Emit event notifications
The blocker for nova to resolve bug 967832 is that keystone currently has no way of notifying other services of impactful events such as user/project/domain deletion or disablement.
Note (Sep 16, 2013): the scope of this blueprint was reduced to exclude domains due to time constraints- follow up work is being tracked here: https:/
keystone should use oslo.notify ( https:/
- enable project
- disable project
- delete project
Note that disabling or deleting a domain should result in a corresponding set of disable/delete notifications for owned projects.
Consider constructing this notification framework (adhering to Oslo) around Cloud Audit Data Foundation specifications (CADF) as outlined in the following:
https:/
This would ensure the auditing format in Keystone is implemented from a standardized format. Which is what Keystone was already planning to do by pulling in an implementing the notifier from Oslo-incubator.
Blueprint information
- Status:
- Complete
- Approver:
- None
- Priority:
- Medium
- Drafter:
- Dolph Mathews
- Direction:
- Approved
- Assignee:
- Lance Bragstad
- Definition:
- Discussion
- Series goal:
- Accepted for havana
- Implementation:
- Implemented
- Milestone target:
- 2013.2
- Started by
- Dolph Mathews
- Completed by
- Dolph Mathews
Related branches
Related bugs
Sprints
Whiteboard
(boden) -------
We have a requirement to consume AMQP events for most major resources in Keystone.
This includes create/
* CUD based AMQP events for project/
As part of this eventing, we will also need support for Qpid based notifications (rather than via Rabbit), but hopefully this is "for free" given the common event publishers.
At the current moment, I don't see a need to include passwords in AMQP events -- so a create user event would not need to include the user's password.
Note that I believe Brant K (on the Keystone team) is available to help with this implementation need be. Therefore if you cannot contain the requirements mentioned above could you please let him know?
Thanks
----------
(dolph) ---------------
My thinking for implementation was to simply emit an ID (or perhaps a full URL? there are some complications there surround API versioning, however) of the resource as the message body, using the topic to describe the event (e.g. identity.
I also hadn't remotely considered role assignments; again, why??
--------------
(boden) -----------
I was assuming the events would have some high level metadata, but that was just an assumption based on the other events have seen to date... The idea was to get as much data in the event as made sense to save the consumer a trip back to Keystone to query the resource change. However if the events had enough structure to indicate the type of event and the resource type/id (URI or other) that would probably be a good enough start.
(dolph) ---------------
I definitely don't want to expose another complicated API where we have to maintain backwards compatibility etc, so I'd like to keep it as simple as possible.
(boden) -----------
On the role assignments -- we have Cloud managers which "sit atop" openstack and manage metadata about identity artifacts like users/projects/
------------
(dolph) ---------------
This just sounds like keystone shouldn't own your authn/z data.
(boden) ------------
regarding events for role grants; maybe the example I gave wasn't a good one and isn't obvious without getting into arch details. however consider a few others which fall into the BAMA space:
* As a Cloud provider, I need my billing application to initiate accounting information when a user is granted access to a project.
* As a Cloud provider, I need my auditing application to record/track project membership and role assignment
the above are just a few... the idea here (IMO) is that the eventing provided should be as generic as possible to fulfill a broad spectrum of use cases; as such i think it should cover CUD of most persistent metadata in Keystone, including role grants.
also i didn't mention this before, but we also need CUD events related to service/endpoints. for example:
* As a Cloud provider, I need my management system notified when an endpoint is added/updated/
* As a Cloud provider, I need my management system notified when a service is added/updated/
(dolph) -----
I think the use case of being notified for a user's role assignments changing should simply be a topic like identity.
Gerrit topic: https:/
Addressed by: https:/
Initial notification commit
Addressed by: https:/
Sync notifier module from Oslo
Addressed by: https:/
Implement notifications in Keystone
Addressed by: https:/
Document usage notifications
Addressed by: https:/
Add project CRUD to assignment_api Manager
Gerrit topic: https:/
Gerrit topic: https:/
Addressed by: https:/
add 'project' notifications to docs
Addressed by: https:/
Remove kwargs from trust_api.
Addressed by: https:/
Implement notifications for trusts
(amichon) -----
I really need this use case for my needs
* As a Cloud provider, I need my auditing application to record/track project membership and role assignment
In assignement/core.py I only found delete_grant but no create_grant. I've implemented it (quite simple) but the payload does not contain any info on project_id, role_id, only on user_id that ceilometer (notification consumer) could manage
@dolph you saw something different : a message with only the resource Id, responsibility for the event consumer (resp ceilometer) to request keystone for the resource (project, role) related to ?
I will commit a change soon for create_grant anyway
Gerrit topic: https:/
Addressed by: https:/
Add notifications for role assignment created and deleted events
Work Items
Dependency tree
* Blueprints in grey have been implemented.