When enabling CADF notifications and clearing the notification_opt_out setting[0] (which cause keystone to be more chatty with notifications) in order to audit identity.authenticate events, keystone (sometimes) emits a notification for the identity.authentication event where the initiator's ID is a random UUID that doesn't match up to a user.
An example of this is shown below, where keystone only has one user (admin). The config values for enabling CADF notifications were set here:
DEFAULT:
  notification_format: cadf
  notification_opt_out: ""
oslo_messaging_notifications:
  driver: messagingv2
ubuntu@zbook:~$ openstack --os-cloud openstack_helm token issue
+------------+----------------------------------+
| Field      | Value |
+------------+----------------------------------+
| expires    | 2018-07-07T10:55:00+0000 |
| id         | gAAAAABbP_NE7uqaSEN6dDR4sEDB5N0EvOA085lp82_puZmDxeVV16ulJ_4wCp_FR7suulqGyOf078kXWabvbL8jn45pBS95qRHfJeHDYZtf-mDsjFWm22YaiwqYnSUImz3Y2HsCD9ps_oJgwc2BHQUHHIYCiQeWQ-XmkzEvlc6tqQwflWFhHoM |
| project_id | f9e2428b6863443f85bcbb11ac6c300e |
| user_id    | 37d3c436d45347529926a4887607d01b |
+------------+----------------------------------+
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
| notifications.info | keystone | 0 | {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \"c4180ddc9500419898d6dd89086c1a0a\", \"event_type\": \"identity.authenticate\", \"timestamp\": \"2018-07-06 22:55:00.205671\", \"publisher_id\": \"identity.keystone-api-7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\": {\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\": \"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4 CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\": \"936c1487-eff3-59cc-b424-096cff3cd6e9\"}, \"target\": {\"typeURI\": \"service/security/account/user\", \"id\": \"932768de-4bf4-5c83-88cc-11f33f39cba9\"}, \"observer\": {\"typeURI\": \"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\": \"activity\", \"eventTime\": \"2018-07-06T22:55:00.205401+0000\", \"action\": \"authenticate\", \"outcome\": \"success\", \"id\": \"bf658c41-24b5-5075-9aee-64e6b3db92cc\"}, \"message_id\": \"b1026bd5-c0d2-48af-adec-dc44c2e1a46b\"}", "oslo.version": "2.0"} | 1054 | string | False |
ubuntu@zbook:~$ openstack --os-cloud openstack_helm user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 37d3c436d45347529926a4887607d01b | admin |
+----------------------------------+-------+
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
| notifications.info | keystone | 1 | {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \"c0fa7577c07a4de39013f41b33185489\", \"event_type\": \"identity.authenticate\", \"timestamp\": \"2018-07-06 22:56:45.534129\", \"publisher_id\": \"identity.keystone-api-7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\": {\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\": \"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4 CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\": \"129bfaf0-a8e3-579b-9030-0a5917547b46\"}, \"target\": {\"typeURI\": \"service/security/account/user\", \"id\": \"f67acddd-78df-58f1-be93-dcb196e44a9e\"}, \"observer\": {\"typeURI\": \"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\": \"activity\", \"eventTime\": \"2018-07-06T22:56:45.533872+0000\", \"action\": \"authenticate\", \"outcome\": \"success\", \"id\": \"50468200-4b87-5a8a-b855-d25e8721ccea\"}, \"message_id\": \"cd9fe069-c0f6-4d3e-af65-f288cbb90f41\"}", "oslo.version": "2.0"} | 1054 | string | False |
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
| notifications.info | keystone | 0 | {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \"e13c4eb09440496cb80b2297a61c12b8\", \"event_type\": \"identity.authenticate\", \"timestamp\": \"2018-07-06 22:56:45.572963\", \"publisher_id\": \"identity.keystone-api-7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\": {\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\": \"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4 CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\": \"38cee0b3-9b7f-5905-95f1-fa6cf61a637d\"}, \"target\": {\"typeURI\": \"service/security/account/user\", \"id\": \"3c9cdad0-a0f4-5151-ab44-da09add4be49\"}, \"observer\": {\"typeURI\": \"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\": \"activity\", \"eventTime\": \"2018-07-06T22:56:45.572690+0000\", \"action\": \"authenticate\", \"outcome\": \"success\", \"id\": \"1b0d8ade-f94a-517c-a9f6-fb3df0a2c8c1\"}, \"message_id\": \"c8a55a89-908c-49c0-a0b2-9002fccecb03\"}", "oslo.version": "2.0"} | 1054 | string | False |
[0] https://github.com/openstack/keystone/blob/master/keystone/conf/default.py#L221
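
A way to check for this condition when consuming the queue, as an added example that is not part of the original report or of keystone's code: it decodes the double-encoded oslo.messaging envelope, pulls the CADF initiator ID out of an identity.authenticate event, and reports whether it resolves to a known user. The function names are hypothetical, the known-user set is assumed to come from `openstack user list`, and the sample envelope is shortened from the first notification shown above.

```python
import json
import uuid

# User IDs as listed by `openstack user list` in this report (only admin exists).
KNOWN_USER_IDS = {"37d3c436d45347529926a4887607d01b"}

# Envelope shortened from the first notification in this report (host fields dropped).
SAMPLE = json.dumps({
    "oslo.version": "2.0",
    "oslo.message": json.dumps({
        "event_type": "identity.authenticate",
        "payload": {
            "initiator": {"typeURI": "service/security/account/user",
                          "id": "936c1487-eff3-59cc-b424-096cff3cd6e9"},
            "action": "authenticate",
            "outcome": "success",
        },
    }),
})


def normalize(identifier):
    """Return the 32-hex form of a UUID-like ID, or None if it is not one."""
    try:
        return uuid.UUID(identifier).hex
    except (ValueError, AttributeError, TypeError):
        return None


def audit_initiator(raw_envelope, known_user_ids):
    """Decode an oslo.messaging v2 envelope and check the CADF initiator."""
    envelope = json.loads(raw_envelope)
    # The "oslo.message" value is itself a JSON string, so decode a second time.
    message = json.loads(envelope["oslo.message"])
    if message.get("event_type") != "identity.authenticate":
        return None  # not an authentication event
    initiator_id = message["payload"]["initiator"]["id"]
    hex_id = normalize(initiator_id)
    return {
        "initiator_id": initiator_id,
        # Compare in undashed form, the form keystone uses for user IDs.
        "resolves_to_user": hex_id in known_user_ids,
        # Version field of the ID; helps tell generated IDs from stored ones.
        "uuid_version": uuid.UUID(hex_id).version if hex_id else None,
        "outcome": message["payload"].get("outcome"),
    }
```

Run against the sample, the initiator does not resolve to the admin user and its version field is 5, which holds for all three initiator IDs in the notifications above.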