Enable audit pipeline for heat

This change adds the keystonemiddleware audit paste filter[0]
and enables it for the heat-api, heat-cfn, and heat-cloudwatch
services. This provides the ability to audit API requests
for heat.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: Ib5a7dfd882416553ff6f43aa009e3e67871d7f4c
Gage Hugo 2019-04-11 12:38:06 -05:00
parent d544a556db
commit 9c13e80492
5 changed files with 46 additions and 3 deletions


@ -138,6 +138,7 @@ data:
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.json: {{ toJson .Values.conf.policy | b64enc }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
{{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
{{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}
{{- end }}
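Review bot: The new `api_audit_map.conf` entry reads `.Values.conf.api_audit_map`, but the values.yaml hunk in this same commit introduces the map under `conf.audit_api_map`, so the two names do not agree and this entry is rendered from a value that does not exist (presumably an empty file, or a template error, depending on how `to_oslo_conf` treats nil). The `filter:audit` section added to the paste config points `audit_map_file` at this file, so heat-api, heat-cfn and heat-cloudwatch would start with an unusable audit map. Rename one side so they match, e.g. `audit_api_map:` → `api_audit_map:` in values.yaml, consistent with the mounted filename. The same mismatch reaches the three deployment hunks, which mount `api_audit_map.conf` from the `heat-etc` volume.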


@ -102,6 +102,10 @@ spec:
mountPath: /etc/heat/policy.json
subPath: policy.json
readOnly: true
- name: heat-etc
mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-etc-heat


@ -102,6 +102,10 @@ spec:
mountPath: /etc/heat/policy.json
subPath: policy.json
readOnly: true
- name: heat-etc
mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-etc-heat


@ -98,6 +98,10 @@ spec:
mountPath: /etc/heat/policy.json
subPath: policy.json
readOnly: true
- name: heat-etc
mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
{{ if $mounts_heat_cloudwatch.volumeMounts }}{{ toYaml $mounts_heat_cloudwatch.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-etc-heat


@ -283,17 +283,17 @@ conf:
length: 40
paste:
pipeline:heat-api:
pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken context apiv1app
pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken audit context apiv1app
pipeline:heat-api-standalone:
pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation authurl authpassword context apiv1app
pipeline:heat-api-custombackend:
pipeline: cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
pipeline:heat-api-cfn:
pipeline: cors http_proxy_to_wsgi cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
pipeline: cors http_proxy_to_wsgi cfnversionnegotiation osprofiler ec2authtoken authtoken audit context apicfnv1app
pipeline:heat-api-cfn-standalone:
pipeline: cors http_proxy_to_wsgi cfnversionnegotiation ec2authtoken context apicfnv1app
pipeline:heat-api-cloudwatch:
pipeline: cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
pipeline: cors versionnegotiation osprofiler ec2authtoken authtoken audit context apicwapp
pipeline:heat-api-cloudwatch-standalone:
pipeline: cors versionnegotiation ec2authtoken context apicwapp
app:apiv1app:
@ -334,6 +334,9 @@ conf:
paste.filter_factory: heat.common.auth_password:filter_factory
filter:custombackendauth:
paste.filter_factory: heat.common.custom_backend_auth:filter_factory
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/heat/api_audit_map.conf
filter:request_id:
paste.filter_factory: oslo_middleware.request_id:RequestId.factory
filter:osprofiler:
@ -471,6 +474,33 @@ conf:
enable_proxy_headers_parsing: true
oslo_messaging_rabbit:
rabbit_ha_queues: True
audit_api_map:
DEFAULT:
target_endpoint_type: None
path_keywords:
stacks: stack
resources: resource
preview: None
detail: None
abandon: None
snapshots: snapshot
restore: None
outputs: output
metadata: server
signal: None
events: event
template: None
template_versions: template_version
functions: None
validate: None
resource_types: resource_type
build_info: None
actions: None
software_configs: software_config
software_deployments: software_deployment
services: None
service_endpoints:
orchestration:service/orchestration
logging:
loggers:
keys:
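Review bot: In the new `service_endpoints` section, `orchestration:service/orchestration` has no space after the colon, so YAML parses it as one plain-scalar string rather than a key/value pair; `service_endpoints` then holds a string instead of a mapping, and the rendered `[service_endpoints]` section will lack the `orchestration = service/orchestration` line the audit filter uses to classify the target service. It should read `orchestration: service/orchestration`. Separately, the `filter:audit` paste entry only wires the middleware in; keystonemiddleware's audit filter publishes its CADF events through oslo.messaging notifications unless `[audit_middleware_notifications]` in heat.conf is set otherwise, and this commit adds no such section to `conf.heat`, so it is worth confirming where the events actually end up (a notification consumer or the log driver) before relying on this for audit. The `conf:` mapping continues beyond the end of this hunk.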