From ced37809671b2fa7be4abb99c56a71a92b5ba762 Mon Sep 17 00:00:00 2001 From: Gage Hugo Date: Thu, 11 Apr 2019 14:59:01 -0500 Subject: [PATCH] Enable audit pipeline for panko This change adds the keystonemiddleware audit paste filter[0] and enables it for the panko-api service. This provides the ability to audit API requests for panko. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: I5c0e3c61317483d36fcb05ebff8b377941675c27 --- panko/templates/configmap-etc.yaml | 1 + panko/templates/deployment-api.yaml | 4 ++++ panko/values.yaml | 15 ++++++++++++++- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/panko/templates/configmap-etc.yaml b/panko/templates/configmap-etc.yaml index 41f6980e31..b00e7b6ce4 100644 --- a/panko/templates/configmap-etc.yaml +++ b/panko/templates/configmap-etc.yaml @@ -85,5 +85,6 @@ data: logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }} api_paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }} policy.json: {{ toJson .Values.conf.policy | b64enc }} + api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }} {{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_panko "key" "wsgi-panko.conf" "format" "Secret" ) | indent 2 }} {{- end }} diff --git a/panko/templates/deployment-api.yaml b/panko/templates/deployment-api.yaml index 3efa5a0fc8..06e6baf8a4 100644 --- a/panko/templates/deployment-api.yaml +++ b/panko/templates/deployment-api.yaml @@ -96,6 +96,10 @@ spec: mountPath: /etc/panko/policy.json subPath: policy.json readOnly: true + - name: panko-etc + mountPath: /etc/panko/api_audit_map.conf + subPath: api_audit_map.conf + readOnly: true - name: panko-etc mountPath: /etc/apache2/conf-enabled/wsgi-panko.conf subPath: wsgi-panko.conf diff --git a/panko/values.yaml b/panko/values.yaml index 7adefd039b..009902cb8e 100644 --- a/panko/values.yaml +++ b/panko/values.yaml @@ -220,7 +220,7 @@ conf: paste: pipeline:main: - pipeline: cors http_proxy_to_wsgi request_id authtoken api-server + pipeline: cors http_proxy_to_wsgi request_id authtoken audit api-server app:api-server: paste.app_factory: panko.api.app:app_factory filter:authtoken: @@ -234,6 +234,9 @@ conf: filter:http_proxy_to_wsgi: paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory oslo_config_project: panko + filter:audit: + paste.filter_factory: keystonemiddleware.audit:filter_factory + audit_map_file: /etc/panko/api_audit_map.conf policy: context_is_admin: role:admin segregation: rule:context_is_admin @@ -310,6 +313,16 @@ conf: class: oslo_log.formatters.ContextFormatter formatter_default: format: "%(message)s" + api_audit_map: + DEFAULT: + target_endpoint_type: event + path_keywords: + events: message_id + capabilities: None + event_types: event_type + traits: event_type + service_endpoints: + event: service/event # typically overriden by environmental # values, but should include all endpoints