Keystone is expanding its support for federated identity to enable it to have a more seamless integration into enterprise environments and to leverage existing identity providers. The extra complexity associated with authentication and authorization in federated Keystone deployments demands suitable audit support to ensure the OpenStack environment is used in a compliant fashion. In this blueprint we describe proposed auditing support for Keystone federated identity operations using the DMTF Cloud Auditing Data Federation (CADF) Open Standard, and leveraging PyCADF.
For Keystone, we need to define and implement support for new CADF audit event records that capture the authentication and authorization behavior associated with the mapping of federated attributes to group-based role assignments. Also, for auditing purposes, we need to capture the user identity information that is derived from external identity providers. This is crucial because in the federated identity model for Keystone, user information is ephemeral and no longer stored in Keystone directly.
Proposed change is to add new CADF based audit event notifications for operations associated with federated identity. We intend to reuse the existing notification work from Icehouse release.
The data within the notification will be comprised of information relating to the federated user and the identity provider. Information such as: username, userid, identity provider, protocol, and groups that the user was mapped to, should be included within the notification.
For more details on what actions will trigger a notifications, please refer to the Notifications Impact section of this specification.
Auditing records need to be designed so that they do not accidentally publish sensitive data, such as token information or passwords.
New CADF notifications will need to be created for the following events:
Performance should be marginally impacted if the CADF event notification for federation support is enabled.
No new dependencies, however we will be using the PyCADF library, which is already a required library for Keystone.
Unit tests will be added for the new events.