Open ParamConstructor opened 1 week ago
Hi @ParamConstructor. Today there is no difference between a login by UI or by bearer. It's something we think about but not yet planned.
Thanks for your comment, @richard-julien. I'm switching this ticket to feature, with the triage label, since it appears not to be a bug, but rather a feature request.
However, this number of logins is not normal. Connectors and workers must maintain a session that prevents them from logging in all the time. @ParamConstructor, please take a look at your deployment to check whether cookies can correctly be maintained between connectors/workers and the platform.
@richard-julien - it does seem to track the Login type within "Context Data". Doesn't say I did it by the UI Login form specifically, but does track the method used to authenticate. (Data from DEVEL system - so UUIDs are not really sensitive.....)
Sample Kibana Query:
GET opencti_history/_search
{
  "query": {
    "bool": {
      "should": [
        { "match": { "context_data.provider": "bearer"}}
      ]
    }
  }
}
Result:
{
  "_index": "opencti_history-000001",
  "_id": "1725896159258-0",
  "_score": 0.0005127196,
  "_source": {
    "internal_id": "1725896159258-0",
    "base_type": "ENTITY",
    "created_at": "2024-09-09T15:35:59.258Z",
    "updated_at": "2024-09-09T15:35:59.258Z",
    "entity_type": "Activity",
    "event_type": "authentication",
    "event_status": "success",
    "event_access": "administration",
    "event_scope": "login",
    "user_id": "88ec0c6a-13ce-5e39-b486-354fe4a7084f",
    "user_metadata": {},
    "group_ids": [
      "933440dc-e83a-4ee7-ba9d-7dce18244277"
    ],
    "organization_ids": [],
    "timestamp": "2024-09-09T15:35:59.258Z",
    "context_data": {
      "provider": "Bearer",
      "message": "login from provider `Bearer`"
    }
  }
},
Or, swap to:
GET opencti_history/_search
{
  "query": {
    "bool": {
      "should": [
        { "match": { "context_data.provider": "local"}},
        { "match": { "context_data.provider": "saml"}},
        { "match": { "context_data.provider": "ldap"}}
      ]
    }
  }
}
Results:
{
  "_index": "opencti_history-000001",
  "_id": "1726063923616-0",
  "_score": 10.240055,
  "_source": {
    "internal_id": "1726063923616-0",
    "base_type": "ENTITY",
    "created_at": "2024-09-11T14:12:03.616Z",
    "updated_at": "2024-09-11T14:12:03.616Z",
    "entity_type": "Activity",
    "event_type": "authentication",
    "event_status": "success",
    "event_access": "administration",
    "event_scope": "login",
    "user_id": "e41d309b-f545-4a0c-8d07-ad490c1bb63d",
    "user_metadata": {},
    "group_ids": [
      "933440dc-e83a-4ee7-ba9d-7dce18244277"
    ],
    "organization_ids": [],
    "timestamp": "2024-09-11T14:12:03.616Z",
    "context_data": {
      "provider": "saml",
      "message": "login from provider `saml`"
    }
  }
},
{
  "_index": "opencti_history-000001",
  "_id": "1725983811820-0",
  "_score": 7.6250944,
  "_source": {
    "internal_id": "1725983811820-0",
    "base_type": "ENTITY",
    "created_at": "2024-09-10T15:56:51.820Z",
    "updated_at": "2024-09-10T15:56:51.820Z",
    "entity_type": "Activity",
    "event_type": "authentication",
    "event_status": "success",
    "event_access": "administration",
    "event_scope": "login",
    "user_id": "88ec0c6a-13ce-5e39-b486-354fe4a7084f",
    "user_metadata": {},
    "group_ids": [
      "933440dc-e83a-4ee7-ba9d-7dce18244277"
    ],
    "organization_ids": [],
    "timestamp": "2024-09-10T15:56:51.820Z",
    "context_data": {
      "provider": "local",
      "message": "login from provider `local`"
    }
  }
},
@richard-julien - This behavior is on a DEVEL node.... so let me purge things and verify that all configurations are accurate and report back.
Description
Maybe this is intentional? But on the User Analytics tab the 'Login to the Platform' metric displayer seems to include the 'Bearer' login type - which I believe is used by the connectors. So, when you look at a user - like say Admin (who might also be configured for connector logins on a platform - not a best practice :-O) - the logins to the platform are terribly skewed since connectors renew their sessions regularly.
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
Expect that the login count in the 'Login to the Platform' widget would only reflect logins that were initiated by a "physical person/user from the login prompt" using a valid login Strategy detailed on - https://docs.opencti.io/latest/deployment/authentication/
Actual Output
Widget included all login strategies plus the "bearer" login entries (which technically is a login). Maybe this is the intended behavior, since you really shouldn't be sharing a real user as a connector auth user... but possibly end users do have a purpose for this... which would skew the results?
Additional information
N/A
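An added example (not from the issue thread or the OpenCTI code base) of the split requested above: it counts successful logins per user from records shaped like the `opencti_history` results, separating `Bearer` logins from UI strategies, and lists accounts where token logins dominate. The record values, the `min_token` threshold and all function names are assumptions.

```python
from collections import Counter, defaultdict

# Assumption: "bearer" is the only API-token provider, as in the thread;
# any other provider (local, saml, ldap, ...) counts as an interactive login.
TOKEN_PROVIDERS = {"bearer"}

def login_counts(hits):
    """Return {user_id: Counter(interactive=n, token=m)} for successful logins."""
    counts = defaultdict(Counter)
    for hit in hits:
        src = hit.get("_source", {})
        key = (src.get("event_type"), src.get("event_scope"), src.get("event_status"))
        if key != ("authentication", "login", "success"):
            continue
        # Stored values are mixed case ("Bearer" vs "saml"), so normalise first.
        provider = str(src.get("context_data", {}).get("provider", "")).lower()
        if not provider:
            continue  # no provider recorded: cannot classify, so do not count
        kind = "token" if provider in TOKEN_PROVIDERS else "interactive"
        counts[src.get("user_id", "unknown")][kind] += 1
    return counts

def token_heavy_users(counts, min_token=3):
    """Users whose token logins reach min_token and outnumber interactive ones."""
    return sorted(u for u, c in counts.items()
                  if c["token"] >= min_token and c["token"] > c["interactive"])

def _hit(user, provider, status="success"):
    # Constructed record using the field layout of the results shown above.
    return {"_source": {"event_type": "authentication", "event_scope": "login",
                        "event_status": status, "user_id": user,
                        "context_data": {"provider": provider}}}

# Constructed sample: "user-admin" is shared with a connector, "user-analyst"
# is not. The "error" status is a constructed non-success value.
SAMPLE_HITS = ([_hit("user-admin", "Bearer") for _ in range(5)]
               + [_hit("user-admin", "local"), _hit("user-analyst", "saml"),
                  _hit("user-analyst", "saml"), _hit("user-analyst", "ldap", "error")])

if __name__ == "__main__":
    per_user = login_counts(SAMPLE_HITS)
    for user, c in sorted(per_user.items()):
        print(user, "interactive:", c["interactive"], "token:", c["token"])
    print("token-heavy:", token_heavy_users(per_user))
```

An account that appears in `token_heavy_users` is either shared with a connector or is re-authenticating instead of keeping its session, the two causes raised in the thread.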