ec2 credentials do not create audit notifications

Bug #1831918 reported by Nathan Oyler on 2019-06-06
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Nathan Oyler

Bug Description

ec2 credentials are not configured to create audit notifications, meaning actions are untracked by the auditing system.

Colleen Murphy (krinkle) wrote :

Is the issue that there are no notifications when you create/delete them, or when you try to authenticate with them?

Changed in keystone:
status: New → Incomplete

Nathan Oyler (notq) wrote :

No notifications when you create/delete them. I do not have authentication notifications turned on, so cannot validate that portion.

Colleen Murphy (krinkle) wrote :

Got it. Notifications should be being emitted from here https://opendev.org/openstack/keystone/src/branch/master/keystone/credential/core.py#L115-L132 (for example, the way we do here https://opendev.org/openstack/keystone/src/branch/master/keystone/application_credential/core.py#L150) and it looks like we just don't have them.

Changed in keystone:
status: Incomplete → Triaged
importance: Undecided → Medium

Nathan Oyler (notq) wrote :

Straightforward for create, add notifications import, change signature to include initiator=None and add the notification code as listed.

There is no delete method because it automagically calls the delete in the driver (keystone/credentials/backends/sql.py), best to add the delete function to the manager in core.py so the notification can happen from there.

But then do I have to make sure the delete function in the manager is actually called? We're starting to get past my understanding of how things work.
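
A stand-alone model of the gap discussed in the comments above, added here as an illustration; it is not keystone's code or the submitted patch. SqlDriver, Manager, emit and AUDIT_LOG are hypothetical stand-ins, and the attribute pass-through models the "automagic" driver call the comment describes. It shows that a manager auditing only create leaves delete silent, and how to list the call paths that still bypass the manager.

```python
AUDIT_LOG = []  # stand-in for the notification bus (constructed for this example)

def emit(action, resource_type, resource_id, initiator):
    # Hypothetical minimal event record, not the real CADF payload.
    AUDIT_LOG.append((action, resource_type, resource_id, initiator))

class SqlDriver:
    """Stand-in storage backend; it knows nothing about auditing."""
    def __init__(self):
        self.rows = {}
    def create_credential(self, credential_id, credential):
        self.rows[credential_id] = credential
        return credential
    def delete_credential(self, credential_id):
        del self.rows[credential_id]

class Manager:
    """Methods the manager does not define fall through to the driver."""
    def __init__(self):
        self.driver = SqlDriver()
    def __getattr__(self, name):
        return getattr(self.driver, name)

class CreateOnlyManager(Manager):
    """Audits create but has no delete method of its own."""
    def create_credential(self, credential_id, credential, initiator=None):
        ref = self.driver.create_credential(credential_id, credential)
        emit("created", "credential", credential_id, initiator)
        return ref

class AuditedManager(CreateOnlyManager):
    """Adds the manager-level delete so the event is emitted there."""
    def delete_credential(self, credential_id, initiator=None):
        self.driver.delete_credential(credential_id)
        emit("deleted", "credential", credential_id, initiator)

def logged_actions(manager):
    """Create then delete one constructed credential; return actions audited."""
    start = len(AUDIT_LOG)
    manager.create_credential("cred-1", {"type": "ec2"})
    manager.delete_credential("cred-1")
    return [event[0] for event in AUDIT_LOG[start:]]

def driver_passthroughs(manager_cls, driver_cls=SqlDriver):
    """Public driver methods the manager class never overrides (silent paths)."""
    public = [n for n, v in vars(driver_cls).items()
              if callable(v) and not n.startswith("_")]
    return sorted(n for n in public if not hasattr(manager_cls, n))
```

Overriding a method in the manager only makes auditing possible; the pass-through list is a coverage check for paths that cannot emit an event at all.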

Fix proposed to branch: master
Review: https://review.opendev.org/664618

Changed in keystone:
assignee: nobody → Nathan Oyler (notq)
status: Triaged → In Progress

Reviewed: https://review.opendev.org/664618
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=579cc19857048a8710a9f173c602f51a2fcabba1
Submitter: Zuul
Branch: master

commit 579cc19857048a8710a9f173c602f51a2fcabba1
Author: Nathan Oyler <email address hidden>
Date: Mon Jun 10 10:32:05 2019 -0700

    Add cadf auditing to credentials

    added audit logging to credentials.

    Closes-bug: #1831918
    Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
