Enable audit pipeline for panko

This change adds the keystonemiddleware audit paste filter[0]
and enables it for the panko-api service.
This provides the ability to audit API requests for panko.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: I5c0e3c61317483d36fcb05ebff8b377941675c27
This commit is contained in:
Gage Hugo 2019-04-11 14:59:01 -05:00
parent d544a556db
commit ced3780967
3 changed files with 19 additions and 1 deletions

View File

@ -85,5 +85,6 @@ data:
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }} logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
api_paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }} api_paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.json: {{ toJson .Values.conf.policy | b64enc }} policy.json: {{ toJson .Values.conf.policy | b64enc }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
{{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_panko "key" "wsgi-panko.conf" "format" "Secret" ) | indent 2 }} {{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_panko "key" "wsgi-panko.conf" "format" "Secret" ) | indent 2 }}
{{- end }} {{- end }}

View File

@ -96,6 +96,10 @@ spec:
mountPath: /etc/panko/policy.json mountPath: /etc/panko/policy.json
subPath: policy.json subPath: policy.json
readOnly: true readOnly: true
- name: panko-etc
mountPath: /etc/panko/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
- name: panko-etc - name: panko-etc
mountPath: /etc/apache2/conf-enabled/wsgi-panko.conf mountPath: /etc/apache2/conf-enabled/wsgi-panko.conf
subPath: wsgi-panko.conf subPath: wsgi-panko.conf

View File

@ -220,7 +220,7 @@ conf:
</VirtualHost> </VirtualHost>
paste: paste:
pipeline:main: pipeline:main:
pipeline: cors http_proxy_to_wsgi request_id authtoken api-server pipeline: cors http_proxy_to_wsgi request_id authtoken audit api-server
app:api-server: app:api-server:
paste.app_factory: panko.api.app:app_factory paste.app_factory: panko.api.app:app_factory
filter:authtoken: filter:authtoken:
@ -234,6 +234,9 @@ conf:
filter:http_proxy_to_wsgi: filter:http_proxy_to_wsgi:
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
oslo_config_project: panko oslo_config_project: panko
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/panko/api_audit_map.conf
policy: policy:
context_is_admin: role:admin context_is_admin: role:admin
segregation: rule:context_is_admin segregation: rule:context_is_admin
@ -310,6 +313,16 @@ conf:
class: oslo_log.formatters.ContextFormatter class: oslo_log.formatters.ContextFormatter
formatter_default: formatter_default:
format: "%(message)s" format: "%(message)s"
api_audit_map:
DEFAULT:
target_endpoint_type: event
path_keywords:
events: message_id
capabilities: None
event_types: event_type
traits: event_type
service_endpoints:
event: service/event
# typically overriden by environmental # typically overriden by environmental
# values, but should include all endpoints # values, but should include all endpoints