| 2023-04-05 10:13:20 |
Pavlo Shchelokovskyy |
description |
This is directly related to a very old bug https://bugs.launchpad.net/keystonemiddleware/+bug/1421858
Currently enabling audit middleware will result in _any_ authenticated request producing the following or similar line in the logs:
2023-04-04 08:00:23.563274 /var/lib/openstack/lib/python3.8/site-packages/pycadf/identifier.py:71: UserWarning: Invalid uuid: nova. To ensure interoperability, identifiers should be a valid uuid.
2023-04-04 08:00:23.563279 warnings.warn(('Invalid uuid: %s. To ensure interoperability, '
I tracked it down to the 'target id' being set to name instead of id by the audit middleware [0] because when generating the catalog to set on request, the auth_token middleware drops the endpoint ids [1].
We can not possibly explicitly ignore all the service names in pyCADF to exclude them from 'is it uuid' check as it is done for some values like 'default' [2].
Instead, we should rather re-instate endpoint IDs in the catalog, or use the service id as the 'target id' if we do not want to puff the catalog too much (not sure how crucial for the audit system is knowing if the request came from public or internal endpoint, besides current code in audit middleware does not try to distinguish that anyway [0], as it always tries to take the id of the first endpoint).
[0] https://opendev.org/openstack/keystonemiddleware/src/branch/stable/2023.1/keystonemiddleware/audit/_api.py#L199
[1] https://opendev.org/openstack/keystonemiddleware/src/branch/stable/2023.1/keystonemiddleware/auth_token/_request.py#L19-L49
[2] https://opendev.org/openstack/pycadf/src/tag/3.1.1/pycadf/identifier.py#L36 |
This is directly related to a very old bug https://bugs.launchpad.net/keystonemiddleware/+bug/1421858
Currently enabling audit middleware will result in _any_ authenticated request producing the following or similar line in the logs:
2023-04-04 08:00:23.563274 /var/lib/openstack/lib/python3.8/site-packages/pycadf/identifier.py:71: UserWarning: Invalid uuid: nova. To ensure interoperability, identifiers should be a valid uuid.
2023-04-04 08:00:23.563279 warnings.warn(('Invalid uuid: %s. To ensure interoperability, '
I tracked it down to the 'target id' being set to 'endpoint name' instead of id by the audit middleware [0] because when generating the catalog to set on request, the auth_token middleware drops the endpoint ids [1].
We can not possibly explicitly ignore all the service names in pyCADF to exclude them from 'is it uuid' check as it is done for some values like 'default' [2].
Instead, we should rather re-instate endpoint IDs in the catalog, or use the service id as the 'target id' if we do not want to puff the catalog too much (not sure how crucial for the audit system is knowing if the request came from public or internal endpoint, besides current code in audit middleware does not try to distinguish that anyway [0], as it always tries to take the id of the first endpoint).
[0] https://opendev.org/openstack/keystonemiddleware/src/branch/stable/2023.1/keystonemiddleware/audit/_api.py#L199
[1] https://opendev.org/openstack/keystonemiddleware/src/branch/stable/2023.1/keystonemiddleware/auth_token/_request.py#L19-L49
[2] https://opendev.org/openstack/pycadf/src/tag/3.1.1/pycadf/identifier.py#L36 |
|
