Lack of project and domain information in audit logs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Unassigned |
Bug Description
In our cloud build we have the Train release of keystone.
It is expected to find some extended info in the initiator block of the audit log: user id, domain id, domain name. But there is only user_id.
Also, there is no data for domain id, domain name, project id and authentication scope in the target block.
The Keystone RBAC model supports allowing one domain's users access to another.
Now we lack user and domain information for these two blocks in the audit section for such cases.
At the moment, the authentication message looks like this:
{
"message_id": "f81d337f-
"publisher_id": "identity.<node name>",
"event_type": "identity.
"priority": "INFO",
"payload": {
"typeURI": "http://
"eventType": "activity",
"id": "721b1fba-
"eventTime": "2021-02-
"action": "authenticate",
"outcome": "success",
"observer": {
"id": "ebd9684ee6154f
"typeURI": "service/security"
},
"initiator": {
"id": "d0be769053234c
"typeURI": "service/
"host": {
"address": "10.10.0.222",
"agent": "airflow keystoneauth1/4.3.0 python-
},
"request_id": "req-4275e914-
"user_id": "<User ID here>",
"username": "<User name here>"
},
"target": {
"id": "436fe84b-
"typeURI": "service/
}
},
"timestamp": "2021-02-02 11:58:36.726087"
}
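A completeness check for authenticate notifications, added here as an example; it is not code from the report or from keystone. The key names `domain_id`, `domain_name`, `project_id` and `scope` are assumptions, since the report names the missing data only in prose, and the sample events are constructed with placeholder ids.

```python
import json

# Assumed key names: only user_id and username appear in the reported message.
EXPECTED = {
    "initiator": ("user_id", "domain_id", "domain_name"),
    "target": ("domain_id", "domain_name", "project_id", "scope"),
}

def missing_context(notification):
    """Return {block: [absent keys]} for an authenticate event, {} otherwise."""
    payload = notification.get("payload") if isinstance(notification, dict) else None
    if not isinstance(payload, dict) or payload.get("action") != "authenticate":
        return {}
    gaps = {}
    for block, keys in EXPECTED.items():
        section = payload.get(block)
        section = section if isinstance(section, dict) else {}
        # Treat empty strings and nulls as absent: they carry no audit value.
        absent = [k for k in keys if section.get(k) in (None, "")]
        if absent:
            gaps[block] = absent
    return gaps

def scan(lines):
    """Check one JSON notification per line; unparsable lines are reported, not skipped."""
    findings = []
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            findings.append((number, {"parse_error": ["invalid JSON"]}))
            continue
        gaps = missing_context(event)
        if gaps:
            findings.append((number, gaps))
    return findings

# Constructed samples; every id is a placeholder, not a value from the report.
AS_REPORTED = {"payload": {"action": "authenticate", "outcome": "success",
    "initiator": {"id": "INITIATOR-ID", "user_id": "USER-ID", "username": "demo"},
    "target": {"id": "TARGET-ID"}}}
ENRICHED = {"payload": {"action": "authenticate", "outcome": "success",
    "initiator": {"user_id": "USER-ID", "domain_id": "DOMAIN-ID", "domain_name": "Default"},
    "target": {"domain_id": "DOMAIN-ID", "domain_name": "Default",
               "project_id": "PROJECT-ID", "scope": "project"}}}
SAMPLE_LINES = [json.dumps(AS_REPORTED), json.dumps(ENRICHED), '{"payload": {"trunc']

if __name__ == "__main__":
    for number, gaps in scan(SAMPLE_LINES):
        print(number, gaps)
```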