yahoo-eng-team team mailing list archive
Message #74237
[Bug 1780503] Re: CADF identity.authenticate event initiator id is random UUID
Reviewed: https://review.openstack.org/588086
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fd8b5f3206392f210a7240af5b52358791a1df87
Submitter: Zuul
Branch: master
commit fd8b5f3206392f210a7240af5b52358791a1df87
Author: Gage Hugo <gagehugo@xxxxxxxxx>
Date: Wed Aug 1 15:49:03 2018 -0500
Set initiator id as user_id for auth events
This change sets the initiator id as the user_id for
authentication events. The notification initiator id would
be set to a random UUID by default, which makes auditing the
identity of the user who is authenticating difficult. This
also adds the user_id as well for auth events for consistency.
Also removes the WIP unit-test header to verify that this
change works as intended.
Change-Id: I511a03eada22c66847bd1502b16cbd2c34b1b35d
Closes-Bug: #1780503
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780503
Title:
CADF identity.authenticate event initiator id is random UUID
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
When enabling CADF notifications and clearing the notification_opt_out
setting[0] (which causes keystone to be more chatty with notifications)
in order to audit identity.authenticate events, keystone emits a
notification for the identity.authentication event where the
initiator's ID is a random UUID that doesn't match up to a user.
Normally the initiator's ID is the ID of the user who performed the
operation[1]. This was noticed when users would log into horizon and
from the audit notification, it could not be determined which user was
logging in.
An example of this is shown below, where keystone only has one user
(admin). The config values for enabling CADF notifications were set
here:
DEFAULT:
notification_format: cadf
notification_opt_out: ""
oslo_messaging_notifications:
driver: messagingv2
ubuntu@zbook:~$ openstack --os-cloud openstack_helm token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-07-07T10:55:00+0000 |
| id | gAAAAABbP_NE7uqaSEN6dDR4sEDB5N0EvOA085lp82_puZmDxeVV16ulJ_4wCp_FR7suulqGyOf078kXWabvbL8jn45pBS95qRHfJeHDYZtf-mDsjFWm22YaiwqYnSUImz3Y2HsCD9ps_oJgwc2BHQUHHIYCiQeWQ-XmkzEvlc6tqQwflWFhHoM |
| project_id | f9e2428b6863443f85bcbb11ac6c300e |
| user_id | 37d3c436d45347529926a4887607d01b |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
| notifications.info | keystone | 0 | {"oslo.message":
"{\"priority\": \"INFO\", \"_unique_id\":
\"c4180ddc9500419898d6dd89086c1a0a\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2018-07-06
22:55:00.205671\", \"publisher_id\": \"identity.keystone-api-
7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\":
\"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\":
{\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\":
\"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4
CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\":
\"936c1487-eff3-59cc-b424-096cff3cd6e9\"}, \"target\": {\"typeURI\":
\"service/security/account/user\", \"id\": \"932768de-4bf4-5c83-88cc-
11f33f39cba9\"}, \"observer\": {\"typeURI\": \"service/security\",
\"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\":
\"activity\", \"eventTime\": \"2018-07-06T22:55:00.205401+0000\",
\"action\": \"authenticate\", \"outcome\": \"success\", \"id\":
\"bf658c41-24b5-5075-9aee-64e6b3db92cc\"}, \"message_id\":
\"b1026bd5-c0d2-48af-adec-dc44c2e1a46b\"}", "oslo.version": "2.0"} |
1054 | string | False |
ubuntu@zbook:~$ openstack --os-cloud openstack_helm user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 37d3c436d45347529926a4887607d01b | admin |
+----------------------------------+-------+
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
| notifications.info | keystone | 1 | {"oslo.message":
"{\"priority\": \"INFO\", \"_unique_id\":
\"c0fa7577c07a4de39013f41b33185489\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2018-07-06
22:56:45.534129\", \"publisher_id\": \"identity.keystone-api-
7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\":
\"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\":
{\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\":
\"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4
CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\":
\"129bfaf0-a8e3-579b-9030-0a5917547b46\"}, \"target\": {\"typeURI\":
\"service/security/account/user\", \"id\": \"f67acddd-78df-
58f1-be93-dcb196e44a9e\"}, \"observer\": {\"typeURI\":
\"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"},
\"eventType\": \"activity\", \"eventTime\":
\"2018-07-06T22:56:45.533872+0000\", \"action\": \"authenticate\",
\"outcome\": \"success\", \"id\":
\"50468200-4b87-5a8a-b855-d25e8721ccea\"}, \"message_id\":
\"cd9fe069-c0f6-4d3e-af65-f288cbb90f41\"}", "oslo.version": "2.0"} |
1054 | string | False |
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
| notifications.info | keystone | 0 | {"oslo.message":
"{\"priority\": \"INFO\", \"_unique_id\":
\"e13c4eb09440496cb80b2297a61c12b8\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2018-07-06
22:56:45.572963\", \"publisher_id\": \"identity.keystone-api-
7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\":
\"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\":
{\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\":
\"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4
CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\":
\"38cee0b3-9b7f-5905-95f1-fa6cf61a637d\"}, \"target\": {\"typeURI\":
\"service/security/account/user\", \"id\":
\"3c9cdad0-a0f4-5151-ab44-da09add4be49\"}, \"observer\": {\"typeURI\":
\"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"},
\"eventType\": \"activity\", \"eventTime\":
\"2018-07-06T22:56:45.572690+0000\", \"action\": \"authenticate\",
\"outcome\": \"success\", \"id\": \"1b0d8ade-f94a-517c-
a9f6-fb3df0a2c8c1\"}, \"message_id\": \"c8a55a89-908c-
49c0-a0b2-9002fccecb03\"}", "oslo.version": "2.0"} | 1054 |
string | False |
[0] https://github.com/openstack/keystone/blob/master/keystone/conf/default.py#L221
[1] https://docs.openstack.org/keystone/latest/advanced-topics/event_notifications.html#auditing-with-cadf
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1780503/+subscriptions
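An added example, not from the bug report or from keystone itself: it parses the double-encoded oslo.messaging envelope shown in the report and flags identity.authenticate events whose CADF initiator id is not a known keystone user id, which is the auditing gap the report describes. The sample envelopes are constructed; the "post-fix" event assumes, per the commit message, that the initiator id equals the user_id.

```python
import json

# Constructed sample envelopes in the shape the bug report shows: the
# oslo.messaging body is a JSON string nested inside the outer JSON object.
def _envelope(initiator_id):
    body = {
        "priority": "INFO",
        "event_type": "identity.authenticate",
        "payload": {
            "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
            "initiator": {"typeURI": "service/security/account/user",
                          "id": initiator_id},
            "eventType": "activity",
            "action": "authenticate",
            "outcome": "success",
        },
    }
    return json.dumps({"oslo.message": json.dumps(body), "oslo.version": "2.0"})

# Initiator id copied from the first notification in the report (a random UUID).
PRE_FIX_EVENT = _envelope("936c1487-eff3-59cc-b424-096cff3cd6e9")
# Post-fix shape, assumed from the commit message: initiator id equals the user_id.
POST_FIX_EVENT = _envelope("37d3c436d45347529926a4887607d01b")
# The only user in the report's `openstack user list` output.
KNOWN_USER_IDS = {"37d3c436d45347529926a4887607d01b"}

def parse_envelope(raw):
    """Decode the two-layer oslo.messaging envelope into the inner message dict."""
    return json.loads(json.loads(raw)["oslo.message"])

def audit_auth_event(raw, known_user_ids):
    """Audit record for an identity.authenticate CADF event, or None otherwise.

    'attributable' is False when the initiator id is not a keystone user id,
    which is the auditing gap described in the bug.
    """
    msg = parse_envelope(raw)
    if msg.get("event_type") != "identity.authenticate":
        return None
    payload = msg["payload"]
    initiator_id = payload["initiator"]["id"]
    return {"initiator_id": initiator_id,
            "outcome": payload.get("outcome"),
            "attributable": initiator_id in known_user_ids}

def unattributable_events(raw_messages, known_user_ids):
    """Filter a batch of queue messages down to auth events nobody can be tied to."""
    records = (audit_auth_event(m, known_user_ids) for m in raw_messages)
    return [r for r in records if r is not None and not r["attributable"]]
```

Feeding the body column of the rabbitmqadmin output into unattributable_events gives the list of logins an auditor cannot tie to a user; after the fix it should be empty.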