Enable audit pipeline for panko
This change adds the keystonemiddleware audit paste filter[0] and enables it for the panko-api service. This provides the ability to audit API requests for panko. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: I5c0e3c61317483d36fcb05ebff8b377941675c27
parent
d544a556db
commit
ced3780967
@ -85,5 +85,6 @@ data:
|
|||||||
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
|
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
|
||||||
api_paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
|
api_paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
|
||||||
policy.json: {{ toJson .Values.conf.policy | b64enc }}
|
policy.json: {{ toJson .Values.conf.policy | b64enc }}
|
||||||
|
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
|
||||||
{{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_panko "key" "wsgi-panko.conf" "format" "Secret" ) | indent 2 }}
|
{{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_panko "key" "wsgi-panko.conf" "format" "Secret" ) | indent 2 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -96,6 +96,10 @@ spec:
|
|||||||
mountPath: /etc/panko/policy.json
|
mountPath: /etc/panko/policy.json
|
||||||
subPath: policy.json
|
subPath: policy.json
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- name: panko-etc
|
||||||
|
mountPath: /etc/panko/api_audit_map.conf
|
||||||
|
subPath: api_audit_map.conf
|
||||||
|
readOnly: true
|
||||||
- name: panko-etc
|
- name: panko-etc
|
||||||
mountPath: /etc/apache2/conf-enabled/wsgi-panko.conf
|
mountPath: /etc/apache2/conf-enabled/wsgi-panko.conf
|
||||||
subPath: wsgi-panko.conf
|
subPath: wsgi-panko.conf
|
||||||
|
@ -220,7 +220,7 @@ conf:
|
|||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
paste:
|
paste:
|
||||||
pipeline:main:
|
pipeline:main:
|
||||||
pipeline: cors http_proxy_to_wsgi request_id authtoken api-server
|
pipeline: cors http_proxy_to_wsgi request_id authtoken audit api-server
|
||||||
app:api-server:
|
app:api-server:
|
||||||
paste.app_factory: panko.api.app:app_factory
|
paste.app_factory: panko.api.app:app_factory
|
||||||
filter:authtoken:
|
filter:authtoken:
|
||||||
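Review bot: Placing `audit` after `authtoken` in `pipeline:main` means that, unless `delay_auth_decision` is enabled, requests rejected by authtoken never reach the audit filter, so the resulting trail covers authenticated API calls only. That ordering is what the keystonemiddleware audit filter expects, but it should be recorded next to the pipeline so operators do not read the audit stream as a record of failed authentication attempts. I would add a comment above the `pipeline:` value such as `# audit must follow authtoken; requests rejected by authtoken are not audited here`. The `paste` mapping continues outside this hunk.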
@ -234,6 +234,9 @@ conf:
|
|||||||
filter:http_proxy_to_wsgi:
|
filter:http_proxy_to_wsgi:
|
||||||
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
|
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
|
||||||
oslo_config_project: panko
|
oslo_config_project: panko
|
||||||
|
filter:audit:
|
||||||
|
paste.filter_factory: keystonemiddleware.audit:filter_factory
|
||||||
|
audit_map_file: /etc/panko/api_audit_map.conf
|
||||||
policy:
|
policy:
|
||||||
context_is_admin: role:admin
|
context_is_admin: role:admin
|
||||||
segregation: rule:context_is_admin
|
segregation: rule:context_is_admin
|
||||||
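Review bot: The new `filter:audit` section does not set `oslo_config_project: panko`, while the `filter:http_proxy_to_wsgi` section directly above it does. Without it the audit middleware presumably falls back to the global oslo.config object rather than panko's own configuration, so any `[audit_middleware_notifications]` driver or transport settings in panko.conf may not be picked up, and audit events could end up only in the service log or be dropped. I would add `oslo_config_project: panko` under `filter:audit` and confirm after deployment that an API request produces a notification on the intended topic. Nothing in the visible hunks configures a notification driver, so that needs checking in the rest of the chart.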
@ -310,6 +313,16 @@ conf:
|
|||||||
class: oslo_log.formatters.ContextFormatter
|
class: oslo_log.formatters.ContextFormatter
|
||||||
formatter_default:
|
formatter_default:
|
||||||
format: "%(message)s"
|
format: "%(message)s"
|
||||||
|
api_audit_map:
|
||||||
|
DEFAULT:
|
||||||
|
target_endpoint_type: event
|
||||||
|
path_keywords:
|
||||||
|
events: message_id
|
||||||
|
capabilities: None
|
||||||
|
event_types: event_type
|
||||||
|
traits: event_type
|
||||||
|
service_endpoints:
|
||||||
|
event: service/event
|
||||||
|
|
||||||
# typically overriden by environmental
|
# typically overriden by environmental
|
||||||
# values, but should include all endpoints
|
# values, but should include all endpoints
|
||||||
|
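Review bot: In `path_keywords`, `traits: event_type` labels the path segment that follows `traits` with the same ID name already used for `event_types`. If the Panko v2 route is `/v2/event_types/{event_type}/traits/{trait_name}`, that segment is a trait name, so the target typeURI in the audit record would misdescribe the resource; `traits: trait_name` would keep the records unambiguous. Separately, `capabilities: None` appears to be the audit map's literal for "no ID follows this keyword" and is a YAML string rather than null, so a short comment such as `# None: keyword is not followed by a resource ID` would stop it being changed to `null` later.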