Add support for keystone audit middleware

This adds support for the keystone audit middleware... Closes-Bug: 1856555 Change-Id: I01ce984f083ec8c0f57fd5f85a01236d8d1272a6
2024-04-11 18:31:15 +00:00 · 2024-04-11 18:31:15 +00:00 · e1436ef108
parent 6697f415ea
commit e1436ef108
8 changed files with 228 additions and 2 deletions
--- a/charmhelpers/contrib/openstack/templates/section-audit-middleware-notifications
+++ b/charmhelpers/contrib/openstack/templates/section-audit-middleware-notifications
@ -0,0 +1,4 @@
+{% if audit_middleware -%}
+[audit_middleware_notifications]
+driver = log
+{% endif -%}
--- a/charmhelpers/contrib/openstack/templates/section-filter-audit
+++ b/charmhelpers/contrib/openstack/templates/section-filter-audit
@ -0,0 +1,6 @@
+{% if audit_middleware and service_name -%}
+[filter:audit]
+paste.filter_factory = keystonemiddleware.audit:filter_factory
+audit_map_file = /etc/{{ service_name }}/api_audit_map.conf
+service_name = {{ service_name }}
+{% endif -%}
--- a/config.yaml
+++ b/config.yaml
@ -12,6 +12,11 @@ options:
    default: False
    description: |
      Setting this to True will allow supporting services to log to syslog.
+  audit-middleware:
+    type: boolean
+    default: False
+    description: |
+      Enable auditing middleware for logging API calls.
  openstack-origin:
    type: string
    default: bobcat
--- a/hooks/cinder_utils.py
+++ b/hooks/cinder_utils.py
@ -167,6 +167,7 @@ CINDER_CONF_DIR = "/etc/cinder"
 CINDER_CONF = '%s/cinder.conf' % CINDER_CONF_DIR
 CINDER_API_CONF = '%s/api-paste.ini' % CINDER_CONF_DIR
 CINDER_POLICY_JSON = '%s/policy.json' % CINDER_CONF_DIR
+CINDER_AUDIT_MAP = '%s/api_audit_map.conf' % CINDER_CONF_DIR
 CEPH_CONF = '/etc/ceph/ceph.conf'

 HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
@ -237,18 +238,24 @@ BASE_RESOURCE_MAP = OrderedDict([
                     cinder_contexts.VolumeUsageAuditContext(),
                     context.MemcacheContext(),
                     cinder_contexts.SectionalConfigContext(),
-                     cinder_contexts.LVMContext()],
+                     cinder_contexts.LVMContext(),
+                     context.KeystoneAuditMiddleware(service='cinder')],
        'services': ['cinder-api', 'cinder-volume', 'cinder-scheduler',
                     'haproxy']
    }),
    (CINDER_API_CONF, {
-        'contexts': [context.IdentityServiceContext()],
+        'contexts': [context.IdentityServiceContext(),
+                     context.KeystoneAuditMiddleware(service='cinder')],
        'services': ['cinder-api'],
    }),
    (CINDER_POLICY_JSON, {
        'contexts': [],
        'services': ['cinder-api']
    }),
+    (CINDER_AUDIT_MAP, {
+        'contexts': [context.KeystoneAuditMiddleware(service='cinder')],
+        'services': ['cinder-api']
+    }),
    (ceph_config_file(), {
        'contexts': [context.CephContext()],
        'services': ['cinder-volume']
--- a/templates/yoga/api-paste.ini
+++ b/templates/yoga/api-paste.ini
@ -0,0 +1,86 @@
+#############
+# OpenStack #
+#############
+
+[composite:osapi_volume]
+use = call:cinder.api:root_app_factory
+/: apiversions
+/healthcheck: healthcheck
+/v1: openstack_volume_api_v1
+/v2: openstack_volume_api_v2
+/v3: openstack_volume_api_v3
+
+[composite:openstack_volume_api_v1]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
+
+[composite:openstack_volume_api_v2]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
+
+[composite:openstack_volume_api_v3]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware.request_id:RequestId.factory
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = cinder
+
+[filter:faultwrap]
+paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+
+[filter:noauth]
+paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[app:apiv1]
+paste.app_factory = cinder.api.v1.router:APIRouter.factory
+
+[app:apiv2]
+paste.app_factory = cinder.api.v2.router:APIRouter.factory
+
+[app:apiv3]
+paste.app_factory = cinder.api.v3.router:APIRouter.factory
+
+[pipeline:apiversions]
+pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
+
+[app:osvolumeversionapp]
+paste.app_factory = cinder.api.versions:Versions.factory
+
+[pipeline:healthcheck]
+pipeline = request_id healthcheckapp
+
+[app:healthcheckapp]
+paste.app_factory = oslo_middleware:Healthcheck.app_factory
+backends = disable_by_file
+disable_by_file_path = /etc/cinder/healthcheck_disable
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+{% include "section-filter-audit" %}
--- a/templates/yoga/api_audit_map.conf
+++ b/templates/yoga/api_audit_map.conf
@ -0,0 +1,28 @@
+[DEFAULT]
+# default target endpoint type
+# should match the endpoint type defined in service catalog
+target_endpoint_type = None
+
+# map urls ending with specific text to a unique action
+[custom_actions]
+associate = update/associate
+disassociate = update/disassociate
+disassociate_all = update/disassociate_all
+associations = read/list/associations
+
+# possible end path of api requests
+[path_keywords]
+defaults = None
+detail = None
+limits = None
+os-quota-specs = project
+qos-specs = qos-spec
+snapshots = snapshot
+types = type
+volumes = volume
+
+# map endpoint type defined in service catalog to CADF typeURI
+[service_endpoints]
+volume = service/storage/block
+volumev2 = service/storage/block
+volumev3 = service/storage/block
--- a/templates/yoga/cinder.conf
+++ b/templates/yoga/cinder.conf
@ -0,0 +1,89 @@
+###############################################################################
+# [ WARNING ]
+# cinder configuration file maintained by Juju
+# local changes may be overwritten.
+###############################################################################
+[DEFAULT]
+rootwrap_config = /etc/cinder/rootwrap.conf
+api_paste_confg = /etc/cinder/api-paste.ini
+iscsi_helper = tgtadm
+verbose = {{ verbose }}
+debug = {{ debug }}
+use_syslog = {{ use_syslog }}
+auth_strategy = keystone
+state_path = /var/lib/cinder
+osapi_volume_workers = {{ workers }}
+
+{% if transport_url %}
+transport_url = {{ transport_url }}
+{% endif %}
+
+{% if use_internal_endpoints -%}
+swift_catalog_info = object-store:swift:internalURL
+keystone_catalog_info = identity:Identity Service:internalURL
+glance_catalog_info = image:glance:internalURL
+nova_catalog_info = compute:Compute Service:internalURL
+{% endif %}
+
+osapi_volume_listen = {{ bind_host }}
+{% if osapi_volume_listen_port -%}
+osapi_volume_listen_port = {{ osapi_volume_listen_port }}
+{% endif -%}
+
+{% if glance_api_servers -%}
+glance_api_servers = {{ glance_api_servers }}
+{% endif -%}
+
+{% if glance_api_version -%}
+glance_api_version = {{ glance_api_version }}
+{% endif -%}
+
+{% if region -%}
+os_region_name = {{ region }}
+{% endif -%}
+
+{% if user_config_flags -%}
+{% for key, value in user_config_flags.items() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{% endif -%}
+
+volume_usage_audit_period = {{ volume_usage_audit_period }}
+
+{% if auth_host -%}
+cinder_internal_tenant_project_id = {{ admin_tenant_id }}
+{% if admin_user_id -%}
+cinder_internal_tenant_user_id = {{ admin_user_id }}
+{% else -%}
+cinder_internal_tenant_user_id = {{ admin_user }}
+{% endif -%}
+{% endif -%}
+
+{% include "parts/backends" %}
+{% include "section-keystone-authtoken-mitaka" %}
+
+{% if keystone_authtoken -%}
+{% include "section-service-user" %}
+{% endif -%}
+
+{% include "parts/section-database" %}
+
+{% include "section-oslo-messaging-rabbit-ocata" %}
+
+{% include "section-oslo-notifications" %}
+
+{% include "section-audit-middleware-notifications" %}
+
+[oslo_concurrency]
+lock_path = /var/lock/cinder
+
+[keymgr]
+# XXX: hack to work around http://pad.lv/1516085
+#      will be superseded by SRU to cinder package
+encryption_auth_url = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/v3
+
+{% include "section-oslo-middleware" %}
+
+[nova]
+{% include "parts/service-auth" %}
+
--- a/tests/bundles/jammy-bobcat.yaml
+++ b/tests/bundles/jammy-bobcat.yaml
@ -152,6 +152,7 @@ applications:
      block-devices: '40G'
    options:
      openstack-origin: *openstack-origin
+      audit-middleware: true
      glance-api-version: 2
      block-device: None
      overwrite: "true"