yahoo-eng-team team mailing list archive

[Bug 1914260] [NEW] Lack of project and domain information in audit logs

 

Public bug reported:

In our cloud build we have the Train release of keystone.

It is expected to find some extended info in the initiator block of the audit log: user id, domain id, domain name. But there is only user_id.
Also, there is no data for domain id, domain name, project id and authentication scope in the target block.
The Keystone RBAC model supports allowing one domain's users access to another domain.
Now we lack user and domain information for these two blocks in the audit section for such cases.

At the moment, the authentication message looks like this:
{
  "message_id": "f81d337f-c9c0-4902-82c7-3a0e15c38dea",
  "publisher_id": "identity.<node name>",
  "event_type": "identity.authenticate",
  "priority": "INFO",
  "payload": {
    "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
    "eventType": "activity",
    "id": "721b1fba-02f9-5238-a9bc-3eb8e0cd1272",
    "eventTime": "2021-02-02T11:58:36.725225+0000",
    "action": "authenticate",
    "outcome": "success",
    "observer": {
      "id": "ebd9684ee6154f0990e8faa76b0f00d5",
      "typeURI": "service/security"
    },
    "initiator": {
      "id": "d0be769053234cbc9ffd8e144a045954",
      "typeURI": "service/security/account/user",
      "host": {
        "address": "10.10.0.222",
        "agent": "airflow keystoneauth1/4.3.0 python-requests/2.23.0 CPython/3.7.9"
      },
      "request_id": "req-4275e914-707b-4282-96b3-36fac6b0a000",
      "user_id": "<User ID here>",
      "username": "<User name here>"
    },
    "target": {
      "id": "436fe84b-6209-5cf4-84ba-7e17199dfba6",
      "typeURI": "service/security/account/user"
    }
  },
  "timestamp": "2021-02-02 11:58:36.726087"
}

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1914260

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1914260/+subscriptions