Move audit filter before authn to log those failures as well

pkg/cmd/server/origin/master.go

@@ -273,7 +273,23 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha
 		handler = serverhandlers.AuthorizationFilter(handler, c.Authorizer, c.AuthorizationAttributeBuilder, contextMapper)
 		handler = serverhandlers.ImpersonationFilter(handler, c.Authorizer, c.GroupCache, contextMapper)
 
+		handler = serverhandlers.AuthenticationHandlerFilter(handler, c.Authenticator, contextMapper)
+		handler = namespacingFilter(handler, contextMapper)
+		handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached
+
+		if c.Options.OAuthConfig != nil {
+			authConfig, err := BuildAuthConfig(c)
+			if err != nil {
+				glog.Fatalf("Failed to setup OAuth2: %v", err)
+			}
+			handler, err = authConfig.WithOAuth(handler)
+			if err != nil {
+				glog.Fatalf("Failed to setup OAuth2: %v", err)
+			}
+		}
+
 		// audit handler must comes before the impersonationFilter to read the original user
+		// additionally it comes before authn filter to log those failures as well
 		if c.Options.AuditConfig.Enabled {
 			var writer io.Writer
 			if len(c.Options.AuditConfig.AuditFilePath) > 0 {
@@ -289,20 +305,6 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha
 			}
 			handler = apifilters.WithAudit(handler, contextMapper, writer)
 		}
-		handler = serverhandlers.AuthenticationHandlerFilter(handler, c.Authenticator, contextMapper)
-		handler = namespacingFilter(handler, contextMapper)
-		handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached
-
-		if c.Options.OAuthConfig != nil {
-			authConfig, err := BuildAuthConfig(c)
-			if err != nil {
-				glog.Fatalf("Failed to setup OAuth2: %v", err)
-			}
-			handler, err = authConfig.WithOAuth(handler)
-			if err != nil {
-				glog.Fatalf("Failed to setup OAuth2: %v", err)
-			}
-		}
 
 		handler, err := assetConfig.WithAssets(handler)
 		if err != nil {