openstack/keystonemiddleware
Code Issues Proposed changes

Fix audit target service selection

Browse Source 
The keystonemiddleware audit code would select the wrong OpenStack service
endpoint for a request if the cloud is not using unique TCP ports for each
service endpoint. As most services are no longer using a port per service,
but instead using unique paths, this caused the audit to select the wrong
target service. This leads to incorrect audit logging due to the wrong
audit map being used.

This patch checks the request to see if a TCP port was present in the request,
and if not, fall back to using the target_endpoint_type configured in the
audit map file.

Change-Id: Ie2e0bf74ecca485d599a4041bb770bd6e296bc99
Closes-bug: 1797584
This commit is contained in:
Michael Johnson 2018-10-12 09:05:10 -07:00
parent 536a8701ed
commit 782729b6e9
3 changed files with 46 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
keystonemiddleware/audit/_api.py
View File

@ -272,8 +272,8 @@ class OpenStackAuditApi(object):
public_urlparse = urlparse.urlparse(
endpoint_urls.get('publicURL', ''))
req_url = urlparse.urlparse(req.host_url)
if (req_url.netloc == admin_urlparse.netloc
or req_url.netloc == public_urlparse.netloc):
if req_url.port and (req_url.netloc == admin_urlparse.netloc
or req_url.netloc == public_urlparse.netloc):
service_info = self._get_service_info(endp)
break
elif (self._MAP.default_target_endpoint_type and

38
keystonemiddleware/tests/unit/audit/test_audit_api.py
View File

@ -320,6 +320,44 @@ class AuditApiLogicTest(base.BaseAuditMiddlewareTest):
payload = self.get_payload('GET', url, environ=env_headers)
self.assertEqual(payload['target']['name'], "unknown")
def test_endpoint_no_service_port(self):
with open(self.audit_map, "w") as f:
f.write("[DEFAULT]\n")
f.write("target_endpoint_type = load-balancer\n")
f.write("[path_keywords]\n")
f.write("loadbalancers = loadbalancer\n\n")
f.write("[service_endpoints]\n")
f.write("load-balancer = service/load-balancer")
env_headers = {'HTTP_X_SERVICE_CATALOG':
'''[{"endpoints_links": [],
"endpoints": [{"adminURL":
"http://admin_host/compute",
"region": "RegionOne",
"publicURL":
"http://public_host/compute"}],
"type": "compute",
"name": "nova"},
{"endpoints_links": [],
"endpoints": [{"adminURL":
"http://admin_host/load-balancer",
"region": "RegionOne",
"publicURL":
"http://public_host/load-balancer"}],
"type": "load-balancer",
"name": "octavia"}]''',
'HTTP_X_USER_ID': 'user_id',
'HTTP_X_USER_NAME': 'user_name',
'HTTP_X_AUTH_TOKEN': 'token',
'HTTP_X_PROJECT_ID': 'tenant_id',
'HTTP_X_IDENTITY_STATUS': 'Confirmed',
'REQUEST_METHOD': 'GET'}
url = ('http://admin_host/load-balancer/v2/loadbalancers/' +
str(uuid.uuid4()))
payload = self.get_payload('GET', url, environ=env_headers)
self.assertEqual(payload['target']['id'], 'octavia')
def test_no_auth_token(self):
# Test cases where API requests such as Swift list public containers
# which does not require an auth token. In these cases, CADF event

6
releasenotes/notes/fix-audit-no-service-endpoint-ports-72b2009d631dcf19.yaml Normal file
View File

@ -0,0 +1,6 @@
---
fixes:
- |
[`bug 1797584 <https://bugs.launchpad.net/keystonemiddleware/+bug/1797584>`_]
Fixed a bug where the audit code would select the wrong target service
if the OpenStack service endpoints were not using unique TCP ports.