openstack/deb-ceilometer
Code Issues Proposed changes

Add user_id,project_id traits to audit events

Browse Source 
The ceilometer audit events stored at the ceilometer database
currently don't have user_id/project_id associated with them
even though this information is available as part of the event
message payload. The user_id and project_id information has to
be stored as traits so that there's user/project context for each
event and these traits are required to apply RBAC-based rules
and filters on events. For eg., presence of these traits enable
db queries - like get all events for a project/user against events.
The audit event definition in the events yaml file already stores
payload.initiator.id as initiator_id but the initiator_id trait
is not a common trait across all events and thus this trait cannot
be used to apply RBAC filter against events.This changeset will
thus add user_id and project_id traits to the audit events namely
*.http.* and add useri_id and project_id as default traits for all
events.

DocImpact

Change-Id: If4034342c4e60d519f0ec96ae8895dcf78f8ad3b
blueprint: events-rbac
This commit is contained in:
Divya 2015-08-11 13:17:15 +02:00
parent c18d69a800
commit 6a532111bc
3 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ceilometer/event/converter.py
View File

@ -154,6 +154,12 @@ class EventDefinition(object):
DEFAULT_TRAITS = dict( DEFAULT_TRAITS = dict(
service=dict(type='text', fields='publisher_id'), service=dict(type='text', fields='publisher_id'),
request_id=dict(type='text', fields='_context_request_id'), request_id=dict(type='text', fields='_context_request_id'),
project_id=dict(type='text', fields=['payload.tenant_id',
'_context_tenant']),
user_id=dict(type='text', fields=['payload.user_id',
'_context_user_id']),
# TODO(dikonoor):tenant_id is old terminology and should
# be deprecated
tenant_id=dict(type='text', fields=['payload.tenant_id', tenant_id=dict(type='text', fields=['payload.tenant_id',
'_context_tenant']), '_context_tenant']),
) )

2
doc/source/events.rst
View File

@ -126,6 +126,8 @@ all events if the notification has the relevant data:
* service: (All notifications should have this) notification's publisher * service: (All notifications should have this) notification's publisher
* tenant_id * tenant_id
* request_id * request_id
* project_id
* user_id
These do not have to be specified in the event definition, they are These do not have to be specified in the event definition, they are
automatically added, but their definitions can be overridden for a given automatically added, but their definitions can be overridden for a given

4
etc/ceilometer/event_definitions.yaml
View File

@ -331,6 +331,10 @@
fields: ['payload.ipsec_site_connection.id', 'payload.id'] fields: ['payload.ipsec_site_connection.id', 'payload.id']
- event_type: '*http.*' - event_type: '*http.*'
traits: &http_audit traits: &http_audit
project_id:
fields: payload.initiator.project_id
user_id:
fields: payload.initiator.id
typeURI: typeURI:
fields: payload.typeURI fields: payload.typeURI
eventType: eventType: