freeipa/doc
Alexander Bokovoy 84eed2a67f frontend: add systemd journal audit of executed API commands
For each executed command in server context, send the information about
the command to the systemd journal. The resulting string is similar to
what is recored in httpd's error_log for API requests coming through the
RPC layer.

In server mode operations are performed directly on the server over
LDAPI unix domain socket, so httpd end-point is not used and therefore
operations aren't recorded in the error_log.

With this change any IPA API operation is sent as an audit event to the
journal, alog with additional information collected by the journald
itself.

To aid with identification of these messages, an application name is
replaced with IPA.API and the actual name from api.env.script is made a
part of the logged message. The actual application script name is
available as part of the journal metadata anyway.

If no Kerberos authentication was used but rather LDAPI autobind was in
use, the name of the authenticated principal will be replaced with
[autobind].

Messages sent with syslog NOTICE priority.

More information is available in the design document 'audit-ipa-api.md'

Fixes: https://pagure.io/freeipa/issue/9589

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-22 17:06:23 -04:00
..
_static/css docs: tune RTD to display lists with disc and left margin 2022-05-10 15:52:41 +03:00
api batch: add keeponly option 2024-05-22 10:03:38 +02:00
designs frontend: add systemd journal audit of executed API commands 2024-05-22 17:06:23 -04:00
examples Have all the scripts run in python 3 by default 2018-02-15 18:43:12 +01:00
guide logging: do not reference loggers in arguments and attributes 2017-07-14 15:55:59 +02:00
workshop docs: Mention that Keycloak requires openid scope 2023-11-17 11:56:19 -05:00
conf.py Change doc theme to 'book' 2023-05-03 18:21:12 +02:00
constraints.txt ap: Constrain supported docutils 2022-07-26 12:36:41 -04:00
index.rst doc: generate API Reference 2022-11-16 14:46:17 -05:00
Makefile doc/Makefile: run sphinx in serial mode 2024-01-23 13:19:37 +01:00
requirements.txt Replace netifaces with ifaddr 2024-05-03 16:35:19 -04:00
workshop.rst workshop: add chapter 12: External IdP support 2022-05-10 15:52:41 +03:00