Reviewed: https://review.openstack.org/588086
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fd8b5f3206392f210a7240af5b52358791a1df87
Submitter: Zuul
Branch: master

commit fd8b5f3206392f210a7240af5b52358791a1df87
Author: Gage Hugo <[email protected]>
Date: Wed Aug 1 15:49:03 2018 -0500

    Set initiator id as user_id for auth events

    This change sets the initiator id as the user_id for authentication
    events. The notification initiator id would be set to a random UUID
    by default, which makes auditing the identity of the user who is
    authenticating difficult. This also adds the user_id as well for
    auth events for consistency.

    Also removes the WIP unit-test header to verify that this change
    works as intended.

    Change-Id: I511a03eada22c66847bd1502b16cbd2c34b1b35d
    Closes-Bug: #1780503

** Changed in: keystone
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780503

Title:
  CADF identity.authenticate event initiator id is random UUID

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When enabling CADF notifications and clearing the notification_opt_out
  setting[0] (which causes keystone to be more chatty with notifications)
  in order to audit identity.authenticate events, keystone emits a
  notification for the identity.authentication event where the
  initiator's ID is a random UUID that doesn't match up to a user.
  Normally the initiator's ID is the ID of the user who performed the
  operation[1].

  This was noticed when users would log into horizon and from the audit
  notification, it could not be determined which user was logging in.

  An example of this is shown below, where keystone only has one user
  (admin).

  The config values for enabling CADF notifications were set here:

  DEFAULT:
    notification_format: cadf
    notification_opt_out: ""
  oslo_messaging_notifications:
    driver: messagingv2

  ubuntu@zbook:~$ openstack --os-cloud openstack_helm token issue
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field      | Value                                                                                                                                                                                   |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | expires    | 2018-07-07T10:55:00+0000                                                                                                                                                                |
  | id         | gAAAAABbP_NE7uqaSEN6dDR4sEDB5N0EvOA085lp82_puZmDxeVV16ulJ_4wCp_FR7suulqGyOf078kXWabvbL8jn45pBS95qRHfJeHDYZtf-mDsjFWm22YaiwqYnSUImz3Y2HsCD9ps_oJgwc2BHQUHHIYCiQeWQ-XmkzEvlc6tqQwflWFhHoM |
  | project_id | f9e2428b6863443f85bcbb11ac6c300e                                                                                                                                                        |
  | user_id    | 37d3c436d45347529926a4887607d01b                                                                                                                                                        |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

  ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
  | notifications.info | keystone | 0 | {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \"c4180ddc9500419898d6dd89086c1a0a\", \"event_type\": \"identity.authenticate\", \"timestamp\": \"2018-07-06 22:55:00.205671\", \"publisher_id\": \"identity.keystone-api-7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\": {\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\": \"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4 CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\": \"936c1487-eff3-59cc-b424-096cff3cd6e9\"}, \"target\": {\"typeURI\": \"service/security/account/user\", \"id\": \"932768de-4bf4-5c83-88cc-11f33f39cba9\"}, \"observer\": {\"typeURI\": \"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\": \"activity\", \"eventTime\": \"2018-07-06T22:55:00.205401+0000\", \"action\": \"authenticate\", \"outcome\": \"success\", \"id\": \"bf658c41-24b5-5075-9aee-64e6b3db92cc\"}, \"message_id\": \"b1026bd5-c0d2-48af-adec-dc44c2e1a46b\"}", "oslo.version": "2.0"} | 1054 | string | False |

  ubuntu@zbook:~$ openstack --os-cloud openstack_helm user list
  +----------------------------------+-------+
  | ID                               | Name  |
  +----------------------------------+-------+
  | 37d3c436d45347529926a4887607d01b | admin |
  +----------------------------------+-------+

  ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
  | notifications.info | keystone | 1 | {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \"c0fa7577c07a4de39013f41b33185489\", \"event_type\": \"identity.authenticate\", \"timestamp\": \"2018-07-06 22:56:45.534129\", \"publisher_id\": \"identity.keystone-api-7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\": {\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\": \"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4 CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\": \"129bfaf0-a8e3-579b-9030-0a5917547b46\"}, \"target\": {\"typeURI\": \"service/security/account/user\", \"id\": \"f67acddd-78df-58f1-be93-dcb196e44a9e\"}, \"observer\": {\"typeURI\": \"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\": \"activity\", \"eventTime\": \"2018-07-06T22:56:45.533872+0000\", \"action\": \"authenticate\", \"outcome\": \"success\", \"id\": \"50468200-4b87-5a8a-b855-d25e8721ccea\"}, \"message_id\": \"cd9fe069-c0f6-4d3e-af65-f288cbb90f41\"}", "oslo.version": "2.0"} | 1054 | string | False |

  ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
  | notifications.info | keystone | 0 | {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \"e13c4eb09440496cb80b2297a61c12b8\", \"event_type\": \"identity.authenticate\", \"timestamp\": \"2018-07-06 22:56:45.572963\", \"publisher_id\": \"identity.keystone-api-7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\": {\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\": \"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4 CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\": \"38cee0b3-9b7f-5905-95f1-fa6cf61a637d\"}, \"target\": {\"typeURI\": \"service/security/account/user\", \"id\": \"3c9cdad0-a0f4-5151-ab44-da09add4be49\"}, \"observer\": {\"typeURI\": \"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\": \"activity\", \"eventTime\": \"2018-07-06T22:56:45.572690+0000\", \"action\": \"authenticate\", \"outcome\": \"success\", \"id\": \"1b0d8ade-f94a-517c-a9f6-fb3df0a2c8c1\"}, \"message_id\": \"c8a55a89-908c-49c0-a0b2-9002fccecb03\"}", "oslo.version": "2.0"} | 1054 | string | False |

  [0] https://github.com/openstack/keystone/blob/master/keystone/conf/default.py#L221
  [1] https://docs.openstack.org/keystone/latest/advanced-topics/event_notifications.html#auditing-with-cadf

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1780503/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
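As an added example (not code from the keystone project or from the bug report), a consumer-side check for the symptom described above: it unwraps the oslo.message envelope the report shows, pulls the CADF initiator id out of each identity.authenticate event and flags events whose initiator cannot be matched to a known user id. The first sample message reuses ids from the report; the second, whose initiator id equals the admin user_id, is constructed to show what the fix produces.

```python
import json

# Constructed samples in the oslo.messaging "oslo.message" format shown in the
# bug report: the outer JSON carries the inner notification as a JSON string.
OBSERVER_ID = "9e53891b98b84bb898c0419e16426eca"  # observer id from the report

def _envelope(initiator_id, event_id):
    payload = {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "initiator": {"typeURI": "service/security/account/user", "id": initiator_id},
        "observer": {"typeURI": "service/security", "id": OBSERVER_ID},
        "eventType": "activity", "action": "authenticate",
        "outcome": "success", "id": event_id,
    }
    inner = {"priority": "INFO", "event_type": "identity.authenticate",
             "publisher_id": "identity.keystone-api-7d5c6cff4-g9dvd",
             "payload": payload}
    return json.dumps({"oslo.message": json.dumps(inner), "oslo.version": "2.0"})

# First event: initiator id is an unrelated UUID (values from the report, i.e.
# the buggy behaviour). Second: initiator id equals the admin user_id, which
# is what the fix produces (this event is constructed, not from the report).
SAMPLE_MESSAGES = [
    _envelope("936c1487-eff3-59cc-b424-096cff3cd6e9",
              "bf658c41-24b5-5075-9aee-64e6b3db92cc"),
    _envelope("37d3c436d45347529926a4887607d01b",
              "11111111-2222-4333-8444-555555555555"),
]
KNOWN_USERS = {"37d3c436d45347529926a4887607d01b": "admin"}  # `openstack user list`

def parse_cadf_event(raw):
    """Unwrap the envelope; return the CADF payload, or None for other events."""
    inner = json.loads(json.loads(raw)["oslo.message"])
    if inner.get("event_type") != "identity.authenticate":
        return None
    return inner["payload"]

def correlate_initiator(payload, known_users):
    """Keystone user ids are 32 hex chars, so strip hyphens before the lookup."""
    initiator_id = payload["initiator"]["id"]
    return known_users.get(initiator_id.replace("-", "").lower())

def audit_auth_events(raw_messages, known_users):
    """Return (event_id, initiator_id) for authenticate events with no known initiator."""
    unresolved = []
    for raw in raw_messages:
        payload = parse_cadf_event(raw)
        if payload is not None and correlate_initiator(payload, known_users) is None:
            unresolved.append((payload["id"], payload["initiator"]["id"]))
    return unresolved
```

Run against a real queue, the same logic applied to the "oslo.message" column of `rabbitmqadmin get` output reports every login that cannot be attributed to a user, which is exactly the gap this bug left in the audit trail.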

