Add support for keystone audit middleware
This adds support for the keystone audit middleware... Closes-Bug: 1856555 Change-Id: I01ce984f083ec8c0f57fd5f85a01236d8d1272a6
This commit is contained in:
parent
6697f415ea
commit
e1436ef108
|
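--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,4 @@
+{% if audit_middleware -%}
+[audit_middleware_notifications]
+driver = log
+{% endif -%}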
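Review bot: `driver = log` on L18 is the only setting in this section and it is undocumented, so a reader of the rendered file cannot tell that it decides where keystonemiddleware.audit sends its CADF records (the service's own log rather than the message bus). A full-line comment above the key would make that explicit, and it has to be full-line because inline comments after a value are not safe for INI parsers: `# keystonemiddleware.audit notification driver; "log" writes CADF audit records to the service log instead of oslo.messaging`. The section is only rendered when `audit_middleware` is set (L12), which is worth stating in the same comment so nobody expects it in an unaudited deployment.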
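--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,6 @@
+{% if audit_middleware and service_name -%}
+[filter:audit]
+paste.filter_factory = keystonemiddleware.audit:filter_factory
+audit_map_file = /etc/{{ service_name }}/api_audit_map.conf
+service_name = {{ service_name }}
+{% endif -%}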
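Review bot: The `[filter:audit]` section on L30 is rendered only when both `audit_middleware` and `service_name` are truthy (L27), but nothing here records that any pipeline listing `audit` must be guarded by the same condition, otherwise paste.deploy is asked for a filter that was never rendered. A full-line comment above the guard would make the coupling explicit: `# Rendered only when audit_middleware and service_name are set; pipelines that list "audit" must be guarded by the same test`. The `audit_map_file` path on L36 must also agree with wherever the charm writes the map (for cinder that is `/etc/cinder/api_audit_map.conf`, L96), so a comment naming that dependency would keep the two from being changed independently.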
@ -12,6 +12,11 @@ options:
|
|||
default: False
|
||||
description: |
|
||||
Setting this to True will allow supporting services to log to syslog.
|
||||
audit-middleware:
|
||||
type: boolean
|
||||
default: False
|
||||
description: |
|
||||
Enable auditing middleware for logging API calls.
|
||||
openstack-origin:
|
||||
type: string
|
||||
default: bobcat
|
||||
|
|
|
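Review bot: The `audit-middleware` description on L69 says only that API calls are logged; an operator cannot tell from it where the records end up or that auditing applies to the keystone-authenticated API pipeline. Since the companion template fixes `driver = log` (L18), the text could read `Enable the keystonemiddleware audit filter in the cinder-api pipeline. CADF audit records for each API request are written to the service log.` The enclosing `options:` mapping starts before this hunk.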
@ -167,6 +167,7 @@ CINDER_CONF_DIR = "/etc/cinder"
|
|||
CINDER_CONF = '%s/cinder.conf' % CINDER_CONF_DIR
|
||||
CINDER_API_CONF = '%s/api-paste.ini' % CINDER_CONF_DIR
|
||||
CINDER_POLICY_JSON = '%s/policy.json' % CINDER_CONF_DIR
|
||||
CINDER_AUDIT_MAP = '%s/api_audit_map.conf' % CINDER_CONF_DIR
|
||||
CEPH_CONF = '/etc/ceph/ceph.conf'
|
||||
|
||||
HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
|
||||
|
@ -237,18 +238,24 @@ BASE_RESOURCE_MAP = OrderedDict([
|
|||
cinder_contexts.VolumeUsageAuditContext(),
|
||||
context.MemcacheContext(),
|
||||
cinder_contexts.SectionalConfigContext(),
|
||||
cinder_contexts.LVMContext()],
|
||||
cinder_contexts.LVMContext(),
|
||||
context.KeystoneAuditMiddleware(service='cinder')],
|
||||
'services': ['cinder-api', 'cinder-volume', 'cinder-scheduler',
|
||||
'haproxy']
|
||||
}),
|
||||
(CINDER_API_CONF, {
|
||||
'contexts': [context.IdentityServiceContext()],
|
||||
'contexts': [context.IdentityServiceContext(),
|
||||
context.KeystoneAuditMiddleware(service='cinder')],
|
||||
'services': ['cinder-api'],
|
||||
}),
|
||||
(CINDER_POLICY_JSON, {
|
||||
'contexts': [],
|
||||
'services': ['cinder-api']
|
||||
}),
|
||||
(CINDER_AUDIT_MAP, {
|
||||
'contexts': [context.KeystoneAuditMiddleware(service='cinder')],
|
||||
'services': ['cinder-api']
|
||||
}),
|
||||
(ceph_config_file(), {
|
||||
'contexts': [context.CephContext()],
|
||||
'services': ['cinder-volume']
|
||||
|
|
|
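Review bot: `context.KeystoneAuditMiddleware(service='cinder')` is spelled out three times (L126, L147, L171); if the context class carries no per-instance state, a single module-level instance, or at least a constant such as `CINDER_SERVICE = 'cinder'` for the name, would keep the three entries from drifting apart. The new `CINDER_AUDIT_MAP` entry on L168 restarts only `cinder-api`, which matches the consumer of the map (L138, L150), so the service list looks right. The `BASE_RESOURCE_MAP` OrderedDict literal starts before and continues past this hunk.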
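--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,86 @@
+#############
+# OpenStack #
+#############
+
+[composite:osapi_volume]
+use = call:cinder.api:root_app_factory
+/: apiversions
+/healthcheck: healthcheck
+/v1: openstack_volume_api_v1
+/v2: openstack_volume_api_v2
+/v3: openstack_volume_api_v3
+
+[composite:openstack_volume_api_v1]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
+
+[composite:openstack_volume_api_v2]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
+
+[composite:openstack_volume_api_v3]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware.request_id:RequestId.factory
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = cinder
+
+[filter:faultwrap]
+paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+
+[filter:noauth]
+paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[app:apiv1]
+paste.app_factory = cinder.api.v1.router:APIRouter.factory
+
+[app:apiv2]
+paste.app_factory = cinder.api.v2.router:APIRouter.factory
+
+[app:apiv3]
+paste.app_factory = cinder.api.v3.router:APIRouter.factory
+
+[pipeline:apiversions]
+pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
+
+[app:osvolumeversionapp]
+paste.app_factory = cinder.api.versions:Versions.factory
+
+[pipeline:healthcheck]
+pipeline = request_id healthcheckapp
+
+[app:healthcheckapp]
+paste.app_factory = oslo_middleware:Healthcheck.app_factory
+backends = disable_by_file
+disable_by_file_path = /etc/cinder/healthcheck_disable
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+{% include "section-filter-audit" %}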
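Review bot: The `keystone` and `keystone_nolimit` pipelines on L238, L241, L255, L258, L272 and L275 list `audit` unconditionally, while the `[filter:audit]` section comes only from the `{% include "section-filter-audit" %}` on L428, which renders nothing unless `audit_middleware` and `service_name` are both set (L27). With the charm option defaulting to False (L63) the rendered api-paste.ini would then name a filter that does not exist, which paste.deploy rejects when the pipeline is assembled, so cinder-api would fail to start with auditing off, unless this template is only ever rendered with the option enabled, which the page does not show. Guard the entry the same way as the include, e.g. on L238 `keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if audit_middleware and service_name %}audit {% endif %}apiv1`, and likewise on the other five lines. The `noauth` pipelines omit `audit` and need no change.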
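--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,28 @@
+[DEFAULT]
+# default target endpoint type
+# should match the endpoint type defined in service catalog
+target_endpoint_type = None
+
+# map urls ending with specific text to a unique action
+[custom_actions]
+associate = update/associate
+disassociate = update/disassociate
+disassociate_all = update/disassociate_all
+associations = read/list/associations
+
+# possible end path of api requests
+[path_keywords]
+defaults = None
+detail = None
+limits = None
+os-quota-specs = project
+qos-specs = qos-spec
+snapshots = snapshot
+types = type
+volumes = volume
+
+# map endpoint type defined in service catalog to CADF typeURI
+[service_endpoints]
+volume = service/storage/block
+volumev2 = service/storage/block
+volumev3 = service/storage/block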
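Review bot: This map is installed as `/etc/cinder/api_audit_map.conf` (L96) and read by the audit filter through `audit_map_file` (L36), yet unlike the cinder.conf template (L518-L530) it carries no "maintained by Juju, local changes may be overwritten" banner, so an operator who tunes the CADF mapping by hand gets no hint that the charm will rewrite it. Suggest the same four-line `#` banner at the top of the file. The values `None` on L443, L474, L477 and L480 are plain strings to any INI parser and presumably a sentinel that keystonemiddleware interprets; a one-line comment such as `# "None" is a literal sentinel understood by keystonemiddleware.audit, not an empty value` would stop a future editor from "fixing" them to empty values.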
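--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,89 @@
+###############################################################################
+# [ WARNING ]
+# cinder configuration file maintained by Juju
+# local changes may be overwritten.
+###############################################################################
+[DEFAULT]
+rootwrap_config = /etc/cinder/rootwrap.conf
+api_paste_confg = /etc/cinder/api-paste.ini
+iscsi_helper = tgtadm
+verbose = {{ verbose }}
+debug = {{ debug }}
+use_syslog = {{ use_syslog }}
+auth_strategy = keystone
+state_path = /var/lib/cinder
+osapi_volume_workers = {{ workers }}
+
+{% if transport_url %}
+transport_url = {{ transport_url }}
+{% endif %}
+
+{% if use_internal_endpoints -%}
+swift_catalog_info = object-store:swift:internalURL
+keystone_catalog_info = identity:Identity Service:internalURL
+glance_catalog_info = image:glance:internalURL
+nova_catalog_info = compute:Compute Service:internalURL
+{% endif %}
+
+osapi_volume_listen = {{ bind_host }}
+{% if osapi_volume_listen_port -%}
+osapi_volume_listen_port = {{ osapi_volume_listen_port }}
+{% endif -%}
+
+{% if glance_api_servers -%}
+glance_api_servers = {{ glance_api_servers }}
+{% endif -%}
+
+{% if glance_api_version -%}
+glance_api_version = {{ glance_api_version }}
+{% endif -%}
+
+{% if region -%}
+os_region_name = {{ region }}
+{% endif -%}
+
+{% if user_config_flags -%}
+{% for key, value in user_config_flags.items() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{% endif -%}
+
+volume_usage_audit_period = {{ volume_usage_audit_period }}
+
+{% if auth_host -%}
+cinder_internal_tenant_project_id = {{ admin_tenant_id }}
+{% if admin_user_id -%}
+cinder_internal_tenant_user_id = {{ admin_user_id }}
+{% else -%}
+cinder_internal_tenant_user_id = {{ admin_user }}
+{% endif -%}
+{% endif -%}
+
+{% include "parts/backends" %}
+{% include "section-keystone-authtoken-mitaka" %}
+
+{% if keystone_authtoken -%}
+{% include "section-service-user" %}
+{% endif -%}
+
+{% include "parts/section-database" %}
+
+{% include "section-oslo-messaging-rabbit-ocata" %}
+
+{% include "section-oslo-notifications" %}
+
+{% include "section-audit-middleware-notifications" %}
+
+[oslo_concurrency]
+lock_path = /var/lock/cinder
+
+[keymgr]
+# XXX: hack to work around http://pad.lv/1516085
+# will be superseded by SRU to cinder package
+encryption_auth_url = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/v3
+
+{% include "section-oslo-middleware" %}
+
+[nova]
+{% include "parts/service-auth" %}
+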
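Review bot: L539 sets `api_paste_confg`, which is not the option name cinder reads (`api_paste_config`), so as far as I can tell the line is ignored by oslo.config and cinder-api only finds the paste file because the default resolves to the same `api-paste.ini` beside cinder.conf. It looks carried over from an earlier release template, but since the whole file is new in this commit this is the moment to correct it: `api_paste_config = /etc/cinder/api-paste.ini`. The new `{% include "section-audit-middleware-notifications" %}` on L725 renders its own section header (L15), so placing it after the other includes and before `[oslo_concurrency]` on L730 is fine; a short comment noting that it is empty unless `audit_middleware` is set would help a reader of the rendered file.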
@ -152,6 +152,7 @@ applications:
|
|||
block-devices: '40G'
|
||||
options:
|
||||
openstack-origin: *openstack-origin
|
||||
audit-middleware: true
|
||||
glance-api-version: 2
|
||||
block-device: None
|
||||
overwrite: "true"
|
||||
|
|