Add CADF notifications for federated keystone

Event notifications are useful for those that need to keep an audit trail. Turned off by default as these logs contain user specific data and local data protection laws should be considered. The default notificiation_opt_outs follow the keystone documentation. Please see here for more information on CADF notifications: https://docs.openstack.org/keystone/pike/advanced-topics/event_notifications.html Change-Id: Id1867b6b50fc769757781eabc208ee9ead65f4c9
2020-07-20 13:44:48 +00:00 · 2020-07-20 13:44:48 +00:00 · e3294f0f91
commit e3294f0f91
parent 4c9642765e
2 changed files with 30 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -333,6 +333,11 @@ keystone_sp: {}
 #keystone_sp:
 #  cert_duration_years: 5
 #  apache_mod: shibboleth  #or mod_auth_openidc
+#  cadf_notifications: false
+#  cadf_notifications_opt_out:
+#    - identity.authenticate.failed
+#    - identity.authenticate.pending
+#    - identity.authenticate.success
 #  trusted_dashboard_list:
 #    - "https://{{ external_lb_vip_address }}/auth/websso/"
 #    - "https://{{ horizon_server_name }}/auth/websso/"
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@ -9,7 +9,19 @@ debug = {{ debug }}
 public_endpoint = {{ keystone_public_endpoint }}
 {% endif %}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
-
+{% if keystone_sp != {} and (keystone_sp.cadf_notifications is defined) and (keystone_sp.cadf_notifications | bool) %}
+{% set cadf_notifications = true %}
+{% else %}
+{% set cadf_notifications = false %}
+{% endif %}
+{% if cadf_notifications | bool %}
+notification_format = cadf
+{% if keystone_sp.cadf_notifications_opt_out is defined %}
+{% for opt_out in keystone_sp.cadf_notifications_opt_out %}
+notification_opt_out = {{ opt_out }}
+{% endfor %}
+{% endif %}
+{% endif %}

 ## Oslo.Messaging RPC
 transport_url = {{ keystone_oslomsg_rpc_transport }}://{% for host in keystone_oslomsg_rpc_servers.split(',') %}{{ keystone_oslomsg_rpc_userid }}:{{ keystone_oslomsg_rpc_password }}@{{ host }}:{{ keystone_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ keystone_oslomsg_rpc_vhost }}{% if keystone_oslomsg_rpc_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
@ -18,7 +30,18 @@ transport_url = {{ keystone_oslomsg_rpc_transport }}://{% for host in keystone_o
 ssl = {{ keystone_oslomsg_rpc_use_ssl }}

 [oslo_messaging_notifications]
-driver = {{ (keystone_ceilometer_enabled | bool) | ternary('messagingv2', 'noop') }}
+{% if keystone_ceilometer_enabled | bool %}
+driver = messagingv2
+{% set notification_driver = true %}
+{% endif %}
+{% if cadf_notifications | bool %}
+driver = log
+{% set notification_driver = true %}
+{% endif %}
+{% if notification_driver is not defined or notification_driver == false | bool %}
+driver = noop
+{% endif %}
+
 transport_url = {{ keystone_oslomsg_notify_transport }}://{% for host in keystone_oslomsg_notify_servers.split(',') %}{{ keystone_oslomsg_notify_userid }}:{{ keystone_oslomsg_notify_password }}@{{ host }}:{{ keystone_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ keystone_oslomsg_notify_vhost }}{% if keystone_oslomsg_notify_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

 {% if keystone_cache_servers | length > 0 %}