Add support for keystone audit middleware
This adds support for the keystone audit middleware... Closes-Bug: 1856555 Change-Id: I01ce984f083ec8c0f57fd5f85a01236d8d1272a6
This commit is contained in:
parent
6697f415ea
commit
e1436ef108
|
@ -0,0 +1,4 @@
|
||||||
|
{% if audit_middleware -%}
|
||||||
|
[audit_middleware_notifications]
|
||||||
|
driver = log
|
||||||
|
{% endif -%}
|
|
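Review bot: `driver = log` is the only key in the new `[audit_middleware_notifications]` section and nothing says what it implies: with this driver keystonemiddleware's audit filter writes its CADF records to the service's own log rather than to the message bus, so retention and forwarding of the audit trail follow cinder's log rotation and, presumably, the `use_syslog` setting rendered elsewhere in this commit. A comment above the key, `# CADF audit events are written to the cinder log, not the message bus`, would make that choice visible to whoever has to collect the records. Since the driver is hard-coded, consider noting in the same comment that switching to a messaging driver requires editing this template.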
@ -0,0 +1,6 @@
|
||||||
|
{% if audit_middleware and service_name -%}
|
||||||
|
[filter:audit]
|
||||||
|
paste.filter_factory = keystonemiddleware.audit:filter_factory
|
||||||
|
audit_map_file = /etc/{{ service_name }}/api_audit_map.conf
|
||||||
|
service_name = {{ service_name }}
|
||||||
|
{% endif -%}
|
|
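Review bot: The `{% if audit_middleware and service_name -%}` guard omits `[filter:audit]` when the option is off, yet the api-paste.ini template added in the same commit names `audit` unconditionally in every `keystone` and `keystone_nolimit` pipeline (`... authtoken keystonecontext audit apiv1` and the v2/v3 equivalents). Unless something outside this commit renders a different api-paste.ini when auditing is disabled, paste will reference a filter section that does not exist and cinder-api will fail to load its pipeline with the default `audit-middleware: False`. The pipeline entries should carry the same condition so the option actually toggles auditing, e.g. `keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if audit_middleware %}audit {% endif %}apiv1`, applied to the six keystone/keystone_nolimit lines in that template.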
@ -12,6 +12,11 @@ options:
|
||||||
default: False
|
default: False
|
||||||
description: |
|
description: |
|
||||||
Setting this to True will allow supporting services to log to syslog.
|
Setting this to True will allow supporting services to log to syslog.
|
||||||
|
audit-middleware:
|
||||||
|
type: boolean
|
||||||
|
default: False
|
||||||
|
description: |
|
||||||
|
Enable auditing middleware for logging API calls.
|
||||||
openstack-origin:
|
openstack-origin:
|
||||||
type: string
|
type: string
|
||||||
default: bobcat
|
default: bobcat
|
||||||
|
|
|
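Review bot: The new `audit-middleware` description says only that API calls are logged; it does not tell the operator where the records go or what form they take, which is what decides whether the trail is collected. Since the accompanying template fixes the notification driver to `log`, something like `Enable the keystonemiddleware audit filter on the cinder-api pipeline. CADF audit records for each API request are written to the cinder-api log.` would set the right expectation. It may also be worth stating that toggling the option rewrites api-paste.ini and restarts cinder-api, if that is what the resource map implies.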
@ -167,6 +167,7 @@ CINDER_CONF_DIR = "/etc/cinder"
|
||||||
CINDER_CONF = '%s/cinder.conf' % CINDER_CONF_DIR
|
CINDER_CONF = '%s/cinder.conf' % CINDER_CONF_DIR
|
||||||
CINDER_API_CONF = '%s/api-paste.ini' % CINDER_CONF_DIR
|
CINDER_API_CONF = '%s/api-paste.ini' % CINDER_CONF_DIR
|
||||||
CINDER_POLICY_JSON = '%s/policy.json' % CINDER_CONF_DIR
|
CINDER_POLICY_JSON = '%s/policy.json' % CINDER_CONF_DIR
|
||||||
|
CINDER_AUDIT_MAP = '%s/api_audit_map.conf' % CINDER_CONF_DIR
|
||||||
CEPH_CONF = '/etc/ceph/ceph.conf'
|
CEPH_CONF = '/etc/ceph/ceph.conf'
|
||||||
|
|
||||||
HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
|
HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
|
||||||
|
@ -237,18 +238,24 @@ BASE_RESOURCE_MAP = OrderedDict([
|
||||||
cinder_contexts.VolumeUsageAuditContext(),
|
cinder_contexts.VolumeUsageAuditContext(),
|
||||||
context.MemcacheContext(),
|
context.MemcacheContext(),
|
||||||
cinder_contexts.SectionalConfigContext(),
|
cinder_contexts.SectionalConfigContext(),
|
||||||
cinder_contexts.LVMContext()],
|
cinder_contexts.LVMContext(),
|
||||||
|
context.KeystoneAuditMiddleware(service='cinder')],
|
||||||
'services': ['cinder-api', 'cinder-volume', 'cinder-scheduler',
|
'services': ['cinder-api', 'cinder-volume', 'cinder-scheduler',
|
||||||
'haproxy']
|
'haproxy']
|
||||||
}),
|
}),
|
||||||
(CINDER_API_CONF, {
|
(CINDER_API_CONF, {
|
||||||
'contexts': [context.IdentityServiceContext()],
|
'contexts': [context.IdentityServiceContext(),
|
||||||
|
context.KeystoneAuditMiddleware(service='cinder')],
|
||||||
'services': ['cinder-api'],
|
'services': ['cinder-api'],
|
||||||
}),
|
}),
|
||||||
(CINDER_POLICY_JSON, {
|
(CINDER_POLICY_JSON, {
|
||||||
'contexts': [],
|
'contexts': [],
|
||||||
'services': ['cinder-api']
|
'services': ['cinder-api']
|
||||||
}),
|
}),
|
||||||
|
(CINDER_AUDIT_MAP, {
|
||||||
|
'contexts': [context.KeystoneAuditMiddleware(service='cinder')],
|
||||||
|
'services': ['cinder-api']
|
||||||
|
}),
|
||||||
(ceph_config_file(), {
|
(ceph_config_file(), {
|
||||||
'contexts': [context.CephContext()],
|
'contexts': [context.CephContext()],
|
||||||
'services': ['cinder-volume']
|
'services': ['cinder-volume']
|
||||||
|
|
|
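Review bot: The new `(CINDER_AUDIT_MAP, ...)` entry attaches `context.KeystoneAuditMiddleware(service='cinder')`, but the api_audit_map.conf added in this commit (which appears to be what CINDER_AUDIT_MAP renders) contains no template variables, so the context's output is never consumed there. If the intent is simply to ship a static file, `'contexts': []` as already used for CINDER_POLICY_JSON says so directly; if the context is attached so that rendering is tied to the audit setting, a one-line comment on the entry, `# rendered with the audit context so it tracks the audit-middleware option`, would save the next reader from guessing. Either way the entry is inside BASE_RESOURCE_MAP, whose definition starts and ends outside this hunk.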
@ -0,0 +1,86 @@
|
||||||
|
#############
|
||||||
|
# OpenStack #
|
||||||
|
#############
|
||||||
|
|
||||||
|
[composite:osapi_volume]
|
||||||
|
use = call:cinder.api:root_app_factory
|
||||||
|
/: apiversions
|
||||||
|
/healthcheck: healthcheck
|
||||||
|
/v1: openstack_volume_api_v1
|
||||||
|
/v2: openstack_volume_api_v2
|
||||||
|
/v3: openstack_volume_api_v3
|
||||||
|
|
||||||
|
[composite:openstack_volume_api_v1]
|
||||||
|
use = call:cinder.api.middleware.auth:pipeline_factory
|
||||||
|
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
|
||||||
|
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
|
||||||
|
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
|
||||||
|
|
||||||
|
[composite:openstack_volume_api_v2]
|
||||||
|
use = call:cinder.api.middleware.auth:pipeline_factory
|
||||||
|
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
|
||||||
|
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
|
||||||
|
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
|
||||||
|
|
||||||
|
[composite:openstack_volume_api_v3]
|
||||||
|
use = call:cinder.api.middleware.auth:pipeline_factory
|
||||||
|
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
|
||||||
|
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
|
||||||
|
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
|
||||||
|
|
||||||
|
[filter:request_id]
|
||||||
|
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
|
||||||
|
|
||||||
|
[filter:http_proxy_to_wsgi]
|
||||||
|
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
|
||||||
|
|
||||||
|
[filter:cors]
|
||||||
|
paste.filter_factory = oslo_middleware.cors:filter_factory
|
||||||
|
oslo_config_project = cinder
|
||||||
|
|
||||||
|
[filter:faultwrap]
|
||||||
|
paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
|
||||||
|
|
||||||
|
[filter:osprofiler]
|
||||||
|
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
|
||||||
|
|
||||||
|
[filter:noauth]
|
||||||
|
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
|
||||||
|
|
||||||
|
[filter:sizelimit]
|
||||||
|
paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
|
||||||
|
|
||||||
|
[app:apiv1]
|
||||||
|
paste.app_factory = cinder.api.v1.router:APIRouter.factory
|
||||||
|
|
||||||
|
[app:apiv2]
|
||||||
|
paste.app_factory = cinder.api.v2.router:APIRouter.factory
|
||||||
|
|
||||||
|
[app:apiv3]
|
||||||
|
paste.app_factory = cinder.api.v3.router:APIRouter.factory
|
||||||
|
|
||||||
|
[pipeline:apiversions]
|
||||||
|
pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
|
||||||
|
|
||||||
|
[app:osvolumeversionapp]
|
||||||
|
paste.app_factory = cinder.api.versions:Versions.factory
|
||||||
|
|
||||||
|
[pipeline:healthcheck]
|
||||||
|
pipeline = request_id healthcheckapp
|
||||||
|
|
||||||
|
[app:healthcheckapp]
|
||||||
|
paste.app_factory = oslo_middleware:Healthcheck.app_factory
|
||||||
|
backends = disable_by_file
|
||||||
|
disable_by_file_path = /etc/cinder/healthcheck_disable
|
||||||
|
|
||||||
|
##########
|
||||||
|
# Shared #
|
||||||
|
##########
|
||||||
|
|
||||||
|
[filter:keystonecontext]
|
||||||
|
paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
|
||||||
|
|
||||||
|
[filter:authtoken]
|
||||||
|
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
||||||
|
|
||||||
|
{% include "section-filter-audit" %}
|
|
@ -0,0 +1,28 @@
|
||||||
|
[DEFAULT]
|
||||||
|
# default target endpoint type
|
||||||
|
# should match the endpoint type defined in service catalog
|
||||||
|
target_endpoint_type = None
|
||||||
|
|
||||||
|
# map urls ending with specific text to a unique action
|
||||||
|
[custom_actions]
|
||||||
|
associate = update/associate
|
||||||
|
disassociate = update/disassociate
|
||||||
|
disassociate_all = update/disassociate_all
|
||||||
|
associations = read/list/associations
|
||||||
|
|
||||||
|
# possible end path of api requests
|
||||||
|
[path_keywords]
|
||||||
|
defaults = None
|
||||||
|
detail = None
|
||||||
|
limits = None
|
||||||
|
os-quota-specs = project
|
||||||
|
qos-specs = qos-spec
|
||||||
|
snapshots = snapshot
|
||||||
|
types = type
|
||||||
|
volumes = volume
|
||||||
|
|
||||||
|
# map endpoint type defined in service catalog to CADF typeURI
|
||||||
|
[service_endpoints]
|
||||||
|
volume = service/storage/block
|
||||||
|
volumev2 = service/storage/block
|
||||||
|
volumev3 = service/storage/block
|
|
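Review bot: `[path_keywords]` names eight resources, so requests on other cinder API paths (backups, attachments, groups and the like, if the targeted release offers them) will not receive the specific target types listed here; as far as I recall keystonemiddleware's audit map falls back to a generic classification for unlisted keywords, so audit coverage is narrower than the API surface, which matters when these records serve as the service's audit trail. The file appears to mirror keystonemiddleware's sample cinder_api_audit_map.conf, including the literal `None` values, which that parser treats specially. A header comment such as `# Based on keystonemiddleware etc/cinder_api_audit_map.conf; extend [path_keywords] when new API resources are added` would record the provenance and the maintenance expectation.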
@ -0,0 +1,89 @@
|
||||||
|
###############################################################################
|
||||||
|
# [ WARNING ]
|
||||||
|
# cinder configuration file maintained by Juju
|
||||||
|
# local changes may be overwritten.
|
||||||
|
###############################################################################
|
||||||
|
[DEFAULT]
|
||||||
|
rootwrap_config = /etc/cinder/rootwrap.conf
|
||||||
|
api_paste_confg = /etc/cinder/api-paste.ini
|
||||||
|
iscsi_helper = tgtadm
|
||||||
|
verbose = {{ verbose }}
|
||||||
|
debug = {{ debug }}
|
||||||
|
use_syslog = {{ use_syslog }}
|
||||||
|
auth_strategy = keystone
|
||||||
|
state_path = /var/lib/cinder
|
||||||
|
osapi_volume_workers = {{ workers }}
|
||||||
|
|
||||||
|
{% if transport_url %}
|
||||||
|
transport_url = {{ transport_url }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if use_internal_endpoints -%}
|
||||||
|
swift_catalog_info = object-store:swift:internalURL
|
||||||
|
keystone_catalog_info = identity:Identity Service:internalURL
|
||||||
|
glance_catalog_info = image:glance:internalURL
|
||||||
|
nova_catalog_info = compute:Compute Service:internalURL
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
osapi_volume_listen = {{ bind_host }}
|
||||||
|
{% if osapi_volume_listen_port -%}
|
||||||
|
osapi_volume_listen_port = {{ osapi_volume_listen_port }}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% if glance_api_servers -%}
|
||||||
|
glance_api_servers = {{ glance_api_servers }}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% if glance_api_version -%}
|
||||||
|
glance_api_version = {{ glance_api_version }}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% if region -%}
|
||||||
|
os_region_name = {{ region }}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% if user_config_flags -%}
|
||||||
|
{% for key, value in user_config_flags.items() -%}
|
||||||
|
{{ key }} = {{ value }}
|
||||||
|
{% endfor -%}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
volume_usage_audit_period = {{ volume_usage_audit_period }}
|
||||||
|
|
||||||
|
{% if auth_host -%}
|
||||||
|
cinder_internal_tenant_project_id = {{ admin_tenant_id }}
|
||||||
|
{% if admin_user_id -%}
|
||||||
|
cinder_internal_tenant_user_id = {{ admin_user_id }}
|
||||||
|
{% else -%}
|
||||||
|
cinder_internal_tenant_user_id = {{ admin_user }}
|
||||||
|
{% endif -%}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% include "parts/backends" %}
|
||||||
|
{% include "section-keystone-authtoken-mitaka" %}
|
||||||
|
|
||||||
|
{% if keystone_authtoken -%}
|
||||||
|
{% include "section-service-user" %}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% include "parts/section-database" %}
|
||||||
|
|
||||||
|
{% include "section-oslo-messaging-rabbit-ocata" %}
|
||||||
|
|
||||||
|
{% include "section-oslo-notifications" %}
|
||||||
|
|
||||||
|
{% include "section-audit-middleware-notifications" %}
|
||||||
|
|
||||||
|
[oslo_concurrency]
|
||||||
|
lock_path = /var/lock/cinder
|
||||||
|
|
||||||
|
[keymgr]
|
||||||
|
# XXX: hack to work around http://pad.lv/1516085
|
||||||
|
# will be superseded by SRU to cinder package
|
||||||
|
encryption_auth_url = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/v3
|
||||||
|
|
||||||
|
{% include "section-oslo-middleware" %}
|
||||||
|
|
||||||
|
[nova]
|
||||||
|
{% include "parts/service-auth" %}
|
||||||
|
|
|
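Review bot: `api_paste_confg = /etc/cinder/api-paste.ini` in `[DEFAULT]` misspells the option; cinder's option is `api_paste_config`, and oslo.config ignores unknown keys, so this line has no effect and cinder falls back to its built-in default of `api-paste.ini` in the config directory, which only happens to coincide with the intended path. Correct it to `api_paste_config = /etc/cinder/api-paste.ini` so the audit-enabled paste file is selected deliberately rather than by coincidence. `verbose = {{ verbose }}` is probably in the same situation on recent oslo.log releases, where the option was removed; worth checking for the release this template targets.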
@ -152,6 +152,7 @@ applications:
|
||||||
block-devices: '40G'
|
block-devices: '40G'
|
||||||
options:
|
options:
|
||||||
openstack-origin: *openstack-origin
|
openstack-origin: *openstack-origin
|
||||||
|
audit-middleware: true
|
||||||
glance-api-version: 2
|
glance-api-version: 2
|
||||||
block-device: None
|
block-device: None
|
||||||
overwrite: "true"
|
overwrite: "true"
|
||||||
|
|