OpenStack Identity (keystone)

Provide real targets in cadf events produced by audit middleware

Registered by jobrs

Currently the audit middleware populates the target.id field with the ID of the service from the catalog. With this information, the reader of audit report cannot identify the actual resources affected by the change. The "What?" question cannot be answered that way. We suggest to extend the mapping rule engine, so that is able to extract the IDs of the actual objects affected by the change.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
jobrs
Direction:
Needs approval
Assignee:
None
Definition:
Obsolete
Series goal:
None
Implementation:
Unknown
Milestone target:
None
Completed by
Lance Bragstad

Related branches

Sprints

Whiteboard

The target field would then read like this:

target:
    typeURI: compute/server # instead of service/compute/servers/server
    id: <server-id>

To be able to produce that information a slighly more complex but also more intuitive syntax for mapping rules needs to be invented.

The new mapping rules are essentially a model of resources. Due to REST principles, this model implies how the HTTP API requests are formed. Additional hints are added to address exceptions.

The following model and syntax is proposed:

# default target endpoint type
# should match the endpoint type defined in service catalog
target_endpoint_type: public # as before

# list of resources exposed by the REST API
# URL paths follow one of the following patterns:
# - /<resource>s: HTTP POST for create, GET for list
# - /<resource>s/<resource-id>: HTTP GET for read, PUT for update, DELETE for remove
# - /<resource>s/<resource-id>/<custom-action>: specified per resource
# - /<resource>s/<resource-id>/<child-resource>: like parent
# - /<resource>s/<resource-id>/<child-resource>/<child-resource-id>: like parent
# - /<resource>s/<resource-id>/<attribute>: singleton resource, ID inherited from parent
resources:
    server: # resource name, placed first in the URL path (with an added "s"), followed by the ID
        # typeURI of the resource, defaults to <service-key>/<resource name>
        typeURI: compute/server
        # URL-endcoded actions, last part of the URL path, following the ID of the target (child-)resource
        # or "action" in which case the actual action is the first and only element of the JSON payload
        custom_actions:
            # simple
            # <url-path-suffix>: <cadf-action>
            startup: start/startup
        # child resources, placed after the parent resource ID in the URL path
        children:
           migration:
                # typeURI of the resource, defaults to <parent-typeURI>/<resource name>
                typeURI: compute/server/migration
           os-server-password:
                # there is only a single resource per parent (it's an attribute), no pluralization
                singleton: true

(lbragstad) 19-02-15: I'm marking this as obsolete based on the plan socialized on the mailing list [0]. If you'd like to continue discussing this feature, please don't hesitate to propose a specification to the openstack/keystone-specs repository or open an RFE bug [1].

[0] http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002672.html
[1] https://bugs.launchpad.net/keystone/

(?)

Work Items

Work items:
Specify rule syntax: DONE
Mapping rule engine: TODO
Integrate engine: TODO

This blueprint contains Public information 
Everyone can see this information.
Edit subscription

Subscribers

No subscribers.