Enable audit pipeline for glance

This change adds the keystonemiddleware audit paste filter[0]
and enables it for the glance-api and glance-registry services.
This provides the ability to audit API requests for glance.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: I3b42717dbc11257c21b27e7c68dedc3283e1bd34
This commit is contained in:
Gage Hugo 2019-04-10 15:32:38 -05:00
parent 94ac3569f5
commit 4e4a4c389c
4 changed files with 30 additions and 4 deletions

View File

@ -170,5 +170,6 @@ data:
glance-registry.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.glance_registry | b64enc }}
glance-registry-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste_registry | b64enc }}
policy.json: {{ toJson .Values.conf.policy | b64enc }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
{{- end }}

View File

@ -135,6 +135,10 @@ spec:
mountPath: /etc/glance/policy.json
subPath: policy.json
readOnly: true
- name: glance-etc
mountPath: /etc/glance/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
- name: glance-etc
mountPath: {{ .Values.conf.glance.glance_store.swift_store_config_file }}
subPath: swift-store.conf

View File

@ -90,6 +90,10 @@ spec:
mountPath: /etc/glance/glance-registry.conf
subPath: glance-registry.conf
readOnly: true
- name: glance-etc
mountPath: /etc/glance/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
- name: glance-etc
mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }}
subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}

View File

@ -164,11 +164,11 @@ conf:
pipeline:glance-api-cachemanagement:
pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
pipeline:glance-api-keystone:
pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context rootapp
pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context rootapp
pipeline:glance-api-keystone+caching:
pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache rootapp
pipeline:glance-api-keystone+cachemanagement:
pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache cachemanage rootapp
pipeline:glance-api-trusted-auth:
pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
pipeline:glance-api-trusted-auth+cachemanagement:
@ -201,6 +201,9 @@ conf:
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
delay_auth_decision: true
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/glance/api_audit_map.conf
filter:gzip:
paste.filter_factory: glance.api.middleware.gzip:GzipMiddleware.factory
filter:osprofiler:
@ -356,11 +359,22 @@ conf:
formatter_default:
format: "%(message)s"
datefmt: "%Y-%m-%d %H:%M:%S"
api_audit_map:
DEFAULT:
target_endpoint_type: None
path_keywords:
detail: None
file: None
images: image
members: member
tags: tag
service_endpoints:
image: 'service/storage/image'
paste_registry:
pipeline:glance-registry:
pipeline: healthcheck osprofiler unauthenticated-context registryapp
pipeline:glance-registry-keystone:
pipeline: healthcheck osprofiler authtoken context registryapp
pipeline: healthcheck osprofiler authtoken audit context registryapp
pipeline:glance-registry-trusted-auth:
pipeline: healthcheck osprofiler context registryapp
app:registryapp:
@ -379,6 +393,9 @@ conf:
paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
hmac_keys: SECRET_KEY # DEPRECATED
enabled: yes # DEPRECATED
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/glance/api_audit_map.conf
glance_registry:
DEFAULT:
# NOTE(portdirect): the bind port should not be defined, and is manipulated