yahoo-eng-team team mailing list archive
Message #85034
[Bug 1914260] [NEW] Lack of project and domain information in audit logs
Public bug reported:
In our cloud build we have the Train release of keystone.
It is expected to find some extended info in the initiator block of the audit log: user id, domain id, domain name. But there is only user_id.
Also, there is no data for domain id, domain name, project id and authentication scope in the target block.
The Keystone RBAC model supports allowing one domain's users access to another domain.
Now we lack user and domain information for these two blocks in the audit section for such cases.
At the moment, the authentication message looks like this:
{
  "message_id": "f81d337f-c9c0-4902-82c7-3a0e15c38dea",
  "publisher_id": "identity.<node name>",
  "event_type": "identity.authenticate",
  "priority": "INFO",
  "payload": {
    "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
    "eventType": "activity",
    "id": "721b1fba-02f9-5238-a9bc-3eb8e0cd1272",
    "eventTime": "2021-02-02T11:58:36.725225+0000",
    "action": "authenticate",
    "outcome": "success",
    "observer": {
      "id": "ebd9684ee6154f0990e8faa76b0f00d5",
      "typeURI": "service/security"
    },
    "initiator": {
      "id": "d0be769053234cbc9ffd8e144a045954",
      "typeURI": "service/security/account/user",
      "host": {
        "address": "10.10.0.222",
        "agent": "airflow keystoneauth1/4.3.0 python-requests/2.23.0 CPython/3.7.9"
      },
      "request_id": "req-4275e914-707b-4282-96b3-36fac6b0a000",
      "user_id": "<User ID here>",
      "username": "<User name here>"
    },
    "target": {
      "id": "436fe84b-6209-5cf4-84ba-7e17199dfba6",
      "typeURI": "service/security/account/user"
    }
  },
  "timestamp": "2021-02-02 11:58:36.726087"
}
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1914260
Title:
Lack of project and domain information in audit logs
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1914260/+subscriptions
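
A check for the gap described in this report, as an added example that is not part of the original message or of keystone: it flags identity.authenticate notifications whose initiator or target block lacks the fields the reporter expects, so a log pipeline can count events that cannot be attributed to a domain or project. The key names domain_id, domain_name, project_id and scope are assumptions, since the report names those fields only by description.

```python
import json

# Assumed key names: the report lists the fields only by description, so these
# keys are hypothetical and should be adjusted to what your deployment emits.
EXPECTED = {
    "initiator": ("user_id", "domain_id", "domain_name"),
    "target": ("domain_id", "domain_name", "project_id", "scope"),
}


def missing_scope_fields(notification):
    """Return {block: [missing keys]} for an identity.authenticate event.

    Returns None for other event types; an empty dict means the event can be
    attributed to a user, domain and project.
    """
    if notification.get("event_type") != "identity.authenticate":
        return None
    payload = notification.get("payload") or {}
    gaps = {}
    for block, keys in EXPECTED.items():
        data = payload.get(block) or {}
        # An absent key and an empty value are equally useless to an analyst.
        missing = [k for k in keys if data.get(k) in (None, "")]
        if missing:
            gaps[block] = missing
    return gaps


# Trimmed copy of the event in the report (user values are constructed).
REPORTED = json.loads("""
{"event_type": "identity.authenticate",
 "payload": {
   "action": "authenticate", "outcome": "success",
   "initiator": {"id": "d0be769053234cbc9ffd8e144a045954",
                 "typeURI": "service/security/account/user",
                 "user_id": "constructed-user-id", "username": "constructed-name"},
   "target": {"id": "436fe84b-6209-5cf4-84ba-7e17199dfba6",
              "typeURI": "service/security/account/user"}}}
""")

if __name__ == "__main__":
    for block, keys in missing_scope_fields(REPORTED).items():
        print(f"{block}: missing {', '.join(keys)}")
```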