Enable audit pipeline for glance

This change adds the keystonemiddleware audit paste filter[0] and enables it for the glance-api and glance-registry services. This provides the ability to audit API requests for glance. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: I3b42717dbc11257c21b27e7c68dedc3283e1bd34
2019-04-10 15:32:38 -05:00 · 2019-04-10 15:32:38 -05:00 · 4e4a4c389c
commit 4e4a4c389c
parent 94ac3569f5
4 changed files with 30 additions and 4 deletions
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@ -170,5 +170,6 @@ data:
  glance-registry.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.glance_registry | b64enc }}
  glance-registry-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste_registry | b64enc }}
  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
 {{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
 {{- end }}
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@ -135,6 +135,10 @@ spec:
              mountPath: /etc/glance/policy.json
              subPath: policy.json
              readOnly: true
+            - name: glance-etc
+              mountPath: /etc/glance/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
            - name: glance-etc
              mountPath: {{ .Values.conf.glance.glance_store.swift_store_config_file }}
              subPath: swift-store.conf
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@ -90,6 +90,10 @@ spec:
              mountPath: /etc/glance/glance-registry.conf
              subPath: glance-registry.conf
              readOnly: true
+            - name: glance-etc
+              mountPath: /etc/glance/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
            - name: glance-etc
              mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }}
              subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -164,11 +164,11 @@ conf:
    pipeline:glance-api-cachemanagement:
      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
    pipeline:glance-api-keystone:
-      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context  rootapp
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context  rootapp
    pipeline:glance-api-keystone+caching:
-      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache rootapp
    pipeline:glance-api-keystone+cachemanagement:
-      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache cachemanage rootapp
    pipeline:glance-api-trusted-auth:
      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
    pipeline:glance-api-trusted-auth+cachemanagement:
@ -201,6 +201,9 @@ conf:
    filter:authtoken:
      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
      delay_auth_decision: true
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/glance/api_audit_map.conf
    filter:gzip:
      paste.filter_factory: glance.api.middleware.gzip:GzipMiddleware.factory
    filter:osprofiler:
@ -356,11 +359,22 @@ conf:
    formatter_default:
      format: "%(message)s"
      datefmt: "%Y-%m-%d %H:%M:%S"
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    path_keywords:
+      detail: None
+      file: None
+      images: image
+      members: member
+      tags: tag
+    service_endpoints:
+      image: 'service/storage/image'
  paste_registry:
    pipeline:glance-registry:
      pipeline: healthcheck osprofiler unauthenticated-context registryapp
    pipeline:glance-registry-keystone:
-      pipeline: healthcheck osprofiler authtoken context registryapp
+      pipeline: healthcheck osprofiler authtoken audit context registryapp
    pipeline:glance-registry-trusted-auth:
      pipeline: healthcheck osprofiler context registryapp
    app:registryapp:
@ -379,6 +393,9 @@ conf:
      paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
      hmac_keys: SECRET_KEY  # DEPRECATED
      enabled: yes  # DEPRECATED
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/glance/api_audit_map.conf
  glance_registry:
    DEFAULT:
      # NOTE(portdirect): the bind port should not be defined, and is manipulated