Enable audit pipeline for cinder

This change adds the keystonemiddleware audit paste filter[0]
and enables it for the cinder-api and cinder-scheduler services.
This provides the ability to audit API requests for cinder.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: If81b88a4003bc4394ef4a378626cf5d6edb9c4ae
This commit is contained in:
Gage Hugo 2019-04-11 10:53:02 -05:00
parent 94ac3569f5
commit 2f46c057a4
3 changed files with 34 additions and 6 deletions

View File

@ -119,6 +119,7 @@ data:
backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }} backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }} api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.json: {{ toJson .Values.conf.policy | b64enc }} policy.json: {{ toJson .Values.conf.policy | b64enc }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }} cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }} rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
resource_filters.json: {{ toJson .Values.conf.resource_filters | b64enc }} resource_filters.json: {{ toJson .Values.conf.resource_filters | b64enc }}

View File

@ -118,6 +118,10 @@ spec:
mountPath: /etc/cinder/policy.json mountPath: /etc/cinder/policy.json
subPath: policy.json subPath: policy.json
readOnly: true readOnly: true
- name: cinder-etc
mountPath: /etc/cinder/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
- name: cinder-etc - name: cinder-etc
mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }} mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
subPath: resource_filters.json subPath: resource_filters.json

View File

@ -312,18 +312,18 @@ conf:
composite:openstack_volume_api_v1: composite:openstack_volume_api_v1:
use: call:cinder.api.middleware.auth:pipeline_factory use: call:cinder.api.middleware.auth:pipeline_factory
noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1 noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
composite:openstack_volume_api_v2: composite:openstack_volume_api_v2:
use: call:cinder.api.middleware.auth:pipeline_factory use: call:cinder.api.middleware.auth:pipeline_factory
noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2 noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
composite:openstack_volume_api_v3: composite:openstack_volume_api_v3:
use: call:cinder.api.middleware.auth:pipeline_factory use: call:cinder.api.middleware.auth:pipeline_factory
noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3 noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3 keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3 keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
filter:request_id: filter:request_id:
paste.filter_factory: oslo_middleware.request_id:RequestId.factory paste.filter_factory: oslo_middleware.request_id:RequestId.factory
filter:http_proxy_to_wsgi: filter:http_proxy_to_wsgi:
@ -353,6 +353,9 @@ conf:
paste.filter_factory: cinder.api.middleware.auth:CinderKeystoneContext.factory paste.filter_factory: cinder.api.middleware.auth:CinderKeystoneContext.factory
filter:authtoken: filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory paste.filter_factory: keystonemiddleware.auth_token:filter_factory
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/cinder/api_audit_map.conf
policy: policy:
context_is_admin: role:admin context_is_admin: role:admin
admin_or_owner: is_admin:True or project_id:%(project_id)s admin_or_owner: is_admin:True or project_id:%(project_id)s
@ -469,6 +472,26 @@ conf:
clusters:get: rule:admin_api clusters:get: rule:admin_api
clusters:get_all: rule:admin_api clusters:get_all: rule:admin_api
clusters:update: rule:admin_api clusters:update: rule:admin_api
api_audit_map:
DEFAULT:
target_endpoint_type: None
custom_actions:
associate: update/associate
disassociate: update/disassociate_all
disassociate_all: update/disassociate_all
associations: read/list/associations
path_keywords:
defaults: None
detail: None
limits: None
os-quota-specs: project
qos-specs: qos-spec
snapshots: snapshot
types: type
volumes: volume
service_endpoints:
volume: service/storage/block
volumev2: service/storage/block
cinder_sudoers: | cinder_sudoers: |
# This sudoers file supports rootwrap for both Kolla and LOCI Images. # This sudoers file supports rootwrap for both Kolla and LOCI Images.
Defaults !requiretty Defaults !requiretty