diff --git a/keystone/conf/default.py b/keystone/conf/default.py
index 68e569d06a..2d5a6f38de 100644
--- a/keystone/conf/default.py
+++ b/keystone/conf/default.py
@@ -202,7 +202,7 @@ will default to using the server's host name.
 
 notification_format = cfg.StrOpt(
 'notification_format',
- default='basic',
+ default='cadf',
 choices=['basic', 'cadf'],
 help=utils.fmt("""
 Define the notification format for identity service events. A `basic`
@@ -215,14 +215,18 @@ auditing use cases.
 
 notification_opt_out = cfg.MultiStrOpt(
 'notification_opt_out',
- default=[],
+ default=["identity.authenticate.success",
+ "identity.authenticate.pending",
+ "identity.authenticate.failed"],
 help=utils.fmt("""
-If left undefined, keystone will emit notifications for all types of events.
-You can reduce the number of notifications keystone emits by using this option
-to enumerate notification topics that should be suppressed. Values are expected
-to be in the form `identity..`. This field can be set
-multiple times in order to opt-out of multiple notification topics. For
-example:
+You can reduce the number of notifications keystone emits by explicitly
+opting out. Keystone will not emit notifications that match the patterns
+expressed in this list. Values are expected to be in the form of
+`identity..`. By default, all notifications
+related to authentication are automatically suppressed. This field can be
+set multiple times in order to opt-out of multiple notification topics. For
+example, the following suppresses notifications describing user creation or
+successful authentication events:
 notification_opt_out=identity.user.create
 notification_opt_out=identity.authenticate.success
 """))
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
index ba655b8ca0..32a0d919ec 100644
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
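Review bot: The `default='cadf'` switch on `notification_format` changes the payload that every existing notification consumer receives after an upgrade, yet the release note in this commit lists it only under `fixes`; its `upgrade` section covers `notification_opt_out` alone. I would add an `upgrade` entry saying that the default format is now `cadf` and that setting `notification_format = basic` keeps the previous payloads. Operators who parse the basic format in audit or alerting pipelines otherwise find out only when parsing breaks.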
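Review bot: Listing `identity.authenticate.failed` in the default of `notification_opt_out` means a deployment that never set this option stops emitting failed-login notifications after the upgrade, which removes the signal that monitoring built on these notifications relies on to notice password guessing. The new help text says authentication notifications are suppressed by default but not how to get them back; I would add a sentence such as `To receive authentication notifications, set this option explicitly to a list that omits them.` and state which value restores all notifications, since it is not obvious how to express an empty list for a multi-valued option. If the motivation is message volume, consider leaving failures enabled: `default=["identity.authenticate.success", "identity.authenticate.pending"],`.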
@@ -122,6 +122,9 @@ class NotificationsTestCase(unit.BaseTestCase):
 resource_type = EXP_RESOURCE_TYPE
 operation = CREATED_OPERATION
 
+ conf = self.useFixture(config_fixture.Config(CONF))
+ conf.config(notification_format='basic')
+
 # NOTE(ldbragst): Even though notifications._send_notification doesn't
 # contain logic that creates cases, this is supposed to test that
 # context is always empty and that we ensure the resource ID of the
diff --git a/releasenotes/notes/enable-cadf-notification-format-by-default-f938267e1ec54071.yaml b/releasenotes/notes/enable-cadf-notification-format-by-default-f938267e1ec54071.yaml
new file mode 100644
index 0000000000..7a5f51bb10
--- /dev/null
+++ b/releasenotes/notes/enable-cadf-notification-format-by-default-f938267e1ec54071.yaml
@@ -0,0 +1,12 @@
+---
+fixes:
+ - Changed the default notification from ``basic`` to ``cadf``.
+ - Added ``identity.authenticate.success``, ``identity.authenticate.pending``
+ and ``identity.authenticate.failed`` as default for
+ ``notification_opt_out``.
+upgrade:
+ - The default setting for ``notification_opt_out`` is changed to include
+ ``identity.authenticate.success``, ``identity.authenticate.pending`` and
+ ``identity.authenticate.failed``. If a deployment relies on these
+ notifications, then override the default ``notification_opt_out`` setting
+ by explicitly specifying the notifications to suppress.
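Review bot: Nothing visible in this commit tests the new defaults; in test_notifications.py the added `conf.config(notification_format='basic')` only pins one existing test to the old format. I would add a test asserting that the three `identity.authenticate.*` events are suppressed when `notification_opt_out` is left unset and that overriding the option emits them again, so a later change cannot silently drop or re-enable audit events. The enclosing test method starts and ends outside the hunk, so coverage elsewhere in the file cannot be ruled out from here.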