ec2 credentials do not create audit notifications

Bug #1831918 reported by Nathan Oyler on 2019-06-06
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Nathan Oyler

Bug Description

ec2 credentials is not configured to create audit notifications, meaning actions are untracked by the auditing system.

Colleen Murphy (krinkle) wrote :

Is the issue that there are no notifications when you create/delete them, or when you try to authenticate with them?

Changed in keystone:
status: New → Incomplete
Nathan Oyler (notq) wrote :

No notifications when you create/delete them. I do not have authentication notifications turned on, so cannot validate that portion.

Colleen Murphy (krinkle) wrote :

Got it. Notifications should be being emitted from here https://opendev.org/openstack/keystone/src/branch/master/keystone/credential/core.py#L115-L132 (for example, the way we do here https://opendev.org/openstack/keystone/src/branch/master/keystone/application_credential/core.py#L150) and it looks like we just don't have them.

Changed in keystone:
status: Incomplete → Triaged
importance: Undecided → Medium
Nathan Oyler (notq) wrote :

Straightforward for create: add notifications import, change signature to include initiator=None and add the notification code as listed.

There is no delete method because it automagically calls the delete in the driver (keystone/credentials/backends/sql.py), best to add the delete function to the manager in core.py so the notification can happen from there.

But then do I have to make sure the delete function in the manager is actually called? We're starting to get past my understanding of how things work.
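
The manager/driver fall-through asked about above, as an added example that is not keystone's code and not part of the original comment: a simplified model in which a manager forwards any method it does not define to its driver, shown before and after explicit `create_credential`/`delete_credential` methods are added. All class names, `emit_audit`, `AUDIT_LOG` and the event-record layout are hypothetical stand-ins.

```python
# Simplified model; every name here is hypothetical, not keystone's code.
AUDIT_LOG = []  # stands in for the notification bus


def emit_audit(action, resource_type, resource_id, initiator):
    # Constructed, minimal CADF-style record.
    AUDIT_LOG.append({"event_type": f"identity.{resource_type}.{action}",
                      "target": resource_id, "initiator": initiator})


class SqlDriver:
    """Storage backend stand-in; it knows nothing about auditing."""
    def __init__(self):
        self.rows = {}

    def create_credential(self, credential_id, credential):
        self.rows[credential_id] = dict(credential)
        return self.rows[credential_id]

    def delete_credential(self, credential_id):
        del self.rows[credential_id]


class ProxyManager:
    """Attributes the manager lacks are looked up on the driver."""
    def __init__(self, driver):
        self.driver = driver

    def __getattr__(self, name):
        # Reached only when normal lookup on the manager fails.
        return getattr(self.driver, name)


class UnauditedManager(ProxyManager):
    """Before: no methods of its own, so calls fall through unaudited."""


class AuditedManager(ProxyManager):
    """After: explicit create/delete wrap the driver and emit events."""
    _CRED = "credential"

    def create_credential(self, credential_id, credential, initiator=None):
        ref = self.driver.create_credential(credential_id, credential)
        emit_audit("created", self._CRED, credential_id, initiator)
        return ref

    def delete_credential(self, credential_id, initiator=None):
        self.driver.delete_credential(credential_id)
        emit_audit("deleted", self._CRED, credential_id, initiator)
```

In this model a method defined on the manager always wins over the fall-through, so existing callers of `manager.delete_credential(...)` reach the audited version without changes. Code that calls the driver directly still produces no event.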

Nathan Oyler (notq) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/664618

Changed in keystone:
assignee: nobody → Nathan Oyler (notq)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/664618
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=579cc19857048a8710a9f173c602f51a2fcabba1
Submitter: Zuul
Branch: master

commit 579cc19857048a8710a9f173c602f51a2fcabba1
Author: Nathan Oyler <email address hidden>
Date: Mon Jun 10 10:32:05 2019 -0700

    Add cadf auditing to credentials

    added audit logging to credentials.

    Closes-bug: #1831918
    Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/711545

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/711547

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein)

Reviewed: https://review.opendev.org/711545
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e57e44c0ecf4491bba4ed451e6b3016552824ff5
Submitter: Zuul
Branch: stable/stein

commit e57e44c0ecf4491bba4ed451e6b3016552824ff5
Author: Nathan Oyler <email address hidden>
Date: Mon Jun 10 10:32:05 2019 -0700

    Add cadf auditing to credentials

    added audit logging to credentials.

    This backport is a bit different from the original patch,
    since we don't have the patch that adds caching of credentials,
    found in commit 479a2a0afaeb505c371ee97a1f2fbc1b11e3cef1,
    and we were not able to backport it.

    So it makes sense to keep the invalidate cache calls in the
    original bits.

    Closes-bug: #1831918
    Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541
    (cherry picked from commit 579cc19857048a8710a9f173c602f51a2fcabba1)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.opendev.org/711547
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=abf5cb6a55b78afceade692dceba7542e06736b4
Submitter: Zuul
Branch: stable/rocky

commit abf5cb6a55b78afceade692dceba7542e06736b4
Author: Nathan Oyler <email address hidden>
Date: Mon Jun 10 10:32:05 2019 -0700

    Add cadf auditing to credentials

    added audit logging to credentials.

    This backport is a bit different from the original patch,
    since we don't have the patch that adds caching of credentials,
    found in commit 479a2a0afaeb505c371ee97a1f2fbc1b11e3cef1,
    and we were not able to backport it.

    So it makes sense to keep the invalidate cache calls in the
    original bits.

    Closes-bug: #1831918
    Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541
    (cherry picked from commit 579cc19857048a8710a9f173c602f51a2fcabba1)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/729765
