Thanks very much for your response. Just so I’m clear when submitting the 
ticket, you’re saying that the method signatures in 
org.apache.activemq.artemis.logs.AuditLogger that use the getCaller() method 
should be considered for removal, leaving just the ones that take the explicit 
user argument, because the AccessController isn’t tracking the subject in a way 
that would let the audit be accurate here?

> On Apr 25, 2020, at 5:56 AM, Howard Gao <howard....@gmail.com> wrote:
> 
> Some of the audit log methods have the username passed in explicitly and so
> get correctly logged. Some others however don't, in which case the audit
> logger uses Subject.getSubject(context) in an attempt to acquire the
> caller. But within the broker I believe most of the operations don't
> associate the subject/caller in this way, so it will return null. In other
> words, it doesn't work. I think the simple way to solve this is to pass the
> username explicitly to the audit logger.
> I'd suggest you raise the JIRA bug for that and link it with ARTEMIS-2648.
> 
> Howard
> 
>> On Sat, Apr 25, 2020 at 2:04 AM Stephen M Groucutt
>> <steveg...@yahoo.com.invalid> wrote:
>> 
>> Hi,
>> 
>> We’re using Artemis 2.11.0 running on Red Hat 8 in a pod. We use the
>> TextFileCertificateLoginModule for authentication, which has been working
>> well for us. We are configured only for the AMQP acceptor using amqps on
>> port 5671.
>> 
>> My question is about the audit log output from the logger with name
>> org.apache.activemq.audit.base. In this output, we see only the anonymous
>> user principal having actions logged - for instance, a lot of “User
>> anonymous is creating address/creating a queue/etc” type output, when an
>> authenticated client is performing those actions. We would like to be able
>> to trace the activity back to the authenticated subject.
>> 
>> I am pretty sure that the login module itself is working fine and is
>> returning a valid UserPrincipal in the subject, as I can add the
>> populate-validated-user configuration and subsequently I see the client
>> name in the incoming messages as a message header.
>> 
>> I wanted to ask:
>> - Should the subject username be getting logged in the audit logs, or is
>> that name coming from some unexpected place?
>> - Is there some other place to configure the subject name that gets
>> logged, or is there some reason the text file login module will definitely
>> not work for this purpose?
>> - I saw ARTEMIS-2648 was filed to improve audit logging in general: if
>> this is a known issue, would that issue resolve this?
>> 
>> Thanks very much,
>> Steve
>> 
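The mechanism Howard describes, shown as a small added illustration (this is not Artemis code and not the project's `AuditLogger`): a lookup through `Subject.getSubject(AccessController.getContext())` only finds a `Subject` if the calling work was entered through `Subject.doAs(...)`; a plain call on a broker thread finds nothing and falls back to "anonymous", whereas passing the username explicitly never depends on the thread's context. The class name, the `UserPrincipal` stand-in and the user "alice" are constructed for the example.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

// Added illustration (not Artemis code): why an audit logger that resolves the
// caller via Subject.getSubject(...) reports "anonymous" unless the operation
// ran inside Subject.doAs(...).
public class AuditCallerDemo {

    // Hypothetical principal type standing in for the broker's UserPrincipal.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Resolves the caller the way a getCaller()-style helper would: from the
    // Subject bound to the current AccessControlContext. Returns "anonymous"
    // when no Subject (or no principal) is associated with this thread.
    static String callerFromContext() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return "anonymous";
        }
        Set<Principal> principals = subject.getPrincipals();
        return principals.isEmpty() ? "anonymous" : principals.iterator().next().getName();
    }

    // The alternative suggested in the thread: the caller is passed in
    // explicitly, so the audit line is correct regardless of how the
    // thread was entered.
    static String auditLine(String user, String action) {
        return "User " + user + " is " + action;
    }

    public static void main(String[] args) {
        Subject authenticated = new Subject();
        authenticated.getPrincipals().add(new UserPrincipal("alice")); // constructed sample user

        // 1. Plain call: nothing bound the Subject to this thread, so the
        //    context lookup yields null and the audit line says "anonymous".
        System.out.println(auditLine(callerFromContext(), "creating a queue"));

        // 2. Same lookup inside Subject.doAs: the Subject is now attached to
        //    the AccessControlContext and the lookup finds it.
        String inDoAs = Subject.doAs(authenticated, (PrivilegedAction<String>) () ->
                auditLine(callerFromContext(), "creating a queue"));
        System.out.println(inDoAs);

        // 3. Explicit username: no dependence on the thread context at all.
        String explicitUser = authenticated.getPrincipals().iterator().next().getName();
        System.out.println(auditLine(explicitUser, "creating an address"));
    }
}
```

The first line printed reads "User anonymous is creating a queue" and the second "User alice is creating a queue", which is exactly the difference between an operation that was and was not wrapped in `Subject.doAs`. Note that `AccessController` and `Subject.getSubject` are the APIs the 2020 code in question relies on; on recent JDKs they are deprecated, and `Subject.current()` (JDK 18+) is the replacement for the context lookup.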
