Enable audit pipeline for cinder

This change adds the keystonemiddleware audit paste filter[0] and enables it for the cinder-api and cinder-scheduler services. This provides the ability to audit API requests for cinder. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: If81b88a4003bc4394ef4a378626cf5d6edb9c4ae
2019-04-11 10:53:02 -05:00 · 2019-04-11 10:53:02 -05:00 · 2f46c057a4
commit 2f46c057a4
parent 94ac3569f5
3 changed files with 34 additions and 6 deletions
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@ -119,6 +119,7 @@ data:
  backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
  cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
  rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
  resource_filters.json: {{ toJson .Values.conf.resource_filters | b64enc }}
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@ -118,6 +118,10 @@ spec:
              mountPath: /etc/cinder/policy.json
              subPath: policy.json
              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
            - name: cinder-etc
              mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
              subPath: resource_filters.json
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -312,18 +312,18 @@ conf:
    composite:openstack_volume_api_v1:
      use: call:cinder.api.middleware.auth:pipeline_factory
      noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
-      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
-      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
+      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
    composite:openstack_volume_api_v2:
      use: call:cinder.api.middleware.auth:pipeline_factory
      noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
-      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
-      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
+      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
    composite:openstack_volume_api_v3:
      use: call:cinder.api.middleware.auth:pipeline_factory
      noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
-      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
-      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
+      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
    filter:request_id:
      paste.filter_factory: oslo_middleware.request_id:RequestId.factory
    filter:http_proxy_to_wsgi:
@ -353,6 +353,9 @@ conf:
      paste.filter_factory: cinder.api.middleware.auth:CinderKeystoneContext.factory
    filter:authtoken:
      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/cinder/api_audit_map.conf
  policy:
    context_is_admin: role:admin
    admin_or_owner: is_admin:True or project_id:%(project_id)s
@ -469,6 +472,26 @@ conf:
    clusters:get: rule:admin_api
    clusters:get_all: rule:admin_api
    clusters:update: rule:admin_api
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    custom_actions:
+      associate: update/associate
+      disassociate: update/disassociate_all
+      disassociate_all: update/disassociate_all
+      associations: read/list/associations
+    path_keywords:
+      defaults: None
+      detail: None
+      limits: None
+      os-quota-specs: project
+      qos-specs: qos-spec
+      snapshots: snapshot
+      types: type
+      volumes: volume
+    service_endpoints:
+      volume: service/storage/block
+      volumev2: service/storage/block
  cinder_sudoers: |
    # This sudoers file supports rootwrap for both Kolla and LOCI Images.
    Defaults !requiretty