diff --git a/README.rst b/README.rst
index c0afc7a..084c423 100644
--- a/README.rst
+++ b/README.rst
@@ -49,6 +49,8 @@ Neutron Server on the controller node
 host: 127.0.0.1
 port: 8775
 password: pass
+ audit:
+ enabled: false
 Neutron VXLAN tenant networks with Network Nodes (with DVR for East-West and Network node for North-South)
@@ -165,6 +167,8 @@ Compute Node
 mechanism:
 ovs:
 driver: openvswitch
+ audit:
+ enabled: false
 Neutron VXLAN tenant networks with Network Nodes (non DVR)
 ==========================================================
@@ -564,6 +568,25 @@ Client-side RabbitMQ HA setup
 virtual_host: '/openstack'
 ....
+Enable auditing filter, ie: CADF
+
+.. code-block:: yaml
+
+ neutron:
+ server:
+ audit:
+ enabled: true
+ ....
+ filter_factory: 'keystonemiddleware.audit:filter_factory'
+ map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+ ....
+ compute:
+ audit:
+ enabled: true
+ ....
+ filter_factory: 'keystonemiddleware.audit:filter_factory'
+ map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+ ....
 Usage
diff --git a/neutron/files/liberty/api-paste.ini.Debian b/neutron/files/liberty/api-paste.ini.Debian
index 4fa84c6..f3e4387 100644
--- a/neutron/files/liberty/api-paste.ini.Debian
+++ b/neutron/files/liberty/api-paste.ini.Debian
@@ -1,3 +1,4 @@
+{%- from "neutron/map.jinja" import server with context %}
 {%- if pillar.neutron.server is defined %}
 {%- set neutron = pillar.neutron.server %}
 {%- elif pillar.neutron.switch is defined %}
@@ -13,7 +14,7 @@ use = egg:Paste#urlmap
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
 noauth = request_id catch_errors extensions neutronapiapp_v2_0
-keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+keystone = request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
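Review bot: `audit` is inserted after `extensions` in the keystone pipeline, which leaves most of the security-relevant Neutron API unaudited: Neutron's extensions middleware routes requests for extension-provided resources (routers, floating IPs, security groups, quotas, …) to its own controllers and only hands the remainder on to the wrapped app, so a filter behind it never sees those calls. Placing it in front of `extensions` still keeps the authenticated initiator available, because it remains after `authtoken` and `keystonecontext`: `keystone = request_id catch_errors authtoken keystonecontext {% if server.audit.enabled %}audit {% endif %}extensions neutronapiapp_v2_0`. Leaving the `noauth` pipeline unaudited is defensible (there is no initiator to record) but deserves a comment above the composite, e.g. `# audit: CADF events are emitted for the keystone pipeline only`.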
@@ -42,3 +43,9 @@ paste.app_factory = neutron.api.versions:Versions.factory
 [app:neutronapiapp_v2_0]
 paste.app_factory = neutron.api.v2.router:APIRouter.factory
+
+{%- if server.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/neutron_api_audit_map.conf") }}
+{%- endif %}
diff --git a/neutron/files/mitaka/api-paste.ini.Debian b/neutron/files/mitaka/api-paste.ini.Debian
index 5902651..a984957 100644
--- a/neutron/files/mitaka/api-paste.ini.Debian
+++ b/neutron/files/mitaka/api-paste.ini.Debian
@@ -1,3 +1,4 @@
+{%- from "neutron/map.jinja" import server with context %}
 [composite:neutron]
 use = egg:Paste#urlmap
 /: neutronversions
@@ -6,7 +7,7 @@ use = egg:Paste#urlmap
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
 noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+keystone = cors request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@@ -32,3 +33,9 @@ paste.app_factory = neutron.api.versions:Versions.factory
 [app:neutronapiapp_v2_0]
 paste.app_factory = neutron.api.v2.router:APIRouter.factory
+
+{%- if server.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/neutron_api_audit_map.conf") }}
+{%- endif %}
diff --git a/neutron/map.jinja b/neutron/map.jinja
index 6ace312..1af2a68 100644
--- a/neutron/map.jinja
+++ b/neutron/map.jinja
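Review bot: The defaults for `filter_factory` and `map_file` are duplicated inside the template via `server.get("audit", {}).get(...)`, while the guard two lines above already dereferences `server.audit.enabled` directly and relies on map.jinja to supply the `audit` key. Keeping those two defaults in the `audit` dict of map.jinja next to `enabled`, and writing `paste.filter_factory = {{ server.audit.filter_factory }}` and `audit_map_file = {{ server.audit.map_file }}` here, gives one place to change them and the same guarantee the guard already depends on. A one-line comment above the section, `# CADF audit middleware; only rendered when neutron:server:audit:enabled is true`, would also explain why the section is conditional.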
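Review bot: `audit` sits behind `extensions` in the mitaka keystone pipeline, so requests served by Neutron's extension router (routers, floating IPs, security groups, …) are answered by the extension controllers and never reach the filter, producing no CADF event for exactly the operations an auditor cares about. Moving it one position left, `keystone = cors request_id catch_errors authtoken keystonecontext {% if server.audit.enabled %}audit {% endif %}extensions neutronapiapp_v2_0`, keeps it after `authtoken` and `keystonecontext` (so the initiator is still populated) while covering the whole API.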
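Review bot: Nothing in this change manages or checks the file named by `audit_map_file`; the audit filter loads the map when the pipeline is built, so if the `python-pycadf` package on the target release does not ship `/etc/pycadf/neutron_api_audit_map.conf`, or an operator points `map_file` elsewhere, neutron-server fails to start as soon as `audit.enabled` is true. Either have the formula manage that file from a template alongside api-paste.ini or document the prerequisite; at minimum a comment above the section, `# audit_map_file must exist before enabling audit — expected from python-pycadf, verify for the target release`, makes the dependency visible.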
@@ -1,12 +1,18 @@
 {% set compute = salt['grains.filter_by']({
 'Debian': {
-'pkgs': ['neutron-openvswitch-agent', 'openvswitch-switch', 'openvswitch-datapath-dkms'],
-'services': ['neutron-openvswitch-agent']
+'pkgs': ['neutron-openvswitch-agent', 'openvswitch-switch', 'openvswitch-datapath-dkms', 'python-pycadf'],
+'services': ['neutron-openvswitch-agent'],
+'audit': {
+'enabled': false
+}
 },
 'RedHat': {
-'pkgs': ['openstack-neutron-openvswitch', 'openvswitch'],
-'services': ['neutron-openvswitch-agent']
+'pkgs': ['openstack-neutron-openvswitch', 'openvswitch', 'python-pycadf'],
+'services': ['neutron-openvswitch-agent'],
+'audit': {
+'enabled': false
+}
 },
 }, merge=pillar.neutron.get('compute', {})) %}
@@ -23,16 +29,22 @@
 {% set server = salt['grains.filter_by']({
 'Debian': {
-'pkgs': ['neutron-server','neutron-lbaas-agent', 'gettext-base'],
+'pkgs': ['neutron-server','neutron-lbaas-agent', 'gettext-base', 'python-pycadf'],
 'pkgs_ml2': ['neutron-plugin-ml2'],
 'services': ['neutron-server'],
-'notification': False
+'notification': False,
+'audit': {
+'enabled': false
+}
 },
 'RedHat': {
-'pkgs_ml2': ['openstack-neutron-ml2'],
+'pkgs_ml2': ['openstack-neutron-ml2', 'python-pycadf'],
 'pkgs': ['openstack-neutron'],
 'services': ['neutron-server'],
-'notification': False
+'notification': False,
+'audit': {
+'enabled': false
+}
 },
 }, merge=pillar.neutron.get('server', {})) %}
@@ -53,4 +65,4 @@
 {%- endif %}
-{%- endif %}
\ No newline at end of file
+{%- endif %}
diff --git a/neutron/server.sls b/neutron/server.sls
index cd2254b..370e402 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -69,6 +69,13 @@ neutron_db_manage:
 - require:
 - pkg: neutron_server_packages
+/etc/neutron/api-paste.ini:
+ file.managed:
+ - source: salt://neutron/files/{{ server.version }}/api-paste.ini.{{ grains.os_family }}
+ - template: jinja
+ - require:
+ - pkg: neutron_server_packages
+
 {%- if grains.os_family == "Debian" %}
 /etc/default/neutron-server:
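Review bot: The compute map gains `python-pycadf` in `pkgs` and an `audit.enabled` default, but no hunk in this change reads `compute.audit` — the paste pipeline is only rendered for the server role — so on compute nodes this installs a package and exposes a README-documented knob that does nothing, unless a template outside this diff consumes it. Either drop the compute entries (and the `compute:` example in the README) or wire them to the compute-side template that is meant to emit audit events; if that wiring is planned, a comment on the dict naming the template that consumes it would stop readers from assuming the option is live.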
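Review bot: On RedHat `python-pycadf` is appended to `pkgs_ml2` while on Debian it goes into `pkgs`; if `pkgs_ml2` is only installed when the ML2 plugin is selected (the name suggests so, the install state is outside this diff), a RedHat server with another plugin and `audit.enabled: true` has no pycadf and neutron-server fails to import the audit filter at startup. Move it to `'pkgs': ['openstack-neutron', 'python-pycadf'],` so both families agree. Separately, `keystonemiddleware.audit` hands its CADF events to the oslo.messaging notifier, and this map defaults `'notification': False`; unless notifications are configured independently, enabling audit alone may produce no audit trail at all, which is worth a note next to the key, e.g. `# audit events are sent as notifications: enable notification as well`. The `'enabled': false` literal also differs from the `False` spelling used for `notification` on the adjacent line; Jinja accepts both, but one spelling is easier to grep.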
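Review bot: The new `/etc/neutron/api-paste.ini` state carries no `watch_in` on the neutron-server service, so toggling `audit.enabled` rewrites the pipeline file but the running API keeps the old pipeline until someone restarts it — unless the service state elsewhere in this file already watches this path, which is not visible here; adding `- watch_in:` pointing at that service state closes the gap. The source path also keys on `grains.os_family`, yet this change only touches the `.Debian` templates; confirm an `api-paste.ini.RedHat` exists for every `server.version` the formula supports, otherwise this state fails on RedHat minions. The `neutron_db_manage` state whose `require` opens the hunk starts above it.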
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index bc84995..583af2b 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -44,4 +44,8 @@ neutron:
 region: RegionOne
 user: nova
 password: password
-tenant: service
\ No newline at end of file
+tenant: service
+audit:
+filter_factory: 'keystonemiddleware.audit:filter_factory'
+map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+
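Review bot: The test pillar sets `filter_factory` and `map_file` but not `audit.enabled: true`, so with the map.jinja default the rendered api-paste.ini contains neither the `audit` pipeline entry nor the `[filter:audit]` section, and the new Jinja branch is never exercised by the test. Adding `enabled: true` under `audit:` here renders the enabled path, which is where a typo in the conditional or in the `server.get(...)` expressions would surface.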