
Add cadf auditing to credentials

added audit logging to credentials.

This backport is a bit different from the original patch,
since we don't have the "adds caching of credentials"
patch found in commit 479a2a0afa
and we were not able to backport it.

Also, since there was no flask support on stable/queens we needed
to backport the audit initiator on keystone/api/credentials.py

stable/rocky: https://review.opendev.org/#/c/711547
stable/stein: https://review.opendev.org/#/c/711545
master: https://review.opendev.org/#/c/664618
Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541
(cherry picked from commit abf5cb6a55)
Nathan Oyler 1 year ago
committed by Raildo Mascena
parent
commit
654dd5ee47
3 changed files with 26 additions and 3 deletions
  1. +4
    -2
      keystone/credential/controllers.py
  2. +16
    -1
      keystone/credential/core.py
  3. +6
    -0
      releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml

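--- a/keystone/credential/controllers.py
+++ b/keystone/credential/controllers.py
@@ -86,7 +86,8 @@ class CredentialV3(controller.V3Controller):
 trust_id=trust_id,
 app_cred_id=app_cred_id,
 access_token_id=access_token_id)
-ref = PROVIDERS.credential_api.create_credential(ref['id'], ref)
+ref = PROVIDERS.credential_api.create_credential(
+ref['id'], ref, initiator=request.audit_initiator)
 return CredentialV3.wrap_member(request.context_dict, ref)
 
 @staticmethod
@@ -147,4 +148,5 @@ class CredentialV3(controller.V3Controller):
 
 @controller.protected()
 def delete_credential(self, request, credential_id):
-return PROVIDERS.credential_api.delete_credential(credential_id)
+return (PROVIDERS.credential_api.delete_credential(credential_id,
+initiator=request.audit_initiator))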
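Review bot: The outer parentheses around the new `delete_credential` return are redundant and make the call read differently from the `create_credential` call a few lines earlier in the same file, which simply breaks after the opening parenthesis. Writing it as `return PROVIDERS.credential_api.delete_credential(` / `credential_id, initiator=request.audit_initiator)` keeps both audited calls in the same shape. Note that `delete_credential` in `keystone/credential/core.py` now returns `None` implicitly, so the value returned here is `None` either way.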

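--- a/keystone/credential/core.py
+++ b/keystone/credential/core.py
@@ -21,6 +21,7 @@ from keystone.common import manager
 from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
+from keystone import notifications
 
 
 CONF = keystone.conf.CONF
@@ -38,6 +39,8 @@ class Manager(manager.Manager):
 driver_namespace = 'keystone.credential'
 _provides_api = 'credential_api'
 
+_CRED = 'credential'
+
 def __init__(self):
 super(Manager, self).__init__(CONF.credential.driver)
 
@@ -102,13 +105,18 @@ class Manager(manager.Manager):
 credential = self.driver.get_credential(credential_id)
 return self._decrypt_credential(credential)
 
-def create_credential(self, credential_id, credential):
+def create_credential(self, credential_id, credential,
+initiator=None):
 """Create a credential."""
 credential_copy = self._encrypt_credential(credential)
 ref = self.driver.create_credential(credential_id, credential_copy)
 ref.pop('key_hash', None)
 ref.pop('encrypted_blob', None)
 ref['blob'] = credential['blob']
+notifications.Audit.created(
+self._CRED,
+credential_id,
+initiator)
 return ref
 
 def _validate_credential_update(self, credential_id, credential):
@@ -143,3 +151,10 @@ class Manager(manager.Manager):
 else:
 ref['blob'] = existing_blob
 return ref
+
+def delete_credential(self, credential_id,
+initiator=None):
+"""Delete a credential."""
+self.driver.delete_credential(credential_id)
+notifications.Audit.deleted(
+self._CRED, credential_id, initiator)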
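Review bot: Audit coverage stops at create and delete: the method whose tail is the context of the last hunk (`ref['blob'] = existing_blob` / `return ref`, presumably `update_credential`, whose body starts outside the hunk) emits no `notifications.Audit.updated` event, so changes to a credential's blob or project are invisible in the CADF trail while the release note says credentials now log audit messages. If the original change audits updates as well, add `initiator=None` to that signature, call `notifications.Audit.updated(self._CRED, credential_id, initiator)` before its `return ref`, and pass `initiator=request.audit_initiator` from the matching controller method in `keystone/credential/controllers.py`. The new events carry only `credential_id`, not the blob, which is the right choice for secret material; the `create_credential` and `delete_credential` docstrings could say so, e.g. `"""Create a credential and emit a CADF created event (id only, no blob)."""`.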

+ 6
- 0
releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml View File

@@ -0,0 +1,6 @@
---
fixes:
- |
[`bug 1831918 <https://bugs.launchpad.net/keystone/+bug/1831918>`_]
Credentials now logs cadf audit messages.

