ironic/doc/source/deploy/api-audit-support.rst
Devananda van der Veen d0e49e1b41 Documentation update
This patch contains several changes to the documentation which
were brought about by, initially, removing the webapi/v1 page and
replacing it with a link to the /api-ref/ page.

As I did that, I saw that our front page (index.html) needed to
be updated as well, and decided that the front page needed to
actually be completely rewritten -- while preserving all the links.

Some of the TOC links from the front page were malformed because
subpages included more than one H1 heading, so I had to make small
changes in the api-audit-support and code-contribution-guide and
dev-quickstart pages, in order for the front page to render properly.

As I corrected the headings on dev-quickstart, I realized the page
was not comprehensively organized, and so decided to reorganize the
sections and make it easier to navigate.

Here is a bullet-point summary of this change:
* Major changes to content and organization of index page
* Moved the version history from webapi/v1 to dev/webapi-version-history
* Added API conceptual guide at dev/webapi
* Replaced webapi/v1 with a link to dev/webapi, in case anyone
  bookmarked it
* Removed doc references to webapi/v1
* Merged the pages dev/contributing and dev/code-contribution-guide
* Removed duplicate H1 headers in deploy/api-audit-support
* Reorganized and renamed section headers in dev/dev-quickstart,
  and made some substantive corrections and changes as well
* Updated wording at the top of the index and deploy/user-guide pages.

Change-Id: Ib418e1d4fdfab4f0e15560270f39922e33df3f12
2016-08-23 12:49:04 -07:00


API Audit Logging

The audit middleware supports delivery of CADF audit events via the Oslo messaging notifier capability. Depending on the notification_driver configuration, audit events can be routed to the messaging infrastructure (notification_driver = messagingv2) or to a log file (notification_driver = log).

The audit middleware creates two events per REST API interaction. The first event contains information extracted from the request data, and the second contains the request outcome (response).

Enabling API Audit Logging

The audit middleware is available as part of the keystonemiddleware (>= 1.6) library. For information regarding how the audit middleware functions, refer here.

Auditing can be enabled for the Bare Metal service by making the following changes to /etc/ironic/ironic.conf.

  1. To enable audit logging of API requests:

    [audit]
    ...
    enabled=true

  2. To customize auditing of API requests, the audit middleware requires the audit_map_file setting to be defined. Set 'audit_map_file' to the location of the audit map file. Audit map file configuration options for the Bare Metal service are included in the etc/ironic/ironic_api_audit_map.conf.sample file. To understand the CADF format specified in the ironic_api_audit_map.conf file, refer to CADF Format:

    [audit]
    ...
    audit_map_file=/etc/ironic/ironic_api_audit_map.conf

  3. Optionally, set ignore_req_list to a comma-separated list of Ironic REST API HTTP methods to be ignored during audit. For example: GET,POST. It is used only when API audit is enabled.

    [audit]
    ...
    ignore_req_list=GET,POST
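
A check for the three [audit] settings described above, as an added example that is not part of the Ironic documentation or code base. The function name, the set of methods treated as state-changing and both sample configurations are assumptions constructed for illustration; a missing enabled option is treated as disabled.

```python
import configparser

# Methods that change state; ignoring them removes create/update/delete
# activity from the audit trail. This set is an assumed review policy,
# not something Ironic defines. Ignoring GET is left as a site decision.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample inputs (not taken from a real deployment).
WEAK = """[audit]
enabled=true
audit_map_file=/etc/ironic/ironic_api_audit_map.conf
ignore_req_list=GET,POST
"""
REVIEWED = WEAK.replace("GET,POST", "GET")


def check_audit_config(conf_text):
    """Return findings for the [audit] section of ironic.conf contents."""
    # default_section is renamed so [DEFAULT] options do not leak into [audit].
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    if not parser.has_section("audit"):
        return ["[audit] section missing: API audit logging is not enabled"]
    audit = parser["audit"]
    findings = []
    try:
        # Assumption: an absent 'enabled' option means auditing is off.
        enabled = audit.getboolean("enabled", fallback=False)
    except ValueError:
        enabled = False
        findings.append("enabled is not a valid boolean")
    if not enabled:
        findings.append("enabled is not true: no audit events are produced")
    if not audit.get("audit_map_file", fallback="").strip():
        findings.append("audit_map_file is not set")
    raw = audit.get("ignore_req_list", fallback="")
    ignored = {m.strip().upper() for m in raw.split(",") if m.strip()}
    for method in sorted(ignored & STATE_CHANGING):
        findings.append(
            f"ignore_req_list drops {method}: state-changing requests go unaudited")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("reviewed", REVIEWED)):
        print(name, check_audit_config(text) or "no findings")
```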

Sample Audit Event

The following is a sample audit event for an Ironic node list request.

{
   "event_type":"audit.http.request",
   "timestamp":"2016-06-15 06:04:30.904397",
   "payload":{
      "typeURI":"http://schemas.dmtf.org/cloud/audit/1.0/event",
      "eventTime":"2016-06-15T06:04:30.903071+0000",
      "target":{
         "id":"ironic",
         "typeURI":"unknown",
         "addresses":[
            {
               "url":"http://{ironic_admin_host}:6385",
               "name":"admin"
            },
            {
               "url":"http://{ironic_internal_host}:6385",
               "name":"private"
            },
            {
               "url":"http://{ironic_public_host}:6385",
               "name":"public"
            }
         ],
         "name":"ironic"
      },
      "observer":{
         "id":"target"
      },
      "tags":[
         "correlation_id?value=685f1abb-620e-5d5d-b74a-b4135fb32373"
      ],
      "eventType":"activity",
      "initiator":{
         "typeURI":"service/security/account/user",
         "name":"admin",
         "credential":{
            "token":"***",
            "identity_status":"Confirmed"
         },
         "host":{
            "agent":"python-ironicclient",
            "address":"10.1.200.129"
         },
         "project_id":"d8f52dd7d9e1475dbbf3ba47a4a83313",
         "id":"8c1a948bad3948929aa5d5b50627a174"
      },
      "action":"read",
      "outcome":"pending",
      "id":"061b7aa7-5879-5225-a331-c002cf23cb6c",
      "requestPath":"/v1/nodes/?associated=True"
   },
   "priority":"INFO",
   "publisher_id":"ironic-api",
   "message_id":"2f61ebaa-2d3e-4023-afba-f9fca6f21fc2"
}