Posted to users@activemq.apache.org by Howard Gao <ho...@gmail.com> on 2020/04/25 09:56:06 UTC

Re: Artemis - audit logging and anonymous user

Some of the audit log methods have the username passed in explicitly and so
get correctly logged. Some others however don't, in which case the audit
logger uses Subject.getSubject(context) in an attempt to acquire the
caller. But within the broker I believe most of the operations don't
associate the subject/caller in this way, so it will return null. In other
words, it doesn't work. I think the simple way to solve this is to pass the
username explicitly to the audit logger.
I'd suggest you raise the JIRA bug for that and link it with ARTEMIS-2648.

Howard

On Sat, Apr 25, 2020 at 2:04 AM Stephen M Groucutt
<St...@yahoo.com.invalid> wrote:

> Hi,
>
> We’re using Artemis 2.11.0 running on Red Hat 8 in a pod. We use the
> TextFileCertificateLoginModule for authentication, which has been working
> well for us. We are configured only for the AMQP acceptor using amqps on
> port 5671.
>
> My question is about the audit log output from the logger with name
> org.apache.activemq.audit.base. In this output, we see only the anonymous
> user principal having actions logged - for instance, a lot of “User
> anonymous is creating address/creating a queue/etc” type output, when an
> authenticated client is performing those actions. We would like to be able
> to trace the activity back to the authenticated subject.
>
> I am pretty sure that the login module itself is working fine and is
> returning a valid UserPrincipal in the subject, as I can add the
> populate-validated-user configuration and subsequently I see the client
> name in the incoming messages as a message header.
>
> I wanted to ask:
>  - Should the subject username be getting logged in the audit logs, or is
> that name coming from some unexpected place?
>  - Is there some other place to configure the subject name that gets
> logged, or is there some reason the text file login module will definitely
> not work for this purpose?
>  - I saw ARTEMIS-2648 was filed to improve audit logging in general: if
> this is a known issue, would that issue resolve this?
>
> Thanks very much,
> Steve
>

Re: Artemis - audit logging and anonymous user

Posted by Stephen M Groucutt <St...@yahoo.com.INVALID>.
Thanks Andy, I added a comment to that issue to track.

> On Apr 27, 2020, at 10:38 AM, andytaylor <an...@gmail.com> wrote:
> 
> https://issues.apache.org/jira/browse/ARTEMIS-2648
> 
> feel free to add extra requirements
> 
> 
> 
> --
> Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html


Re: Artemis - audit logging and anonymous user

Posted by andytaylor <an...@gmail.com>.
https://issues.apache.org/jira/browse/ARTEMIS-2648

feel free to add extra requirements




Re: Artemis - audit logging and anonymous user

Posted by andytaylor <an...@gmail.com>.
Just FYI, I'm currently doing some work around this to improve audit logging:
basically being able to log the user and IP address in certain events and
also refining the granularity. Should have something in a week or so.





Re: Artemis - audit logging and anonymous user

Posted by brusdev <br...@gmail.com>.
Hi Steve,

the AuditLogger is often called in a context without a `Subject` [1], so it
can't log the right username.
To avoid this issue the username could be passed explicitly, as suggested by
Howard. Each AuditLogger entry has 2 methods, and adding the `user` parameter
to the static one would allow passing it explicitly, i.e. `static void
sendMessage(Object source, String user, Object... args)` [2].

[1]
https://docs.oracle.com/javase/8/docs/api/javax/security/auth/Subject.html
[2]
https://github.com/apache/activemq-artemis/blob/2.12.0/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java#L203

Regards,
Domenico



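The failure mode discussed in this thread, as an added example that is not Artemis code: a hypothetical minimal audit logger that resolves the caller from the Subject bound to the current AccessControlContext logs "anonymous" whenever it is called outside Subject.doAs, while the variant that takes the user explicitly is unaffected. The UserPrincipal class, AuditLoggerDemo and the queue name are constructed for the demo; it assumes a JDK (8 to 17) where Subject.getSubject(AccessControlContext) is still usable.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Hypothetical stand-in for the broker's audit logger (not Artemis' AuditLogger).
public class AuditLoggerDemo {

    // Constructed principal, playing the role of the login module's UserPrincipal.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Caller lookup as described in the thread: the Subject is only visible here if
    // the current call path runs inside Subject.doAs; otherwise getSubject() is null.
    static String getCaller() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null || subject.getPrincipals().isEmpty()) {
            return "anonymous";
        }
        return subject.getPrincipals().iterator().next().getName();
    }

    // Implicit form: correct only when the Subject has been associated with the context.
    static String createQueue(String queue) {
        return "User " + getCaller() + " is creating a queue: " + queue;
    }

    // Explicit form suggested in the thread: the caller passes the authenticated user.
    static String createQueue(String user, String queue) {
        return "User " + user + " is creating a queue: " + queue;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice"));

        // Inside doAs the Subject is bound to the context, so the implicit lookup works.
        String inside = Subject.doAs(subject,
                (PrivilegedAction<String>) () -> createQueue("orders"));
        // Outside doAs, the common case inside the broker, the same call logs "anonymous".
        String outside = createQueue("orders");
        // Passing the user explicitly does not depend on the context at all.
        String explicit = createQueue("alice", "orders");

        System.out.println(inside);
        System.out.println(outside);
        System.out.println(explicit);
    }
}
```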

Re: Artemis - audit logging and anonymous user

Posted by Stephen M Groucutt <St...@yahoo.com.INVALID>.
Thanks very much for your response. Just so I’m clear when submitting the ticket, you’re saying that the method signatures in org.apache.activemq.artemis.logs.AuditLogger that use the getCaller() method should be considered for removal, leaving just the ones that take the explicit user argument, because the AccessController isn’t tracking the subject in a way that would let the audit be accurate here?
