From e3294f0f911c888b578ffef50be237ade0955ac6 Mon Sep 17 00:00:00 2001
From: Georgina
Date: Mon, 20 Jul 2020 13:44:48 +0000
Subject: [PATCH] Add CADF notifications for federated keystone

Event notifications are useful for those that need to keep an audit trail. Turned off by default as these logs contain user specific data and local data protection laws should be considered. The default notificiation_opt_outs follow the keystone documentation. Please see here for more information on CADF notifications: https://docs.openstack.org/keystone/pike/advanced-topics/event_notifications.html
Change-Id: Id1867b6b50fc769757781eabc208ee9ead65f4c9
---
 defaults/main.yml | 5 +++++
 templates/keystone.conf.j2 | 27 +++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 8ed6e54b..122c3527 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -333,6 +333,11 @@ keystone_sp: {}
 #keystone_sp:
 # cert_duration_years: 5
 # apache_mod: shibboleth #or mod_auth_openidc
+# cadf_notifications: false
+# cadf_notifications_opt_out:
+# - identity.authenticate.failed
+# - identity.authenticate.pending
+# - identity.authenticate.success
 # trusted_dashboard_list:
 # - "https://{{ external_lb_vip_address }}/auth/websso/"
 # - "https://{{ horizon_server_name }}/auth/websso/"
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index c01c98a9..f638ea63 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -9,7 +9,19 @@ debug = {{ debug }}
 public_endpoint = {{ keystone_public_endpoint }}
 {% endif %}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
-
+{% if keystone_sp != {} and (keystone_sp.cadf_notifications is defined) and (keystone_sp.cadf_notifications | bool) %}
+{% set cadf_notifications = true %}
+{% else %}
+{% set cadf_notifications = false %}
+{% endif %}
+{% if cadf_notifications | bool %}
+notification_format = cadf
+{% if keystone_sp.cadf_notifications_opt_out is defined %}
+{% for opt_out in keystone_sp.cadf_notifications_opt_out %}
+notification_opt_out = {{ opt_out }}
+{% endfor %}
+{% endif %}
+{% endif %}
 
 ## Oslo.Messaging RPC
 transport_url = {{ keystone_oslomsg_rpc_transport }}://{% for host in keystone_oslomsg_rpc_servers.split(',') %}{{ keystone_oslomsg_rpc_userid }}:{{ keystone_oslomsg_rpc_password }}@{{ host }}:{{ keystone_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ keystone_oslomsg_rpc_vhost }}{% if keystone_oslomsg_rpc_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
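Review bot: `notification_format = cadf` is written into [DEFAULT], and as far as I know keystone applies that format to every notification driver, so enabling `keystone_sp.cadf_notifications` also changes the payload that ceilometer receives over `messagingv2` whenever `keystone_ceilometer_enabled` is set, which neither the commit message nor the template points out. A comment above the `{% if cadf_notifications | bool %}` block, e.g. `{# cadf changes the format of all notifications, including those sent to ceilometer; cadf_notifications is reused below to select the log driver #}`, would make both effects visible. The `cadf_notifications` variable set here is only consumed in the [oslo_messaging_notifications] section further down, and Jinja2 `if` blocks do not scope `set`, so the cross-section reference works, but it is a hidden dependency worth naming in that comment. The opt-out loop emits nothing when `cadf_notifications_opt_out` is an empty list, which presumably leaves keystone's built-in opt-outs in force rather than clearing them, so a deployer who wants authentication events audited needs that case documented.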
@@ -18,7 +30,18 @@ transport_url = {{ keystone_oslomsg_rpc_transport }}://{% for host in keystone_o
 ssl = {{ keystone_oslomsg_rpc_use_ssl }}
 
 [oslo_messaging_notifications]
-driver = {{ (keystone_ceilometer_enabled | bool) | ternary('messagingv2', 'noop') }}
+{% if keystone_ceilometer_enabled | bool %}
+driver = messagingv2
+{% set notification_driver = true %}
+{% endif %}
+{% if cadf_notifications | bool %}
+driver = log
+{% set notification_driver = true %}
+{% endif %}
+{% if notification_driver is not defined or notification_driver == false | bool %}
+driver = noop
+{% endif %}
+
 transport_url = {{ keystone_oslomsg_notify_transport }}://{% for host in keystone_oslomsg_notify_servers.split(',') %}{{ keystone_oslomsg_notify_userid }}:{{ keystone_oslomsg_notify_password }}@{{ host }}:{{ keystone_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ keystone_oslomsg_notify_vhost }}{% if keystone_oslomsg_notify_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
 
 {% if keystone_cache_servers | length > 0 %}
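Review bot: The `notification_driver` sentinel guarding `driver = noop` is more complicated than the condition it encodes, and `notification_driver == false | bool` only works because the filter binds tighter than `==`; the whole three-branch construct can be replaced by one condition on the two inputs, `{% if not (keystone_ceilometer_enabled | bool or cadf_notifications | bool) %}`, dropping both `{% set notification_driver = true %}` lines. When ceilometer and CADF are both enabled the hunk emits `driver = messagingv2` followed by `driver = log`; as far as I know `driver` in [oslo_messaging_notifications] is a multi-valued option so both drivers are loaded, but a comment such as `{# driver is multi-valued: every matching driver line is loaded, the second is not an override #}` would stop a reader from taking the second line as replacing the first. `cadf_notifications` is set in the [DEFAULT] section earlier in this template, so this hunk cannot be read or reordered on its own, and with the `log` driver the audit events presumably end up in the keystone log, which then holds the user data the commit message warns about and needs the same access controls as the audit trail itself.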