Enable CADF notifications in Keystone

To enable the CADF format notifications in the Identity service:

  1. Set the notification_format option to cadf in the [DEFAULT] section of keystone.conf:

    [DEFAULT]
    notification_format = cadf
    
  2. Set a notification driver by setting the driver option in the [oslo_messaging_notifications] section to one of the possible values: messaging, messagingv2, routing, log, test, or noop:

    [oslo_messaging_notifications]
    driver = messagingv2
    

    Note

    You can also use the deprecated notification_driver parameter in the [DEFAULT] section to specify a destination for notifications.

    Note

    You can specify multiple notification drivers. For example, specify messagingv2 and log to send notifications to RabbitMQ and also write them to the local Keystone log.

  3. (Optional) Set an AMQP topic and custom transport URL.

    Note

    By default, notifications are sent to the notifications.info queue in RabbitMQ. You do not need to specify transport_url and topics in this case.

    For example:

    [oslo_messaging_notifications]
    transport_url = rabbit://{{ rabbitmq.user }}:{{ rabbitmq.password }}@{{ address('rabbitmq', rabbitmq.port) }}
    topics = keystone_notifications
    
  4. (Optional) Unsubscribe from specific types of notifications by using the notification_opt_out option in the [DEFAULT] section. For example, to opt out of noisy notifications about successful authentication, specify:

    [DEFAULT]
    notification_opt_out = identity.authenticate.success
    
  5. Restart the Apache service for changes to take effect:

    service apache2 restart
    
  6. Verify that the Identity service sends notifications in the CADF format:

    • If the notification driver is set to log, check the Keystone log /var/log/keystone/keystone-public.log.

      For example:

      2017-01-26 09:19:01.307 27791 INFO
      oslo.messaging.notification.identity.authenticate
      [req-bf5a6c59-7f0f-4436-84c1-
      6dde1699f9cc - - - - -] {"event_type": "identity.authenticate",
      "timestamp": "2017-01-26 09:19:01.241364", "payload": {"typeURI":
      "http://schemas.dmtf.org/cloud/audit/1.0/event",
      "initiator": {"typeURI": "service/security/account/user",
      "host": {"agent": "keystoneauth1/2.3.0 python-requests/2.9.1
      CPython/2.7.6", "address": "192.168.0.2"}, "user_id":
      "42ca947ab83c4b86b843fccd36826a21",
      "id": "42ca947ab83c4b86b843fccd36826a21"}, "target":
      {"typeURI": "service/security/account/user", "id":
      "17b4cc7f-0ddb-51c7-8a55-aba8304f943c"}, "observer":
      {"typeURI": "service/security", "id":
      "e14fa14a-fb58-55e3-b38a-0cff3f9bd6f1"},
      "eventType": "activity", "eventTime": "2017-01-26T09:19:01.139486+0000",
      "action": "authenticate", "outcome": "failure", "id":
      "d286943b-ce61-5e98-80b4-24aa5c92980a"},
      "priority": "INFO", "publisher_id": "identity.node-6.domain.tld",
      "message_id": "4879d940-505d-4dbf-9005-bafafd150f0c"}
      
    • If the notification driver is set to messaging or messagingv2, check the RabbitMQ messages in the default notifications.info queue or in the queue with the name specified in the topics option. For example:

      {"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \
      "950c821344064574bb401fb7bb58457f\", \"event_type\":
      \"identity.authenticate\", \"timestamp\": \"2017-01-25 15:29:37.003472\",
      \"publisher_id\": \"identity.node-6.domain.tld\", \"payload\":
      {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\",
      \"initiator\": {\"typeURI\": \"service/security/account/user\",
      \"host\": {\"agent\": \"keystoneauth1/2.3.0 python-requests/2.9.1
      CPython/2.7.6\", \"address\": \"192.168.0.2\"}, \"user_id\":
      \"42ca947ab83c4b86b843fccd36826a21\", \"id\":
      \"42ca947ab83c4b86b843fccd36826a21\"},
      \"target\": {\"typeURI\": \"service/security/account/user\",
      \"id\": \"d82204a0-d2a9-5034-affa-591d15a9391b\"}, \"observer\":
      {\"typeURI\": \"service/security\", \"id\":
      \"da9440a8-71ed-5a61-b747-9fc06164c2ee\"},
      \"eventType\": \"activity\", \"eventTime\":
      \"2017-01-25T15:29:36.316527+0000\",
      \"action\": \"authenticate\", \"outcome\": \"failure\", \"id\":
      \"c5cf0d09-d7e4-5526-bf22-fd20868ed7fd\"}, \"message_id\":
      \"3540d458-b03b-4c92-80bb-477e449112e5\"}", "oslo.version": "2.0"}
      
    • Use the Ceilometer CLI to list the events of a certain type:

      ceilometer event-list --query event_type=<EVENT_TYPE>
      

An example of a CADF Keystone notification formatted as a JSON document:

{
  "_unique_id": "950c821344064574bb401fb7bb58457f",
  "event_type": "identity.authenticate",
  "message_id": "3540d458-b03b-4c92-80bb-477e449112e5",
  "payload": {
    "action": "authenticate",
    "eventTime": "2017-01-25T15:29:36.316527+0000",
    "eventType": "activity",
    "id": "c5cf0d09-d7e4-5526-bf22-fd20868ed7fd",
    "initiator": {
      "host": {
        "address": "192.168.0.2",
        "agent": "keystoneauth1/2.3.0 python-requests/2.9.1 CPython/2.7.6"
      },
      "id": "42ca947ab83c4b86b843fccd36826a21",
      "typeURI": "service/security/account/user",
      "user_id": "42ca947ab83c4b86b843fccd36826a21"
    },
    "observer": {
      "id": "da9440a8-71ed-5a61-b747-9fc06164c2ee",
      "typeURI": "service/security"
    },
    "outcome": "failure",
    "target": {
      "id": "d82204a0-d2a9-5034-affa-591d15a9391b",
      "typeURI": "service/security/account/user"
    },
    "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
  },
  "priority": "INFO",
  "publisher_id": "identity.node-6.domain.tld",
  "timestamp": "2017-01-25 15:29:37.003472"
}
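
The RabbitMQ message shown in the verification step wraps the notification as a JSON string inside the oslo.message key, so a consumer has to decode it twice before it can read the CADF payload. The following Python code is an added example, not part of the original documentation or of Keystone: it unwraps that envelope, extracts the CADF fields, and counts failed identity.authenticate events per source address. The function names, the threshold of 3, and the sample messages (192.0.2.x addresses, constructed-user) are assumptions made for illustration.

```python
import json
from collections import Counter

def unwrap(raw):
    """Return the notification dict from an oslo.messaging 2.0 envelope
    (messaging/messagingv2 drivers) or from a bare notification body."""
    msg = json.loads(raw)
    if "oslo.message" in msg:   # the envelope carries the notification as a JSON string
        msg = json.loads(msg["oslo.message"])
    return msg

def summarize(n):
    """Extract the CADF fields an analyst usually pivots on."""
    p = n["payload"]
    init = p.get("initiator", {})
    return {
        "event_type": n.get("event_type"),
        "action": p.get("action"),
        "outcome": p.get("outcome"),
        "time": p.get("eventTime"),
        "user_id": init.get("user_id") or init.get("id"),
        "address": init.get("host", {}).get("address"),
    }

def failed_auth_sources(raw_messages, threshold=3):
    """Map source address -> count, for addresses with at least
    `threshold` failed identity.authenticate events."""
    counts = Counter()
    for raw in raw_messages:
        try:
            ev = summarize(unwrap(raw))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue            # not a well-formed notification, skip it
        if ev["event_type"] == "identity.authenticate" and ev["outcome"] == "failure":
            counts[ev["address"]] += 1
    return {a: c for a, c in counts.items() if c >= threshold}

def make_sample(address, outcome):
    """Constructed test message shaped like the RabbitMQ example above."""
    inner = {"event_type": "identity.authenticate", "priority": "INFO",
             "payload": {"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
                         "action": "authenticate", "outcome": outcome,
                         "eventTime": "2017-01-25T15:29:36.316527+0000",
                         "initiator": {"user_id": "constructed-user",
                                       "host": {"address": address}}}}
    return json.dumps({"oslo.message": json.dumps(inner), "oslo.version": "2.0"})

if __name__ == "__main__":
    msgs = [make_sample("192.0.2.10", "failure")] * 3 + [make_sample("192.0.2.11", "failure")]
    print(failed_auth_sources(msgs))
```

If identity.authenticate.success is listed in notification_opt_out as in step 4, only failure outcomes reach the consumer, which is sufficient for this count.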