From 4fea33dd64b0476be9c0c01a9c67e39071ff8703 Mon Sep 17 00:00:00 2001 From: Gage Hugo Date: Thu, 11 Apr 2019 13:50:29 -0500 Subject: [PATCH] Enable audit pipeline for ceilometer This change adds the keystonemiddleware audit paste filter[0] and enables it for the ceilometer-api service. This provides the ability to audit API requests for ceilometer. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: I9d49769bc04f9623ecf5ba4276665dc3b5bebd07 --- ceilometer/templates/configmap-etc.yaml | 1 + ceilometer/templates/deployment-api.yaml | 4 ++++ ceilometer/values.yaml | 15 ++++++++++++++- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/ceilometer/templates/configmap-etc.yaml b/ceilometer/templates/configmap-etc.yaml index c48a3b8b11..8a515a9d9e 100644 --- a/ceilometer/templates/configmap-etc.yaml +++ b/ceilometer/templates/configmap-etc.yaml @@ -120,6 +120,7 @@ data: ceilometer.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.ceilometer | b64enc }} api_paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }} policy.json: {{ toJson .Values.conf.policy | b64enc }} + api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }} event_pipeline.yaml: {{ toYaml .Values.conf.event_pipeline | b64enc }} pipeline.yaml: {{ toYaml .Values.conf.pipeline | b64enc }} event_definitions.yaml: {{ toYaml .Values.conf.event_definitions | b64enc }} diff --git a/ceilometer/templates/deployment-api.yaml b/ceilometer/templates/deployment-api.yaml index 8022f7718a..dadd0e5c5e 100644 --- a/ceilometer/templates/deployment-api.yaml +++ b/ceilometer/templates/deployment-api.yaml @@ -88,6 +88,10 @@ spec: mountPath: /etc/ceilometer/policy.json subPath: policy.json readOnly: true + - name: ceilometer-etc + mountPath: /etc/ceilometer/api_audit_map.conf + subPath: api_audit_map.conf + readOnly: true - name: ceilometer-etc mountPath: /etc/ceilometer/event_definitions.yaml subPath: event_definitions.yaml diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml index e6ae7e3a17..1b5af549ea 100644 --- a/ceilometer/values.yaml +++ b/ceilometer/values.yaml @@ -1268,6 +1268,9 @@ conf: 'filter:authtoken': paste.filter_factory: 'keystonemiddleware.auth_token:filter_factory' oslo_config_project: 'ceilometer' + 'filter:audit': + paste.filter_factory: 'keystonemiddleware.audit:filter_factory' + audit_map_file: '/etc/ceilometer/api_audit_map.conf' 'filter:cors': oslo_config_project: 'ceilometer' paste.filter_factory: 'oslo_middleware.cors:filter_factory' @@ -1278,7 +1281,7 @@ conf: oslo_config_project: 'ceilometer' paste.filter_factory: 'oslo_middleware:RequestId.factory' 'pipeline:main': - pipeline: cors http_proxy_to_wsgi request_id authtoken api-server + pipeline: cors http_proxy_to_wsgi request_id authtoken audit api-server polling: sources: - name: all_pollsters @@ -1387,6 +1390,16 @@ conf: 'telemetry:get_sample': '' 'telemetry:get_samples': '' 'telemetry:query_sample': '' + audit_api_map: + DEFAULT: + target_endpoint_type: None + path_keywords: + meters: meter_name + resources: resource_id + statistics: None + samples: sample_id + service_endpoints: + metering: service/metering wsgi_ceilometer: | Listen 0.0.0.0:{{ tuple "metering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}