Hi Kevin - I would think that you can use the correlation id (GUID) to find the url used to access the failed authentication. For instance, consider the following:
*17/10/10 10:19:20 ||a7bae089-e52d-403e-a623-fddde5c15c67|audit|0:0:0:0:0:0:0:1|AMBARI||||access|uri|/gateway/mgt/ambari/api/v1/clusters/ljm/requests?to=end&page_size=10&fields=Requests&_=1507645160383|unavailable|Request method: GET* *17/10/10 10:19:20 ||a7bae089-e52d-403e-a623-fddde5c15c67|audit|0:0:0:0:0:0:0:1|AMBARI|anonymous|||authentication|uri|/gateway/mgt/ambari/api/v1/clusters/ljm/requests?to=end&page_size=10&fields=Requests&_=1507645160383|success|* *17/10/10 10:19:20 ||a7bae089-e52d-403e-a623-* fddde5c15c67|audit|0:0:0:0:0:0:0:1|AMBARI|anonymous|||dispatch|uri| http://c6401.ambari.apache.org:8080/api/v1/clusters/ljm/requests?to=end&fields=Requests&page_size=10&_=1507645160383|unavailable|Request method: GET 17/10/10 10:19:20 ||a7bae089-e52d-403e-a623-fddde5c15c67|audit|0:0:0:0:0:0:0:1|AMBARI|anonymous|||dispatch|uri| http://c6401.ambari.apache.org:8080/api/v1/clusters/ljm/requests?to=end&fields=Requests&page_size=10&_=1507645160383|success|Response status: 200 17/10/10 10:19:20 ||a7bae089-e52d-403e-a623-fddde5c15c67|audit|0:0:0:0:0:0:0:1|AMBARI|anonymous|||access|uri|/gateway/mgt/ambari/api/v1/clusters/ljm/requests?to=end&page_size=10&fields=Requests&_=1507645160383|success|Response status: 200 All of the above are related to the same request. The "access" entry prior to the "authentication" entry contains the URI being request with the topology in it. Does this not meet the needs? thanks, --larry On Tue, Oct 10, 2017 at 9:59 AM, Kevin Risden <[email protected]> wrote: > Background > ---------------- > Currently we have multiple topologies in a single Knox server. Each > topology points to a different Hadoop environment. For this example, assume > the topologies are named DEV, TEST, and PROD. > > We had a group who hits Knox forget to change their LDAP password so there > were a bunch of messages like this in the audit logs: > > 17/09/12 15:05:08 > ||GUID|audit|WEBHBASE||||authentication|principal|USERNAME|failure|LDAP >> authentication failed. > > > We contacted the group and they wanted to know which topology the requests > were hitting so they could fix their password. Regardless of if they should > have different users per environment or not, we had no way to easily tell > the group which topology they were hitting. The LDAP authentication failure > log didn't say which topology it was hitting. > > It would be great if the audit log message was something like this: > > >> 17/09/12 15:05:08 >> ||GUID|audit|DEV|WEBHBASE||||authentication|principal|USERNAME|failure|LDAP >> authentication failed. >> > > In this case, the topology was added in the audit line maybe near the > service name. We think having the topology name on the line somewhere would > be useful for debugging purposes. > > Question > ------------ > Is it possible to configure Knox to log which topology each line in the > audit log came from? > > I was looking at https://github.com/apache/knox/blob/master/gateway-util- > common/src/main/java/org/apache/hadoop/gateway/audit/ > log4j/layout/AuditLayout.java and I'm not sure if its possible to easily > add the topology there or if it is even the right place? > > >
