enable cadf auditing support

Change-Id: I47d0787c3edd83aeaa186f6031cac452cdc93b52

README.rst

@@ -49,6 +49,8 @@ Neutron Server on the controller node
           host: 127.0.0.1
           port: 8775
           password: pass
+        audit:
+          enabled: false
 
 Neutron VXLAN tenant networks with Network Nodes (with DVR for East-West
  and Network node for North-South)
@@ -165,6 +167,8 @@ Compute Node
           mechanism:
             ovs:
               driver: openvswitch
+        audit:
+          enabled: false
 
 Neutron VXLAN tenant networks with Network Nodes (non DVR)
 ==========================================================
@@ -564,6 +568,25 @@ Client-side RabbitMQ HA setup
           virtual_host: '/openstack'
         ....
 
+Enable auditing filter, ie: CADF
+
+.. code-block:: yaml
+
+    neutron:
+      server:
+        audit:
+          enabled: true
+      ....
+          filter_factory: 'keystonemiddleware.audit:filter_factory'
+          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+      ....
+      compute:
+        audit:
+          enabled: true
+      ....
+          filter_factory: 'keystonemiddleware.audit:filter_factory'
+          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+      ....
 
 
 Usage

neutron/files/liberty/api-paste.ini.Debian

@@ -1,3 +1,4 @@
+{%- from "neutron/map.jinja" import server with context %}
 {%- if pillar.neutron.server is defined %}
 {%- set neutron = pillar.neutron.server %}
 {%- elif pillar.neutron.switch is defined %}
@@ -13,7 +14,7 @@ use = egg:Paste#urlmap
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
 noauth = request_id catch_errors extensions neutronapiapp_v2_0
-keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+keystone = request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@@ -42,3 +43,9 @@ paste.app_factory = neutron.api.versions:Versions.factory
 
 [app:neutronapiapp_v2_0]
 paste.app_factory = neutron.api.v2.router:APIRouter.factory
+
+{%- if server.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory")   }}
+audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/neutron_api_audit_map.conf")  }}
+{%- endif %}

neutron/files/mitaka/api-paste.ini.Debian

@@ -1,3 +1,4 @@
+{%- from "neutron/map.jinja" import server with context %}
 [composite:neutron]
 use = egg:Paste#urlmap
 /: neutronversions
@@ -6,7 +7,7 @@ use = egg:Paste#urlmap
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
 noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+keystone = cors request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@@ -32,3 +33,9 @@ paste.app_factory = neutron.api.versions:Versions.factory
 
 [app:neutronapiapp_v2_0]
 paste.app_factory = neutron.api.v2.router:APIRouter.factory
+
+{%- if server.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory")   }}
+audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/neutron_api_audit_map.conf")  }}
+{%- endif %}

neutron/map.jinja

@@ -1,12 +1,18 @@
 
 {% set compute = salt['grains.filter_by']({
     'Debian': {
-        'pkgs': ['neutron-openvswitch-agent', 'openvswitch-switch', 'openvswitch-datapath-dkms'],
-        'services': ['neutron-openvswitch-agent']
+        'pkgs': ['neutron-openvswitch-agent', 'openvswitch-switch', 'openvswitch-datapath-dkms', 'python-pycadf'],
+        'services': ['neutron-openvswitch-agent'],
+        'audit': {
+          'enabled': false
+        }
     },
     'RedHat': {
-        'pkgs': ['openstack-neutron-openvswitch', 'openvswitch'],
-        'services': ['neutron-openvswitch-agent']
+        'pkgs': ['openstack-neutron-openvswitch', 'openvswitch', 'python-pycadf'],
+        'services': ['neutron-openvswitch-agent'],
+        'audit': {
+          'enabled': false
+        }
     },
 }, merge=pillar.neutron.get('compute', {})) %}
 
@@ -23,16 +29,22 @@
 
 {% set server = salt['grains.filter_by']({
     'Debian': {
-        'pkgs': ['neutron-server','neutron-lbaas-agent', 'gettext-base'],
+        'pkgs': ['neutron-server','neutron-lbaas-agent', 'gettext-base', 'python-pycadf'],
         'pkgs_ml2': ['neutron-plugin-ml2'],
         'services': ['neutron-server'],
-        'notification': False
+        'notification': False,
+        'audit': {
+          'enabled': false
+        }
     },
     'RedHat': {
-        'pkgs_ml2': ['openstack-neutron-ml2'],
+        'pkgs_ml2': ['openstack-neutron-ml2', 'python-pycadf'],
         'pkgs': ['openstack-neutron'],
         'services': ['neutron-server'],
-        'notification': False
+        'notification': False,
+        'audit': {
+          'enabled': false
+        }
     },
 }, merge=pillar.neutron.get('server', {})) %}
 
@@ -53,4 +65,4 @@
 
 {%- endif %}
 
-{%- endif %}
+{%- endif %}

neutron/server.sls

@@ -69,6 +69,13 @@ neutron_db_manage:
   - require:
     - pkg: neutron_server_packages
 
+/etc/neutron/api-paste.ini:
+  file.managed:
+    - source: salt://neutron/files/{{ server.version  }}/api-paste.ini.{{ grains.os_family  }}
+    - template: jinja
+    - require:
+      - pkg: neutron_server_packages
+
 {%- if grains.os_family == "Debian" %}
 
 /etc/default/neutron-server:

tests/pillar/control_cluster.sls

@@ -44,4 +44,8 @@ neutron:
       region: RegionOne
       user: nova
       password: password
-      tenant: service
+      tenant: service
+    audit:
+      filter_factory: 'keystonemiddleware.audit:filter_factory'
+      map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+