Enable audit pipeline for cinder

This change adds the keystonemiddleware audit paste filter[0]
and enables it for the cinder-api and cinder-scheduler services.
This provides the ability to audit API requests for cinder.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: If81b88a4003bc4394ef4a378626cf5d6edb9c4ae

cinder/templates/configmap-etc.yaml

@@ -119,6 +119,7 @@ data:
   backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
   api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
   policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
   cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
   rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
   resource_filters.json: {{ toJson .Values.conf.resource_filters | b64enc }}

cinder/templates/deployment-api.yaml

@@ -118,6 +118,10 @@ spec:
               mountPath: /etc/cinder/policy.json
               subPath: policy.json
               readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
             - name: cinder-etc
               mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
               subPath: resource_filters.json

cinder/values.yaml

@@ -312,18 +312,18 @@ conf:
     composite:openstack_volume_api_v1:
       use: call:cinder.api.middleware.auth:pipeline_factory
       noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
-      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
-      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
     composite:openstack_volume_api_v2:
       use: call:cinder.api.middleware.auth:pipeline_factory
       noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
-      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
-      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
     composite:openstack_volume_api_v3:
       use: call:cinder.api.middleware.auth:pipeline_factory
       noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
-      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
-      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
     filter:request_id:
       paste.filter_factory: oslo_middleware.request_id:RequestId.factory
     filter:http_proxy_to_wsgi:
@@ -353,6 +353,9 @@ conf:
       paste.filter_factory: cinder.api.middleware.auth:CinderKeystoneContext.factory
     filter:authtoken:
       paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/cinder/api_audit_map.conf
   policy:
     context_is_admin: role:admin
     admin_or_owner: is_admin:True or project_id:%(project_id)s
@@ -469,6 +472,26 @@ conf:
     clusters:get: rule:admin_api
     clusters:get_all: rule:admin_api
     clusters:update: rule:admin_api
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    custom_actions:
+      associate: update/associate
+      disassociate: update/disassociate_all
+      disassociate_all: update/disassociate_all
+      associations: read/list/associations
+    path_keywords:
+      defaults: None
+      detail: None
+      limits: None
+      os-quota-specs: project
+      qos-specs: qos-spec
+      snapshots: snapshot
+      types: type
+      volumes: volume
+    service_endpoints:
+      volume: service/storage/block
+      volumev2: service/storage/block
   cinder_sudoers: |
     # This sudoers file supports rootwrap for both Kolla and LOCI Images.
     Defaults !requiretty