Enable CADF notification format by default

The current default notification format is set to ``basic``, the home-brewed
openstack-styled format.  Since all new notifications have adhered to the
CADF format, we should switch to use CADF format by default, which provides
compatibility with the older format.

Also, messages for the following authentication events are squelched due
to their chattiness:

* identity.authenticate.success
* identity.authenticate.pending
* identity.authenticate.failed

Change-Id: I6dd3a52319bd59aa5ef856e6d99b5a1d7c37e371
Closes-Bug: #1641660

keystone/conf/default.py

@@ -202,7 +202,7 @@ will default to using the server's host name.
 
 notification_format = cfg.StrOpt(
     'notification_format',
-    default='basic',
+    default='cadf',
     choices=['basic', 'cadf'],
     help=utils.fmt("""
 Define the notification format for identity service events. A `basic`
@@ -215,14 +215,18 @@ auditing use cases.
 
 notification_opt_out = cfg.MultiStrOpt(
     'notification_opt_out',
-    default=[],
+    default=["identity.authenticate.success",
+             "identity.authenticate.pending",
+             "identity.authenticate.failed"],
     help=utils.fmt("""
-If left undefined, keystone will emit notifications for all types of events.
-You can reduce the number of notifications keystone emits by using this option
-to enumerate notification topics that should be suppressed. Values are expected
-to be in the form `identity.<resource_type>.<operation>`. This field can be set
-multiple times in order to opt-out of multiple notification topics. For
-example:
+You can reduce the number of notifications keystone emits by explicitly
+opting out. Keystone will not emit notifications that match the patterns
+expressed in this list. Values are expected to be in the form of
+`identity.<resource_type>.<operation>`. By default, all notifications
+related to authentication are automatically suppressed. This field can be
+set multiple times in order to opt-out of multiple notification topics. For
+example, the following suppresses notifications describing user creation or
+successful authentication events:
 notification_opt_out=identity.user.create
 notification_opt_out=identity.authenticate.success
 """))

keystone/tests/unit/common/test_notifications.py

@@ -122,6 +122,9 @@ class NotificationsTestCase(unit.BaseTestCase):
         resource_type = EXP_RESOURCE_TYPE
         operation = CREATED_OPERATION
 
+        conf = self.useFixture(config_fixture.Config(CONF))
+        conf.config(notification_format='basic')
+
         # NOTE(ldbragst): Even though notifications._send_notification doesn't
         # contain logic that creates cases, this is supposed to test that
         # context is always empty and that we ensure the resource ID of the

releasenotes/notes/enable-cadf-notification-format-by-default-f938267e1ec54071.yaml

@@ -0,0 +1,12 @@
+---
+fixes:
+  - Changed the default notification from ``basic`` to ``cadf``.
+  - Added ``identity.authenticate.success``, ``identity.authenticate.pending``
+    and ``identity.authenticate.failed`` as default for
+    ``notification_opt_out``.
+upgrade:
+  - The default setting for ``notification_opt_out`` is changed to include
+    ``identity.authenticate.success``, ``identity.authenticate.pending`` and
+    ``identity.authenticate.failed``. If a deployment relies on these
+    notifications, then override the default ``notification_opt_out`` setting
+    by explicitly specifying the notifications to suppress.