Enable audit pipeline for neutron

This change adds the keystonemiddleware audit paste filter[0] and enables it for the neutron-server service. This provides the ability to audit API requests for neutron. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: I86b4df1436ae59bc9a151c28337af7c06c83e45f
2019-04-11 13:06:50 -05:00 · 2019-04-11 13:06:50 -05:00 · 6398d97d5a
commit 6398d97d5a
parent d544a556db
3 changed files with 34 additions and 1 deletions
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@ -181,6 +181,7 @@ data:
  policy.json: {{ toJson $envAll.Values.conf.policy | b64enc }}
  neutron.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.neutron | b64enc }}
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
  dhcp_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.dhcp_agent | b64enc }}
  l3_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.l3_agent | b64enc }}
  metadata_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.metadata_agent | b64enc }}
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@ -98,6 +98,10 @@ spec:
              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
            - name: neutron-etc
              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
              subPath: ml2_conf.ini
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -785,7 +785,7 @@ conf:
    composite:neutronapi_v2_0:
      use: call:neutron.auth:pipeline_factory
      noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
-      keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+      keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
    composite:neutronversions_composite:
      use: call:neutron.auth:pipeline_factory
      noauth: cors http_proxy_to_wsgi neutronversions
@ -803,6 +803,9 @@ conf:
      paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
    filter:authtoken:
      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/neutron/api_audit_map.conf
    filter:extensions:
      paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
    app:neutronversions:
@ -1001,6 +1004,31 @@ conf:
    get_subports: ''
    add_subports: rule:admin_or_owner
    remove_subports: rule:admin_or_owner
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    custom_actions:
+      add_router_interface: update/add
+      remove_router_interface: update/remove
+    path_keywords:
+      floatingips: ip
+      healthmonitors: healthmonitor
+      health_monitors: health_monitor
+      lb: None
+      members: member
+      metering-labels: label
+      metering-label-rules: rule
+      networks: network
+      pools: pool
+      ports: port
+      routers: router
+      quotas: quota
+      security-groups: security-group
+      security-group-rules: rule
+      subnets: subnet
+      vips: vip
+    service_endpoints:
+      network: service/network
  neutron_sudoers: |
    # This sudoers file supports rootwrap for both Kolla and LOCI Images.
    Defaults !requiretty