enable cadf auditing support

Change-Id: Ia66f67c175aa2ad74458f4c5307cf463e3a3aa5c
diff --git a/README.rst b/README.rst
index 8783516..7fa9cd9 100644
--- a/README.rst
+++ b/README.rst
@@ -70,6 +70,8 @@
           file: cirros-0.3.1-x86_64-disk.img
           source: http://cdn.download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img
           public: true
+        audit:
+          enabled: false
 
 
 Client-side RabbitMQ HA setup
@@ -91,6 +93,20 @@
         ....
 
 
+Enable auditing filter, ie: CADF
+
+.. code-block:: yaml
+
+    glance:
+      server:
+        audit:
+          enabled: true
+      ....
+          filter_factory: 'keystonemiddleware.audit:filter_factory'
+          map_file: '/etc/pycadf/glance_api_audit_map.conf'
+      ....
+
+
 Keystone and cinder region
 ============================
 
diff --git a/glance/files/liberty/glance-api-paste.ini b/glance/files/liberty/glance-api-paste.ini
index 5b0e6b4..4480f62 100644
--- a/glance/files/liberty/glance-api-paste.ini
+++ b/glance/files/liberty/glance-api-paste.ini
@@ -1,38 +1,39 @@
+{%- from "glance/map.jinja" import server with context %}
 # Use this pipeline for no auth or image caching - DEFAULT
 [pipeline:glance-api]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
+pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context {% if server.audit.enabled %}audit {% endif%}rootapp
 
 # Use this pipeline for image caching and no auth
 [pipeline:glance-api-caching]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
+pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache {% if server.audit.enabled %}audit {% endif%}rootapp
 
 # Use this pipeline for caching w/ management interface but no auth
 [pipeline:glance-api-cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
+pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage {% if server.audit.enabled %}audit {% endif%}rootapp
 
 # Use this pipeline for keystone auth
 [pipeline:glance-api-keystone]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context  rootapp
+pipeline = healthcheck versionnegotiation osprofiler authtoken context {% if server.audit.enabled %}audit {% endif%}rootapp
 
 # Use this pipeline for keystone auth with image caching
 [pipeline:glance-api-keystone+caching]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context cache rootapp
+pipeline = healthcheck versionnegotiation osprofiler authtoken context cache {% if server.audit.enabled %}audit {% endif%}rootapp
 
 # Use this pipeline for keystone auth with caching and cache management
 [pipeline:glance-api-keystone+cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
+pipeline = healthcheck versionnegotiation osprofiler authtoken context cache cachemanage {% if server.audit.enabled %}audit {% endif%}rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user.
 [pipeline:glance-api-trusted-auth]
-pipeline = healthcheck versionnegotiation osprofiler context rootapp
+pipeline = healthcheck versionnegotiation osprofiler context {% if server.audit.enabled %}audit {% endif%}rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user and uses cache management
 [pipeline:glance-api-trusted-auth+cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
+pipeline = healthcheck versionnegotiation osprofiler context cache cachemanage {% if server.audit.enabled %}audit {% endif%}rootapp
 
 [composite:rootapp]
 paste.composite_factory = glance.api:root_app_factory
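Review bot: In the three `unauthenticated-context` pipelines and the two `trusted-auth` pipelines the new `audit` filter runs with no `authtoken` filter ahead of it, so the CADF records emitted there will presumably lack a Keystone-validated initiator. keystonemiddleware documents the audit filter as meant to sit after `auth_token`. Consider adding the conditional only to the `glance-api-keystone*` pipelines, or put a comment above the others such as `# audit without authtoken: initiator identity in CADF events is not Keystone-validated`. The closing tag is written `{% endif%}`; `{% endif %}` would match the spacing of the opening tag. The same placement question applies to the pipelines in the mitaka template.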
@@ -84,3 +85,9 @@
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
 hmac_keys = SECRET_KEY
 enabled = yes
+
+{%- if server.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory")  }}
+audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/glance_api_audit_map.conf") }}
+{%- endif %}
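Review bot: `audit_map_file` defaults to `/etc/pycadf/glance_api_audit_map.conf`, but nothing visible in this change creates or checks that file. If it is absent, the audit filter will likely fail to load and keep glance-api from starting once `enabled` is true. Either manage the map file in the state or document the requirement above the section, for example `# audit_map_file must exist and be readable by the glance service user`. The two value lines read `server.get("audit", {})` while the guard reads `server.audit.enabled`; since map.jinja always defines `audit`, `server.audit.get("map_file", ...)` would be consistent. The same applies to the identical `[filter:audit]` section added to the mitaka template.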
diff --git a/glance/files/mitaka/glance-api-paste.ini b/glance/files/mitaka/glance-api-paste.ini
index 9efd19f..5564493 100644
--- a/glance/files/mitaka/glance-api-paste.ini
+++ b/glance/files/mitaka/glance-api-paste.ini
@@ -1,38 +1,39 @@
+{%- from "glance/map.jinja" import server with context %}
 # Use this pipeline for no auth or image caching - DEFAULT
 [pipeline:glance-api]
-pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context {% if server.audit.enabled %}audit {% endif% }rootapp
 
 # Use this pipeline for image caching and no auth
 [pipeline:glance-api-caching]
-pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache {% if server.audit.enabled %}audit {% endif% }rootapp
 
 # Use this pipeline for caching w/ management interface but no auth
 [pipeline:glance-api-cachemanagement]
-pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage {% if server.audit.enabled %}audit {% endif% }rootapp
 
 # Use this pipeline for keystone auth
 [pipeline:glance-api-keystone]
-pipeline = cors healthcheck versionnegotiation osprofiler authtoken context  rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context  {% if server.audit.enabled %}audit {% endif% }rootapp
 
 # Use this pipeline for keystone auth with image caching
 [pipeline:glance-api-keystone+caching]
-pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache{% if server.audit.enabled %}audit {% endif% }rootapp
 
 # Use this pipeline for keystone auth with caching and cache management
 [pipeline:glance-api-keystone+cachemanagement]
-pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache cachemanage {% if server.audit.enabled %}audit {% endif% }rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user.
 [pipeline:glance-api-trusted-auth]
-pipeline = cors healthcheck versionnegotiation osprofiler context rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler context {% if server.audit.enabled %}audit {% endif% }rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user and uses cache management
 [pipeline:glance-api-trusted-auth+cachemanagement]
-pipeline = cors healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler context cache cachemanage {% if server.audit.enabled %}audit {% endif% }rootapp
 
 [composite:rootapp]
 paste.composite_factory = glance.api:root_app_factory
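Review bot: Every pipeline line added in this hunk closes the conditional with `{% endif% }`, which is not a valid Jinja block end (`%}`), so the mitaka template should fail to render whether or not auditing is enabled. The `glance-api-keystone+caching` line also has no space between `cache` and the `{% if %}`, which would yield `cacheaudit rootapp` or `cacherootapp`. Write the tail as the liberty file does: `pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache {% if server.audit.enabled %}audit {% endif %}rootapp`. The `glance-api-keystone` line additionally keeps a doubled space after `context`.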
@@ -81,6 +82,12 @@
 hmac_keys = SECRET_KEY  #DEPRECATED
 enabled = yes  #DEPRECATED
 
+{%- if server.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory")  }}
+audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/glance_api_audit_map.conf") }}
+{%- endif %}
+
 [filter:cors]
 paste.filter_factory =  oslo_middleware.cors:filter_factory
 oslo_config_project = glance
diff --git a/glance/map.jinja b/glance/map.jinja
index ec0b8d5..a79bade 100644
--- a/glance/map.jinja
+++ b/glance/map.jinja
@@ -1,13 +1,19 @@
 
 {% set server = salt['grains.filter_by']({
     'Debian': {
-        'pkgs': ['glance', 'glance-api', 'glance-registry', 'glance-common', 'python-glance', 'python-glance-store', 'python-glanceclient', 'gettext-base', 'python-memcache'],
+        'pkgs': ['glance', 'glance-api', 'glance-registry', 'glance-common', 'python-glance', 'python-glance-store', 'python-glanceclient', 'gettext-base', 'python-memcache', 'python-pycadf'],
         'services': ['glance-api', 'glance-registry'],
         'notification': False,
+        'audit': {
+          'enabled': false
+        }
     },
     'RedHat': {
-        'pkgs': ['openstack-glance', 'python-glanceclient'],
+        'pkgs': ['openstack-glance', 'python-glanceclient','python-pycadf'],
         'services': ['openstack-glance-api', 'openstack-glance-registry'],
         'notification': False,
+        'audit': {
+          'enabled': false
+        }
     },
-}, merge=pillar.glance.get('server', {})) %}
\ No newline at end of file
+}, merge=pillar.glance.get('server', {})) %}
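Review bot: The new `'audit'` defaults spell the boolean as lowercase `false` while the neighbouring `'notification'` key uses `False`. Jinja accepts both, but one spelling per file reads better: `'enabled': False`. The RedHat package list also drops the space after the comma in `'python-glanceclient','python-pycadf'`.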
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index fef0501..ec8f989 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -37,3 +37,6 @@
       virtual_host: '/openstack'
     storage:
       engine: file
+    audit:
+      filter_factory: 'keystonemiddleware.audit:filter_factory'
+      map_file: '/etc/pycadf/glance_api_audit_map.conf'
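Review bot: The test pillar sets `filter_factory` and `map_file` but not `enabled: true`, so with the default of `false` from map.jinja this test never renders the `audit` pipeline entry or the `[filter:audit]` section. Adding `enabled: true` under `audit:` would exercise the new template branches. The enclosing mapping starts above the hunk, so this assumes `audit:` lands under the glance server pillar.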