Merge "Spec for adding audit capability using CADF specification."

2015-06-23 13:59:05 +00:00 · 2015-06-23 13:59:05 +00:00 · 88e2e6d5b7
parent 5ba18b8aaa 3bb84f6b85
commit 88e2e6d5b7
1 changed files with 257 additions and 0 deletions
--- a/specs/liberty/audit-cadf-events.rst
+++ b/specs/liberty/audit-cadf-events.rst
@ -0,0 +1,257 @@
+..
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
+ License.
+
+ http://creativecommons.org/licenses/by/3.0/legalcode
+
+==========================================================
+Add auditing capability via CADF based notification events
+==========================================================
+
+https://blueprints.launchpad.net/barbican/+spec/audit-cadf-events
+
+This proposal is to add auditing capability in Barbican using CADF (Cloud Audit
+Data Federation) specification. The idea is to identify auditable attributes and
+construct audit data record as per CADF event specification and provide delivery
+option via OpenStack notification framework to interested services and consumers.
+
+DMTF CADF standard provides auditing capabilities for compliance with security,
+operational and business processes. See References section in end for more details
+around CADF specification.
+
+Problem Description
+===================
+
+Large number of enterprise faces challenge when moving to OpenStack cloud.
+And most of these challenges have nothing to do with OpenStack service capabilities.
+Instead, the challenges are in terms of auditing and monitoring their workload and
+data in accordance with their strict corporate, industry or regional policies and
+compliance requirements (FIPS-140-2, PCI-DSS, SoX, ISO 27017 etc).
+Barbican, being a security component in a cloud, has similar auditing requirement.
+
+In addition, Barbican has this concept of soft deletes where it keeps resources in
+database even after they are marked deleted and are no longer used in live systems.
+The idea is to have a sense of audit trail of its resources state. This approach
+does not provide much value in terms of audit other than when it was marked deleted.
+
+Proposed Change
+===============
+
+To add auditing capability in Barbican, proposal is to leverage a existing standard
+instead of creating own semantics and audit data model. In OpenStack ecosystem,
+number of services (Ceilometer, Keystone) are using CADF based event data model to
+report activities on its resources. Using CADF standard for auditing will allow
+consistent reporting across services and will allow customers to use common audit
+tools and processes for their audit data.
+
+The CADF model can answer critical questions about activity or event happening on
+rest resources in a normative manner using CADF's seven W's of auditing (What,
+When, Who, On What, Where, From Where, To Where). See Auditing Event Details section
+below.
+
+The overhead of adding audit data interaction can be minimized by publishing
+audit event as OpenStack notifications where event publisher does not have to wait
+for response/ acknowledgment. This way audit event delivery is decoupled and can
+still benefit from messaging infrastructure durability and delivery guarantees.
+
+Auditing Event Details
+-----------------------
+
+Audit event data is constructed using who initiated request, request outcome, resource
+operated on, resource identifier and event type information. Following is sample
+of seven W\'s of auditing values for Barbican rest resources.
+
+  +-------------+-------------+----------------------+------------------------------+
+  | W Component | Resource    | CADF                 | Possible                     |
+  |             |             | Properties           | Values                       |
+  +=============+=============+======================+==============================+
+  |  What       | POST/PUT/   | event.type           |activity/monitor/control      |
+  |             | DELETE      | event.outcome        |success/failure/pending       |
+  |             | v1/secrets  |                      |                              |
+  +-------------+-------------+----------------------+------------------------------+
+  |  When       |             | event.eventTime      |{event generation timestamp}  |
+  +-------------+-------------+----------------------+------------------------------+
+  |  Who        |             | initiator.id         |{token user id}               |
+  |             |             | initiator.type       |service/security/account/user |
+  |             |             | initiator.project_id |{scoped token project id}     |
+  +-------------+-------------+----------------------+------------------------------+
+  |  From Where |             | initiator.host       |environemnt REMOTE_ADDR       |
+  |             |             | initiator.agent      |environment HTTP_USER_AGENT   |
+  +-------------+-------------+----------------------+------------------------------+
+  |  On What    |             | target.id            |resource id (secret/container)|
+  |             |             | target.type          |data/keymgr/secret            |
+  +-------------+-------------+----------------------+------------------------------+
+  |  Where      |             | observer.id          |target                        |
+  |             |             | observer.type        |service/keymgr                |
+  +-------------+-------------+----------------------+------------------------------+
+  |  To Where   |             |                      |                              |
+  +-------------+-------------+----------------------+------------------------------+
+
+CADF extension properties (mentioned below) can be used to capture domain specific
+data available as part of rest request. Currently there is no plan to add these
+properties as this may need per resource awareness in common decorator logic.
+
+- event.attachments (structured or unstructured data)
+- event.tags (domain specific identifiers/ classifications)
+
+
+**pyCADF changes**
+
+Creation of audit event requires oslo pyCADF library. pyCADF library needs to be
+updated to reflect Barbican specific resource types. As per pyCADF contributors,
+either use existing types or create very few new generic types. Following Barbican
+specific resource types are going to be added in pyCADF resource taxonomy.
+
+#. data/keymgr/secret
+
+#. data/keymgr/container
+
+#. data/keymgr/order
+
+#. data/keymgr  - general placeholder for all other remaining resourcs.
+
+#. service/keymgr
+
+Above types are going to be added in pyCADF taxonomy as mentioned in link below.
+
+* pyCADF resource taxonomy
+  https://github.com/openstack/pycadf/blob/master/pycadf/cadftaxonomy.py#L111
+
+Audit Event Generation
+----------------------
+
+For API requests, audit event are going to be generated using audit middleware approach.
+This middleware is now available as part of keystonemiddleware (> 1.5) library. This
+library has Keystone middleware which is used by Barbican for Keystone token validation.
+
+Audit middleware is going to create two events per Barbican REST API invocation. One with
+information extracted from request data and the second correlated one with request outcome
+(response). The mapping information is going to be managed via barbican specific configuration
+file which is going to be similar to files described in following pycadf samples link.
+https://github.com/openstack/pycadf/tree/master/etc/pycadf
+
+For asynchronous task processing workers, audit event is constructed using task related
+data. It can be be implemented as a decorator which can be added to each task common
+methods (handle_processing, handle_success and handle_error) or can be added on base task
+process method. This audit event is going to be published as notification to same queue
+which is used by audit middleware as well.
+
+
+Audit Event Delivery
+--------------------
+
+Internally audit middleware uses an oslo messaging based notifier to publish CADF
+events to configured messaging infrastructure. Audit decorators will use similar
+approach.
+
+Audit middleware is added to Barbican request pipeline via additional filter in
+`barbican-api-paste.ini` where related audit mapping file path is defined. Delivery of
+audit event via decorator needs to be configurable as developer boxes may not necessarily
+have the needed setup. By default, audit delivery as notification is going to disabled.
+
+The oslo messaging framework supports publish of this audit data to messaging queue via
+'messagingv2' driver or can be written to log files via its 'log' driver.
+
+
+Alternatives
+------------
+
+We could rely on Barbican existing logging but that does not provide a complete
+and consistent picture of service audit data. Non-standard logging means that cloud
+provider need service specific audit tools to aggregate and analyze the logs.
+
+Security impact
+---------------
+
+This improves security in the stack by providing audit capability. This will
+help in addressing some of compliance requirements expected from Barbican service.
+
+Notifications & Audit Impact
+----------------------------
+
+Will have additional notification capability to publish audit events.
+
+Other end user impact
+---------------------
+
+None
+
+Performance Impact
+------------------
+
+Audit events are published as notifications to queue and does not have to wait for
+response/acknowledgment so overall associated overhead should be very minimal.
+When notifications are written to log files, related overhead should still be low and
+can be comparable to logic of adding 2 log statements.
+
+Other deployer impact
+---------------------
+
+To enable audit event delivery via notifications, deployer will need to change
+default configuration.
+
+Developer impact
+----------------
+
+None.
+
+Implementation
+==============
+
+Assignee(s)
+
+Primary assignee:
+    arunkant
+
+Work Items
+----------
+
+* Add new blueprint and update oslo pyCADF library.
+
+* Define pipeline filter with audit map configuration file barbican_api_audit_map.conf
+
+* Add new decorator to create CADF event data for asynchronous worker processing logic.
+  Add decorator to related worker task methods.
+
+* Add ability to turn on audit event generation. By default it needs to be off.
+
+
+Dependencies
+============
+
+* pyCADF library (with barbican specific updated taxonomy).
+
+Testing
+=======
+
+The new unit tests are going to be added for middleware and order processing flow.
+For middleware unit tests, configuration override is needed for paste and api ini files.
+Oslo test driver https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/notify/_impl_test.py
+can be used to verify message content in addition to mock patched methods approach.
+
+
+Documentation Impact
+====================
+
+CADF event usage should be documented. For order processing flow, document what audit
+related changes, if any, are needed to add audit support for new order types.
+
+References
+==========
+
+* CADF Working Group. http://www.dmtf.org/standards/cadf
+
+* CADF representation for OpenStack
+  http://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
+ 
+* Audit Middleware
+  http://docs.openstack.org/developer/keystonemiddleware/audit.html
+
+* PyCADF developer docs
+  http://docs.openstack.org/developer/pycadf/
+
+* CADF event model and taxonomies
+  https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf
+
+* Ceilometer CADF support
+  https://wiki.openstack.org/wiki/Ceilometer/blueprints/support-standard-audit-formats