Enable audit pipeline for neutron

This change adds the keystonemiddleware audit paste filter[0]
and enables it for the neutron-server service.
This provides the ability to audit API requests for neutron.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: I86b4df1436ae59bc9a151c28337af7c06c83e45f
This commit is contained in:
Gage Hugo 2019-04-11 13:06:50 -05:00
parent d544a556db
commit 6398d97d5a
3 changed files with 34 additions and 1 deletions


@ -181,6 +181,7 @@ data:
policy.json: {{ toJson $envAll.Values.conf.policy | b64enc }}
neutron.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.neutron | b64enc }}
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
dhcp_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.dhcp_agent | b64enc }}
l3_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.l3_agent | b64enc }}
metadata_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.metadata_agent | b64enc }}
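Review bot: The new `api_audit_map.conf` entry resolves its value through `.Values.conf.api_audit_map`, while the neighbouring `neutron.conf`, `dhcp_agent.ini`, `l3_agent.ini` and `metadata_agent.ini` entries go through `$envAll.Values`; should this `data:` stanza ever be moved under a `range`/`with` that rebinds `.`, the new line would silently render empty while the others keep working. Using `$envAll.Values.conf.api_audit_map | b64enc` keeps the stanza to one style. The pre-existing `logging.conf` entry carries the same inconsistency, so this is a style point rather than a defect in this change.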


@ -98,6 +98,10 @@ spec:
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
subPath: ml2_conf.ini


@ -785,7 +785,7 @@ conf:
composite:neutronapi_v2_0:
use: call:neutron.auth:pipeline_factory
noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
composite:neutronversions_composite:
use: call:neutron.auth:pipeline_factory
noauth: cors http_proxy_to_wsgi neutronversions
@ -803,6 +803,9 @@ conf:
paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/neutron/api_audit_map.conf
filter:extensions:
paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
app:neutronversions:
@ -1001,6 +1004,31 @@ conf:
get_subports: ''
add_subports: rule:admin_or_owner
remove_subports: rule:admin_or_owner
api_audit_map:
DEFAULT:
target_endpoint_type: None
custom_actions:
add_router_interface: update/add
remove_router_interface: update/remove
path_keywords:
floatingips: ip
healthmonitors: healthmonitor
health_monitors: health_monitor
lb: None
members: member
metering-labels: label
metering-label-rules: rule
networks: network
pools: pool
ports: port
routers: router
quotas: quota
security-groups: security-group
security-group-rules: rule
subnets: subnet
vips: vip
service_endpoints:
network: service/network
neutron_sudoers: |
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
Defaults !requiretty
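Review bot: With `audit` placed after `authtoken` on the new `keystone:` pipeline line, a request that authtoken rejects is answered before it reaches the audit filter, so failed or token-less API calls leave no CADF event from neutron; that is the documented position (the event is built from the identity headers authtoken sets), but the coverage gap should be recorded, and the `noauth:` pipeline on the line above carries no `audit` filter at all, so a deployment that selects the noauth strategy is not audited. The filter also only emits through oslo.messaging notifications, so unless neutron.conf (outside this diff) configures a notification driver, or the `[audit_middleware_notifications]` group sets `driver`/`topics`, the middleware runs but every event is dropped with nothing to show for it. A comment above `filter:audit:` would keep operators from assuming the pipeline change alone produces an audit trail, e.g. `# Emits CADF events via oslo.messaging; a notification driver/topic must be configured or events are discarded. Only the keystone pipeline is audited, and only requests that pass authtoken.` The `api_audit_map` values (`target_endpoint_type: None`, `lb: None`) are rendered as the literal string `None`, which matches the upstream sample map, but quoting them as `'None'` would make that intent explicit to the next reader.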