openstack/pycadf
Code Issues Proposed changes

add audit_maps for more OpenStack components

Browse Source 
add audit_maps for:
- cinder
- glance
- neutron

Change-Id: If324c1296f852e57f3a376ccfc485ed1b3df75e3
Blueprint: audit-all-apis
This commit is contained in:
Gordon Chung 2014-02-13 12:51:22 -05:00
parent 6ac553173d
commit c575e6d1df
8 changed files with 106 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
etc/pycadf/cinder_api_audit_map.conf Normal file
View File

@ -0,0 +1,27 @@
[DEFAULT]
# default target endpoint type
# should match the endpoint type defined in service catalog
target_endpoint_type = None
# map urls ending with specific text to a unique action
[custom_actions]
associate = update/associate
disassociate = update/disassociate
disassociate_all = update/disassociate_all
associations = read/list/associations
# possible end path of api requests
[path_keywords]
defaults = None
detail = None
limits = None
os-quota-specs = project
qos-specs = qos-spec
snapshots = snapshot
types = type
volumes = volume
# map endpoint type defined in service catalog to CADF typeURI
[service_endpoints]
volume = service/storage/block
volumev2 = service/storage/block

16
etc/pycadf/glance_api_audit_map.conf Normal file
View File

@ -0,0 +1,16 @@
[DEFAULT]
# default target endpoint type
# should match the endpoint type defined in service catalog
target_endpoint_type = None
# possible end path of api requests
[path_keywords]
detail = None
file = None
images = image
members = member
tags = tag
# map endpoint type defined in service catalog to CADF typeURI
[service_endpoints]
image = service/storage/image

31
etc/pycadf/neutron_api_audit_map.conf Normal file
View File

@ -0,0 +1,31 @@
[DEFAULT]
# default target endpoint type
# should match the endpoint type defined in service catalog
target_endpoint_type = None
[custom_actions]
add_router_interface = update/add
remove_router_interface = update/remove
# possible end path of api requests
[path_keywords]
floatingips = ip
healthmonitors = healthmonitor
health_monitors = health_monitor
lb = None
members = member
metering-labels = label
metering-label-rules = rule
networks = network
pools = pool
ports = port
routers = router
quotas = quota
security-groups = security-group
security-group-rules = rule
subnets = subnet
vips = vip
# map endpoint type defined in service catalog to CADF typeURI
[service_endpoints]
network = service/network

11
etc/pycadf/api_audit_map.conf → etc/pycadf/nova_api_audit_map.conf
View File

@ -50,7 +50,7 @@ os-keypairs = keypair
os-migrations = None
os-networks = network
os-quota-sets = tenant
os-security-groups = security-group
os-security-groups = security_group
os-security-group-rules = rule
os-server-password = None
os-services = None
@ -66,13 +66,6 @@ shutdown = None
startup = None
statistics = None
# map endpoint type defined in service catalog to CADF typeURI
[service_endpoints]
identity = service/security
object-store = service/storage/object
volume = service/storage/block
image = service/storage/image
network = service/network
compute = service/compute
metering = service/bss/metering
compute = service/compute

9
pycadf/audit/api.py
View File

@ -124,6 +124,10 @@ class OpenStackAuditApi(object):
map_file = cfg.CONF.find_file(CONF.audit.api_audit_map)
self._MAP = _configure_audit_map(map_file)
@staticmethod
def _clean_path(value):
return value[:-5] if value.endswith('.json') else value
def _get_action(self, req):
"""Take a given Request, parse url path to calculate action type.
@ -140,7 +144,7 @@ class OpenStackAuditApi(object):
"""
path = req.path[:-1] if req.path.endswith('/') else req.path
url_ending = path[path.rfind('/') + 1:]
url_ending = self._clean_path(path[path.rfind('/') + 1:])
method = req.method
if url_ending + '/' + method.lower() in self._MAP.custom_actions:
@ -167,7 +171,7 @@ class OpenStackAuditApi(object):
action = taxonomy.ACTION_LIST
else:
action = taxonomy.ACTION_READ
elif method == 'PUT':
elif method == 'PUT' or method == 'PATCH':
action = taxonomy.ACTION_UPDATE
elif method == 'DELETE':
action = taxonomy.ACTION_DELETE
@ -201,6 +205,7 @@ class OpenStackAuditApi(object):
type_uri = ''
prev_key = None
for key in re.split('/', req.path):
key = self._clean_path(key)
if key in self._MAP.path_kw:
type_uri += '/' + key
elif prev_key in self._MAP.path_kw:

4
pycadf/tests/audit/test_api.py
View File

@ -45,7 +45,7 @@ class TestAuditApi(base.TestCase):
def setUp(self):
super(TestAuditApi, self).setUp()
self.audit_api = api.OpenStackAuditApi(
'etc/pycadf/api_audit_map.conf')
'etc/pycadf/nova_api_audit_map.conf')
def api_request(self, method, url):
self.ENV_HEADERS['REQUEST_METHOD'] = method
@ -58,7 +58,7 @@ class TestAuditApi(base.TestCase):
def test_get_list_with_cfg(self):
cfg.CONF.set_override(
'api_audit_map',
self.path_get('etc/pycadf/api_audit_map.conf'),
self.path_get('etc/pycadf/nova_api_audit_map.conf'),
group='audit')
self.audit_api = api.OpenStackAuditApi()
req = self.api_request('GET',

34
pycadf/tests/middleware/test_audit.py
View File

@ -58,13 +58,13 @@ class AuditMiddlewareTest(base.TestCase):
def setUp(self):
super(AuditMiddlewareTest, self).setUp()
self.map_file = 'etc/pycadf/api_audit_map.conf'
self.map_file = 'etc/pycadf/nova_api_audit_map.conf'
def test_api_request(self):
middleware = audit.AuditMiddleware(FakeApp(),
audit_map_file=
'etc/pycadf/api_audit_map.conf',
service_name='pycadf')
middleware = audit.AuditMiddleware(
FakeApp(),
audit_map_file='etc/pycadf/nova_api_audit_map.conf',
service_name='pycadf')
self.ENV_HEADERS['REQUEST_METHOD'] = 'GET'
req = webob.Request.blank('/foo/bar',
environ=self.ENV_HEADERS)
@ -95,10 +95,10 @@ class AuditMiddlewareTest(base.TestCase):
self.assertEqual(request['CADF_EVENT']['outcome'], 'success')
def test_api_request_failure(self):
middleware = audit.AuditMiddleware(FakeFailingApp(),
audit_map_file=
'etc/pycadf/api_audit_map.conf',
service_name='pycadf')
middleware = audit.AuditMiddleware(
FakeFailingApp(),
audit_map_file='etc/pycadf/nova_api_audit_map.conf',
service_name='pycadf')
self.ENV_HEADERS['REQUEST_METHOD'] = 'GET'
req = webob.Request.blank('/foo/bar',
environ=self.ENV_HEADERS)
@ -137,10 +137,10 @@ class AuditMiddlewareTest(base.TestCase):
raise Exception('error')
self.stubs.Set(cadf_api.OpenStackAuditApi, 'append_audit_event',
func_error)
middleware = audit.AuditMiddleware(FakeApp(),
audit_map_file=
'etc/pycadf/api_audit_map.conf',
service_name='pycadf')
middleware = audit.AuditMiddleware(
FakeApp(),
audit_map_file='etc/pycadf/nova_api_audit_map.conf',
service_name='pycadf')
req = webob.Request.blank('/foo/bar',
environ={'REQUEST_METHOD': 'GET'})
middleware.process_request(req)
@ -150,10 +150,10 @@ class AuditMiddlewareTest(base.TestCase):
raise Exception('error')
self.stubs.Set(cadf_api.OpenStackAuditApi, 'mod_audit_event',
func_error)
middleware = audit.AuditMiddleware(FakeApp(),
audit_map_file=
'etc/pycadf/api_audit_map.conf',
service_name='pycadf')
middleware = audit.AuditMiddleware(
FakeApp(),
audit_map_file='etc/pycadf/nova_api_audit_map.conf',
service_name='pycadf')
req = webob.Request.blank('/foo/bar',
environ={'REQUEST_METHOD': 'GET'})
middleware.process_response(req, webob.response.Response())

5
setup.cfg
View File

@ -22,7 +22,10 @@ packages =
pycadf
data_files =
etc/pycadf =
etc/pycadf/api_audit_map.conf
etc/pycadf/cinder_api_audit_map.conf
etc/pycadf/glance_api_audit_map.conf
etc/pycadf/neutron_api_audit_map.conf
etc/pycadf/nova_api_audit_map.conf
[global]
setup-hooks =