Public bug reported:

When enabling CADF notifications and clearing the notification_opt_out setting[0] (which causes keystone to be more chatty with notifications) in order to audit identity.authenticate events, keystone (sometimes) emits a notification for the identity.authentication event where the initiator's ID is a random UUID that doesn't match up to a user.

An example of this is shown below, where keystone only has one user (admin).

The config values for enabling CADF notifications were set here:

DEFAULT:
  notification_format: cadf
  notification_opt_out: ""
oslo_messaging_notifications:
  driver: messagingv2

ubuntu@zbook:~$ openstack --os-cloud openstack_helm token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-07-07T10:55:00+0000 |
| id         | gAAAAABbP_NE7uqaSEN6dDR4sEDB5N0EvOA085lp82_puZmDxeVV16ulJ_4wCp_FR7suulqGyOf078kXWabvbL8jn45pBS95qRHfJeHDYZtf-mDsjFWm22YaiwqYnSUImz3Y2HsCD9ps_oJgwc2BHQUHHIYCiQeWQ-XmkzEvlc6tqQwflWFhHoM |
| project_id | f9e2428b6863443f85bcbb11ac6c300e |
| user_id    | 37d3c436d45347529926a4887607d01b |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
| notifications.info | keystone | 0 | {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \"c4180ddc9500419898d6dd89086c1a0a\", \"event_type\": \"identity.authenticate\", \"timestamp\": \"2018-07-06 22:55:00.205671\", \"publisher_id\": \"identity.keystone-api-7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\": {\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\": \"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4 CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\": \"936c1487-eff3-59cc-b424-096cff3cd6e9\"}, \"target\": {\"typeURI\": \"service/security/account/user\", \"id\": \"932768de-4bf4-5c83-88cc-11f33f39cba9\"}, \"observer\": {\"typeURI\": \"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\": \"activity\", \"eventTime\": \"2018-07-06T22:55:00.205401+0000\", \"action\": \"authenticate\", \"outcome\": \"success\", \"id\": \"bf658c41-24b5-5075-9aee-64e6b3db92cc\"}, \"message_id\": \"b1026bd5-c0d2-48af-adec-dc44c2e1a46b\"}", "oslo.version": "2.0"} | 1054 | string | False |

ubuntu@zbook:~$ openstack --os-cloud openstack_helm user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 37d3c436d45347529926a4887607d01b | admin |
+----------------------------------+-------+

ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
| notifications.info | keystone | 1 | {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \"c0fa7577c07a4de39013f41b33185489\", \"event_type\": \"identity.authenticate\", \"timestamp\": \"2018-07-06 22:56:45.534129\", \"publisher_id\": \"identity.keystone-api-7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\": {\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\": \"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4 CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\": \"129bfaf0-a8e3-579b-9030-0a5917547b46\"}, \"target\": {\"typeURI\": \"service/security/account/user\", \"id\": \"f67acddd-78df-58f1-be93-dcb196e44a9e\"}, \"observer\": {\"typeURI\": \"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\": \"activity\", \"eventTime\": \"2018-07-06T22:56:45.533872+0000\", \"action\": \"authenticate\", \"outcome\": \"success\", \"id\": \"50468200-4b87-5a8a-b855-d25e8721ccea\"}, \"message_id\": \"cd9fe069-c0f6-4d3e-af65-f288cbb90f41\"}", "oslo.version": "2.0"} | 1054 | string | False |

ubuntu@zbook:~$ python rabbitmqadmin --host=[redacted] --port=15672 --vhost="keystone" --username=superuser --password=123456 get queue=notifications.info ackmode=ack_requeue_false | tail -n +4 | head -n +1
| notifications.info | keystone | 0 | {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \"e13c4eb09440496cb80b2297a61c12b8\", \"event_type\": \"identity.authenticate\", \"timestamp\": \"2018-07-06 22:56:45.572963\", \"publisher_id\": \"identity.keystone-api-7d5c6cff4-g9dvd\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"initiator\": {\"typeURI\": \"service/security/account/user\", \"host\": {\"agent\": \"osc-lib/1.10.0 keystoneauth1/3.7.0 python-requests/2.18.4 CPython/2.7.12\", \"address\": \"[redacted]\"}, \"id\": \"38cee0b3-9b7f-5905-95f1-fa6cf61a637d\"}, \"target\": {\"typeURI\": \"service/security/account/user\", \"id\": \"3c9cdad0-a0f4-5151-ab44-da09add4be49\"}, \"observer\": {\"typeURI\": \"service/security\", \"id\": \"9e53891b98b84bb898c0419e16426eca\"}, \"eventType\": \"activity\", \"eventTime\": \"2018-07-06T22:56:45.572690+0000\", \"action\": \"authenticate\", \"outcome\": \"success\", \"id\": \"1b0d8ade-f94a-517c-a9f6-fb3df0a2c8c1\"}, \"message_id\": \"c8a55a89-908c-49c0-a0b2-9002fccecb03\"}", "oslo.version": "2.0"} | 1054 | string | False |

[0] https://github.com/openstack/keystone/blob/master/keystone/conf/default.py#L221

** Affects: keystone
     Importance: Undecided
     Assignee: Gage Hugo (gagehugo)
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780503

Title:
  identity.authenticate CADF initiator id is random

Status in OpenStack Identity (keystone):
  New
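An added example, not part of the original report and not keystone code: a check an audit consumer could run on each messagingv2 envelope to flag identity.authenticate events whose initiator ID does not resolve to a known user. The function names and the trimmed sample envelope are assumptions constructed for illustration; the two IDs in the sample are copied from the report.

```python
import json
import uuid


def make_envelope(initiator_id, event_type="identity.authenticate"):
    """Constructed sample: an envelope trimmed to the fields the check reads."""
    message = {
        "event_type": event_type,
        "payload": {
            "initiator": {"typeURI": "service/security/account/user",
                          "id": initiator_id},
            "action": "authenticate",
            "outcome": "success",
        },
    }
    # As in the report, the notification body is a JSON string nested
    # inside the outer envelope, so it is encoded twice.
    return json.dumps({"oslo.message": json.dumps(message),
                       "oslo.version": "2.0"})


def normalize_id(value):
    """Lowercase 32-hex form, so dashed and undashed IDs compare equal."""
    try:
        return uuid.UUID(value).hex
    except (ValueError, AttributeError, TypeError):
        return str(value).lower()


def uuid_version(value):
    """UUID version of an ID, or None if it is not a parseable UUID."""
    try:
        return uuid.UUID(value).version
    except (ValueError, AttributeError, TypeError):
        return None


def check_initiator(envelope_json, known_user_ids):
    """Return a finding for identity.authenticate events, None for others."""
    message = json.loads(json.loads(envelope_json)["oslo.message"])
    if message.get("event_type") != "identity.authenticate":
        return None
    payload = message.get("payload", {})
    initiator_id = payload.get("initiator", {}).get("id", "")
    known = {normalize_id(u) for u in known_user_ids}
    return {
        "initiator_id": initiator_id,
        "outcome": payload.get("outcome"),
        "uuid_version": uuid_version(initiator_id),
        "resolves_to_user": normalize_id(initiator_id) in known,
    }


KNOWN_USER_IDS = {"37d3c436d45347529926a4887607d01b"}  # the admin user in the report
REPORTED_INITIATOR = "936c1487-eff3-59cc-b424-096cff3cd6e9"  # first event in the report
```

For the IDs on this page the version field also separates the two cases: every initiator ID in the report parses as a version 5 UUID, while the admin user ID parses as version 4.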