
yahoo-eng-team team mailing list archive

[Bug 1856904] Re: CADF Notifications are missing user name in initiator object


Reviewed:  https://review.opendev.org/699013
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=95edaaab06c6da761411ef97bc2545d86d579215
Submitter: Zuul
Branch:    master

commit 95edaaab06c6da761411ef97bc2545d86d579215
Author: Gage Hugo <gagehugo@xxxxxxxxx>
Date:   Fri Dec 13 14:25:28 2019 -0600

    Always have username in CADF initiator
    
    The current initiator object for CADF notifications does not include
    the username of the user who initiated the action, which leads to
    issues when using an LDAP backend and not having a direct way to
    map a username to a user id.
    
    This change makes it so that the initiator object for CADF
    notifications always contains the username for a user as well
    as the user id. This follows along with the CADF standard
    for OpenStack[0].
    
    [0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12
    
    Closes-Bug: #1856904
    
    Change-Id: I833e6e0d7792acf49f816050ad7a63e8ea4f702f


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1856904

Title:
  CADF Notifications are missing user name in initiator object

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When enabling CADF notifications, each event notification contains an
  initiator object; this object contains an id, typeuri, project_id,
  etc. This notification is useful for auditors to determine who has
  authenticated and/or what action a user has performed.

  The various examples in the OpenStack CADF standard[0] show a user
  name as part of the initiator; however, most notifications only contain
  the user_id. For deployments that contain non-local users, this only
  provides a UUID as the user_id, and it is not immediately clear which
  user performed an action. Additional work has to be done, either
  manually or via an alerting process, to query each user_id against
  keystone to determine which user performed what action.

  To better conform to the standard[0], keystone should be including
  usernames as part of the initiator object.

  [0]
  https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1856904/+subscriptions
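The attribution step the bug description complains about, written out as an added example (not part of the bug report, the commit, or keystone's own code): the CADF-style events and the user_id-to-name directory below are constructed stand-ins, the directory playing the role of the per-user_id query against keystone that an auditor has to run whenever the initiator carries no name.

```python
import json

# Constructed CADF-style keystone notifications, not captured from a real
# deployment. Only the first one carries a username in its initiator.
PROJECT = "7c2e1d4b5a6f4c3d9e8b7a6f5c4d3e2b"
SAMPLE_EVENTS = [
    json.dumps({"event_type": "identity.authenticate", "payload": {
        "action": "authenticate", "outcome": "success",
        "initiator": {"typeURI": "service/security/account/user",
                      "id": "3a1f0c9e9b2d4f4e8b7e1c3d5a6f7b8c",
                      "name": "alice", "project_id": PROJECT}}}),
    json.dumps({"event_type": "identity.authenticate", "payload": {
        "action": "authenticate", "outcome": "failure",
        "initiator": {"typeURI": "service/security/account/user",
                      "id": "9d8c7b6a5f4e4d3c2b1a0f9e8d7c6b5a",
                      "project_id": PROJECT}}}),
    json.dumps({"event_type": "identity.user.created", "payload": {
        "action": "created.user", "outcome": "success",
        "initiator": {"typeURI": "service/security/account/user",
                      "id": "0000aaaa1111bbbb2222cccc3333dddd",
                      "project_id": PROJECT}}}),
]

# Constructed stand-in for the user_id -> name lookup an auditor otherwise
# has to run against keystone for every event that lacks a name.
USER_DIRECTORY = {
    "3a1f0c9e9b2d4f4e8b7e1c3d5a6f7b8c": "alice",
    "9d8c7b6a5f4e4d3c2b1a0f9e8d7c6b5a": "bob",
}

def resolve_initiator(raw_event, directory):
    """Attribute one notification to a username and say where it came from:
    'initiator' if the event carries it, 'lookup' if it had to be resolved
    out of band, None if the id is unknown to the directory as well."""
    event = json.loads(raw_event)
    payload = event["payload"]
    initiator = payload.get("initiator", {})
    user_id, name = initiator.get("id"), initiator.get("name")
    source = "initiator" if name else None
    if name is None and user_id in directory:
        name, source = directory[user_id], "lookup"
    return {"event_type": event["event_type"], "action": payload.get("action"),
            "outcome": payload.get("outcome"), "user_id": user_id,
            "name": name, "source": source}

def audit(raw_events, directory):
    """Resolve every event; return the rows and the ids still unattributable."""
    rows = [resolve_initiator(e, directory) for e in raw_events]
    return rows, [r["user_id"] for r in rows if r["name"] is None]
```

Once the initiator always carries the name, every row comes back with source 'initiator' and the directory lookup is never needed; the unresolved list is what an auditor is left with for ids that no backend can map.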