Cloud Audit Support for Keystone Authentication

Registered by Brad Topol

This blueprint has been superseded. See the newer blueprint "Audit events" for updated plans.

To properly audit access to, or management of, data and workloads governed by a cloud platform, regardless of industry (e.g. banking, financial, healthcare) or compliance regulation (e.g. Basel, SSAE16, HIPAA, ISO 27000), precise audit information needs to be recorded for all low-level security decisions based on security identities and policies (including access control group management and administrator/privileged actions).

Ceilometer has recently added support for standardized auditing of external OpenStack APIs using the DMTF Cloud Audit Standard ( http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0b.pd ). Here we leverage this work to add internal auditing of Keystone authentication operations.

More information on Ceilometer's standards auditing support can be found at https://wiki.openstack.org/wiki/Ceilometer/blueprints/support-standard-audit-formats#Provide_support_for_auditing_events_in_standardized_formats

More details from the Icehouse design summit on this feature can be found at https://etherpad.openstack.org/p/icehouse-auditing

Blueprint information

Status: Complete
Approver: Dolph Mathews
Priority: Undefined
Drafter: Brad Topol
Direction: Needs approval
Assignee: Brad Topol
Definition: Superseded
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Dolph Mathews

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/cloud-audit-authentication,n,z

Addressed by: https://review.openstack.org/69632
    Adds Cloud Audit (DMTF CADF) Support for keystone authentication
