diff --git a/keystone/api/credentials.py b/keystone/api/credentials.py
index 9487f19145..15cabe9e6c 100644
--- a/keystone/api/credentials.py
+++ b/keystone/api/credentials.py
@@ -139,7 +139,8 @@ class CredentialResource(ks_flask.ResourceBase):
 trust_id = getattr(self.oslo_context, 'trust_id', None)
 ref = self._assign_unique_id(
 self._normalize_dict(credential), trust_id=trust_id)
- ref = PROVIDERS.credential_api.create_credential(ref['id'], ref)
+ ref = PROVIDERS.credential_api.create_credential(ref['id'], ref,
+ initiator=self.audit_initiator)
 return self.wrap_member(ref), http_client.CREATED
 def patch(self, credential_id):
@@ -164,7 +165,8 @@ class CredentialResource(ks_flask.ResourceBase):
 build_target=_build_target_enforcement
 )
- return (PROVIDERS.credential_api.delete_credential(credential_id),
+ return (PROVIDERS.credential_api.delete_credential(credential_id,
+ initiator=self.audit_initiator),
 http_client.NO_CONTENT)
diff --git a/keystone/credential/core.py b/keystone/credential/core.py
index 900a45e164..5a32ef8b29 100644
--- a/keystone/credential/core.py
+++ b/keystone/credential/core.py
@@ -22,6 +22,7 @@ from keystone.common import manager
 from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
+from keystone import notifications
 CONF = keystone.conf.CONF
@@ -40,6 +41,8 @@ class Manager(manager.Manager):
 driver_namespace = 'keystone.credential'
 _provides_api = 'credential_api'
+ _CRED = 'credential'
+
 def __init__(self):
 super(Manager, self).__init__(CONF.credential.driver)
@@ -112,7 +115,8 @@ class Manager(manager.Manager):
 def _get_credential(self, credential_id):
 return self.driver.get_credential(credential_id)
- def create_credential(self, credential_id, credential):
+ def create_credential(self, credential_id, credential,
+ initiator=None):
 """Create a credential."""
 credential_copy = self._encrypt_credential(credential)
 ref = self.driver.create_credential(credential_id, credential_copy)
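Review bot: Credential updates stay outside the audit trail: the `patch` handler that appears as context between the two changed calls in keystone/api/credentials.py is not touched, so rewriting a stored secret would emit no event while create and delete now do. Forward `initiator=self.audit_initiator` to `update_credential` and have the manager call `notifications.Audit.updated(self._CRED, credential_id, initiator)` before it returns the updated ref. The body of `patch` lies outside these hunks, so confirm it is not already audited elsewhere before adding the call.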
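Review bot: The new `initiator` parameter on `create_credential` is undocumented and defaults to `None`, so any caller that is not updated hands `None` to the audit call and presumably produces a record with no actor. Extend the one-line docstring with `:param initiator: CADF initiator of the request, recorded in the audit notification; None when called outside a request context`. It is also worth checking whether other callers of this manager method, none of which are visible here, have an initiator they should forward. The same applies to `delete_credential` in the later hunk; both method bodies continue past their hunks.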
@@ -129,6 +133,10 @@ class Manager(manager.Manager):
 ref.pop('key_hash', None)
 ref.pop('encrypted_blob', None)
 ref['blob'] = credential['blob']
+ notifications.Audit.created(
+ self._CRED,
+ credential_id,
+ initiator)
 return ref
 def _validate_credential_update(self, credential_id, credential):
@@ -172,7 +180,8 @@ class Manager(manager.Manager):
 ref['blob'] = existing_blob
 return ref
- def delete_credential(self, credential_id):
+ def delete_credential(self, credential_id,
+ initiator=None):
 """Delete a credential."""
 cred = self.get_credential(credential_id)
 self.driver.delete_credential(credential_id)
@@ -183,6 +192,8 @@ class Manager(manager.Manager):
 self._list_credentials_for_user.invalidate(self,
 cred['user_id'],
 None)
+ notifications.Audit.deleted(
+ self._CRED, credential_id, initiator)
 def delete_credentials_for_project(self, project_id):
 """Delete all credentials for a project."""
diff --git a/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
new file mode 100644
index 0000000000..33a355cc5d
--- /dev/null
+++ b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1831918 `_]
+ Credentials now logs cadf audit messages.
+
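Review bot: Nothing at the added `notifications.Audit.created(...)` call explains why it passes only the id, even though the line just above it puts the caller's unencrypted `blob` back into `ref`. A comment such as `# Audit the id only; ref now holds the plaintext blob and must not reach the notifier.` would guard against a later refactor handing `ref` to the notification. The visible diff also adds no test; one asserting that create and delete each emit an event for the 'credential' resource type carrying the request initiator would pin the behaviour. The top of `create_credential` is in an earlier hunk.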
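Review bot: `delete_credentials_for_project`, whose definition starts in the trailing context of the `Audit.deleted` hunk, is left unchanged, so credentials removed in bulk with a project (and presumably by the per-user equivalent) would vanish without a deleted event. If per-credential records are wanted, emit one `notifications.Audit.deleted(self._CRED, <credential id>, initiator)` for each removed credential. Otherwise add a comment on the bulk method stating that the parent resource's own deletion event is the audit record. That method's body is outside the hunk, so the gap is inferred from it being untouched.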