From e1436ef1085192c41409045b4c64559bbb8df6d2 Mon Sep 17 00:00:00 2001 From: Myles Penner Date: Thu, 11 Apr 2024 18:31:15 +0000 Subject: [PATCH] Add support for keystone audit middleware This adds support for the keystone audit middleware... Closes-Bug: 1856555 Change-Id: I01ce984f083ec8c0f57fd5f85a01236d8d1272a6 --- .../section-audit-middleware-notifications | 4 + .../openstack/templates/section-filter-audit | 6 ++ config.yaml | 5 ++ hooks/cinder_utils.py | 11 ++- templates/yoga/api-paste.ini | 86 ++++++++++++++++++ templates/yoga/api_audit_map.conf | 28 ++++++ templates/yoga/cinder.conf | 89 +++++++++++++++++++ tests/bundles/jammy-bobcat.yaml | 1 + 8 files changed, 228 insertions(+), 2 deletions(-) create mode 100644 charmhelpers/contrib/openstack/templates/section-audit-middleware-notifications create mode 100644 charmhelpers/contrib/openstack/templates/section-filter-audit create mode 100644 templates/yoga/api-paste.ini create mode 100644 templates/yoga/api_audit_map.conf create mode 100644 templates/yoga/cinder.conf diff --git a/charmhelpers/contrib/openstack/templates/section-audit-middleware-notifications b/charmhelpers/contrib/openstack/templates/section-audit-middleware-notifications new file mode 100644 index 00000000..1f88014f --- /dev/null +++ b/charmhelpers/contrib/openstack/templates/section-audit-middleware-notifications @@ -0,0 +1,4 @@ +{% if audit_middleware -%} +[audit_middleware_notifications] +driver = log +{% endif -%} \ No newline at end of file diff --git a/charmhelpers/contrib/openstack/templates/section-filter-audit b/charmhelpers/contrib/openstack/templates/section-filter-audit new file mode 100644 index 00000000..11512aee --- /dev/null +++ b/charmhelpers/contrib/openstack/templates/section-filter-audit @@ -0,0 +1,6 @@ +{% if audit_middleware and service_name -%} +[filter:audit] +paste.filter_factory = keystonemiddleware.audit:filter_factory +audit_map_file = /etc/{{ service_name }}/api_audit_map.conf +service_name = {{ service_name }} +{% endif -%} \ No newline at end of file diff --git a/config.yaml b/config.yaml index 55b4dec8..d0c55e99 100644 --- a/config.yaml +++ b/config.yaml @@ -12,6 +12,11 @@ options: default: False description: | Setting this to True will allow supporting services to log to syslog. + audit-middleware: + type: boolean + default: False + description: | + Enable auditing middleware for logging API calls. openstack-origin: type: string default: bobcat diff --git a/hooks/cinder_utils.py b/hooks/cinder_utils.py index fa1d519f..83dd0f8d 100644 --- a/hooks/cinder_utils.py +++ b/hooks/cinder_utils.py @@ -167,6 +167,7 @@ CINDER_CONF_DIR = "/etc/cinder" CINDER_CONF = '%s/cinder.conf' % CINDER_CONF_DIR CINDER_API_CONF = '%s/api-paste.ini' % CINDER_CONF_DIR CINDER_POLICY_JSON = '%s/policy.json' % CINDER_CONF_DIR +CINDER_AUDIT_MAP = '%s/api_audit_map.conf' % CINDER_CONF_DIR CEPH_CONF = '/etc/ceph/ceph.conf' HAPROXY_CONF = '/etc/haproxy/haproxy.cfg' @@ -237,18 +238,24 @@ BASE_RESOURCE_MAP = OrderedDict([ cinder_contexts.VolumeUsageAuditContext(), context.MemcacheContext(), cinder_contexts.SectionalConfigContext(), - cinder_contexts.LVMContext()], + cinder_contexts.LVMContext(), + context.KeystoneAuditMiddleware(service='cinder')], 'services': ['cinder-api', 'cinder-volume', 'cinder-scheduler', 'haproxy'] }), (CINDER_API_CONF, { - 'contexts': [context.IdentityServiceContext()], + 'contexts': [context.IdentityServiceContext(), + context.KeystoneAuditMiddleware(service='cinder')], 'services': ['cinder-api'], }), (CINDER_POLICY_JSON, { 'contexts': [], 'services': ['cinder-api'] }), + (CINDER_AUDIT_MAP, { + 'contexts': [context.KeystoneAuditMiddleware(service='cinder')], + 'services': ['cinder-api'] + }), (ceph_config_file(), { 'contexts': [context.CephContext()], 'services': ['cinder-volume'] diff --git a/templates/yoga/api-paste.ini b/templates/yoga/api-paste.ini new file mode 100644 index 00000000..767210c4 --- /dev/null +++ b/templates/yoga/api-paste.ini @@ -0,0 +1,86 @@ +############# +# OpenStack # +############# + +[composite:osapi_volume] +use = call:cinder.api:root_app_factory +/: apiversions +/healthcheck: healthcheck +/v1: openstack_volume_api_v1 +/v2: openstack_volume_api_v2 +/v3: openstack_volume_api_v3 + +[composite:openstack_volume_api_v1] +use = call:cinder.api.middleware.auth:pipeline_factory +noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1 +keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1 +keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1 + +[composite:openstack_volume_api_v2] +use = call:cinder.api.middleware.auth:pipeline_factory +noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2 +keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2 +keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2 + +[composite:openstack_volume_api_v3] +use = call:cinder.api.middleware.auth:pipeline_factory +noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3 +keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3 +keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3 + +[filter:request_id] +paste.filter_factory = oslo_middleware.request_id:RequestId.factory + +[filter:http_proxy_to_wsgi] +paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory + +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = cinder + +[filter:faultwrap] +paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory + +[filter:osprofiler] +paste.filter_factory = osprofiler.web:WsgiMiddleware.factory + +[filter:noauth] +paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory + +[filter:sizelimit] +paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory + +[app:apiv1] +paste.app_factory = cinder.api.v1.router:APIRouter.factory + +[app:apiv2] +paste.app_factory = cinder.api.v2.router:APIRouter.factory + +[app:apiv3] +paste.app_factory = cinder.api.v3.router:APIRouter.factory + +[pipeline:apiversions] +pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp + +[app:osvolumeversionapp] +paste.app_factory = cinder.api.versions:Versions.factory + +[pipeline:healthcheck] +pipeline = request_id healthcheckapp + +[app:healthcheckapp] +paste.app_factory = oslo_middleware:Healthcheck.app_factory +backends = disable_by_file +disable_by_file_path = /etc/cinder/healthcheck_disable + +########## +# Shared # +########## + +[filter:keystonecontext] +paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory + +[filter:authtoken] +paste.filter_factory = keystonemiddleware.auth_token:filter_factory + +{% include "section-filter-audit" %} \ No newline at end of file diff --git a/templates/yoga/api_audit_map.conf b/templates/yoga/api_audit_map.conf new file mode 100644 index 00000000..17889f8c --- /dev/null +++ b/templates/yoga/api_audit_map.conf @@ -0,0 +1,28 @@ +[DEFAULT] +# default target endpoint type +# should match the endpoint type defined in service catalog +target_endpoint_type = None + +# map urls ending with specific text to a unique action +[custom_actions] +associate = update/associate +disassociate = update/disassociate +disassociate_all = update/disassociate_all +associations = read/list/associations + +# possible end path of api requests +[path_keywords] +defaults = None +detail = None +limits = None +os-quota-specs = project +qos-specs = qos-spec +snapshots = snapshot +types = type +volumes = volume + +# map endpoint type defined in service catalog to CADF typeURI +[service_endpoints] +volume = service/storage/block +volumev2 = service/storage/block +volumev3 = service/storage/block \ No newline at end of file diff --git a/templates/yoga/cinder.conf b/templates/yoga/cinder.conf new file mode 100644 index 00000000..42f7421f --- /dev/null +++ b/templates/yoga/cinder.conf @@ -0,0 +1,89 @@ +############################################################################### +# [ WARNING ] +# cinder configuration file maintained by Juju +# local changes may be overwritten. +############################################################################### +[DEFAULT] +rootwrap_config = /etc/cinder/rootwrap.conf +api_paste_confg = /etc/cinder/api-paste.ini +iscsi_helper = tgtadm +verbose = {{ verbose }} +debug = {{ debug }} +use_syslog = {{ use_syslog }} +auth_strategy = keystone +state_path = /var/lib/cinder +osapi_volume_workers = {{ workers }} + +{% if transport_url %} +transport_url = {{ transport_url }} +{% endif %} + +{% if use_internal_endpoints -%} +swift_catalog_info = object-store:swift:internalURL +keystone_catalog_info = identity:Identity Service:internalURL +glance_catalog_info = image:glance:internalURL +nova_catalog_info = compute:Compute Service:internalURL +{% endif %} + +osapi_volume_listen = {{ bind_host }} +{% if osapi_volume_listen_port -%} +osapi_volume_listen_port = {{ osapi_volume_listen_port }} +{% endif -%} + +{% if glance_api_servers -%} +glance_api_servers = {{ glance_api_servers }} +{% endif -%} + +{% if glance_api_version -%} +glance_api_version = {{ glance_api_version }} +{% endif -%} + +{% if region -%} +os_region_name = {{ region }} +{% endif -%} + +{% if user_config_flags -%} +{% for key, value in user_config_flags.items() -%} +{{ key }} = {{ value }} +{% endfor -%} +{% endif -%} + +volume_usage_audit_period = {{ volume_usage_audit_period }} + +{% if auth_host -%} +cinder_internal_tenant_project_id = {{ admin_tenant_id }} +{% if admin_user_id -%} +cinder_internal_tenant_user_id = {{ admin_user_id }} +{% else -%} +cinder_internal_tenant_user_id = {{ admin_user }} +{% endif -%} +{% endif -%} + +{% include "parts/backends" %} +{% include "section-keystone-authtoken-mitaka" %} + +{% if keystone_authtoken -%} +{% include "section-service-user" %} +{% endif -%} + +{% include "parts/section-database" %} + +{% include "section-oslo-messaging-rabbit-ocata" %} + +{% include "section-oslo-notifications" %} + +{% include "section-audit-middleware-notifications" %} + +[oslo_concurrency] +lock_path = /var/lock/cinder + +[keymgr] +# XXX: hack to work around http://pad.lv/1516085 +# will be superseded by SRU to cinder package +encryption_auth_url = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/v3 + +{% include "section-oslo-middleware" %} + +[nova] +{% include "parts/service-auth" %} + diff --git a/tests/bundles/jammy-bobcat.yaml b/tests/bundles/jammy-bobcat.yaml index 3925c1d5..9c3ffc51 100644 --- a/tests/bundles/jammy-bobcat.yaml +++ b/tests/bundles/jammy-bobcat.yaml @@ -152,6 +152,7 @@ applications: block-devices: '40G' options: openstack-origin: *openstack-origin + audit-middleware: true glance-api-version: 2 block-device: None overwrite: "true"