Audit Support for Keystone Federation¶
Keystone is expanding its support for federated identity to enable it to have a more seamless integration into enterprise environments and to leverage existing identity providers. The extra complexity associated with authentication and authorization in federated Keystone deployments demands suitable audit support to ensure the OpenStack environment is used in a compliant fashion. In this blueprint we describe proposed auditing support for Keystone federated identity operations using the DMTF Cloud Auditing Data Federation (CADF) Open Standard, and leveraging PyCADF.
For Keystone, we need to define and implement support for new CADF audit event records that capture the authentication and authorization behavior associated with the mapping of federated attributes to group-based role assignments. Also, for auditing purposes, we need to capture the user identity information that is derived from external identity providers. This is crucial because in the federated identity model for Keystone, user information is ephemeral and no longer stored in Keystone directly.
Proposed change is to add new CADF based audit event notifications for operations associated with federated identity. We intend to reuse the existing notification work from Icehouse release.
The data within the notification will be comprised of information relating to the federated user and the identity provider. Information such as: username, userid, identity provider, protocol, and groups that the user was mapped to, should be included within the notification.
For more details on what actions will trigger a notifications, please refer to the Notifications Impact section of this specification.
Data Model Impact¶
REST API Impact¶
Auditing records need to be designed so that they do not accidentally publish sensitive data, such as token information or passwords.
New CADF notifications will need to be created for the following events:
Federated user attempts to authenticate and retrieve an unscoped token.
Federated user attempts to retrieve a list of projects.
Federated user attempts to retrieve a list of domains.
Federated user attempts to authenticate and retrieve a scoped token.
Other End User Impact¶
Performance should be marginally impacted if the CADF event notification for federation support is enabled.
Other Deployer Impact¶
Define new audit event formats.
Implement notifications for the new events.
Create unit tests for the new events.
Document new notifications events.
No new dependencies, however we will be using the PyCADF library, which is already a required library for Keystone.
Unit tests will be added for the new events.
New audit events that have been added should be documented here.