
Merge "Always have username in CADF initiator" into stable/train

tags/16.0.1
Zuul Gerrit Code Review преди 3 месеца
родител
ревизия
abd5bae62f
променени са 3 файла, в които са добавени 39 реда и са изтрити 1 реда
  1. +18
    -0
      keystone/notifications.py
  2. +12
    -1
      keystone/tests/unit/common/test_notifications.py
  3. +9
    -0
      releasenotes/notes/bug-1856904-101af15bb48eb3ca.yaml

+ 18
- 0
keystone/notifications.py Целия файл

@@ -74,6 +74,7 @@ SAML_AUDIT_TYPE = 'http://docs.oasis-open.org/security/saml/v2.0'
_SUBSCRIBERS = {}
_notifier = None
SERVICE = 'identity'
PROVIDERS = provider_api.ProviderAPIs

ROOT_DOMAIN = '<<keystone.domain.root>>'

@@ -529,6 +530,7 @@ def _get_request_audit_info(context, user_id=None):
if user_id:
initiator.user_id = user_id
initiator.id = utils.resource_uuid(user_id)
initiator = _add_username_to_initiator(initiator)

if project_id:
initiator.project_id = project_id
@@ -565,6 +567,7 @@ class CadfNotificationWrapper(object):
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
initiator = build_audit_initiator()
initiator.user_id = user_id
initiator = _add_username_to_initiator(initiator)
initiator.id = utils.resource_uuid(user_id)
try:
result = f(wrapped_self, user_id, *args, **kwargs)
@@ -763,6 +766,8 @@ def _send_audit_notification(action, initiator, outcome, target,
service_id = i['id']
break

initiator = _add_username_to_initiator(initiator)

event = eventfactory.EventFactory().new_event(
eventType=cadftype.EVENTTYPE_ACTIVITY,
outcome=outcome,
@@ -820,6 +825,19 @@ def _check_notification_opt_out(event_type, outcome):
return False


def _add_username_to_initiator(initiator):
"""Add the username to the initiator if missing."""
if hasattr(initiator, 'username'):
return initiator
try:
user_ref = PROVIDERS.identity_api.get_user(initiator.user_id)
initiator.username = user_ref['name']
except (exception.UserNotFound, AttributeError):
# Either user not found or no user_id, move along
pass

return initiator

emit_event = CadfNotificationWrapper




+ 12
- 1
keystone/tests/unit/common/test_notifications.py Целия файл

@@ -1156,7 +1156,7 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
'typeURI': 'service/security/account/user',
'host': {'address': 'localhost'},
'id': 'openstack:0a90d95d-582c-4efb-9cbc-e2ca7ca9c341',
'name': u'bccc2d9bfc2a46fd9e33bcf82f0b5c21'
'username': u'admin'
},
'target': {
'typeURI': 'service/security/account/user',
@@ -1202,6 +1202,17 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
self.assertEqual(self.user_id, initiator.id)
self.assertEqual(self.user_id, initiator.user_id)

def test_initiator_always_contains_username(self):
# Clear notifications
while self._notifications:
self._notifications.pop()

self.get_scoped_token()
self.assertEqual(len(self._notifications), 1)
note = self._notifications.pop()
initiator = note['initiator']
self.assertEqual(self.user['name'], initiator.username)

def test_v3_authenticate_user_name_and_domain_id(self):
user_id = self.user_id
user_name = self.user['name']
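Review bot: The new `test_initiator_always_contains_username` covers only the happy path; the two silent fallbacks in `_add_username_to_initiator` (initiator without a `user_id`, and a `user_id` the identity backend cannot resolve) have no test, and those are exactly the branches where a regression would go unnoticed because they `pass`. A second test that builds an initiator with `user_id = uuid.uuid4().hex`, sends a notification and asserts the event is still emitted with no `username` attribute would pin that behaviour. Also, the surrounding assertions put the expected value first (`self.assertEqual(self.user_id, initiator.id)`), so `self.assertEqual(len(self._notifications), 1)` should be `self.assertEqual(1, len(self._notifications))` for consistent failure messages.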


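--- /dev/null
+++ b/releasenotes/notes/bug-1856904-101af15bb48eb3ca.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+- |
+[`Bug 1856904 <https://bugs.launchpad.net/keystone/+bug/1856904>`_]
+The initiator object for CADF notifications now will always contain the
+username for the user who initated the action. Previously, the initator
+object only contained the user_id, which lead to issues mapping to users
+when using LDAP-backed identity providers. This also helps the initiator
+object better conform to the OpenStack standard for CADF.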