When running a simple REST API call from the CLI, I could see two entries in the ambari-audit.log file.
Following is my API call:
curl -k -i -u admin:<passwd> -H "X-Requested-By: ambari" -X GET http://<ambari-host>:8080/api/v1/clusters
Following are the 2 entries in ambari-audit.log:
2019-04-08T10:19:04.991Z, User(null), RemoteIp(x.x.x.x), Operation(User login), Roles(
), Status(Failed), Reason(Authentication required), Consecutive failures(UNKNOWN USER)
2019-04-08T10:19:04.999Z, User(admin), RemoteIp(x.x.x.x), Operation(User login), Roles(
Ambari: Ambari Administrator
The second line seems to be valid. However, the first line (with the null user) shouldn't be there.
Note: I'm not sure if it helps, but the cluster is Kerberized and Knox isn't involved.
Edit: This issue could be seen on both Ambari 2.5.2 and 2.7.3. Also, the 2.5.2 version cluster is Kerberized; the 2.7.3 version is NOT Kerberized.