OpenStack Identity (keystone)

CADF Notifications are missing user name in initiator object

Bug #1856904 reported by Gage Hugo
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Undecided
Gage Hugo

Bug Description

When enabling CADF notifications, each event notification contains an initiator object, this object contains an id, typeuri, project_id, etc. This notification is useful for auditors to determine who has authenticated and/or what action a user has performed.

The various examples in the OpenStack CADF standard[0] show a user name as part of the initiator, however most notifications only contain the user_id. For deployments that contain non-local users, this only provides a UUID as the user_id, and it is not immediately clear which user performed an action. Additional work has to be done, either manually or via an alerting process to query each user_id against keystone to determine which user performed what action.

To better conform to the standard[0], keystone should be including usernames as part of the initiator object.

[0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12

Gage Hugo (gagehugo)
summary: - CADF Notifications are missing user name in initiator
+ CADF Notifications are missing user name in initiator object
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: nobody → Gage Hugo (gagehugo)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/699013
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=95edaaab06c6da761411ef97bc2545d86d579215
Submitter: Zuul
Branch: master

commit 95edaaab06c6da761411ef97bc2545d86d579215
Author: Gage Hugo <email address hidden>
Date: Fri Dec 13 14:25:28 2019 -0600

    Always have username in CADF initiator

    The current initiator object for CADF notifications does not include
    the username of the user who initiated the action, which leads to
    issues when using an LDAP backend and not having a direct way to
    map a username to a user id.

    This change makes it so that the initiator object for CADF
    notifications always contains the username for a user as well
    as the user id. This follows along with the CADF standard
    for OpenStack[0].

    [0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12

    Closes-Bug: #1856904

    Change-Id: I833e6e0d7792acf49f816050ad7a63e8ea4f702f

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/705334

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/705768

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/705771

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/train)

Reviewed: https://review.opendev.org/705334
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bd983f0c7339d30da834c26d6aeacab05a7adaff
Submitter: Zuul
Branch: stable/train

commit bd983f0c7339d30da834c26d6aeacab05a7adaff
Author: Gage Hugo <email address hidden>
Date: Fri Dec 13 14:25:28 2019 -0600

    Always have username in CADF initiator

    The current initiator object for CADF notifications does not include
    the username of the user who initiated the action, which leads to
    issues when using an LDAP backend and not having a direct way to
    map a username to a user id.

    This change makes it so that the initiator object for CADF
    notifications always contains the username for a user as well
    as the user id. This follows along with the CADF standard
    for OpenStack[0].

    [0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12

    Closes-Bug: #1856904

    Change-Id: I833e6e0d7792acf49f816050ad7a63e8ea4f702f
    (cherry picked from commit 95edaaab06c6da761411ef97bc2545d86d579215)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein)

Reviewed: https://review.opendev.org/705768
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=615fe2138de409356c34f17312e618b8c9b5cce3
Submitter: Zuul
Branch: stable/stein

commit 615fe2138de409356c34f17312e618b8c9b5cce3
Author: Gage Hugo <email address hidden>
Date: Fri Dec 13 14:25:28 2019 -0600

    Always have username in CADF initiator

    The current initiator object for CADF notifications does not include
    the username of the user who initiated the action, which leads to
    issues when using an LDAP backend and not having a direct way to
    map a username to a user id.

    This change makes it so that the initiator object for CADF
    notifications always contains the username for a user as well
    as the user id. This follows along with the CADF standard
    for OpenStack[0].

    [0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12

    Closes-Bug: #1856904

    Change-Id: I833e6e0d7792acf49f816050ad7a63e8ea4f702f
    (cherry picked from commit 95edaaab06c6da761411ef97bc2545d86d579215)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.opendev.org/705771
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b33f71e21f1b17fff6b8f34e595ca8ef093acda4
Submitter: Zuul
Branch: stable/rocky

commit b33f71e21f1b17fff6b8f34e595ca8ef093acda4
Author: Gage Hugo <email address hidden>
Date: Fri Dec 13 14:25:28 2019 -0600

    Always have username in CADF initiator

    The current initiator object for CADF notifications does not include
    the username of the user who initiated the action, which leads to
    issues when using an LDAP backend and not having a direct way to
    map a username to a user id.

    This change makes it so that the initiator object for CADF
    notifications always contains the username for a user as well
    as the user id. This follows along with the CADF standard
    for OpenStack[0].

    [0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12

    Closes-Bug: #1856904

    Change-Id: I833e6e0d7792acf49f816050ad7a63e8ea4f702f
    (cherry picked from commit 95edaaab06c6da761411ef97bc2545d86d579215)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.2.0

This issue was fixed in the openstack/keystone 14.2.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.