Security group rule AUDIT message could be more useful

Bug #1154303 reported by Jay Pipes
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Alex Hmelevsky

Bug Description

Hi! This is mostly just a wishlist request related to operational usability.

Recently I was investigating a report of changes to security group rules for a tenant and found that the AUDIT log messages captured during security group rule changes were, well, less than useful :)

Example:

2013-03-12 17:25:31 AUDIT nova.compute.api [req-ea8ad999-2154-4631-8d80-e33eeeb5f9b6 a8f944429f2b43758079dfda3a123222 8a25888b704146ab95c1e3e8928253f6] Authorize security group ingress default

What would be more useful to know in this particular AUDIT log message would be something like this:

2013-03-12 17:25:31 AUDIT nova.compute.api [req-ea8ad999-2154-4631-8d80-e33eeeb5f9b6 a8f944429f2b43758079dfda3a123222 8a25888b704146ab95c1e3e8928253f6] Security group default added TCP ingress (22:22)

or:

2013-03-12 17:25:31 AUDIT nova.compute.api [req-ea8ad999-2154-4631-8d80-e33eeeb5f9b6 a8f944429f2b43758079dfda3a123222 8a25888b704146ab95c1e3e8928253f6] Security group default removed ICMP ingress (-1:-1)

Best,
-jay

Tags: ops usability
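
What the proposed wording would give someone reconstructing rule changes from logs, as an added example that is not part of the original report or of nova's code. It parses the three log lines quoted above; the bracketed field order (request id, user id, tenant id) and the exact message shape are assumptions taken from those lines, not from the merged fix.

```python
import re

# Constructed sample: the three log lines quoted in the bug description.
CTX = ("[req-ea8ad999-2154-4631-8d80-e33eeeb5f9b6 "
       "a8f944429f2b43758079dfda3a123222 8a25888b704146ab95c1e3e8928253f6]")
SAMPLE = [
    f"2013-03-12 17:25:31 AUDIT nova.compute.api {CTX} Authorize security group ingress default",
    f"2013-03-12 17:25:31 AUDIT nova.compute.api {CTX} Security group default added TCP ingress (22:22)",
    f"2013-03-12 17:25:31 AUDIT nova.compute.api {CTX} Security group default removed ICMP ingress (-1:-1)",
]
# Line layout: timestamp, level, logger, [request-id user-id tenant-id], message (assumed order).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUDIT (?P<logger>\S+) "
    r"\[(?P<request_id>req-[0-9a-f-]+) (?P<user_id>\w+) (?P<tenant_id>\w+)\] "
    r"(?P<message>.*)$")
# Message shape proposed in the report (assumed; the merged wording may differ).
RULE_RE = re.compile(
    r"^Security group (?P<group>.+) (?P<action>added|removed) "
    r"(?P<protocol>[A-Za-z]+) ingress \((?P<from_port>-?\d+):(?P<to_port>-?\d+)\)$")

def parse_audit_line(line):
    """Return a dict for a nova AUDIT line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    record = m.groupdict()
    rule = RULE_RE.match(record["message"])
    # "rule" stays None when the message does not say what was changed.
    record["rule"] = rule and {**rule.groupdict(),
                               "from_port": int(rule["from_port"]),
                               "to_port": int(rule["to_port"])}
    return record

def rule_changes(lines, tenant_id):
    """Split one tenant's AUDIT lines into reconstructable changes and opaque events."""
    changes, opaque = [], []
    for rec in filter(None, map(parse_audit_line, lines)):
        if rec["tenant_id"] != tenant_id:
            continue
        (changes if rec["rule"] else opaque).append(rec)
    return changes, opaque

if __name__ == "__main__":
    changes, opaque = rule_changes(SAMPLE, "8a25888b704146ab95c1e3e8928253f6")
    for rec in changes:
        print(rec["ts"], rec["user_id"], rec["rule"])
    print("no rule detail:", [rec["message"] for rec in opaque])
```

The original message lands in the opaque list: it records who touched the group and when, but not which protocol or ports were opened or closed.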
Michael Still (mikal) wrote :

This sounds like the sort of thing we could easily tweak in havana-1.

Changed in nova:
status: New → Triaged
importance: Undecided → Low
milestone: none → havana-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/27295

Changed in nova:
assignee: nobody → Chuck Short (zulcss)
status: Triaged → In Progress
Chuck Short (zulcss)
Changed in nova:
assignee: Chuck Short (zulcss) → nobody
Changed in nova:
milestone: havana-1 → none
Mathew Odden (locke105)
Changed in nova:
status: In Progress → Triaged
Changed in nova:
assignee: nobody → Alex (alex-hmelevsky)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/69396

Changed in nova:
status: Triaged → In Progress
Sean Dague (sdague) wrote :

Disagree that this should be at AUDIT level. I'm fine with it as debug.

Alex Hmelevsky (alex-hmelevsky) wrote :

According to the comments in code review, it looks like it's out of scope of this bug, so it was proposed to create a separate ticket to consider/change audit to debug log level.
I'd create it, but I have no background on the reason to do this.

Openstack Gerrit (openstack-gerrit) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/69396
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=67179bf58f35d54bee12e6e8eaf084e2f70ea6a2
Submitter: Jenkins
Branch: master

commit 67179bf58f35d54bee12e6e8eaf084e2f70ea6a2
Author: Alex Hmelevsky <email address hidden>
Date: Mon Jan 27 17:54:51 2014 +0200

    Improved logs for add/remove security group rules.

    Added more details - protocol and port information to AUDIT log
    messages on add/remove rule actions for security groups.

    Change-Id: Ib446a63976dade90c51c13f30367a3ee17a739ea
    Closes-Bug: #1154303

Changed in nova:
status: In Progress → Fix Committed
Tom Fifield (fifieldt)
Changed in nova:
milestone: none → juno-1
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: juno-1 → 2014.2