authorNathan Oyler <notque@gmail.com>2019-06-10 10:32:05 -0700
committerRaildo Mascena <rmascena@redhat.com>2020-04-01 15:05:25 -0300
commite57e44c0ecf4491bba4ed451e6b3016552824ff5 (patch)
tree550c0af1703dce491575f14bea3115d584e0129b
parent2de401b79ba5baf69c7ab8f9c68f02d69f9ae47e (diff)
downloadkeystone-e57e44c0ecf4491bba4ed451e6b3016552824ff5.tar.gz
Add cadf auditing to credentials
added audit logging to credentials. This backport is a bit different than the original patch, since we don't have the adds caching of credentials patch find on commit 479a2a0afaeb505c371ee97a1f2fbc1b11e3cef1 and we were not able to backport it. So, there are sense on keep the invalidate cache calls in the original bits. Closes-bug: #1831918 Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541 (cherry picked from commit 579cc19857048a8710a9f173c602f51a2fcabba1)
-rw-r--r--keystone/api/credentials.py6
-rw-r--r--keystone/credential/core.py17
-rw-r--r--releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml6
3 files changed, 26 insertions, 3 deletions
diff --git a/keystone/api/credentials.py b/keystone/api/credentials.py
index 08a492c1d..6985b92d1 100644
--- a/keystone/api/credentials.py
+++ b/keystone/api/credentials.py
@@ -148,7 +148,8 @@ class CredentialResource(ks_flask.ResourceBase):
trust_id = getattr(self.oslo_context, 'trust_id', None)
ref = self._assign_unique_id(
self._normalize_dict(credential), trust_id=trust_id)
- ref = PROVIDERS.credential_api.create_credential(ref['id'], ref)
+ ref = PROVIDERS.credential_api.create_credential(ref['id'], ref,
+ initiator=self.audit_initiator)
return self.wrap_member(ref), http_client.CREATED
def patch(self, credential_id):
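Review bot: Credential updates are left without an audit event: the `patch` handler whose signature closes this hunk is not changed anywhere in the commit, and none of the visible `keystone/credential/core.py` hunks emits an update notification, while create and delete now do. Changing a credential's blob is as security-relevant as creating one, so the trail would be more complete if the handler passed `initiator=self.audit_initiator` to the manager's update call and the manager emitted `notifications.Audit.updated(self._CRED, credential_id, initiator)`. The body of `patch` lies outside the hunk, so confirm it does not already report the update by another route.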
@@ -173,7 +174,8 @@ class CredentialResource(ks_flask.ResourceBase):
build_target=_build_target_enforcement
)
- return (PROVIDERS.credential_api.delete_credential(credential_id),
+ return (PROVIDERS.credential_api.delete_credential(credential_id,
+ initiator=self.audit_initiator),
http_client.NO_CONTENT)
diff --git a/keystone/credential/core.py b/keystone/credential/core.py
index cb28b314e..d6c48ff16 100644
--- a/keystone/credential/core.py
+++ b/keystone/credential/core.py
@@ -21,6 +21,7 @@ from keystone.common import manager
from keystone.common import provider_api
import keystone.conf
from keystone import exception
+from keystone import notifications
CONF = keystone.conf.CONF
@@ -38,6 +39,8 @@ class Manager(manager.Manager):
driver_namespace = 'keystone.credential'
_provides_api = 'credential_api'
+ _CRED = 'credential'
+
def __init__(self):
super(Manager, self).__init__(CONF.credential.driver)
@@ -102,13 +105,18 @@ class Manager(manager.Manager):
credential = self.driver.get_credential(credential_id)
return self._decrypt_credential(credential)
- def create_credential(self, credential_id, credential):
+ def create_credential(self, credential_id, credential,
+ initiator=None):
"""Create a credential."""
credential_copy = self._encrypt_credential(credential)
ref = self.driver.create_credential(credential_id, credential_copy)
ref.pop('key_hash', None)
ref.pop('encrypted_blob', None)
ref['blob'] = credential['blob']
+ notifications.Audit.created(
+ self._CRED,
+ credential_id,
+ initiator)
return ref
def _validate_credential_update(self, credential_id, credential):
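Review bot: `create_credential` now accepts `initiator=None` and hands it straight to `notifications.Audit.created`, so any caller that is not updated to pass it will emit an event that names no actor. Only the two call sites in `keystone/api/credentials.py` are changed in this commit; other callers of the manager, if there are any, are outside the diff and worth checking. The docstring should record the new contract, for example `"""Create a credential and emit a 'created' audit event attributed to initiator."""`. The event is sent after `self.driver.create_credential` returns, so only successful creations are recorded; how the notifier treats a `None` initiator is not visible here.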
@@ -143,3 +151,10 @@ class Manager(manager.Manager):
else:
ref['blob'] = existing_blob
return ref
+
+ def delete_credential(self, credential_id,
+ initiator=None):
+ """Delete a credential."""
+ self.driver.delete_credential(credential_id)
+ notifications.Audit.deleted(
+ self._CRED, credential_id, initiator)
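Review bot: Neither audit emission is covered by a test: the diffstat lists only the two source files and the release note. A unit test that creates and deletes a credential through the API and asserts one notification each, carrying the credential id and the request's initiator, would keep a later refactor from silently dropping the trail. `delete_credential` is also new as an explicit method on `Manager`, and it emits only after `self.driver.delete_credential` returns, so a delete that raises leaves no record; the docstring should say so if that is intended.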
diff --git a/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
new file mode 100644
index 000000000..33a355cc5
--- /dev/null
+++ b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1831918 <https://bugs.launchpad.net/keystone/+bug/1831918>`_]
+ Credentials now logs cadf audit messages.
+