diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
index 5ed73db66d..16cde920ed 100644
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@@ -119,6 +119,7 @@ data:
 backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
 api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
 policy.json: {{ toJson .Values.conf.policy | b64enc }}
+ api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
 cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
 rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
 resource_filters.json: {{ toJson .Values.conf.resource_filters | b64enc }}
diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index e940b1c2f7..aef21a4df3 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -118,6 +118,10 @@ spec:
 mountPath: /etc/cinder/policy.json
 subPath: policy.json
 readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
 - name: cinder-etc
 mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
 subPath: resource_filters.json
diff --git a/cinder/values.yaml b/cinder/values.yaml
index 0256bf3f08..8607241c12 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
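Review bot: The new `mountPath: /etc/cinder/api_audit_map.conf` in the deployment-api.yaml hunk is a literal, while the `audit_map_file` the middleware reads is an overridable value added under `filter:audit` in the cinder/values.yaml hunk; an operator who changes that value gets a filter pointing at a file that is not mounted. The resource_filters mount directly below already derives its path from values, so the same can be done here: `mountPath: {{ index .Values.conf.paste "filter:audit" "audit_map_file" }}`. As far as I know the audit filter loads its map when the pipeline is built, so a mismatch would likely surface as cinder-api failing to start rather than as quietly missing audit records, but that is worth confirming. The volumeMounts list starts and ends outside this hunk.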
@@ -312,18 +312,18 @@ conf:
 composite:openstack_volume_api_v1:
 use: call:cinder.api.middleware.auth:pipeline_factory
 noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
- keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
- keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+ keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
+ keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
 composite:openstack_volume_api_v2:
 use: call:cinder.api.middleware.auth:pipeline_factory
 noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
- keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
- keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+ keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
+ keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
 composite:openstack_volume_api_v3:
 use: call:cinder.api.middleware.auth:pipeline_factory
 noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
- keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
- keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+ keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
+ keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
 filter:request_id:
 paste.filter_factory: oslo_middleware.request_id:RequestId.factory
 filter:http_proxy_to_wsgi:
@@ -353,6 +353,9 @@ conf:
 paste.filter_factory: cinder.api.middleware.auth:CinderKeystoneContext.factory
 filter:authtoken:
 paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/cinder/api_audit_map.conf
 policy:
 context_is_admin: role:admin
 admin_or_owner: is_admin:True or project_id:%(project_id)s
@@ -469,6 +472,26 @@ conf:
 clusters:get: rule:admin_api
 clusters:get_all: rule:admin_api
 clusters:update: rule:admin_api
+ api_audit_map:
+ DEFAULT:
+ target_endpoint_type: None
+ custom_actions:
+ associate: update/associate
+ disassociate: update/disassociate_all
+ disassociate_all: update/disassociate_all
+ associations: read/list/associations
+ path_keywords:
+ defaults: None
+ detail: None
+ limits: None
+ os-quota-specs: project
+ qos-specs: qos-spec
+ snapshots: snapshot
+ types: type
+ volumes: volume
+ service_endpoints:
+ volume: service/storage/block
+ volumev2: service/storage/block
 cinder_sudoers: |
 # This sudoers file supports rootwrap for both Kolla and LOCI Images.
 Defaults !requiretty
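Review bot: The position of `audit` in the six `keystone`/`keystone_nolimit` pipelines of the `-312,18` hunk is order-dependent and nothing in the file records that: the filter relies on the identity context that `authtoken` establishes, so it has to stay after it. A short comment on the first composite, e.g. `# audit must follow authtoken (it reads the validated identity headers)`, would keep a later pipeline edit from reordering it. The `noauth` pipelines get no audit filter, which looks intentional since they carry no identity, but is worth stating in the same comment.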
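Review bot: `filter:audit` in the `-353,6` hunk sets only the factory and `audit_map_file`, so where the CADF events end up depends on notification settings that are not part of this diff. If `conf.cinder` carries no `audit_middleware_notifications` section elsewhere in values.yaml, the events presumably follow the service's general notification driver, which may not be a destination anyone monitors or retains. I would add a comment above the filter such as `# CADF events go out via oslo.messaging; set [audit_middleware_notifications] driver/topics in conf.cinder to route them`, so operators enabling this by default know the audit trail still needs a sink.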
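Review bot: In `custom_actions` of the `-469,6` hunk, `disassociate` and `disassociate_all` both map to `update/disassociate_all`, so an audit record for a single disassociation is indistinguishable from a disassociate-all; this looks like a copy-paste slip and `disassociate: update/disassociate` is probably what was meant. Separately, `service_endpoints` lists `volume` and `volumev2` but not `volumev3`, although the pipeline hunk adds `audit` to `composite:openstack_volume_api_v3`; if the service catalog registers a `volumev3` type, those events would presumably fall back to the default target type, which is `None` here. Adding `volumev3: service/storage/block` would keep the target typeURI consistent across API versions.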