Reviewed:  https://review.opendev.org/699013
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=95edaaab06c6da761411ef97bc2545d86d579215
Submitter: Zuul
Branch:    master

commit 95edaaab06c6da761411ef97bc2545d86d579215
Author: Gage Hugo <[email protected]>
Date:   Fri Dec 13 14:25:28 2019 -0600

    Always have username in CADF initiator

    The current initiator object for CADF notifications does not
    include the username of the user who initiated the action, which
    leads to issues when using an LDAP backend and not having a direct
    way to map a username to a user id.

    This change makes it so that the initiator object for CADF
    notifications always contains the username for a user as well
    as the user id. This follows along with the CADF standard for
    OpenStack[0].

    [0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12

    Closes-Bug: #1856904
    Change-Id: I833e6e0d7792acf49f816050ad7a63e8ea4f702f

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1856904

Title:
  CADF Notifications are missing user name in initiator object

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When enabling CADF notifications, each event notification contains an
  initiator object; this object contains an id, typeuri, project_id,
  etc. This notification is useful for auditors to determine who has
  authenticated and/or what action a user has performed.

  The various examples in the OpenStack CADF standard[0] show a user
  name as part of the initiator; however, most notifications only contain
  the user_id. For deployments that contain non-local users, this only
  provides a UUID as the user_id, and it is not immediately clear which
  user performed an action. Additional work has to be done, either
  manually or via an alerting process, to query each user_id against
  keystone to determine which user performed what action.

  To better conform to the standard[0], keystone should be including
  usernames as part of the initiator object.

  [0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12
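
An audit-side sketch of the problem described in the bug, added here as an example and not part of keystone or the original report: it groups CADF events by initiator and lists the user ids that still need a lookup against keystone. The `username` key name, the `u-...` ids and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not captured from a real deployment).
# Assumption: the user name is carried as initiator["username"]; the report
# only says the initiator should contain the username next to the user id.
SAMPLE_EVENTS = [
    {"action": "authenticate", "outcome": "success",
     "initiator": {"id": "u-1111", "user_id": "u-1111"}},
    {"action": "created.project", "outcome": "success",
     "initiator": {"id": "u-1111", "user_id": "u-1111", "username": "alice"}},
    {"action": "authenticate", "outcome": "failure",
     "initiator": {"id": "u-2222", "user_id": "u-2222"}},
    {"action": "deleted.role_assignment", "outcome": "success",
     "initiator": {"id": "u-3333", "user_id": "u-3333", "username": "  "}},
]


def initiator_identity(event):
    """Return (user_id, username or None) for one CADF event dict."""
    initiator = event.get("initiator") or {}
    user_id = initiator.get("user_id") or initiator.get("id")
    name = initiator.get("username")
    # Treat a missing, non-string or blank name as "not provided".
    name = name.strip() if isinstance(name, str) else ""
    return user_id, (name or None)


def audit_summary(events):
    """Group (action, outcome) per initiator and report unresolved ids.

    A name seen in any event resolves every other event from the same
    user id, so only ids that never carried a name need a keystone lookup.
    """
    actions = defaultdict(list)
    names = {}
    for event in events:
        user_id, name = initiator_identity(event)
        key = user_id if user_id is not None else "<no-initiator>"
        actions[key].append((event.get("action"), event.get("outcome")))
        if name:
            names[key] = name
    unresolved = sorted(uid for uid in actions if uid not in names)
    return dict(actions), names, unresolved


if __name__ == "__main__":
    _, known, todo = audit_summary(SAMPLE_EVENTS)
    print("resolved from events:", known)
    print("still need a keystone lookup:", todo)
```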

