From 9c13e80492ea149518c994060beb9f7c9816308b Mon Sep 17 00:00:00 2001
From: Gage Hugo
Date: Thu, 11 Apr 2019 12:38:06 -0500
Subject: [PATCH] Enable audit pipeline for heat

This change adds the keystonemiddleware audit paste filter[0] and enables it for the heat-api, heat-cfn, and heat-cloudwatch services. This provides the ability to audit API requests for heat.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: Ib5a7dfd882416553ff6f43aa009e3e67871d7f4c
---
 heat/templates/configmap-etc.yaml | 1 +
 heat/templates/deployment-api.yaml | 4 +++
 heat/templates/deployment-cfn.yaml | 4 +++
 heat/templates/deployment-cloudwatch.yaml | 4 +++
 heat/values.yaml | 36 +++++++++++++++++++++--
 5 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml
index 054e0321c2..926a0daefc 100644
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@@ -138,6 +138,7 @@ data:
 logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
 api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
 policy.json: {{ toJson .Values.conf.policy | b64enc }}
+ api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
 {{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
 {{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}
 {{- end }}
diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml
index cf45cc553c..528a772690 100644
--- a/heat/templates/deployment-api.yaml
+++ b/heat/templates/deployment-api.yaml
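Review bot: The new `api_audit_map.conf` entry looks up `.Values.conf.api_audit_map`, but the key this commit adds to heat/values.yaml (the `@@ -471,6 +474,33 @@` hunk) is spelled `audit_api_map`, so the lookup resolves to nil and the file mounted at `/etc/heat/api_audit_map.conf` is rendered empty instead of carrying the path_keywords and service_endpoints map the `filter:audit` section points at. Helm will not flag this because a nil value is valid template input, so the mismatch only shows up as an audit filter that cannot classify requests; I have not traced how keystonemiddleware handles an empty map file, so confirm whether it fails at startup or silently emits events without target information. Make the two sides agree, for example by renaming the values key to `api_audit_map:` so it also matches the filename.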
@@ -102,6 +102,10 @@ spec:
 mountPath: /etc/heat/policy.json
 subPath: policy.json
 readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
 {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-etc-heat
diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml
index 9f30ba62d2..e085f77a9b 100644
--- a/heat/templates/deployment-cfn.yaml
+++ b/heat/templates/deployment-cfn.yaml
@@ -102,6 +102,10 @@ spec:
 mountPath: /etc/heat/policy.json
 subPath: policy.json
 readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
 {{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-etc-heat
diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml
index 1d58d5ff3d..b350cb4574 100644
--- a/heat/templates/deployment-cloudwatch.yaml
+++ b/heat/templates/deployment-cloudwatch.yaml
@@ -98,6 +98,10 @@ spec:
 mountPath: /etc/heat/policy.json
 subPath: policy.json
 readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
 {{ if $mounts_heat_cloudwatch.volumeMounts }}{{ toYaml $mounts_heat_cloudwatch.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-etc-heat
diff --git a/heat/values.yaml b/heat/values.yaml
index 84e9ebe1a9..77938afed3 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -283,17 +283,17 @@ conf:
 length: 40
 paste:
 pipeline:heat-api:
- pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken context apiv1app
+ pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken audit context apiv1app
 pipeline:heat-api-standalone:
 pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation authurl authpassword context apiv1app
 pipeline:heat-api-custombackend:
 pipeline: cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
 pipeline:heat-api-cfn:
- pipeline: cors http_proxy_to_wsgi cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
+ pipeline: cors http_proxy_to_wsgi cfnversionnegotiation osprofiler ec2authtoken authtoken audit context apicfnv1app
 pipeline:heat-api-cfn-standalone:
 pipeline: cors http_proxy_to_wsgi cfnversionnegotiation ec2authtoken context apicfnv1app
 pipeline:heat-api-cloudwatch:
- pipeline: cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
+ pipeline: cors versionnegotiation osprofiler ec2authtoken authtoken audit context apicwapp
 pipeline:heat-api-cloudwatch-standalone:
 pipeline: cors versionnegotiation ec2authtoken context apicwapp
 app:apiv1app:
@@ -334,6 +334,9 @@ conf:
 paste.filter_factory: heat.common.auth_password:filter_factory
 filter:custombackendauth:
 paste.filter_factory: heat.common.custom_backend_auth:filter_factory
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/heat/api_audit_map.conf
 filter:request_id:
 paste.filter_factory: oslo_middleware.request_id:RequestId.factory
 filter:osprofiler:
@@ -471,6 +474,33 @@ conf:
 enable_proxy_headers_parsing: true
 oslo_messaging_rabbit:
 rabbit_ha_queues: True
+ audit_api_map:
+ DEFAULT:
+ target_endpoint_type: None
+ path_keywords:
+ stacks: stack
+ resources: resource
+ preview: None
+ detail: None
+ abandon: None
+ snapshots: snapshot
+ restore: None
+ outputs: output
+ metadata: server
+ signal: None
+ events: event
+ template: None
+ template_versions: template_version
+ functions: None
+ validate: None
+ resource_types: resource_type
+ build_info: None
+ actions: None
+ software_configs: software_config
+ software_deployments: software_deployment
+ services: None
+ service_endpoints:
+ orchestration:service/orchestration
 logging:
 loggers:
 keys:
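Review bot: The last added line, `orchestration:service/orchestration` under `service_endpoints:`, has no space after the colon, so YAML parses it as a single plain scalar that becomes the string value of `service_endpoints` rather than a mapping with key `orchestration`; the `to_oslo_conf` helper used by configmap-etc.yaml ranges over each section's value as a mapping, so once this section is actually rendered it would either fail or drop the endpoint entry the audit filter uses to resolve the target service. Change it to `orchestration: service/orchestration`. This is currently masked because the configmap looks up a different key name than `audit_api_map`, so fixing that mismatch will expose this one. Separately, the audit middleware publishes its CADF events through oslo.messaging notifications; unless heat.conf already sets a driver under `[oslo_messaging_notifications]` (not visible in this diff), the events may have nowhere to go, which is worth confirming before relying on this for audit coverage.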