
yahoo-eng-team team mailing list archive

[Bug 1461266] Re: Failed logon does not state where user is from (REMOTE_IP)


The fix has to be made to the horizon logger.

The application of the feature is not limited to login; for example:
a user trying to access resources that they don't have privileges on.

Closing on DOA, and moving to Horizon

** Also affects: horizon
   Importance: Undecided
       Status: New

** Changed in: horizon
   Importance: Undecided => Wishlist

** Changed in: django-openstack-auth
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1461266

Title:
  Failed logon does not state where user is from (REMOTE_IP)

Status in django-openstack-auth:
  Won't Fix
Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  When a user logs on to horizon the status of their logon is logged to
  the apache error.log file.  However this log data does not provide
  anything useful for the configuration of monitoring or security
  controls because it does not provide the REMOTE_IP.

  Since some configurations use ha_proxy and some don't the logging will
  need to be able to determine if the user is accessing via a proxy or
  not.  There are several issues with this as pointed out in this
  article: http://esd.io/blog/flask-apps-heroku-real-ip-spoofing.html.
  I would recommend using a function similar to what is in that post,
  however to get things working I have used the following code to get
  the log to display the end-user IP address:

  /usr/lib/python2.7/dist-packages/openstack_auth/forms.py

  27a28,34
  > def get_client_ip(request):
  >     x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
  >     if x_forwarded_for:
  >         ip = x_forwarded_for
  >     else:
  >         ip = request.META.get('REMOTE_ADDR')
  >     return ip
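Review bot: `get_client_ip` trusts `HTTP_X_FORWARDED_FOR` unconditionally, so any client can set that header and choose the address that ends up in the log, which is exactly the spoofing problem the linked article describes; it also returns the raw header value, which behind a proxy chain is a comma-separated list ("client, proxy1"), not a single address. Only consult the header when `REMOTE_ADDR` is a known proxy, take the right-most entry that does not belong to a trusted proxy, and validate it as an IP address before returning it.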
  94,95c101,102
  <             msg = 'Login successful for user "%(username)s".' % \
  <                 {'username': username}
  ---
  >             msg = '$(remote_ip)s - Login successful for user "%(username)s".' % \
  >                 {'username': username, 'remote_ip': get_client_ip(self.request) }
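Review bot: the success message uses `$(remote_ip)s` where dict-style `%` formatting needs `%(remote_ip)s`; Python's `%` operator ignores unused keys in the mapping, so this will not raise but will write the literal text `$(remote_ip)s` into the log instead of the address. The failed-login hunk that follows has the correct `%(remote_ip)s`.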
  98,99c105,106
  <             msg = 'Login failed for user "%(username)s".' % \
  <                 {'username': username}
  ---
  >             msg = '%(remote_ip)s - Login failed for user "%(username)s".' % \
  >                 {'username': username, 'remote_ip': get_client_ip(self.request) }
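Review bot: the value interpolated into this failed-login line comes from a client-settable header (see `get_client_ip` above), so the line is only usable for alerting or blocking if that address is trustworthy; as written, an attacker can hide their own address and make brute-force attempts appear to come from an arbitrary IP, which turns any automated blocking built on this log into a way to lock out other users. The header value is also written unsanitized, so a newline in it can forge additional log records; validate the address and strip control characters before logging, or make the trust decision inside `get_client_ip`.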

  It's definitely not the best answer, in fact it may not even be fully
  functional :), but something is needed to be able to monitor invalid
  attempts; unless something in django can be used to have some logic
  (beyond locking accounts) where it is able to send a user to a sinkhole
  or something based on # of exceptions per session or something.
  But that's beyond the scope of this request :)

To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1461266/+subscriptions
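A hardened version of the client-address lookup and log-line construction, written as an added example and not taken from the bug report or from django-openstack-auth. It assumes the operator configures the set of proxies allowed to set X-Forwarded-For (the `TRUSTED_PROXIES` name, the `10.0.0.5` proxy address and the sample META dictionaries are assumptions constructed for the example). `REMOTE_ADDR` is taken from the TCP peer by the web server and cannot be forged by the client, so the header is only honoured when that peer is a trusted proxy, and it is then walked from the right so entries prepended by the client are ignored; the log line strips control characters so a crafted header or username cannot inject fake records.

```python
import ipaddress
import re

# Assumption, not part of the bug report: the operator-configured set of
# reverse proxies (e.g. an HAProxy front end) allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}

# ASCII control characters, including CR/LF, that could forge log records.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def _parse_ip(value):
    """Return a normalised IP string, or None if the value is not an address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except (ValueError, AttributeError):
        return None


def get_client_ip(meta, trusted_proxies=TRUSTED_PROXIES):
    """Resolve the end-user address from a WSGI/Django request.META dict.

    REMOTE_ADDR is the TCP peer as seen by the web server. Only when that peer
    is a trusted proxy is X-Forwarded-For consulted, and then it is read from
    the right (the hop appended by the last trusted proxy) towards the left,
    skipping other trusted proxies, so anything the client itself put in the
    header is never returned.
    """
    remote_addr = _parse_ip(meta.get("REMOTE_ADDR", ""))
    if remote_addr is None or remote_addr not in trusted_proxies:
        # Direct connection (or unparsable peer): the header is untrusted.
        return remote_addr
    hops = meta.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            # Malformed header: log the proxy address rather than attacker input.
            return remote_addr
        if ip not in trusted_proxies:
            return ip
    # Every hop was one of our own proxies; nothing better than the peer.
    return remote_addr


def format_login_message(meta, username, success, trusted_proxies=TRUSTED_PROXIES):
    """Build the log line with a validated address and a sanitised username."""
    ip = get_client_ip(meta, trusted_proxies) or "unknown"
    user = _CONTROL_CHARS.sub("", username)
    outcome = "Login successful" if success else "Login failed"
    return '%s - %s for user "%s".' % (ip, outcome, user)


if __name__ == "__main__":
    # Constructed sample META dicts: behind the trusted proxy, behind the proxy
    # with a client-spoofed leading entry, and a direct connection with a
    # spoofed header.
    samples = [
        ({"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}, "alice", True),
        ({"REMOTE_ADDR": "10.0.0.5",
          "HTTP_X_FORWARDED_FOR": "198.51.100.9, 203.0.113.7"}, "alice", False),
        ({"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "198.51.100.9"},
         "bob\nfake record", False),
    ]
    for meta, user, ok in samples:
        print(format_login_message(meta, user, ok))
```

In all three sample cases the logged address is 203.0.113.7, the real peer, regardless of what the client placed in the header, and the injected newline in the username is removed rather than starting a new log record.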