Enable CADF auditing support
Change-Id: I47d0787c3edd83aeaa186f6031cac452cdc93b52
diff --git a/README.rst b/README.rst
index c0afc7a..084c423 100644
--- a/README.rst
+++ b/README.rst
@@ -49,6 +49,8 @@
host: 127.0.0.1
port: 8775
password: pass
+ audit:
+ enabled: false
Neutron VXLAN tenant networks with Network Nodes (with DVR for East-West
and Network node for North-South)
@@ -165,6 +167,8 @@
mechanism:
ovs:
driver: openvswitch
+ audit:
+ enabled: false
Neutron VXLAN tenant networks with Network Nodes (non DVR)
==========================================================
@@ -564,6 +568,25 @@
virtual_host: '/openstack'
....
+Enable auditing filter, ie: CADF
+
+.. code-block:: yaml
+
+ neutron:
+ server:
+ audit:
+ enabled: true
+ ....
+ filter_factory: 'keystonemiddleware.audit:filter_factory'
+ map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+ ....
+ compute:
+ audit:
+ enabled: true
+ ....
+ filter_factory: 'keystonemiddleware.audit:filter_factory'
+ map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+ ....
Usage
diff --git a/neutron/files/liberty/api-paste.ini.Debian b/neutron/files/liberty/api-paste.ini.Debian
index 4fa84c6..f3e4387 100644
--- a/neutron/files/liberty/api-paste.ini.Debian
+++ b/neutron/files/liberty/api-paste.ini.Debian
@@ -1,3 +1,4 @@
+{%- from "neutron/map.jinja" import server with context %}
{%- if pillar.neutron.server is defined %}
{%- set neutron = pillar.neutron.server %}
{%- elif pillar.neutron.switch is defined %}
@@ -13,7 +14,7 @@
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = request_id catch_errors extensions neutronapiapp_v2_0
-keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+keystone = request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory
@@ -42,3 +43,9 @@
[app:neutronapiapp_v2_0]
paste.app_factory = neutron.api.v2.router:APIRouter.factory
+
+{%- if server.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/neutron_api_audit_map.conf") }}
+{%- endif %}
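Review bot: The new `[filter:audit]` section reads its settings with `server.get("audit", {}).get(...)` while the guard on the line above it and the pipeline line in the earlier hunk use plain `server.audit.enabled`, so the two styles disagree about whether `audit` may be absent from `server`. Since map.jinja in this same change defaults `audit.enabled` on both OS families, the attribute form is safe and the fallbacks passed to `.get()` can never take effect; either simplify to `paste.filter_factory = {{ server.audit.filter_factory }}` / `audit_map_file = {{ server.audit.map_file }}` with those two defaults moved into map.jinja next to `enabled`, or use `.get()` in the two guards as well so a pillar that omits the key does not break rendering. The same mixed pattern appears in the two mitaka api-paste.ini.Debian hunks below.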
diff --git a/neutron/files/mitaka/api-paste.ini.Debian b/neutron/files/mitaka/api-paste.ini.Debian
index 5902651..a984957 100644
--- a/neutron/files/mitaka/api-paste.ini.Debian
+++ b/neutron/files/mitaka/api-paste.ini.Debian
@@ -1,3 +1,4 @@
+{%- from "neutron/map.jinja" import server with context %}
[composite:neutron]
use = egg:Paste#urlmap
/: neutronversions
@@ -6,7 +7,7 @@
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+keystone = cors request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory
@@ -32,3 +33,9 @@
[app:neutronapiapp_v2_0]
paste.app_factory = neutron.api.v2.router:APIRouter.factory
+
+{%- if server.audit.enabled %}
+[filter:audit]
+paste.filter_factory = {{ server.get("audit", {}).get("filter_factory", "keystonemiddleware.audit:filter_factory") }}
+audit_map_file = {{ server.get("audit", {}).get("map_file", "/etc/pycadf/neutron_api_audit_map.conf") }}
+{%- endif %}
diff --git a/neutron/map.jinja b/neutron/map.jinja
index 6ace312..1af2a68 100644
--- a/neutron/map.jinja
+++ b/neutron/map.jinja
@@ -1,12 +1,18 @@
{% set compute = salt['grains.filter_by']({
'Debian': {
- 'pkgs': ['neutron-openvswitch-agent', 'openvswitch-switch', 'openvswitch-datapath-dkms'],
- 'services': ['neutron-openvswitch-agent']
+ 'pkgs': ['neutron-openvswitch-agent', 'openvswitch-switch', 'openvswitch-datapath-dkms', 'python-pycadf'],
+ 'services': ['neutron-openvswitch-agent'],
+ 'audit': {
+ 'enabled': false
+ }
},
'RedHat': {
- 'pkgs': ['openstack-neutron-openvswitch', 'openvswitch'],
- 'services': ['neutron-openvswitch-agent']
+ 'pkgs': ['openstack-neutron-openvswitch', 'openvswitch', 'python-pycadf'],
+ 'services': ['neutron-openvswitch-agent'],
+ 'audit': {
+ 'enabled': false
+ }
},
}, merge=pillar.neutron.get('compute', {})) %}
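Review bot: The `audit` dict and the `python-pycadf` package are added to the compute defaults for both OS families, but nothing else in this change reads `compute.audit`; the only consumer of the audit settings is the server api-paste template managed from server.sls. If the compute role has no paste pipeline to attach the filter to, the key (and the README example for `compute.audit`) document a switch with no effect, and the extra package is installed for nothing. I cannot see the compute templates from this diff, so if a consumer exists elsewhere a short comment here, e.g. `{# audit: consumed by <compute template> #}`, would make that visible; otherwise the compute keys should be dropped until one exists.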
@@ -23,16 +29,22 @@
{% set server = salt['grains.filter_by']({
'Debian': {
- 'pkgs': ['neutron-server','neutron-lbaas-agent', 'gettext-base'],
+ 'pkgs': ['neutron-server','neutron-lbaas-agent', 'gettext-base', 'python-pycadf'],
'pkgs_ml2': ['neutron-plugin-ml2'],
'services': ['neutron-server'],
- 'notification': False
+ 'notification': False,
+ 'audit': {
+ 'enabled': false
+ }
},
'RedHat': {
- 'pkgs_ml2': ['openstack-neutron-ml2'],
+ 'pkgs_ml2': ['openstack-neutron-ml2', 'python-pycadf'],
'pkgs': ['openstack-neutron'],
'services': ['neutron-server'],
- 'notification': False
+ 'notification': False,
+ 'audit': {
+ 'enabled': false
+ }
},
}, merge=pillar.neutron.get('server', {})) %}
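Review bot: In the RedHat branch `python-pycadf` is appended to `pkgs_ml2` while in the Debian branch it goes into `pkgs`, so on RedHat the audit middleware's dependency presumably only gets installed when the ml2 package set is installed; it should sit in `pkgs` on both families, i.e. `'pkgs': ['openstack-neutron', 'python-pycadf'],` with `pkgs_ml2` left as it was. The new `'enabled': false` literals also use the lowercase form while the adjacent `'notification': False,` lines use the capitalized one; Jinja accepts both, but the file should pick one, so `'enabled': False` here and in the compute hunk above.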
@@ -53,4 +65,4 @@
{%- endif %}
-{%- endif %}
\ No newline at end of file
+{%- endif %}
diff --git a/neutron/server.sls b/neutron/server.sls
index cd2254b..370e402 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -69,6 +69,13 @@
- require:
- pkg: neutron_server_packages
+/etc/neutron/api-paste.ini:
+ file.managed:
+ - source: salt://neutron/files/{{ server.version }}/api-paste.ini.{{ grains.os_family }}
+ - template: jinja
+ - require:
+ - pkg: neutron_server_packages
+
{%- if grains.os_family == "Debian" %}
/etc/default/neutron-server:
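Review bot: The new `/etc/neutron/api-paste.ini` state renders `salt://neutron/files/{{ server.version }}/api-paste.ini.{{ grains.os_family }}`, but this change only touches templates under `liberty` and `mitaka` and only their `.Debian` variants, so on any other `server.version` or on a RedHat minion `file.managed` will fail on a missing source unless those files already exist outside the diff. There is also no `watch`/`watch_in` tying this file to the neutron-server service state, so toggling `audit.enabled` would rewrite the pipeline without restarting the service; if the service state elsewhere in server.sls watches its config files, this file should be added to that list. Both points are inferred from the hunk, which does not show the service state or the other version directories.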
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index bc84995..583af2b 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -44,4 +44,8 @@
region: RegionOne
user: nova
password: password
- tenant: service
\ No newline at end of file
+ tenant: service
+ audit:
+ filter_factory: 'keystonemiddleware.audit:filter_factory'
+ map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+
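Review bot: The test pillar sets `filter_factory` and `map_file` under `audit` but never `enabled: true`, so with the `enabled: false` default from map.jinja (assuming the `merge` in `grains.filter_by` is a deep merge, as it appears to be) the `{% if server.audit.enabled %}` branches of both api-paste templates stay unrendered and the new filter section is never exercised by the test; add `enabled: true` under `audit:`. The hunk also ends with an added empty line, which replaces the missing trailing newline with a blank line rather than just terminating `map_file`.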