enable cadf auditing support
Change-Id: I641b89a77b50a39faea9aadfc065b8046cb71633
diff --git a/README.rst b/README.rst
index 38734eb..9987ad1 100644
--- a/README.rst
+++ b/README.rst
@@ -52,6 +52,8 @@
multihost: true
multipath: true
pool: SAS7K2
+ audit:
+ enabled: false
cinder:
volume:
@@ -91,7 +93,8 @@
multihost: true
multipath: true
pool: SAS7K2
- w
+ audit:
+ enabled: false
Client-side RabbitMQ HA setup for controller
@@ -367,13 +370,34 @@
clustername: cluster1
sf_emulate_512: false
+
+
+Enable auditing filter, ie: CADF
+
+.. code-block:: yaml
+
+ cinder:
+ controller:
+ audit:
+ enabled: true
+ ....
+ filter_factory: 'keystonemiddleware.audit:filter_factory'
+ map_file: '/etc/pycadf/cinder_api_audit_map.conf'
+ ....
+ volume:
+ audit:
+ enabled: true
+ ....
+ filter_factory: 'keystonemiddleware.audit:filter_factory'
+ map_file: '/etc/pycadf/cinder_api_audit_map.conf'
+
Documentation and Bugs
============================
To learn how to deploy OpenStack Salt, consult the documentation available
online at:
- https://wiki.openstack.org/wiki/OpenStackSalt
+https://wiki.openstack.org/wiki/OpenStackSalt
In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
diff --git a/cinder/files/liberty/api-paste.ini.controller.Debian b/cinder/files/liberty/api-paste.ini.controller.Debian
index 6ffb02e..3fe8975 100644
--- a/cinder/files/liberty/api-paste.ini.controller.Debian
+++ b/cinder/files/liberty/api-paste.ini.controller.Debian
@@ -2,6 +2,7 @@
# OpenStack #
#############
{%- from "cinder/map.jinja" import controller with context %}
+
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
/: apiversions
@@ -11,14 +12,14 @@
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = request_id faultwrap sizelimit osprofiler noauth apiv1
-keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
-keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv1
+keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = request_id faultwrap sizelimit osprofiler noauth apiv2
-keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
-keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv2
+keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv2
[filter:request_id]
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
@@ -68,3 +69,9 @@
admin_user = {{ controller.identity.user }}
admin_password = {{ controller.identity.password }}
auth_uri=http://{{ controller.identity.host }}:5000/{% if controller.identity.get('version', 2) == 3 %}v3{% endif %}
+
+{%- if controller.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ controller.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ controller.get("audit", {}).get("map_file", "/etc/pycadf/cinder_api_audit_map.conf") }}
+{%- endif %}
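Review bot: The guard on `[filter:audit]` reads `controller.audit.enabled` directly while the two values inside it go through `controller.get("audit", {})`, so the section mixes an accessor that assumes the key exists with one that defends against its absence. Since map.jinja now always supplies `audit`, `controller.audit.get("filter_factory", ...)` would be consistent, or the guard could become `controller.get("audit", {}).get("enabled", False)`. The section would also benefit from a comment saying where the records go, for example `# CADF events are emitted via oslo.messaging notifications; configure a notification driver to ship them off-host`. As far as I know the keystonemiddleware audit filter otherwise only writes to the service log, and the map defaults keep `notification` at False, so confirm that enabling the filter alone produces a usable audit trail. The same points apply to the `[filter:audit]` hunks in the other five templates.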
diff --git a/cinder/files/liberty/api-paste.ini.volume.Debian b/cinder/files/liberty/api-paste.ini.volume.Debian
index 0d7ee9f..cbc9acf 100644
--- a/cinder/files/liberty/api-paste.ini.volume.Debian
+++ b/cinder/files/liberty/api-paste.ini.volume.Debian
@@ -2,6 +2,7 @@
# OpenStack #
#############
{%- from "cinder/map.jinja" import volume with context %}
+
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
/: apiversions
@@ -11,14 +12,14 @@
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = request_id faultwrap sizelimit osprofiler noauth apiv1
-keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
-keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if volume.audit.enabled %}audit {% endif %}apiv1
+keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if volume.audit.enabled %}audit {% endif %}apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = request_id faultwrap sizelimit osprofiler noauth apiv2
-keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
-keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if volume.audit.enabled %}audit {% endif %}apiv2
+keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if volume.audit.enabled %}audit {% endif %}apiv2
[filter:request_id]
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
@@ -68,3 +69,9 @@
admin_user = {{ volume.identity.user }}
admin_password = {{ volume.identity.password }}
auth_uri=http://{{ volume.identity.host }}:5000/{% if volume.identity.get('version', 2) == 3 %}v3{% endif %}
+
+{%- if volume.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ volume.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ volume.get("audit", {}).get("map_file", "/etc/pycadf/cinder_api_audit_map.conf") }}
+{%- endif %}
diff --git a/cinder/files/mitaka/api-paste.ini.controller.Debian b/cinder/files/mitaka/api-paste.ini.controller.Debian
index 5914d81..5a03652 100644
--- a/cinder/files/mitaka/api-paste.ini.controller.Debian
+++ b/cinder/files/mitaka/api-paste.ini.controller.Debian
@@ -1,6 +1,7 @@
#############
# OpenStack #
#############
+{%- from "cinder/map.jinja" import controller with context %}
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
@@ -12,14 +13,14 @@
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors request_id faultwrap sizelimit osprofiler noauth apiv1
-keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
-keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv1
+keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors request_id faultwrap sizelimit osprofiler noauth apiv2
-keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
-keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv2
+keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv2
[composite:openstack_volume_api_v3]
use = call:cinder.api.middleware.auth:pipeline_factory
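Review bot: The `keystone` and `keystone_nolimit` pipelines of `[composite:openstack_volume_api_v3]` are not touched: this hunk stops just inside that section and the next one starts at line 73, so v3 requests appear to bypass the audit filter even when `controller.audit.enabled` is true. That leaves an audit trail that silently misses one API version. The v3 lines should get the same `{% if controller.audit.enabled %}audit {% endif %}` token before `apiv3`; the section body is outside the hunk, so its exact filter list needs checking in the file. The newton controller template has the same gap.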
@@ -73,3 +74,9 @@
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+{%- if controller.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ controller.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ controller.get("audit", {}).get("map_file", "/etc/pycadf/cinder_api_audit_map.conf") }}
+{%- endif %}
diff --git a/cinder/files/mitaka/api-paste.ini.volume.Debian b/cinder/files/mitaka/api-paste.ini.volume.Debian
index 5914d81..7fd4619 100644
--- a/cinder/files/mitaka/api-paste.ini.volume.Debian
+++ b/cinder/files/mitaka/api-paste.ini.volume.Debian
@@ -1,6 +1,7 @@
#############
# OpenStack #
#############
+{%- from "cinder/map.jinja" import volume with context %}
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
@@ -12,8 +13,8 @@
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors request_id faultwrap sizelimit osprofiler noauth apiv1
-keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
-keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if volume.audit.enabled %}audit {% endif %}apiv1
+keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if volume.audit.enabled %}audit {% endif %}apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
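Review bot: Only the v1 pipelines gain the audit token here; the hunk is `-12,8` and ends just inside `[composite:openstack_volume_api_v2]`, so the v2 `keystone`/`keystone_nolimit` lines stay as they were, and so does v3 if this template carries that section as the controller one does. The mitaka controller template and the liberty volume template both patch v2, so this looks like an omission rather than intent, and it means v2 traffic on the volume role is not audited when `volume.audit.enabled` is set. Each remaining `keystone*` line should get `{% if volume.audit.enabled %}audit {% endif %}` before its `apivN` app. The newton volume template has the same 8-line hunk and the same gap.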
@@ -73,3 +74,9 @@
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+{%- if volume.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ volume.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ volume.get("audit", {}).get("map_file", "/etc/pycadf/cinder_api_audit_map.conf") }}
+{%- endif %}
diff --git a/cinder/files/newton/api-paste.ini.controller.Debian b/cinder/files/newton/api-paste.ini.controller.Debian
index a761f53..aada960 100644
--- a/cinder/files/newton/api-paste.ini.controller.Debian
+++ b/cinder/files/newton/api-paste.ini.controller.Debian
@@ -1,6 +1,7 @@
#############
# OpenStack #
#############
+{%- from "cinder/map.jinja" import controller with context %}
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
@@ -12,14 +13,14 @@
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
-keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
-keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv1
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
-keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
-keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv2
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if controller.audit.enabled %}audit {% endif %}apiv2
[composite:openstack_volume_api_v3]
use = call:cinder.api.middleware.auth:pipeline_factory
@@ -73,3 +74,10 @@
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+{%- if controller.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ controller.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ controller.get("audit", {}).get("map_file", "/etc/pycadf/cinder_api_audit_map.conf") }}
+{%- endif %}
+
diff --git a/cinder/files/newton/api-paste.ini.volume.Debian b/cinder/files/newton/api-paste.ini.volume.Debian
index a761f53..e4944ec 100644
--- a/cinder/files/newton/api-paste.ini.volume.Debian
+++ b/cinder/files/newton/api-paste.ini.volume.Debian
@@ -1,6 +1,7 @@
#############
# OpenStack #
#############
+{%- from "cinder/map.jinja" import volume with context %}
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
@@ -12,8 +13,8 @@
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
-keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
-keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if volume.audit.enabled %}audit {% endif %}apiv1
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext {% if volume.audit.enabled %}audit {% endif %}apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
@@ -73,3 +74,9 @@
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+{%- if volume.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ volume.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ volume.get("audit", {}).get("map_file", "/etc/pycadf/cinder_api_audit_map.conf") }}
+{%- endif %}
diff --git a/cinder/map.jinja b/cinder/map.jinja
index e1c6ded..e0323a5 100644
--- a/cinder/map.jinja
+++ b/cinder/map.jinja
@@ -1,30 +1,42 @@
{% set controller = salt['grains.filter_by']({
'Debian': {
- 'pkgs': ['cinder-api', 'cinder-scheduler', 'lvm2', 'python-cinder', 'gettext-base', 'python-memcache'],
+ 'pkgs': ['cinder-api', 'cinder-scheduler', 'lvm2', 'python-cinder', 'gettext-base', 'python-memcache', 'python-pycadf'],
'services': ['cinder-api', 'cinder-scheduler'],
'wipe_method': 'none',
'notification': False,
+ 'audit': {
+ 'enabled': false
+ }
},
'RedHat': {
- 'pkgs': ['openstack-cinder', 'python-cinder', 'lvm2'],
+ 'pkgs': ['openstack-cinder', 'python-cinder', 'lvm2', 'python-pycadf'],
'services': ['openstack-cinder-api', 'openstack-cinder-scheduler'],
'wipe_method': 'none',
'notification': False,
+ 'audit': {
+ 'enabled': false
+ }
},
}, merge=pillar.cinder.get('controller', {})) %}
{% set volume = salt['grains.filter_by']({
'Debian': {
- 'pkgs': ['cinder-volume', 'lvm2', 'sysfsutils', 'sg3-utils', 'python-cinder','python-mysqldb','p7zip', 'gettext-base', 'python-memcache'],
+ 'pkgs': ['cinder-volume', 'lvm2', 'sysfsutils', 'sg3-utils', 'python-cinder','python-mysqldb','p7zip', 'gettext-base', 'python-memcache', 'python-pycadf'],
'services': ['cinder-volume'],
'wipe_method': 'none',
'notification': False,
+ 'audit': {
+ 'enabled': false
+ }
},
'RedHat': {
- 'pkgs': ['openstack-cinder', 'python-cinder', 'lvm2', 'sysfsutils', 'sg3_utils', 'device-mapper-multipath', 'device-mapper-multipath-libs'],
+ 'pkgs': ['openstack-cinder', 'python-cinder', 'lvm2', 'sysfsutils', 'sg3_utils', 'device-mapper-multipath', 'device-mapper-multipath-libs', 'python-pycadf'],
'services': ['openstack-cinder-volume'],
'wipe_method': 'none',
'notification': False,
+ 'audit': {
+ 'enabled': false
+ }
},
}, merge=pillar.cinder.get('volume', {})) %}
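Review bot: The new defaults spell the boolean as `'enabled': false` while the neighbouring key in the same dict is `'notification': False`; Jinja accepts both, but one spelling per file reads better, e.g. `'enabled': False`. Separately, `python-pycadf` is added to `pkgs` unconditionally, yet nothing in this diff manages or checks the default `map_file` path the templates point at. A short comment next to the package entry stating that it is expected to provide `/etc/pycadf/cinder_api_audit_map.conf` would record that assumption for whoever enables auditing.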
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index b736446..ddb9e38 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -40,3 +40,7 @@
port: 11211
- host: 127.0.0.1
port: 11211
+
+ audit:
+ filter_factory: 'keystonemiddleware.audit:filter_factory'
+ map_file: '/etc/pycadf/cinder_api_audit_map.conf'
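Review bot: The test pillar sets `filter_factory` and `map_file` but not `enabled`, so after the merge with the map.jinja default (`'enabled': false`) the `{% if ...audit.enabled %}` branches in the templates are presumably never rendered by this test. Adding `enabled: true` next to the two keys would exercise the new `[filter:audit]` section and the pipeline token. Indentation is lost in this view, so also confirm the block nests under the role the templates read (`cinder:controller`).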