Failed logon does not state where user is from (REMOTE_IP)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Expired | Wishlist | Unassigned |
Bug Description
When a user logs on to Horizon, the status of their logon is logged to the Apache error.log file. However, this log data does not provide anything useful for the configuration of monitoring or security controls because it does not provide the REMOTE_IP.
Since some configurations use ha_proxy and some don't, the logging will need to be able to determine if the user is accessing via a proxy or not. There are several issues with this as pointed out in this article: http://
/usr/lib/
27a28,34
> def get_client_
> x_forwarded_for = request.
> if x_forwarded_for:
> ip = x_forwarded_for
> else:
> ip = request.
> return ip
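Review bot: `ip = x_forwarded_for` takes the X-Forwarded-For value whole whenever it is present, so on a deployment with no proxy in front the client chooses the address that ends up in the log, and behind more than one proxy the value is a comma-separated list rather than a single address. Suggest honouring the header only when the directly connected peer is a known proxy, taking the rightmost entry that is not one of your proxies, and otherwise falling back as the `else` branch does.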
94,95c101,102
< msg = 'Login successful for user "%(username)s".' % \
< {'username': username}
---
> msg = '$(remote_ip)s - Login successful for user "%(username)s".' % \
> {'username': username, 'remote_ip': get_client_
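Review bot: The new success message begins with `$(remote_ip)s`, while the failure message in the following hunk uses `%(remote_ip)s`. With `$` the key is never interpolated, so the literal text is logged instead of the address. Change it to `%(remote_ip)s` so both messages share one parseable format.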
98,99c105,106
< msg = 'Login failed for user "%(username)s".' % \
< {'username': username}
---
> msg = '%(remote_ip)s - Login failed for user "%(username)s".' % \
> {'username': username, 'remote_ip': get_client_
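Review bot: In the failed-login message both `%(remote_ip)s` and `%(username)s` carry request-supplied values into error.log unchanged, so a value containing a line break can split an entry that monitoring later parses. Suggest confirming that the address parses as an IP address before formatting it, and escaping control characters in the username.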
It's definitely not the best answer, in fact it may not even be fully functional :), but something is needed to be able to monitor invalid attempts; unless something in Django can be used to have some logic (beyond locking accounts) where it is able to send a user to a sinkhole or something based on # of exceptions per session or something. But that's beyond the scope of this request :)
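An added example, not part of the original report or of Horizon's code: one way to resolve the client address when some deployments sit behind HAProxy and some do not, as the description asks. `TRUSTED_PROXIES`, `client_ip` and `login_log_line` are hypothetical names, the proxy network is a constructed value, and `meta` stands in for Django's `request.META`.

```python
import ipaddress

# Assumption: networks of the reverse proxies (e.g. HAProxy) in front of
# the dashboard. Constructed value for illustration.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse_ip(value):
    """Return an ip_address object, or None if value is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(meta):
    """Resolve the client address from a WSGI/Django-style META dict.

    X-Forwarded-For is honoured only when the TCP peer (REMOTE_ADDR) is a
    trusted proxy. The header is walked right to left, skipping trusted
    proxies; the first other address is the client. An unparsable entry
    stops the walk, so free text from the header never reaches the log.
    """
    peer = _parse_ip(meta.get("REMOTE_ADDR", ""))
    if peer is None:
        return "unknown"
    if not _is_trusted(peer):
        return str(peer)          # direct connection: ignore the header
    candidate = peer
    hops = meta.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break                 # empty or malformed entry: stop here
        candidate = ip
        if not _is_trusted(ip):
            break                 # first untrusted hop is the client
    return str(candidate)


def login_log_line(meta, username, ok):
    """Build the log message; %r escapes control characters in username."""
    status = "successful" if ok else "failed"
    return "%s - Login %s for user %r." % (client_ip(meta), status, username)
```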
Changed in horizon:
status: New → Confirmed
no longer affects: django-openstack-auth
tags: added: low-hanging-fruit
May have interpreted it wrong, but this seems more like a feature request? Marked as wishlist, for now :)