Enable audit pipeline for heat

This change adds the keystonemiddleware audit paste filter[0] and enables it for the heat-api, heat-cfn, and heat-cloudwatch services. This provides the ability to audit API requests for heat. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: Ib5a7dfd882416553ff6f43aa009e3e67871d7f4c
2019-04-11 12:38:06 -05:00 · 2019-04-11 12:38:06 -05:00 · 9c13e80492
commit 9c13e80492
parent d544a556db
5 changed files with 46 additions and 3 deletions
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@ -138,6 +138,7 @@ data:
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
 {{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
  {{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}
 {{- end }}
--- a/heat/templates/deployment-api.yaml
+++ b/heat/templates/deployment-api.yaml
@ -102,6 +102,10 @@ spec:
              mountPath: /etc/heat/policy.json
              subPath: policy.json
              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
 {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-etc-heat
--- a/heat/templates/deployment-cfn.yaml
+++ b/heat/templates/deployment-cfn.yaml
@ -102,6 +102,10 @@ spec:
              mountPath: /etc/heat/policy.json
              subPath: policy.json
              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
 {{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-etc-heat
--- a/heat/templates/deployment-cloudwatch.yaml
+++ b/heat/templates/deployment-cloudwatch.yaml
@ -98,6 +98,10 @@ spec:
              mountPath: /etc/heat/policy.json
              subPath: policy.json
              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
 {{ if $mounts_heat_cloudwatch.volumeMounts }}{{ toYaml $mounts_heat_cloudwatch.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-etc-heat
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -283,17 +283,17 @@ conf:
                length: 40
  paste:
    pipeline:heat-api:
-      pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken context apiv1app
+      pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken audit context apiv1app
    pipeline:heat-api-standalone:
      pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation authurl authpassword context apiv1app
    pipeline:heat-api-custombackend:
      pipeline: cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
    pipeline:heat-api-cfn:
-      pipeline: cors http_proxy_to_wsgi cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
+      pipeline: cors http_proxy_to_wsgi cfnversionnegotiation osprofiler ec2authtoken authtoken audit context apicfnv1app
    pipeline:heat-api-cfn-standalone:
      pipeline: cors http_proxy_to_wsgi cfnversionnegotiation ec2authtoken context apicfnv1app
    pipeline:heat-api-cloudwatch:
-      pipeline: cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
+      pipeline: cors versionnegotiation osprofiler ec2authtoken authtoken audit context apicwapp
    pipeline:heat-api-cloudwatch-standalone:
      pipeline: cors versionnegotiation ec2authtoken context apicwapp
    app:apiv1app:
@ -334,6 +334,9 @@ conf:
      paste.filter_factory: heat.common.auth_password:filter_factory
    filter:custombackendauth:
      paste.filter_factory: heat.common.custom_backend_auth:filter_factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/heat/api_audit_map.conf
    filter:request_id:
      paste.filter_factory: oslo_middleware.request_id:RequestId.factory
    filter:osprofiler:
@ -471,6 +474,33 @@ conf:
      enable_proxy_headers_parsing: true
    oslo_messaging_rabbit:
      rabbit_ha_queues: True
+  audit_api_map:
+    DEFAULT:
+      target_endpoint_type: None
+    path_keywords:
+      stacks: stack
+      resources: resource
+      preview: None
+      detail: None
+      abandon: None
+      snapshots: snapshot
+      restore: None
+      outputs: output
+      metadata: server
+      signal: None
+      events: event
+      template: None
+      template_versions: template_version
+      functions: None
+      validate: None
+      resource_types: resource_type
+      build_info: None
+      actions: None
+      software_configs: software_config
+      software_deployments: software_deployment
+      services: None
+    service_endpoints:
+      orchestration:service/orchestration
  logging:
    loggers:
      keys: