Adding content about auditing with CADF

Created new Keystone section for Auditing, copied existing CADF content from keystone /developer docs. Change-Id: Ic85d6a7fb639a760035d7b6c4dca32ee5130dee1 Closes-Bug: #1281766
2016-02-17 16:51:36 +10:00 · 2016-02-17 16:51:36 +10:00 · 0be4bd83d7
commit 0be4bd83d7
parent 48ff66f1f0
2 changed files with 69 additions and 0 deletions
--- a/doc/config-reference/source/identity.rst
+++ b/doc/config-reference/source/identity.rst
@ -5,6 +5,7 @@ Identity service
 .. toctree::
   identity/caching.rst
   identity/auditing.rst
   identity/options.rst
   identity/sample-configuration-files.rst
   tables/conf-changes/keystone.rst
--- a/doc/config-reference/source/identity/auditing.rst
+++ b/doc/config-reference/source/identity/auditing.rst
@ -0,0 +1,68 @@
 ==================
 Auditing with CADF
 ==================
 The Identity service uses the `PyCADF`_ library to emit CADF (Cloud Auditing
 Data Federation) notifications. These events adhere to the DMTF (Distributed
 Management Task Force)`CADF`_ specification. The DMTF standard provides
 auditing capabilities for compliance with security, operational, and business
 processes and supports normalized and categorized event data for federation
 and aggregation.
 .. _PyCADF: http://docs.openstack.org/developer/pycadf
 .. _CADF: http://www.dmtf.org/standards/cadf
 CADF notifications include additional context data around the ``resource``,
 the ``action``, and the ``initiator``.
 CADF notifications may be emitted by changing the ``notification_format`` to
 ``cadf`` in the configuration file.
 The ``payload`` portion of a CADF notification is a CADF ``event``, which
 is represented as a JSON dictionary. For example:
 .. code-block:: javascript
    {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "initiator": {
            "typeURI": "service/security/account/user",
            "host": {
                "agent": "curl/7.22.0(x86_64-pc-linux-gnu)",
                "address": "127.0.0.1"
            },
            "id": "<initiator_id>"
        },
        "target": {
            "typeURI": "<target_uri>",
            "id": "openstack:1c2fc591-facb-4479-a327-520dade1ea15"
        },
        "observer": {
            "typeURI": "service/security",
            "id": "openstack:3d4a50a9-2b59-438b-bf19-c231f9c7625a"
        },
        "eventType": "activity",
        "eventTime": "2014-02-14T01:20:47.932842+00:00",
        "action": "<action>",
        "outcome": "success",
        "id": "openstack:f5352d7b-bee6-4c22-8213-450e7b646e9f",
    }
 Where the following are defined:
 * ``<initiator_id>``: ID of the user that performed the operation
 * ``<target_uri>``: CADF specific target URI, (for example:
  data/security/project)
 * ``<action>``: The action being performed, typically:
  ``<operation>``. ``<resource_type>``
 Additionally there may be extra keys present depending on the operation being
 performed, these will be discussed below.
 .. note::
    The ``eventType`` property of the CADF payload is different from the
    ``event_type`` property of a notification. ``eventType`` is a CADF
    keyword which designates the type of event that is being measured:
    `activity`, `monitor` or `control`. Whereas ``event_type`` is described
    in previous sections as `identity.<resource_type>.<operation>`.