enable cadf auditing support
Change-Id: I47d0787c3edd83aeaa186f6031cac452cdc93b52
parent
af37e09a42
commit
61f7ab2206
23
README.rst
23
README.rst
|
@ -49,6 +49,8 @@ Neutron Server on the controller node
|
|||
host: 127.0.0.1
|
||||
port: 8775
|
||||
password: pass
|
||||
audit:
|
||||
enabled: false
|
||||
|
||||
Neutron VXLAN tenant networks with Network Nodes (with DVR for East-West
|
||||
and Network node for North-South)
|
||||
|
@ -165,6 +167,8 @@ Compute Node
|
|||
mechanism:
|
||||
ovs:
|
||||
driver: openvswitch
|
||||
audit:
|
||||
enabled: false
|
||||
|
||||
Neutron VXLAN tenant networks with Network Nodes (non DVR)
|
||||
==========================================================
|
||||
|
@ -564,6 +568,25 @@ Client-side RabbitMQ HA setup
|
|||
virtual_host: '/openstack'
|
||||
....
|
||||
|
||||
Enable auditing filter, ie: CADF
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
neutron:
|
||||
server:
|
||||
audit:
|
||||
enabled: true
|
||||
....
|
||||
filter_factory: 'keystonemiddleware.audit:filter_factory'
|
||||
map_file: '/etc/pycadf/neutron_api_audit_map.conf'
|
||||
....
|
||||
compute:
|
||||
audit:
|
||||
enabled: true
|
||||
....
|
||||
filter_factory: 'keystonemiddleware.audit:filter_factory'
|
||||
map_file: '/etc/pycadf/neutron_api_audit_map.conf'
|
||||
....
|
||||
|
||||
|
||||
Usage
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
{%- from "neutron/map.jinja" import server with context %}
|
||||
{%- if pillar.neutron.server is defined %}
|
||||
{%- set neutron = pillar.neutron.server %}
|
||||
{%- elif pillar.neutron.switch is defined %}
|
||||
|
@ -13,7 +14,7 @@ use = egg:Paste#urlmap
|
|||
[composite:neutronapi_v2_0]
|
||||
use = call:neutron.auth:pipeline_factory
|
||||
noauth = request_id catch_errors extensions neutronapiapp_v2_0
|
||||
keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
|
||||
keystone = request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
|
||||
|
||||
[filter:request_id]
|
||||
paste.filter_factory = oslo_middleware:RequestId.factory
|
||||
|
@ -42,3 +43,9 @@ paste.app_factory = neutron.api.versions:Versions.factory
|
|||
|
||||
[app:neutronapiapp_v2_0]
|
||||
paste.app_factory = neutron.api.v2.router:APIRouter.factory
|
||||
|
||||
{%- if server.audit.enabled %}
|
||||
[filter:audit]
|
||||
paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
|
||||
audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/neutron_api_audit_map.conf") }}
|
||||
{%- endif %}
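Review bot: Nothing in the new `[filter:audit]` section, or in the other files this commit touches, makes sure the file named by `audit_map_file` exists on the node before the pipeline references it. As far as I know the keystonemiddleware audit filter reads that map when the paste pipeline is built, so a missing file would probably stop the API from loading rather than just switch auditing off; a managed file or a `require` on the package that ships it would close that gap. The guard is also written two ways: the pipeline line and the `{%- if server.audit.enabled %}` test use attribute access, while the values use `server.get("audit", {})`. Setting `{%- set audit = server.get("audit", {}) %}` once and testing `{%- if audit.get("enabled", False) %}` would keep them consistent. Only the `keystone` pipeline gains the filter, so a short template comment such as `{#- noauth requests are not audited #}` would make that limit visible to operators. The same three points apply to the second api-paste template in this commit (the one whose pipelines start with `cors`).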
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
{%- from "neutron/map.jinja" import server with context %}
|
||||
[composite:neutron]
|
||||
use = egg:Paste#urlmap
|
||||
/: neutronversions
|
||||
|
@ -6,7 +7,7 @@ use = egg:Paste#urlmap
|
|||
[composite:neutronapi_v2_0]
|
||||
use = call:neutron.auth:pipeline_factory
|
||||
noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
|
||||
keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
|
||||
keystone = cors request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
|
||||
|
||||
[filter:request_id]
|
||||
paste.filter_factory = oslo_middleware:RequestId.factory
|
||||
|
@ -32,3 +33,9 @@ paste.app_factory = neutron.api.versions:Versions.factory
|
|||
|
||||
[app:neutronapiapp_v2_0]
|
||||
paste.app_factory = neutron.api.v2.router:APIRouter.factory
|
||||
|
||||
{%- if server.audit.enabled %}
|
||||
[filter:audit]
|
||||
paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
|
||||
audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/neutron_api_audit_map.conf") }}
|
||||
{%- endif %}
|
||||
|
|
|
@ -1,12 +1,18 @@
|
|||
|
||||
{% set compute = salt['grains.filter_by']({
|
||||
'Debian': {
|
||||
'pkgs': ['neutron-openvswitch-agent', 'openvswitch-switch', 'openvswitch-datapath-dkms'],
|
||||
'services': ['neutron-openvswitch-agent']
|
||||
'pkgs': ['neutron-openvswitch-agent', 'openvswitch-switch', 'openvswitch-datapath-dkms', 'python-pycadf'],
|
||||
'services': ['neutron-openvswitch-agent'],
|
||||
'audit': {
|
||||
'enabled': false
|
||||
}
|
||||
},
|
||||
'RedHat': {
|
||||
'pkgs': ['openstack-neutron-openvswitch', 'openvswitch'],
|
||||
'services': ['neutron-openvswitch-agent']
|
||||
'pkgs': ['openstack-neutron-openvswitch', 'openvswitch', 'python-pycadf'],
|
||||
'services': ['neutron-openvswitch-agent'],
|
||||
'audit': {
|
||||
'enabled': false
|
||||
}
|
||||
},
|
||||
}, merge=pillar.neutron.get('compute', {})) %}
|
||||
|
||||
|
@ -23,16 +29,22 @@
|
|||
|
||||
{% set server = salt['grains.filter_by']({
|
||||
'Debian': {
|
||||
'pkgs': ['neutron-server','neutron-lbaas-agent', 'gettext-base'],
|
||||
'pkgs': ['neutron-server','neutron-lbaas-agent', 'gettext-base', 'python-pycadf'],
|
||||
'pkgs_ml2': ['neutron-plugin-ml2'],
|
||||
'services': ['neutron-server'],
|
||||
'notification': False
|
||||
'notification': False,
|
||||
'audit': {
|
||||
'enabled': false
|
||||
}
|
||||
},
|
||||
'RedHat': {
|
||||
'pkgs_ml2': ['openstack-neutron-ml2'],
|
||||
'pkgs_ml2': ['openstack-neutron-ml2', 'python-pycadf'],
|
||||
'pkgs': ['openstack-neutron'],
|
||||
'services': ['neutron-server'],
|
||||
'notification': False
|
||||
'notification': False,
|
||||
'audit': {
|
||||
'enabled': false
|
||||
}
|
||||
},
|
||||
}, merge=pillar.neutron.get('server', {})) %}
|
||||
|
||||
|
@ -53,4 +65,4 @@
|
|||
|
||||
{%- endif %}
|
||||
|
||||
{%- endif %}
|
||||
{%- endif %}
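Review bot: In the `server` map the RedHat branch adds `python-pycadf` to `pkgs_ml2`, while the Debian branch adds it to `pkgs`. If `pkgs_ml2` is installed only when the ML2 plugin is selected (that state is not visible here), a RedHat server using another plugin would enable the audit filter without pycadf installed; `'pkgs': ['openstack-neutron', 'python-pycadf'],` would match the Debian side. The new defaults spell the flag `'enabled': false` directly beside `'notification': False`; one spelling throughout the map would read better. No hunk in this commit reads `compute.audit`, so the compute default and package look unused unless another template consumes them; a one-line comment saying where it is used would help.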
|
||||
|
|
|
@ -69,6 +69,13 @@ neutron_db_manage:
|
|||
- require:
|
||||
- pkg: neutron_server_packages
|
||||
|
||||
/etc/neutron/api-paste.ini:
|
||||
file.managed:
|
||||
- source: salt://neutron/files/{{ server.version }}/api-paste.ini.{{ grains.os_family }}
|
||||
- template: jinja
|
||||
- require:
|
||||
- pkg: neutron_server_packages
|
||||
|
||||
{%- if grains.os_family == "Debian" %}
|
||||
|
||||
/etc/default/neutron-server:
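Review bot: The new `/etc/neutron/api-paste.ini` state requires `neutron_server_packages`, but nothing visible in this hunk makes the neutron-server service reload when the rendered file changes. Unless the service state (outside this hunk) already watches it, toggling `audit.enabled` in pillar would rewrite the pipeline on disk while the running API keeps the old one, so auditing would look enabled without being active. Adding `- watch_in:` with `- service: <neutron-server service state id>` would tie the two together; the id is a placeholder because the service state is not shown. The source path is built from `server.version` and `grains.os_family`, so every supported combination needs a template under `neutron/files/`, and only two templates appear in this commit.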
|
||||
|
|
|
@ -44,4 +44,8 @@ neutron:
|
|||
region: RegionOne
|
||||
user: nova
|
||||
password: password
|
||||
tenant: service
|
||||
tenant: service
|
||||
audit:
|
||||
filter_factory: 'keystonemiddleware.audit:filter_factory'
|
||||
map_file: '/etc/pycadf/neutron_api_audit_map.conf'
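Review bot: The `audit:` block added here sets `filter_factory` and `map_file` but no `enabled` key. With the `'enabled': false` default that this commit adds to map.jinja, the `[filter:audit]` branch of the api-paste templates would not render from this pillar, so if this file is the sample or test pillar the new code path is never exercised. Adding `enabled: true` under `audit:` would cover it. Indentation is lost on this page, so I am assuming `audit:` sits at the level the templates read (`neutron:server:audit` or `neutron:compute:audit`); please confirm, since `tenant: service` also appears twice just above it.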
|
||||
|
||||
|
|