lastModifier=admin\r\n  lastChangeDate=Wed Oct 20 11:00:00 CEST 2010\r\n], org.apache.syncope.common.to.MembershipTO@7e53018e[\r\n  roleId=8\r\n  roleName=otherchild\r\n  id=5\r\n  derAttrs=[]\r\n  virAttrs=[]\r\n  attrs=[]\r\n  creator=admin\r\n  creationDate=Wed Oct 20 11:00:00 CEST 2010\r\n  lastModifier=admin\r\n  lastChangeDate=Wed Oct 20 11:00:00 CEST 2010\r\n], org.apache.syncope.common.to.MembershipTO@7b8b526c[\r\n  roleId=100\r\n  roleName=testRoleName\r\n  id=100\r\n  derAttrs=[]\r\n  virAttrs=[]\r\n  attrs=[]\r\n  creator=admin\r\n  creationDate=Tue Nov 18 10:12:28 CET 2014\r\n  lastModifier=admin\r\n  lastChangeDate=Tue Nov 18 10:12:28 CET 2014\r\n]]\r\n  status=active\r\n  token=<null>\r\n  tokenExpireTime=<null>\r\n  username=rossini\r\n  lastLoginDate=<null>\r\n  changePwdDate=<null>\r\n  failedLogins=0\r\n  securityQuestion=<null>\r\n  securityAnswer=<null>\r\n  resources=[resource-testdb2, ws-target-resource-2]\r\n  propagationStatusTOs=[]\r\n  id=1\r\n  derAttrs=[org.apache.syncope.common.to.AttributeTO@77d06fd1[\r\n  schema=cn\r\n  values=[Rossini, Gioacchino]\r\n  readonly=true\r\n]]\r\n  virAttrs=[]\r\n  attrs=[org.apache.syncope.common.to.AttributeTO@155d3fcb[\r\n  schema=type\r\n  values=[G]\r\n  
readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@1d073362[\r\n  schema=fullname\r\n  values=[Gioacchino Rossini]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@43be75d1[\r\n  schema=firstname\r\n  values=[Gioacchino]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@d290f16[\r\n  schema=surname\r\n  values=[Rossini]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@29d741a[\r\n  schema=userId\r\n  values=[rossini@apache.org]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@2f31584d[\r\n  schema=loginDate\r\n  values=[2009-05-26, 2010-05-26]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@509c3f6f[\r\n  schema=gender\r\n  values=[M]\r\n  readonly=false\r\n]]\r\n  creator=admin\r\n  creationDate=Wed Oct 20 11:00:00 CEST 2010\r\n  lastModifier=admin\r\n  lastChangeDate=Tue Nov 18 10:12:28 CET 2014\r\n]\nINPUT:\n	org.apache.syncope.common.mod.UserMod@4e5d3310[\r\n  password=<null>\r\n  username=<null>\r\n  membershipsToAdd=[org.apache.syncope.common.mod.MembershipMod@3d0cc34e[\r\n  role=14\r\n  id=0\r\n  attrsToUpdate=[]\r\n  attrsToRemove=[]\r\n  derAttrsToAdd=[]\r\n  derAttrsToRemove=[]\r\n  virAttrsToUpdate=[]\r\n  virAttrsToRemove=[]\r\n]]\r\n  membershipsToRemove=[]\r\n  pwdPropRequest=org.apache.syncope.common.mod.StatusMod@37451b9d[\r\n  id=0\r\n  type=<null>\r\n  token=<null>\r\n  onSyncope=true\r\n  resourceNames=[]\r\n]\r\n  securityQuestion=<null>\r\n  securityAnswer=<null>\r\n  resourcesToAdd=[]\r\n  resourcesToRemove=[]\r\n  id=1\r\n  attrsToUpdate=[org.apache.syncope.common.mod.AttributeMod@23503284[\r\n  schema=cool\r\n  valuesToBeAdded=[]\r\n  valuesToBeRemoved=[]\r\n], org.apache.syncope.common.mod.AttributeMod@1d4ed824[\r\n  schema=activationDate\r\n  valuesToBeAdded=[]\r\n  valuesToBeRemoved=[]\r\n], org.apache.syncope.common.mod.AttributeMod@66248a38[\r\n  schema=uselessReadonly\r\n  valuesToBeAdded=[]\r\n  valuesToBeRemoved=[]\r\n], 
org.apache.syncope.common.mod.AttributeMod@68ee96eb[\r\n  schema=aLong\r\n  valuesToBeAdded=[]\r\n  valuesToBeRemoved=[]\r\n], org.apache.syncope.common.mod.AttributeMod@7f6541f[\r\n  schema=makeItDouble\r\n  valuesToBeAdded=[]\r\n  valuesToBeRemoved=[]\r\n]]\r\n  attrsToRemove=[email, obscure, photo]\r\n  derAttrsToAdd=[]\r\n  derAttrsToRemove=[]\r\n  virAttrsToUpdate=[]\r\n  virAttrsToRemove=[]\r\n]\nOUTPUT:\n	org.apache.syncope.common.to.UserTO@4208b9c1[\r\n  memberships=[org.apache.syncope.common.to.MembershipTO@4adb4fc5[\r\n  roleId=1\r\n  roleName=root\r\n  id=1\r\n  derAttrs=[org.apache.syncope.common.to.AttributeTO@45234e8[\r\n  schema=mderiveddata\r\n  values=[sx-dx]\r\n  readonly=true\r\n]]\r\n  virAttrs=[]\r\n  attrs=[org.apache.syncope.common.to.AttributeTO@310f6d8f[\r\n  schema=mderived_sx\r\n  values=[sx]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@6be1e072[\r\n  schema=mderived_dx\r\n  values=[dx]\r\n  readonly=false\r\n]]\r\n  creator=admin\r\n  creationDate=Wed Oct 20 11:00:00 CEST 2010\r\n  lastModifier=admin\r\n  lastChangeDate=Wed Oct 20 11:00:00 CEST 2010\r\n], org.apache.syncope.common.to.MembershipTO@3a5693b3[\r\n  roleId=8\r\n  roleName=otherchild\r\n  id=5\r\n  derAttrs=[]\r\n  virAttrs=[]\r\n  attrs=[]\r\n  creator=admin\r\n  creationDate=Wed Oct 20 11:00:00 CEST 2010\r\n  lastModifier=admin\r\n  lastChangeDate=Wed Oct 20 11:00:00 CEST 2010\r\n], org.apache.syncope.common.to.MembershipTO@9faeab1[\r\n  roleId=100\r\n  roleName=testRoleName\r\n  id=100\r\n  derAttrs=[]\r\n  virAttrs=[]\r\n  attrs=[]\r\n  creator=admin\r\n  creationDate=Tue Nov 18 10:12:28 CET 2014\r\n  lastModifier=admin\r\n  lastChangeDate=Tue Nov 18 10:12:28 CET 2014\r\n], org.apache.syncope.common.to.MembershipTO@38460f95[\r\n  roleId=14\r\n  roleName=artDirector\r\n  id=101\r\n  derAttrs=[]\r\n  virAttrs=[]\r\n  attrs=[]\r\n  creator=admin\r\n  creationDate=Tue Nov 18 10:17:21 CET 2014\r\n  lastModifier=admin\r\n  lastChangeDate=Tue Nov 18 10:17:21 
CET 2014\r\n]]\r\n  status=active\r\n  token=<null>\r\n  tokenExpireTime=<null>\r\n  username=rossini\r\n  lastLoginDate=<null>\r\n  changePwdDate=<null>\r\n  failedLogins=0\r\n  securityQuestion=<null>\r\n  securityAnswer=<null>\r\n  resources=[resource-testdb2, ws-target-resource-2]\r\n  propagationStatusTOs=[]\r\n  id=1\r\n  derAttrs=[org.apache.syncope.common.to.AttributeTO@7fa91c0f[\r\n  schema=cn\r\n  values=[Rossini, Gioacchino]\r\n  readonly=true\r\n]]\r\n  virAttrs=[]\r\n  attrs=[org.apache.syncope.common.to.AttributeTO@37715e43[\r\n  schema=type\r\n  values=[G]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@73e39d24[\r\n  schema=fullname\r\n  values=[Gioacchino Rossini]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@6461e1ec[\r\n  schema=firstname\r\n  values=[Gioacchino]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@56378070[\r\n  schema=surname\r\n  values=[Rossini]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@55d16548[\r\n  schema=userId\r\n  values=[rossini@apache.org]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@265085fc[\r\n  schema=loginDate\r\n  values=[2009-05-26, 2010-05-26]\r\n  readonly=false\r\n], org.apache.syncope.common.to.AttributeTO@708c770a[\r\n  schema=gender\r\n  values=[M]\r\n  readonly=false\r\n]]\r\n  creator=admin\r\n  creationDate=Wed Oct 20 11:00:00 CEST 2010\r\n  lastModifier=admin\r\n  lastChangeDate=Tue Nov 18 10:17:21 CET 2014\r\n]', ''

cheers,
Hermann
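
The UserController:update row above is the raw record Syncope writes. As an added example (my own code, not from this thread or from Syncope), here is a small post-processor that flattens one syncopeaudit row and derives "role X added to user Y" by diffing the membership lists in the BEFORE and OUTPUT dumps. It assumes the 1.2.0 LOGGER and MESSAGE layout exactly as shown in the rows above; the sample row is constructed and shortened, not copied from a real database.

```python
# Added example (mine, not from this thread or from Syncope): flatten one raw syncopeaudit
# row (LOGGER + MESSAGE columns, 1.2.0 layout as in the rows above) and derive
# "role X added to user Y" by diffing the BEFORE and OUTPUT UserTO membership lists.
import re

LOGGER_RE = re.compile(r"\[([^\]]*)\]")  # [TYPE]:[CATEGORY]:[SUBCATEGORY]:[EVENT]:[RESULT]
MESSAGE_RE = re.compile(  # "[actor] BEFORE:\n\t<dump>\nINPUT:\n\t<dump>\nOUTPUT:\n\t<dump>"
    r"^\[(?P<actor>[^\]]+)\] BEFORE:\n\t(?P<before>.*?)\nINPUT:\n\t(?P<input>.*?)\nOUTPUT:\n\t(?P<output>.*)$",
    re.DOTALL)
MEMBERSHIP_RE = re.compile(r"roleId=(\d+)\r?\n\s*roleName=([^\r\n]+)")  # one pair per MembershipTO
TO_ADD_RE = re.compile(r"membershipsToAdd=\[(.*?)\]\r?\n\s*membershipsToRemove=", re.DOTALL)
USERNAME_RE = re.compile(r"\n\s*username=([^\r\n]+)")

def parse_logger(logger):
    """'syncope.audit.[REST]:[UserController]:[]:[update]:[SUCCESS]' -> dict of the five parts."""
    parts = LOGGER_RE.findall(logger)
    if len(parts) != 5:
        raise ValueError("unexpected audit logger name: %r" % logger)
    return dict(zip(("type", "category", "subcategory", "event", "result"), parts))

def memberships(user_to_dump):
    """roleId -> roleName for every MembershipTO inside a UserTO toString() dump."""
    return {int(rid): name for rid, name in MEMBERSHIP_RE.findall(user_to_dump)}

def requested_role_ids(user_mod_dump):
    """Role ids the caller asked to add (membershipsToAdd entries of the UserMod dump)."""
    m = TO_ADD_RE.search(user_mod_dump)
    return [int(r) for r in re.findall(r"\brole=(\d+)", m.group(1))] if m else []

def summarize(logger, message):
    """Flatten one audit row; also fine for login rows (BEFORE=unknown, no memberships)."""
    rec = parse_logger(logger)
    m = MESSAGE_RE.match(message)
    if not m:
        raise ValueError("MESSAGE does not follow the BEFORE/INPUT/OUTPUT layout")
    before, output = memberships(m.group("before")), memberships(m.group("output"))
    user = USERNAME_RE.search(m.group("output"))
    rec.update(actor=m.group("actor"), username=user.group(1) if user else None,
               requested_role_ids=requested_role_ids(m.group("input")),
               roles_added=sorted((k, v) for k, v in output.items() if k not in before),
               roles_removed=sorted((k, v) for k, v in before.items() if k not in output))
    return rec

# Constructed sample, shortened from the UserController:update row in the thread (same
# layout, most attributes dropped; the @N object hashes are made up).
SAMPLE_LOGGER = "syncope.audit.[REST]:[UserController]:[]:[update]:[SUCCESS]"
SAMPLE_MESSAGE = (
    "[admin] BEFORE:\n\tUserTO@1[\r\n  memberships=[MembershipTO@2[\r\n  roleId=1\r\n  roleName=root\r\n"
    "  id=1\r\n], MembershipTO@3[\r\n  roleId=100\r\n  roleName=testRoleName\r\n  id=100\r\n]]\r\n"
    "  status=active\r\n  username=rossini\r\n  id=1\r\n]\n"
    "INPUT:\n\tUserMod@4[\r\n  password=<null>\r\n  username=<null>\r\n  membershipsToAdd=[MembershipMod@5[\r\n"
    "  role=14\r\n  id=0\r\n]]\r\n  membershipsToRemove=[]\r\n  id=1\r\n]\n"
    "OUTPUT:\n\tUserTO@6[\r\n  memberships=[MembershipTO@7[\r\n  roleId=1\r\n  roleName=root\r\n  id=1\r\n],"
    " MembershipTO@8[\r\n  roleId=100\r\n  roleName=testRoleName\r\n  id=100\r\n], MembershipTO@9[\r\n"
    "  roleId=14\r\n  roleName=artDirector\r\n  id=101\r\n]]\r\n  status=active\r\n  username=rossini\r\n  id=1\r\n]")
```

Calling summarize(SAMPLE_LOGGER, SAMPLE_MESSAGE) on the constructed row yields roles_added == [(14, 'artDirector')] and requested_role_ids == [14], which is the "Role ArtDirector added to User rossini" line the question asks for; comparing the two lists also flags requests where the outcome differs from what was asked.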

Re: Audit Logs (Syncope Version 1.2.0)

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 19/11/2014 09:37, Hermann Angstl wrote:
> Hello Francesco,
>
> thanks for your reply.
>
>> For your purpose I would suggest instead to set audit information on
>>
>> [REST]:[AuthenticationController]:[]:[login]:[SUCCESS]
>> [REST]:[AuthenticationController]:[]:[login]:[FAILURE]
> Unfortunately I don't have "AuthenticationController" in my dropdown box in the Admin Console.
> When I go to Reports -> Audit, select type: REST, the entries in Category start with "ConfigurationController, ConnectionController, ..." - no AuthenticationController.

You're right, that's a bug: see SYNCOPE-608 [1]; as reported there, a 
workaround via REST is available.

Regards.

[1] https://issues.apache.org/jira/browse/SYNCOPE-608

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/



RE: Audit Logs (Syncope Version 1.2.0)

Posted by Hermann Angstl <ha...@talend.com>.
Hello Francesco,

thanks for your reply.


> For your purpose I would suggest instead to set audit information on
> 
> [REST]:[AuthenticationController]:[]:[login]:[SUCCESS]
> [REST]:[AuthenticationController]:[]:[login]:[FAILURE]

Unfortunately I don't have "AuthenticationController" in my dropdown box in the Admin Console.
When I go to Reports -> Audit, select type: REST, the entries in Category start with "ConfigurationController, ConnectionController, ..." - no AuthenticationController.

I am using Syncope 1.2.0

cheers,
Hermann


Re: Audit Logs (Syncope Version 1.2.0)

Posted by Francesco Chicchiriccò <il...@apache.org>.
Il 19/11/2014 09:26, Francesco Chicchiriccò ha scritto:
> Hi Hermann,
> see my replies embedded below.
>
> Regards.
>
> On 18/11/2014 10:24, Hermann Angstl wrote:
>> Hi there,
>>
>> I'm just trying to make sense of Syncope's Audit feature.
>>
>> Under "Reports" -> "Audit" I enabled ALL options of type "REST".
>>
>> So, for example, "REST" / "EntitlementController" / "getAll" and
>> "getOwn" are checked, for both "Success" and "Failure".
>>
>> Now I did a login to the Web Console, first with a wrong password, 
>> then with the correct password.
>>
>> When I look into the Syncope database, table syncopeaudit, I see this:
>>
>> (1) Login to Web Console with wrong Password:
>> [...]
>>
>> (2) Login to Web Console with correct Password:
>> [...]
>>
>> Questions:
>> - It seems that I only get EntitlementController audit events for the 
>> Success - not for Failure. What do I have to configure to get failed 
>> login requests?
>
> EntitlementController [1] methods do not enforce any security 
> constraint, so there is no chance you can get any failure there under 
> normal circumstances.
>
> For your purpose I would suggest instead to set audit information on
>
> [REST]:[AuthenticationController]:[]:[login]:[SUCCESS]
> [REST]:[AuthenticationController]:[]:[login]:[FAILURE]
>
> I have just added such information to our FAQ page [2].
>
>> - How to get change information, like Role XYZ has been added to User 
>> ABC? When I, for example, add Role "ArtDirector" to User "rossini" I 
>> get this here - which is hard to parse. Is there a better way to get
>> this kind of information?
>
> The information reported below is the complete audit that needs, of
> course, further processing to be effective.
>
> You could, however, empower Activiti for providing more sensible audit 
> for your own purpose: add a Java UserTask (see the provided classes 
> for some examples) which inspects the user request being served 
> (adding roles, in your case) and

...and invokes the AuditManager with appropriate arguments. (send was 
too quick, sorry).

>> [...]
>
> [1] 
> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/main/java/org/apache/syncope/core/rest/controller/EntitlementController.java;hb=1_2_X
> [2] 
> https://cwiki.apache.org/confluence/display/SYNCOPE/FAQ#FAQ-HowdoIauditloginsuccess/failure?
>


-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/


Re: Audit Logs (Syncope Version 1.2.0)

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 20/11/2014 10:47, Hermann Angstl wrote:
> Hello Francesco,
>
>> You could, however, empower Activiti for providing more sensible audit for your own purpose: add a Java UserTask (see the provided classes for some examples)
>> which inspects the user request being served (adding roles, in your case)
>> and invokes the AuditManager with appropriate arguments.
> Can you explain this with a little bit more detail?

Hi,
as explained in SYNCOPE-608 [1] summary, the code snippet that does what
is required is something like:


import org.apache.syncope.common.services.LoggerService;
import org.apache.syncope.common.to.LoggerTO;
import org.apache.syncope.common.types.LoggerLevel;
import org.apache.syncope.common.types.LoggerType;

// audit logger name: [TYPE]:[CATEGORY]:[SUBCATEGORY]:[EVENT]:[RESULT]
String name = "[REST]:[AuthenticationController]:[]:[login]:[SUCCESS]";
LoggerTO loggerTO = new LoggerTO();
loggerTO.setName(name);
loggerTO.setLevel(LoggerLevel.DEBUG);

// obtained from the Syncope Java client setup (see [2])
LoggerService loggerService = ....;
// creating / updating the AUDIT logger enables the matching audit entries
loggerService.update(LoggerType.AUDIT, name, loggerTO);


Naturally, this code would require Syncope Java client setup: you
can find an example in this project of mine [2] (check branch 1_2_X).

Anyway, as you can see the original issue has already been fixed in
1.2.2-SNAPSHOT.

Regards.

[1] https://issues.apache.org/jira/browse/SYNCOPE-608
[2] https://github.com/ilgrosso/syncopeRestClient

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/


RE: Audit Logs (Syncope Version 1.2.0)

Posted by Hermann Angstl <ha...@talend.com>.
Hello Francesco,

> You could, however, empower Activiti for providing more sensible audit for your own purpose: add a Java UserTask (see the provided classes for some examples) 
> which inspects the user request being served (adding roles, in your case)
> and invokes the AuditManager with appropriate arguments.

Can you explain this with a little bit more detail?

cheers,
Hermann

Re: Audit Logs (Syncope Version 1.2.0)

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi Hermann,
see my replies embedded below.

Regards.

On 18/11/2014 10:24, Hermann Angstl wrote:
> Hi there,
>
> I'm just trying to make sense of Syncope's Audit feature.
>
> Under "Reports" -> "Audit" I enabled ALL options of type "REST".
>
> So, for example, "REST" / "EntitlementController" / "getAll" and "getOwn" are checked, for both "Success" and "Failure".
>
> Now I did a login to the Web Console, first with a wrong password, then with the correct password.
>
> When I look into the Syncope database, table syncopeaudit, I see this:
>
> (1) Login to Web Console with wrong Password:
> [...]
>
> (2) Login to Web Console with correct Password:
> [...]
>
> Questions:
> - It seems that I only get EntitlementController audit events for the Success - not for Failure. What do I have to configure to get failed login requests?

EntitlementController [1] methods do not enforce any security 
constraint, so there is no chance you can get any failure there under 
normal circumstances.

For your purpose I would suggest instead to set audit information on

[REST]:[AuthenticationController]:[]:[login]:[SUCCESS]
[REST]:[AuthenticationController]:[]:[login]:[FAILURE]

I have just added such information to our FAQ page [2].

> - How to get change information, like Role XYZ has been added to User ABC? When I, for example, add Role "ArtDirector" to User "rossini" I get this here - which is hard to parse. Is there a better way to get this kind of information?

The information reported below is the complete audit that needs, of
course, further processing to be effective.

You could, however, empower Activiti for providing more sensible audit 
for your own purpose: add a Java UserTask (see the provided classes for 
some examples) which inspects the user request being served (adding 
roles, in your case) and

> [...]

[1] 
https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/main/java/org/apache/syncope/core/rest/controller/EntitlementController.java;hb=1_2_X
[2] 
https://cwiki.apache.org/confluence/display/SYNCOPE/FAQ#FAQ-HowdoIauditloginsuccess/failure?

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/