author | Nathan Oyler <notque@gmail.com> | 2019-06-10 10:32:05 -0700 |
---|---|---|
committer | Raildo Mascena <rmascena@redhat.com> | 2020-04-01 15:05:25 -0300 |
commit | e57e44c0ecf4491bba4ed451e6b3016552824ff5 (patch) | |
tree | 550c0af1703dce491575f14bea3115d584e0129b | |
parent | 2de401b79ba5baf69c7ab8f9c68f02d69f9ae47e (diff) | |
download | keystone-e57e44c0ecf4491bba4ed451e6b3016552824ff5.tar.gz |
Add cadf auditing to credentials
added audit logging to credentials.
This backport differs slightly from the original patch,
because this branch does not have the patch that adds caching of credentials
(commit 479a2a0afaeb505c371ee97a1f2fbc1b11e3cef1)
and we were not able to backport it.
So, there are sense on keep the invalidate cache calls in the
original bits.
Closes-bug: #1831918
Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541
(cherry picked from commit 579cc19857048a8710a9f173c602f51a2fcabba1)
-rw-r--r-- | keystone/api/credentials.py | 6 | ||||
-rw-r--r-- | keystone/credential/core.py | 17 | ||||
-rw-r--r-- | releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml | 6 |
3 files changed, 26 insertions, 3 deletions
diff --git a/keystone/api/credentials.py b/keystone/api/credentials.py
index 08a492c1d..6985b92d1 100644
--- a/keystone/api/credentials.py
+++ b/keystone/api/credentials.py
@@ -148,7 +148,8 @@ class CredentialResource(ks_flask.ResourceBase):
 trust_id = getattr(self.oslo_context, 'trust_id', None)
 ref = self._assign_unique_id(
 self._normalize_dict(credential), trust_id=trust_id)
- ref = PROVIDERS.credential_api.create_credential(ref['id'], ref)
+ ref = PROVIDERS.credential_api.create_credential(ref['id'], ref,
+ initiator=self.audit_initiator)
 return self.wrap_member(ref), http_client.CREATED
 def patch(self, credential_id):
@@ -173,7 +174,8 @@ class CredentialResource(ks_flask.ResourceBase):
 build_target=_build_target_enforcement
 )
- return (PROVIDERS.credential_api.delete_credential(credential_id),
+ return (PROVIDERS.credential_api.delete_credential(credential_id,
+ initiator=self.audit_initiator),
 http_client.NO_CONTENT)
diff --git a/keystone/credential/core.py b/keystone/credential/core.py
index cb28b314e..d6c48ff16 100644
--- a/keystone/credential/core.py
+++ b/keystone/credential/core.py
@@ -21,6 +21,7 @@ from keystone.common import manager
 from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
+from keystone import notifications
 CONF = keystone.conf.CONF
@@ -38,6 +39,8 @@ class Manager(manager.Manager):
 driver_namespace = 'keystone.credential'
 _provides_api = 'credential_api'
+ _CRED = 'credential'
+
 def __init__(self):
 super(Manager, self).__init__(CONF.credential.driver)
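Review bot: Credential updates remain unaudited as far as this page shows. The `patch` handler appears only as unchanged trailing context in the first hunk of keystone/api/credentials.py, and the `@@ -143,3 +151,10 @@` hunk of keystone/credential/core.py ends what looks like the update path at `return ref` with no notification added. An update can replace a credential's blob, so it is at least as audit-relevant as create and delete. Following the pattern this commit uses, the manager's update method would take `initiator=None` and call `notifications.Audit.updated(self._CRED, credential_id, initiator)` before returning, with the handler passing `initiator=self.audit_initiator`. Both function bodies lie outside the visible hunks, so confirm against the full files.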
@@ -102,13 +105,18 @@ class Manager(manager.Manager):
 credential = self.driver.get_credential(credential_id)
 return self._decrypt_credential(credential)
- def create_credential(self, credential_id, credential):
+ def create_credential(self, credential_id, credential,
+ initiator=None):
 """Create a credential."""
 credential_copy = self._encrypt_credential(credential)
 ref = self.driver.create_credential(credential_id, credential_copy)
 ref.pop('key_hash', None)
 ref.pop('encrypted_blob', None)
 ref['blob'] = credential['blob']
+ notifications.Audit.created(
+ self._CRED,
+ credential_id,
+ initiator)
 return ref
 def _validate_credential_update(self, credential_id, credential):
@@ -143,3 +151,10 @@ class Manager(manager.Manager):
 else:
 ref['blob'] = existing_blob
 return ref
+
+ def delete_credential(self, credential_id,
+ initiator=None):
+ """Delete a credential."""
+ self.driver.delete_credential(credential_id)
+ notifications.Audit.deleted(
+ self._CRED, credential_id, initiator)
diff --git a/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
new file mode 100644
index 000000000..33a355cc5
--- /dev/null
+++ b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1831918 <https://bugs.launchpad.net/keystone/+bug/1831918>`_]
+ Credentials now logs cadf audit messages.
+ |
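Review bot: `initiator` defaults to `None` in the new `create_credential` signature, so any caller that is not updated to pass it still creates a credential and emits a created event with no request-derived actor; only the `CredentialResource` call site is changed in this commit. The one-line docstring should say so, for example `:param initiator: CADF initiator of the request, used to attribute the audit event; request-path callers should always pass it`. How `notifications.Audit.created` fills in a missing initiator is not visible here. The event is also emitted only after the driver write succeeds, so a failed creation attempt leaves no audit record, which is worth stating in the docstring if intended.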
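Review bot: None of the three files in the diffstat is a test, so the new `Manager.delete_credential` and the `Audit.created`/`Audit.deleted` calls could be dropped by a later refactor without any test failing. A unit test should create and then delete a credential through the API and assert one created and one deleted notification for resource type `credential`, each carrying the request initiator. Separately, this method audits only deletions that pass through it; any path that calls the driver's delete operations directly would stay silent. Whether cascade deletes on user or project removal take such a path is not visible on this page and is worth confirming.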