Merge "Always have username in CADF initiator" into stable/train

3 files changed, 39 insertions, 1 deletions

diff --git a/keystone/notifications.py b/keystone/notifications.py
index 11e4a5875..65980b800 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -74,6 +74,7 @@ SAML_AUDIT_TYPE = 'http://docs.oasis-open.org/security/saml/v2.0'
 _SUBSCRIBERS = {}
 _notifier = None
 SERVICE = 'identity'
+PROVIDERS = provider_api.ProviderAPIs
 
 ROOT_DOMAIN = '<<keystone.domain.root>>'
 
@@ -529,6 +530,7 @@ def _get_request_audit_info(context, user_id=None):
     if user_id:
         initiator.user_id = user_id
         initiator.id = utils.resource_uuid(user_id)
+        initiator = _add_username_to_initiator(initiator)
 
     if project_id:
         initiator.project_id = project_id
@@ -565,6 +567,7 @@ class CadfNotificationWrapper(object):
             target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
             initiator = build_audit_initiator()
             initiator.user_id = user_id
+            initiator = _add_username_to_initiator(initiator)
             initiator.id = utils.resource_uuid(user_id)
             try:
                 result = f(wrapped_self, user_id, *args, **kwargs)
@@ -763,6 +766,8 @@ def _send_audit_notification(action, initiator, outcome, target,
             service_id = i['id']
             break
 
+    initiator = _add_username_to_initiator(initiator)
+
     event = eventfactory.EventFactory().new_event(
         eventType=cadftype.EVENTTYPE_ACTIVITY,
         outcome=outcome,
@@ -820,6 +825,19 @@ def _check_notification_opt_out(event_type, outcome):
     return False
 
 
+def _add_username_to_initiator(initiator):
+    """Add the username to the initiator if missing."""
+    if hasattr(initiator, 'username'):
+        return initiator
+    try:
+        user_ref = PROVIDERS.identity_api.get_user(initiator.user_id)
+        initiator.username = user_ref['name']
+    except (exception.UserNotFound, AttributeError):
+        # Either user not found or no user_id, move along
+        pass
+
+    return initiator
+
 emit_event = CadfNotificationWrapper
 
 
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
index ec3ba54cd..636abfa3b 100644
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -1156,7 +1156,7 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
                     'typeURI': 'service/security/account/user',
                     'host': {'address': 'localhost'},
                     'id': 'openstack:0a90d95d-582c-4efb-9cbc-e2ca7ca9c341',
-                    'name': u'bccc2d9bfc2a46fd9e33bcf82f0b5c21'
+                    'username': u'admin'
                 },
                 'target': {
                     'typeURI': 'service/security/account/user',
@@ -1202,6 +1202,17 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
         self.assertEqual(self.user_id, initiator.id)
         self.assertEqual(self.user_id, initiator.user_id)
 
+    def test_initiator_always_contains_username(self):
+        # Clear notifications
+        while self._notifications:
+            self._notifications.pop()
+
+        self.get_scoped_token()
+        self.assertEqual(len(self._notifications), 1)
+        note = self._notifications.pop()
+        initiator = note['initiator']
+        self.assertEqual(self.user['name'], initiator.username)
+
     def test_v3_authenticate_user_name_and_domain_id(self):
         user_id = self.user_id
         user_name = self.user['name']
diff --git a/releasenotes/notes/bug-1856904-101af15bb48eb3ca.yaml b/releasenotes/notes/bug-1856904-101af15bb48eb3ca.yaml
new file mode 100644
index 000000000..634b86a03
--- /dev/null
+++ b/releasenotes/notes/bug-1856904-101af15bb48eb3ca.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    [`Bug 1856904 <https://bugs.launchpad.net/keystone/+bug/1856904>`_]
+    The initiator object for CADF notifications now will always contain the
+    username for the user who initated the action. Previously, the initator
+    object only contained the user_id, which lead to issues mapping to users
+    when using LDAP-backed identity providers. This also helps the initiator
+    object better conform to the OpenStack standard for CADF.