commit e3294f0f911c888b578ffef50be237ade0955ac6
Author: Georgina <georgina.shippey@bbc.co.uk>
Date:   Mon Jul 20 13:44:48 2020 +0000

    Add CADF notifications for federated keystone
    
    Event notifications are useful for those that need to keep an audit
    trail. Turned off by default as these logs contain user specific data
    and local data protection laws should be considered.
    The default notification_opt_outs follow the keystone documentation.
    Please see here for more information on CADF notifications:
    https://docs.openstack.org/keystone/pike/advanced-topics/event_notifications.html
    
    Change-Id: Id1867b6b50fc769757781eabc208ee9ead65f4c9

diff --git a/defaults/main.yml b/defaults/main.yml
index 8ed6e54..122c352 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -333,6 +333,11 @@ keystone_sp: {}
 #keystone_sp:
 #  cert_duration_years: 5
 #  apache_mod: shibboleth  #or mod_auth_openidc
+#  cadf_notifications: false
+#  cadf_notifications_opt_out:
+#    - identity.authenticate.failed
+#    - identity.authenticate.pending
+#    - identity.authenticate.success
 #  trusted_dashboard_list:
 #    - "https://{{ external_lb_vip_address }}/auth/websso/"
 #    - "https://{{ horizon_server_name }}/auth/websso/"
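Review bot: The example opt-out list at the added lines suppresses all three identity.authenticate.* events, so an operator who copies it verbatim gets a CADF audit trail with no record of successful or failed logins, which are usually the events an audit or detection team wants most. This mirrors the upstream keystone example (chosen to reduce noise), but the trade-off is not visible here; a one-line comment above the list would make it explicit, e.g. `#  # opting out of identity.authenticate.* drops login success/failure records from the audit trail`. It may also be worth stating that the list is only honoured when cadf_notifications is true, which the template in this commit implies but the defaults file does not say.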
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index c01c98a..f638ea6 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -9,7 +9,19 @@ debug = {{ debug }}
 public_endpoint = {{ keystone_public_endpoint }}
 {% endif %}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
-
+{% if keystone_sp != {} and (keystone_sp.cadf_notifications is defined) and (keystone_sp.cadf_notifications | bool) %}
+{% set cadf_notifications = true %}
+{% else %}
+{% set cadf_notifications = false %}
+{% endif %}
+{% if cadf_notifications | bool %}
+notification_format = cadf
+{% if keystone_sp.cadf_notifications_opt_out is defined %}
+{% for opt_out in keystone_sp.cadf_notifications_opt_out %}
+notification_opt_out = {{ opt_out }}
+{% endfor %}
+{% endif %}
+{% endif %}
 
 ## Oslo.Messaging RPC
 transport_url = {{ keystone_oslomsg_rpc_transport }}://{% for host in keystone_oslomsg_rpc_servers.split(',') %}{{ keystone_oslomsg_rpc_userid }}:{{ keystone_oslomsg_rpc_password }}@{{ host }}:{{ keystone_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ keystone_oslomsg_rpc_vhost }}{% if keystone_oslomsg_rpc_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
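Review bot: The `keystone_sp != {}` test on the first added `{% if %}` is redundant with the `is defined` test that follows it, since `keystone_sp.cadf_notifications` is undefined whenever `keystone_sp` is empty; `{% if keystone_sp.cadf_notifications is defined and (keystone_sp.cadf_notifications | bool) %}` expresses the same condition more plainly. The `cadf_notifications` variable set here is relied on by the later `[oslo_messaging_notifications]` hunk in the same template, so a short comment such as `{# cadf_notifications is reused below to select the notification driver #}` would stop a future edit from moving or scoping the block. Note also that when cadf_notifications is true but cadf_notifications_opt_out is undefined, no opt-outs are written and every event (including identity.authenticate.*) is emitted; that is a reasonable default for an audit trail but deserves a comment next to the `is defined` check.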
@@ -18,7 +30,18 @@ transport_url = {{ keystone_oslomsg_rpc_transport }}://{% for host in keystone_o
 ssl = {{ keystone_oslomsg_rpc_use_ssl }}
 
 [oslo_messaging_notifications]
-driver = {{ (keystone_ceilometer_enabled | bool) | ternary('messagingv2', 'noop') }}
+{% if keystone_ceilometer_enabled | bool %}
+driver = messagingv2
+{% set notification_driver = true %}
+{% endif %}
+{% if cadf_notifications | bool %}
+driver = log
+{% set notification_driver = true %}
+{% endif %}
+{% if notification_driver is not defined or notification_driver == false | bool %}
+driver = noop
+{% endif %}
+
 transport_url = {{ keystone_oslomsg_notify_transport }}://{% for host in keystone_oslomsg_notify_servers.split(',') %}{{ keystone_oslomsg_notify_userid }}:{{ keystone_oslomsg_notify_password }}@{{ host }}:{{ keystone_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ keystone_oslomsg_notify_vhost }}{% if keystone_oslomsg_notify_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
 
 {% if keystone_cache_servers | length > 0 %}
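Review bot: The second clause of `{% if notification_driver is not defined or notification_driver == false | bool %}` is dead code: `notification_driver` is only ever set to `true` in the two branches above it, and the filter binds tighter than `==`, so the clause compares against a constant `False` that can never match. `{% if notification_driver is not defined %}` is sufficient and reads as intended. Emitting both `driver = messagingv2` and `driver = log` when ceilometer and CADF are both enabled looks deliberate, as the oslo.messaging `driver` option accepts repeated values, but a comment saying so would save the next reader from treating the second line as an override of the first. Since the `log` driver writes the CADF events into keystone's own log stream, the caveat from the commit message about user-specific data belongs as a comment next to `driver = log` so operators handling log retention and access see it.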