Add user_id,project_id traits to audit events
The ceilometer audit events stored at the ceilometer database currently don't have user_id/project_id associated with them even though this information is available as part of the event message payload. The user_id and project_id information has to be stored as traits so that there's user/project context for each event and these traits are required to apply RBAC-based rules and filters on events. For eg., presence of these traits enable db queries - like get all events for a project/user against events. The audit event definition in the events yaml file already stores payload.initiator.id as initiator_id but the initiator_id trait is not a common trait across all events and thus this trait cannot be used to apply RBAC filter against events.This changeset will thus add user_id and project_id traits to the audit events namely *.http.* and add useri_id and project_id as default traits for all events. DocImpact Change-Id: If4034342c4e60d519f0ec96ae8895dcf78f8ad3b blueprint: events-rbac
This commit is contained in:
Divya
parent
c18d69a800
commit
6a532111bc
|
|
@ -154,6 +154,12 @@ class EventDefinition(object):
|
||||||
DEFAULT_TRAITS = dict(
|
DEFAULT_TRAITS = dict(
|
||||||
service=dict(type='text', fields='publisher_id'),
|
service=dict(type='text', fields='publisher_id'),
|
||||||
request_id=dict(type='text', fields='_context_request_id'),
|
request_id=dict(type='text', fields='_context_request_id'),
|
||||||
|
project_id=dict(type='text', fields=['payload.tenant_id',
|
||||||
|
'_context_tenant']),
|
||||||
|
user_id=dict(type='text', fields=['payload.user_id',
|
||||||
|
'_context_user_id']),
|
||||||
|
# TODO(dikonoor):tenant_id is old terminology and should
|
||||||
|
# be deprecated
|
||||||
tenant_id=dict(type='text', fields=['payload.tenant_id',
|
tenant_id=dict(type='text', fields=['payload.tenant_id',
|
||||||
'_context_tenant']),
|
'_context_tenant']),
|
||||||
)
|
)
|
||||||
|
|
|
||||||
|
|
@ -126,6 +126,8 @@ all events if the notification has the relevant data:
|
||||||
* service: (All notifications should have this) notification's publisher
|
* service: (All notifications should have this) notification's publisher
|
||||||
* tenant_id
|
* tenant_id
|
||||||
* request_id
|
* request_id
|
||||||
|
* project_id
|
||||||
|
* user_id
|
||||||
|
|
||||||
These do not have to be specified in the event definition, they are
|
These do not have to be specified in the event definition, they are
|
||||||
automatically added, but their definitions can be overridden for a given
|
automatically added, but their definitions can be overridden for a given
|
||||||
|
|
|
||||||
|
|
@ -331,6 +331,10 @@
|
||||||
fields: ['payload.ipsec_site_connection.id', 'payload.id']
|
fields: ['payload.ipsec_site_connection.id', 'payload.id']
|
||||||
- event_type: '*http.*'
|
- event_type: '*http.*'
|
||||||
traits: &http_audit
|
traits: &http_audit
|
||||||
|
project_id:
|
||||||
|
fields: payload.initiator.project_id
|
||||||
|
user_id:
|
||||||
|
fields: payload.initiator.id
|
||||||
typeURI:
|
typeURI:
|
||||||
fields: payload.typeURI
|
fields: payload.typeURI
|
||||||
eventType:
|
eventType:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue