yahoo-eng-team team mailing list archive

[OpenStack Infra <1537963@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/613455
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a02a47a65f2be3d80d8e05685d6001c91aaeef25
Submitter: Zuul
Branch:    master

commit a02a47a65f2be3d80d8e05685d6001c91aaeef25
Author: Morgan Fainberg <morgan.fainberg@xxxxxxxxx>
Date:   Thu Oct 25 17:41:13 2018 -0700

    Emit CADF notifications on authentication for invalid users
    
    Emit CADF notifications on authentication when the user_name or the
    user_id is invalid (UserNotFound raised). This closes a minor security
    gap in notifications.
    
    Change-Id: If8b49b5dc49a4b0670fb81a493f50c77df7b4362
    closes-bug: #1537963


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1537963

Title:
  notification not generated for authentication failure with invalid
  user name

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Enable event notification in log mode:
  [DEFAULT]
  notification_format = cadf
  notification_driver = log

  Test by "Create a token"
  $ openstack token issue

  1.[OK]  Correct user name and password:  an event notification was created with "event_type": "identity.authenticate" 
   "outcome": "success"

  2. [OK] Correct user name  but invalid password:  an event notification was also created with "event_type": "identity.authenticate" 
   "outcome": "failure"

  3. [BUG] Invalid user name:  NO event notification was created.

  This may cause a security issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1537963/+subscriptions