Public bug reported:
When enabling CADF notifications and clearing the notification_opt_out
setting[0] (which cause keystone to be more chatty with notifications)
in order to audit identity.authenticate events, keystone (sometimes)
emits a notification for the identity.authentication event where the
initiator's ID is a random UUID that doesn't match up to a user.
An example of this is shown below, where keystone only has one user
(admin). The config values for enabling CADF notifications were set
here:
DEFAULT:
notification_format: cadf
notification_opt_out: ""
oslo_messaging_notifications:
driver: messagingv2
ubuntu@zbook:~$ openstack --os-cloud openstack_helm token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value
|
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-07-07T10:55:00+0000
|
| id |
gAAAAABbP_NE7uqaSEN6dDR4sEDB5N0EvOA085lp82_puZmDxeVV16ulJ_4wCp_FR7suulqGyOf078kXWabvbL8jn45pBS95qRHfJeHDYZtf-mDsjFWm22YaiwqYnSUImz3Y2HsCD9ps_oJgwc2BHQUHHIYCiQeWQ-XmkzEvlc6tqQwflWFhHoM
|
| project_id | f9e2428b6863443f85bcbb11ac6c300e
|
| user_id | 37d3c436d45347529926a4887607d01b
|
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672
--vhost="keystone" --username=superuser --password=123456 get
queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head
-n +1
| notifications.info | keystone | 0 | {"oslo.message":
"{\"priority\": \"INFO\", \"_unique_id\":
\"c4180ddc9500419898d6dd89086c1a0a\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2018-07-06
22:55:00.205671\", \"publisher_id\": \"identity.keystone-api-
7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\":
\"http://schemas.dmtf.org/cloud/audit/1.0/event\";, \"initiator\":
{\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\":
\"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4
CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\":
\"936c1487-eff3-59cc-b424-096cff3cd6e9\"}, \"target\": {\"typeURI\":
\"service/security/account/user\", \"id\": \"932768de-4bf4-5c83-88cc-
11f33f39cba9\"}, \"observer\": {\"typeURI\": \"service/security\",
\"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\":
\"activity\", \"eventTime\": \"2018-07-06T22:55:00.205401+0000\",
\"action\": \"authenticate\", \"outcome\": \"success\", \"id\":
\"bf658c41-24b5-5075-9aee-64e6b3db92cc\"}, \"message_id\":
\"b1026bd5-c0d2-48af-adec-dc44c2e1a46b\"}", "oslo.version": "2.0"} |
1054 | string | False |
ubuntu@zbook:~$ openstack --os-cloud openstack_helm user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 37d3c436d45347529926a4887607d01b | admin |
+----------------------------------+-------+
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672
--vhost="keystone" --username=superuser --password=123456 get
queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head
-n +1
| notifications.info | keystone | 1 | {"oslo.message":
"{\"priority\": \"INFO\", \"_unique_id\":
\"c0fa7577c07a4de39013f41b33185489\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2018-07-06
22:56:45.534129\", \"publisher_id\": \"identity.keystone-api-
7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\":
\"http://schemas.dmtf.org/cloud/audit/1.0/event\";, \"initiator\":
{\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\":
\"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4
CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\":
\"129bfaf0-a8e3-579b-9030-0a5917547b46\"}, \"target\": {\"typeURI\":
\"service/security/account/user\", \"id\": \"f67acddd-78df-
58f1-be93-dcb196e44a9e\"}, \"observer\": {\"typeURI\":
\"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"},
\"eventType\": \"activity\", \"eventTime\":
\"2018-07-06T22:56:45.533872+0000\", \"action\": \"authenticate\",
\"outcome\": \"success\", \"id\":
\"50468200-4b87-5a8a-b855-d25e8721ccea\"}, \"message_id\":
\"cd9fe069-c0f6-4d3e-af65-f288cbb90f41\"}", "oslo.version": "2.0"} |
1054 | string | False |
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672
--vhost="keystone" --username=superuser --password=123456 get
queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head
-n +1
| notifications.info | keystone | 0 | {"oslo.message":
"{\"priority\": \"INFO\", \"_unique_id\":
\"e13c4eb09440496cb80b2297a61c12b8\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2018-07-06
22:56:45.572963\", \"publisher_id\": \"identity.keystone-api-
7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\":
\"http://schemas.dmtf.org/cloud/audit/1.0/event\";, \"initiator\":
{\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\":
\"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4
CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\":
\"38cee0b3-9b7f-5905-95f1-fa6cf61a637d\"}, \"target\": {\"typeURI\":
\"service/security/account/user\", \"id\":
\"3c9cdad0-a0f4-5151-ab44-da09add4be49\"}, \"observer\": {\"typeURI\":
\"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"},
\"eventType\": \"activity\", \"eventTime\":
\"2018-07-06T22:56:45.572690+0000\", \"action\": \"authenticate\",
\"outcome\": \"success\", \"id\": \"1b0d8ade-f94a-517c-
a9f6-fb3df0a2c8c1\"}, \"message_id\": \"c8a55a89-908c-
49c0-a0b2-9002fccecb03\"}", "oslo.version": "2.0"} | 1054 |
string | False |
[0]
https://github.com/openstack/keystone/blob/master/keystone/conf/default.py#L221
** Affects: keystone
Importance: Undecided
Assignee: Gage Hugo (gagehugo)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780503
Title:
identity.authenticate CADF initiator id is random
Status in OpenStack Identity (keystone):
New
Bug description:
When enabling CADF notifications and clearing the notification_opt_out
setting[0] (which cause keystone to be more chatty with notifications)
in order to audit identity.authenticate events, keystone (sometimes)
emits a notification for the identity.authentication event where the
initiator's ID is a random UUID that doesn't match up to a user.
An example of this is shown below, where keystone only has one user
(admin). The config values for enabling CADF notifications were set
here:
DEFAULT:
notification_format: cadf
notification_opt_out: ""
oslo_messaging_notifications:
driver: messagingv2
ubuntu@zbook:~$ openstack --os-cloud openstack_helm token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value
|
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-07-07T10:55:00+0000
|
| id |
gAAAAABbP_NE7uqaSEN6dDR4sEDB5N0EvOA085lp82_puZmDxeVV16ulJ_4wCp_FR7suulqGyOf078kXWabvbL8jn45pBS95qRHfJeHDYZtf-mDsjFWm22YaiwqYnSUImz3Y2HsCD9ps_oJgwc2BHQUHHIYCiQeWQ-XmkzEvlc6tqQwflWFhHoM
|
| project_id | f9e2428b6863443f85bcbb11ac6c300e
|
| user_id | 37d3c436d45347529926a4887607d01b
|
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672
--vhost="keystone" --username=superuser --password=123456 get
queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head
-n +1
| notifications.info | keystone | 0 | {"oslo.message":
"{\"priority\": \"INFO\", \"_unique_id\":
\"c4180ddc9500419898d6dd89086c1a0a\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2018-07-06
22:55:00.205671\", \"publisher_id\": \"identity.keystone-api-
7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\":
\"http://schemas.dmtf.org/cloud/audit/1.0/event\";, \"initiator\":
{\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\":
\"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4
CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\":
\"936c1487-eff3-59cc-b424-096cff3cd6e9\"}, \"target\": {\"typeURI\":
\"service/security/account/user\", \"id\": \"932768de-4bf4-5c83-88cc-
11f33f39cba9\"}, \"observer\": {\"typeURI\": \"service/security\",
\"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\":
\"activity\", \"eventTime\": \"2018-07-06T22:55:00.205401+0000\",
\"action\": \"authenticate\", \"outcome\": \"success\", \"id\":
\"bf658c41-24b5-5075-9aee-64e6b3db92cc\"}, \"message_id\":
\"b1026bd5-c0d2-48af-adec-dc44c2e1a46b\"}", "oslo.version": "2.0"} |
1054 | string | False |
ubuntu@zbook:~$ openstack --os-cloud openstack_helm user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 37d3c436d45347529926a4887607d01b | admin |
+----------------------------------+-------+
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672
--vhost="keystone" --username=superuser --password=123456 get
queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head
-n +1
| notifications.info | keystone | 1 | {"oslo.message":
"{\"priority\": \"INFO\", \"_unique_id\":
\"c0fa7577c07a4de39013f41b33185489\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2018-07-06
22:56:45.534129\", \"publisher_id\": \"identity.keystone-api-
7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\":
\"http://schemas.dmtf.org/cloud/audit/1.0/event\";, \"initiator\":
{\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\":
\"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4
CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\":
\"129bfaf0-a8e3-579b-9030-0a5917547b46\"}, \"target\": {\"typeURI\":
\"service/security/account/user\", \"id\": \"f67acddd-78df-
58f1-be93-dcb196e44a9e\"}, \"observer\": {\"typeURI\":
\"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"},
\"eventType\": \"activity\", \"eventTime\":
\"2018-07-06T22:56:45.533872+0000\", \"action\": \"authenticate\",
\"outcome\": \"success\", \"id\":
\"50468200-4b87-5a8a-b855-d25e8721ccea\"}, \"message_id\":
\"cd9fe069-c0f6-4d3e-af65-f288cbb90f41\"}", "oslo.version": "2.0"} |
1054 | string | False |
ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672
--vhost="keystone" --username=superuser --password=123456 get
queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head
-n +1
| notifications.info | keystone | 0 | {"oslo.message":
"{\"priority\": \"INFO\", \"_unique_id\":
\"e13c4eb09440496cb80b2297a61c12b8\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2018-07-06
22:56:45.572963\", \"publisher_id\": \"identity.keystone-api-
7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\":
\"http://schemas.dmtf.org/cloud/audit/1.0/event\";, \"initiator\":
{\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\":
\"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4
CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\":
\"38cee0b3-9b7f-5905-95f1-fa6cf61a637d\"}, \"target\": {\"typeURI\":
\"service/security/account/user\", \"id\":
\"3c9cdad0-a0f4-5151-ab44-da09add4be49\"}, \"observer\": {\"typeURI\":
\"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"},
\"eventType\": \"activity\", \"eventTime\":
\"2018-07-06T22:56:45.572690+0000\", \"action\": \"authenticate\",
\"outcome\": \"success\", \"id\": \"1b0d8ade-f94a-517c-
a9f6-fb3df0a2c8c1\"}, \"message_id\": \"c8a55a89-908c-
49c0-a0b2-9002fccecb03\"}", "oslo.version": "2.0"} | 1054 |
string | False |
[0]
https://github.com/openstack/keystone/blob/master/keystone/conf/default.py#L221
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1780503/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
