Add cadf auditing to credentials
Added audit logging to credentials. This backport differs slightly from the original patch, because this branch lacks the "adds caching of credentials" patch found in commit 479a2a0afa
and we were not able to backport it. Also, since there was no flask support on stable/queens we needed to backport the audit initiator on keystone/api/credentials.py stable/rocky: https://review.opendev.org/#/c/711547 stable/stein: https://review.opendev.org/#/c/711545 master: https://review.opendev.org/#/c/664618 Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541 (cherry picked from commitabf5cb6a55
)
parent
487c7276c7
commit
654dd5ee47
|
@ -86,7 +86,8 @@ class CredentialV3(controller.V3Controller):
|
|||
trust_id=trust_id,
|
||||
app_cred_id=app_cred_id,
|
||||
access_token_id=access_token_id)
|
||||
ref = PROVIDERS.credential_api.create_credential(ref['id'], ref)
|
||||
ref = PROVIDERS.credential_api.create_credential(
|
||||
ref['id'], ref, initiator=request.audit_initiator)
|
||||
return CredentialV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@staticmethod
|
||||
|
@ -147,4 +148,5 @@ class CredentialV3(controller.V3Controller):
|
|||
|
||||
@controller.protected()
|
||||
def delete_credential(self, request, credential_id):
|
||||
return PROVIDERS.credential_api.delete_credential(credential_id)
|
||||
return (PROVIDERS.credential_api.delete_credential(credential_id,
|
||||
initiator=request.audit_initiator))
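Review bot: The new return in `delete_credential` wraps the whole call in an extra pair of parentheses and hangs `initiator=` under the inner one, whereas the `create_credential` call in this file's first hunk breaks after the opening parenthesis. The same layout would read better here: `return PROVIDERS.credential_api.delete_credential(` followed by `credential_id, initiator=request.audit_initiator)`. No test change is visible on this page, so nothing shown checks that the controller forwards `request.audit_initiator`; an assertion on the emitted notification for both create and delete would pin that. The create method begins outside its hunk.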
|
||||
|
|
|
@ -21,6 +21,7 @@ from keystone.common import manager
|
|||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone import notifications
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
|
@ -38,6 +39,8 @@ class Manager(manager.Manager):
|
|||
driver_namespace = 'keystone.credential'
|
||||
_provides_api = 'credential_api'
|
||||
|
||||
_CRED = 'credential'
|
||||
|
||||
def __init__(self):
|
||||
super(Manager, self).__init__(CONF.credential.driver)
|
||||
|
||||
|
@ -102,13 +105,18 @@ class Manager(manager.Manager):
|
|||
credential = self.driver.get_credential(credential_id)
|
||||
return self._decrypt_credential(credential)
|
||||
|
||||
def create_credential(self, credential_id, credential):
|
||||
def create_credential(self, credential_id, credential,
|
||||
initiator=None):
|
||||
"""Create a credential."""
|
||||
credential_copy = self._encrypt_credential(credential)
|
||||
ref = self.driver.create_credential(credential_id, credential_copy)
|
||||
ref.pop('key_hash', None)
|
||||
ref.pop('encrypted_blob', None)
|
||||
ref['blob'] = credential['blob']
|
||||
notifications.Audit.created(
|
||||
self._CRED,
|
||||
credential_id,
|
||||
initiator)
|
||||
return ref
|
||||
|
||||
def _validate_credential_update(self, credential_id, credential):
|
||||
|
@ -143,3 +151,10 @@ class Manager(manager.Manager):
|
|||
else:
|
||||
ref['blob'] = existing_blob
|
||||
return ref
|
||||
|
||||
def delete_credential(self, credential_id,
|
||||
initiator=None):
|
||||
"""Delete a credential."""
|
||||
self.driver.delete_credential(credential_id)
|
||||
notifications.Audit.deleted(
|
||||
self._CRED, credential_id, initiator)
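Review bot: Credential updates still emit no audit event. The hunks add `notifications.Audit.created` and `notifications.Audit.deleted`, but the context lines around `_validate_credential_update` and the `ref['blob'] = existing_blob` tail suggest an update path in this manager that takes no `initiator` and sends nothing, so a changed credential blob would leave no CADF record. If that is intended for this backport, the commit message should say so; otherwise the update method could accept `initiator=None` and call `notifications.Audit.updated(self._CRED, credential_id, initiator)` after the driver call. Both new events are also sent only after the driver call returns, so a create or delete that raises is not audited; the one-line docstrings could state that and describe `initiator`. The update method's body lies outside the hunks shown.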
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1831918 <https://bugs.launchpad.net/keystone/+bug/1831918>`_]
|
||||
Credentials now logs cadf audit messages.
|
||||
|