yahoo-eng-team team mailing list archive
Message #40327
[Bug 1461266] Re: Failed logon does not state where user is from (REMOTE_IP)
The fix has to be made to the horizon logger.
The application of the feature is not limited to login, for example:
user trying to access resources that they don't have privileges on.
Closing on DOA, and moving to Horizon
** Also affects: horizon
Importance: Undecided
Status: New
** Changed in: horizon
Importance: Undecided => Wishlist
** Changed in: django-openstack-auth
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1461266
Title:
Failed logon does not state where user is from (REMOTE_IP)
Status in django-openstack-auth:
Won't Fix
Status in OpenStack Dashboard (Horizon):
New
Bug description:
When a user logs on to horizon the status of their logon is logged to
the apache error.log file. However this log data does not provide
anything useful for the configuration of monitoring or security
controls because it does not provide the REMOTE_IP.
Since some configurations use ha_proxy and some don't the logging will
need to be able to determine if the user is accessing via a proxy or
not. There are several issues with this as pointed out in this
article: http://esd.io/blog/flask-apps-heroku-real-ip-spoofing.html.
I would recommend using a function similar to what is in that post,
however to get things working I have used the following code to get
the log to display the end-user IP address:
/usr/lib/python2.7/dist-packages/openstack_auth/forms.py
27a28,34
> def get_client_ip(request):
> x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
> if x_forwarded_for:
> ip = x_forwarded_for
> else:
> ip = request.META.get('REMOTE_ADDR')
> return ip
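Review bot: `get_client_ip` trusts `HTTP_X_FORWARDED_FOR` unconditionally and returns it whole, so on a deployment without ha_proxy any client can put an arbitrary string in that header and have it logged as its address (the spoofing problem the linked article describes), and behind a proxy the logged value is the full comma-separated chain rather than one address. Suggest returning `REMOTE_ADDR` unless the deployment is explicitly configured as sitting behind a trusted proxy, and in that case selecting only the hop appended by that proxy instead of the raw header value.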
94,95c101,102
< msg = 'Login successful for user "%(username)s".' % \
< {'username': username}
---
> msg = '$(remote_ip)s - Login successful for user "%(username)s".' % \
> {'username': username, 'remote_ip': get_client_ip(self.request) }
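Review bot: the successful-login format string uses `$(remote_ip)s` instead of `%(remote_ip)s`, so the literal text `$(remote_ip)s` will be logged and the address silently dropped (dict-based `%` formatting ignores the unused `remote_ip` key rather than raising). Change it to `'%(remote_ip)s - Login successful for user "%(username)s".'` so it matches the failed-login line below.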
98,99c105,106
< msg = 'Login failed for user "%(username)s".' % \
< {'username': username}
---
> msg = '%(remote_ip)s - Login failed for user "%(username)s".' % \
> {'username': username, 'remote_ip': get_client_ip(self.request) }
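Review bot: style nit: the dict literal has a stray space before the closing brace (`get_client_ip(self.request) }`); drop it here and in the successful-login hunk so the change is PEP 8 clean.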
It's definitely not the best answer, in fact it may not even be fully
functional :), but something is needed to be able to monitor invalid
attempts; unless something in django can be used to have some logic
(beyond locking accounts) where it is able to send a user to a sink
hole or something based on # of exceptions per session or something.
But that's beyond the scope of this request :)
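As an added illustration (not the reporter's patch and not django-openstack-auth code), the following shows the proxy-aware variant the description asks for: X-Forwarded-For is honoured only for a configured number of trusted proxies, the single hop appended by those proxies is taken rather than the whole header, and the result is formatted into the same login log line. `trusted_proxies`, `login_message` and the sample `request.META` dict are assumptions constructed for the example.

```python
# Added example, not part of the bug report or of django-openstack-auth.
# A plain dict stands in for request.META (the WSGI environ).

def get_client_ip(meta, trusted_proxies=0):
    """Return the end-user address to log for this request.

    meta:            request.META / WSGI environ mapping
    trusted_proxies: number of reverse proxies (e.g. ha_proxy) in front of
                     Apache. With 0, X-Forwarded-For is ignored entirely,
                     because a direct client can set it to anything.
    """
    remote_addr = meta.get('REMOTE_ADDR', '')
    if trusted_proxies <= 0:
        return remote_addr
    xff = meta.get('HTTP_X_FORWARDED_FOR', '')
    hops = [h.strip() for h in xff.split(',') if h.strip()]
    # Each trusted proxy appends the address it accepted the connection
    # from, so the client sits trusted_proxies entries before the end.
    # Anything earlier in the list came from the client and is untrusted.
    if len(hops) < trusted_proxies:
        # Header shorter than the proxy chain: do not trust any of it.
        return remote_addr
    return hops[len(hops) - trusted_proxies]


def login_message(meta, username, success, trusted_proxies=0):
    """Build the log line in the same shape as the proposed patch."""
    status = 'successful' if success else 'failed'
    return '%(remote_ip)s - Login %(status)s for user "%(username)s".' % {
        'remote_ip': get_client_ip(meta, trusted_proxies),
        'status': status,
        'username': username,
    }


# Constructed sample: client 203.0.113.7 behind one ha_proxy at
# 198.51.100.2; the client also injected a bogus first hop (10.0.0.1).
SAMPLE_META = {
    'REMOTE_ADDR': '198.51.100.2',
    'HTTP_X_FORWARDED_FOR': '10.0.0.1, 203.0.113.7',
}

if __name__ == '__main__':
    print(login_message(SAMPLE_META, 'alice', False, trusted_proxies=1))
    print(login_message(SAMPLE_META, 'alice', False, trusted_proxies=0))
```

With one trusted proxy the injected `10.0.0.1` is ignored and `203.0.113.7` is logged; with none configured, the proxy's own `REMOTE_ADDR` is logged instead of the client-controlled header.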
To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1461266/+subscriptions