Merge "enable cadf auditing support"

README.rst

@@ -67,6 +67,8 @@ Nova services on the controller node
             tenant: service
         metadata:
           password: password
+        audit:
+          enabled: false
 
 
 Nova services from custom package repository
@@ -101,6 +103,20 @@ Client-side RabbitMQ HA setup
       ....
 
 
+Enable auditing filter, ie: CADF
+
+.. code-block:: yaml
+
+    nova:
+      controller:
+        autidt:
+          enabled: true
+      ....
+          filter_factory: 'keystonemiddleware.audit:filter_factory'
+          map_file: '/etc/pycadf/nova_api_audit_map.conf'
+      ....
+
+
 Compute nodes
 -------------
 

nova/files/liberty/api-paste.ini.Debian

@@ -1,6 +1,8 @@
 ############
 # Metadata #
 ############
+{%- from "nova/map.jinja" import controller with context %}
+
 [composite:metadata]
 use = egg:Paste#urlmap
 /: meta
@@ -83,18 +85,18 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 [composite:openstack_compute_api_legacy_v2]
 use = call:nova.api.auth:pipeline_factory
 noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2
-keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2
-keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2
+keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit {% if controller.audit.enabled %}audit {% endif %}osapi_compute_app_legacy_v2
+keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}osapi_compute_app_legacy_v2
 
 [composite:openstack_compute_api_v21]
 use = call:nova.api.auth:pipeline_factory_v21
 noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
-keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
+keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}osapi_compute_app_v21
 
 [composite:openstack_compute_api_v21_legacy_v2_compatible]
 use = call:nova.api.auth:pipeline_factory_v21
 noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
-keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible {% if controller.audit.enabled %}audit {% endif %}osapi_compute_app_v21
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@@ -129,6 +131,13 @@ pipeline = faultwrap oscomputeversionapp
 [app:oscomputeversionapp]
 paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
 
+{%- if controller.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ controller.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory")   }}
+audit_map_file = {{ controller.get("audit", {}).get("map_file", "/etc/pycadf/nova_api_audit_map.conf")  }}
+{%- endif %}
+
+
 ##########
 # Shared #
 ##########

nova/files/mitaka/api-paste.ini.Debian

@@ -1,6 +1,7 @@
 ############
 # Metadata #
 ############
+{%- from "nova/map.jinja" import controller with context %}
 [composite:metadata]
 use = egg:Paste#urlmap
 /: meta
@@ -39,18 +40,18 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 [composite:openstack_compute_api_legacy_v2]
 use = call:nova.api.auth:pipeline_factory
 noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2
-keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2
-keystone_nolimit = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2
+keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit {% if controller.audit.enabled %}audit {% endif %}osapi_compute_app_legacy_v2
+keystone_nolimit = cors compute_req_id faultwrap sizelimit authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}osapi_compute_app_legacy_v2
 
 [composite:openstack_compute_api_v21]
 use = call:nova.api.auth:pipeline_factory_v21
 noauth2 = cors compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
-keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
+keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}osapi_compute_app_v21
 
 [composite:openstack_compute_api_v21_legacy_v2_compatible]
 use = call:nova.api.auth:pipeline_factory_v21
 noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
-keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible {% if controller.audit.enabled %}audit {% endif %}osapi_compute_app_v21
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@@ -85,6 +86,13 @@ pipeline = faultwrap oscomputeversionapp
 [app:oscomputeversionapp]
 paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
 
+{%- if controller.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ controller.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory")   }}
+audit_map_file = {{ controller.get("audit", {}).get("map_file", "/etc/pycadf/nova_api_audit_map.conf")  }}
+{%- endif %}
+
+
 ##########
 # Shared #
 ##########

nova/map.jinja

@@ -7,14 +7,20 @@
 
 {% set controller = salt['grains.filter_by']({
     'Debian': {
-        'pkgs': ['nova-consoleproxy', 'novnc', 'nova-api', 'nova-cert', 'nova-conductor', 'nova-consoleauth', 'nova-doc', 'nova-scheduler', 'python-novaclient', 'python-memcache', 'gettext-base'],
+        'pkgs': ['nova-consoleproxy', 'novnc', 'nova-api', 'nova-cert', 'nova-conductor', 'nova-consoleauth', 'nova-doc', 'nova-scheduler', 'python-novaclient', 'python-memcache', 'gettext-base', 'python-pycadf'],
         'services': ['nova-api', 'nova-cert', 'nova-consoleauth', 'nova-scheduler', 'nova-conductor', 'nova-novncproxy'],
         'debug': false,
+        'audit': {
+          'enabled': false
+        },
     },
     'RedHat': {
-        'pkgs': ['openstack-nova-novncproxy', 'python-nova', 'openstack-nova-api', 'openstack-nova-console', 'openstack-nova-scheduler', 'python-novaclient', 'openstack-nova-common', 'openstack-nova-conductor', 'openstack-nova-cert'],
+        'pkgs': ['openstack-nova-novncproxy', 'python-nova', 'openstack-nova-api', 'openstack-nova-console', 'openstack-nova-scheduler', 'python-novaclient', 'openstack-nova-common', 'openstack-nova-conductor', 'openstack-nova-cert', 'python-pycadf'],
         'services': ['openstack-nova-api', 'openstack-nova-cert', 'openstack-nova-consoleauth', 'openstack-nova-scheduler', 'openstack-nova-conductor', 'openstack-nova-novncproxy'],
         'debug': false,
+        'audit': {
+          'enabled': false
+        },
     },
 }, merge=pillar.nova.get('controller', {})) %}
 
@@ -60,4 +66,4 @@
 {%- if salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
 {%- do compute.update({'libvirt_bin': '/etc/default/libvirtd'}) %}
 {%- do compute.update({'libvirt_service': 'libvirtd'}) %}
-{%- endif %}
+{%- endif %}

tests/pillar/control_cluster.sls

@@ -52,3 +52,7 @@ nova:
       mtu: 1500
     metadata:
       password: metadata
+    audit:
+      filter_factory: 'keystonemiddleware.audit:filter_factory'
+      map_file: '/etc/pycadf/nova_api_audit_map.conf'
+