Enable audit pipeline for panko

This change adds the keystonemiddleware audit paste filter[0] and enables it for the panko-api service. This provides the ability to audit API requests for panko. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: I5c0e3c61317483d36fcb05ebff8b377941675c27
2019-04-11 14:59:01 -05:00 · 2019-04-11 14:59:01 -05:00 · ced3780967
commit ced3780967
parent d544a556db
3 changed files with 19 additions and 1 deletions
--- a/panko/templates/configmap-etc.yaml
+++ b/panko/templates/configmap-etc.yaml
@ -85,5 +85,6 @@ data:
  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
  api_paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
  policy.json: {{  toJson .Values.conf.policy | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
 {{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_panko "key" "wsgi-panko.conf" "format" "Secret" ) | indent 2 }}
 {{- end }}
--- a/panko/templates/deployment-api.yaml
+++ b/panko/templates/deployment-api.yaml
@ -96,6 +96,10 @@ spec:
              mountPath: /etc/panko/policy.json
              subPath: policy.json
              readOnly: true
+            - name: panko-etc
+              mountPath: /etc/panko/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
            - name: panko-etc
              mountPath: /etc/apache2/conf-enabled/wsgi-panko.conf
              subPath: wsgi-panko.conf
--- a/panko/values.yaml
+++ b/panko/values.yaml
@ -220,7 +220,7 @@ conf:
    </VirtualHost>
  paste:
    pipeline:main:
-      pipeline: cors http_proxy_to_wsgi request_id authtoken api-server
+      pipeline: cors http_proxy_to_wsgi request_id authtoken audit api-server
    app:api-server:
      paste.app_factory: panko.api.app:app_factory
    filter:authtoken:
@ -234,6 +234,9 @@ conf:
    filter:http_proxy_to_wsgi:
      paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
      oslo_config_project: panko
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/panko/api_audit_map.conf
  policy:
    context_is_admin: role:admin
    segregation: rule:context_is_admin
@ -310,6 +313,16 @@ conf:
      class: oslo_log.formatters.ContextFormatter
    formatter_default:
      format: "%(message)s"
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: event
+    path_keywords:
+      events: message_id
+      capabilities: None
+      event_types: event_type
+      traits: event_type
+    service_endpoints:
+      event: service/event

 # typically overriden by environmental
 # values, but should include all endpoints