Merge pull request #882 from vyzigold/ci-enable-audit

[OSPRH-29177] Add Zuul job and Ansible role for CADF audit logging

Author: openshift-merge-bot[bot]

README.md

@@ -71,6 +71,12 @@ This operator deploys a multiple telemetry agents, both in the control plane and
     oc patch --type merge openstackversions openstack-galera-network-isolation --patch-file=ci/files/master-openstackclient-patch.yaml # required for "openstack metric" commands to work correctly
     ```
 
+    4.e. Enable CADF audit logging for OpenStack services (barbican, cinder, glance, keystone, neutron, nova):
+
+    ```bash
+    ansible-playbook ci/enable-audit-logging.yml -e enable_audit_logging_local_apply=true
+    ```
+
     Return to the install_yamls directory before continuing.
 
 5. Deploy dataplane operator

ci/enable-audit-logging.yml

@@ -0,0 +1,11 @@
+---
+- name: "Enable audit logging for OpenStack services"
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  gather_facts: false
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig | default(ansible_env.HOME + '/.kube/config') }}"
+    PATH: "{{ cifmw_path | default(ansible_env.PATH) }}"
+  tasks:
+    - name: Enable audit logging
+      ansible.builtin.import_role:
+        name: enable-audit-logging

ci/enable-audit-logging/README.md

@@ -0,0 +1,46 @@
+enable-audit-logging
+=========
+
+A role for enabling CADF audit logging on OpenStack services deployed by openstack-k8s-operators. The role creates the necessary audit configuration secrets and applies kustomizations to the OpenStackControlPlane CR.
+
+Currently supported services:
+- Cinder
+- Glance
+- Keystone
+- Neutron
+
+Services not yet supported (config files included for future use):
+- Barbican (blocked by [OSPRH-25781](https://issues.redhat.com/browse/OSPRH-25781))
+- Nova (blocked by a nova-operator issue with audit map file naming)
+
+Audit map files
+----------------
+The `*_api_audit_map.conf` files in `files/` are copies of the upstream pycadf defaults from https://github.com/openstack/pycadf/tree/master/etc/pycadf. If the upstream files change, the local copies should be updated to match.
+
+Requirements
+------------
+- An OpenStack deployed with the openstack-k8s-operators
+- `oc` CLI configured with cluster access
+
+Side effects
+------------
+After the role runs, the following secrets are created in the `openstack` namespace:
+- `cinder-audit-config-secret`
+- `glance-audit-config-secret`
+- `neutron-audit-config-secret`
+
+The OpenStackControlPlane CR is patched (via kustomization) to mount these secrets and enable the audit middleware notification driver for each service.
+
+Role Variables
+--------------
+- enable\_audit\_logging\_local\_apply: When `true`, the role fetches the live OSCP CR and applies the kustomization directly. When `false` (default), the kustomization is copied to the ci-framework kustomizations directory for pre-deploy use.
+
+Example Playbook
+----------------
+
+    ansible-playbook ci/enable-audit-logging.yml -e enable_audit_logging_local_apply=true
+
+License
+-------
+
+Apache 2

ci/enable-audit-logging/defaults/main.yml

@@ -0,0 +1,5 @@
+enable_audit_logging_namespace: "{{ cifmw_openstack_namespace | default('openstack') }}"
+# Set to true to apply the kustomization against a live OSCP CR.
+# When false (default), the kustomization is only copied to the
+# ci-framework kustomizations directory for pre-deploy use.
+enable_audit_logging_local_apply: false

ci/enable-audit-logging/files/barbican-api-paste.ini

@@ -0,0 +1,77 @@
+[composite:main]
+use = egg:Paste#urlmap
+/: barbican_version
+/healthcheck: healthcheck
+/v1: barbican-api-keystone-audit
+
+# Use this pipeline for Barbican API - versions no authentication
+[pipeline:barbican_version]
+pipeline = cors http_proxy_to_wsgi microversion versionapp
+
+# Use this pipeline for Barbican API - DEFAULT no authentication
+[pipeline:barbican_api]
+pipeline = cors http_proxy_to_wsgi unauthenticated-context microversion apiapp
+
+#Use this pipeline to activate a repoze.profile middleware and HTTP port,
+#  to provide profiling information for the REST API processing.
+[pipeline:barbican-profile]
+pipeline = cors http_proxy_to_wsgi unauthenticated-context microversion egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
+
+#Use this pipeline for keystone auth
+[pipeline:barbican-api-keystone]
+pipeline = cors http_proxy_to_wsgi authtoken context microversion apiapp
+
+#Use this pipeline for keystone auth with audit feature
+[pipeline:barbican-api-keystone-audit]
+pipeline = http_proxy_to_wsgi authtoken context microversion audit apiapp
+
+[app:apiapp]
+paste.app_factory = barbican.api.app:create_main_app
+
+[app:versionapp]
+paste.app_factory = barbican.api.app:create_version_app
+
+[filter:simple]
+paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:context]
+paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
+
+[filter:microversion]
+paste.filter_factory = barbican.api.middleware.microversion:MicroversionMiddleware.factory
+
+[filter:audit]
+paste.filter_factory = keystonemiddleware.audit:filter_factory
+audit_map_file = /etc/barbican/api_audit_map.conf
+use_oslo_messaging = false
+log_name = barbican.audit
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:profile]
+use = egg:repoze.profile
+log_filename = myapp.profile
+cachegrind_filename = cachegrind.out.myapp
+discard_first_request = true
+path = /__profile__
+flush_at_shutdown = true
+unwind = false
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = barbican
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
+
+[app:healthcheck]
+paste.app_factory = oslo_middleware:Healthcheck.app_factory
+backends = disable_by_file
+disable_by_file_path = /etc/barbican/healthcheck_disable
+
+[server:main]
+use = egg:gunicorn#main

ci/enable-audit-logging/files/cinder-api-paste.ini

@@ -0,0 +1,74 @@
+#############
+# OpenStack #
+#############
+
+[composite:osapi_volume]
+use = call:cinder.api:root_app_factory
+/: apiversions
+/healthcheck: healthcheck
+/v3: openstack_volume_api_v3
+
+[composite:openstack_volume_api_v3]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = request_id cors http_proxy_to_wsgi faultwrap sizelimit osprofiler noauth apiv3
+noauth_include_project_id = request_id cors http_proxy_to_wsgi faultwrap sizelimit osprofiler noauth_include_project_id apiv3
+keystone = request_id cors http_proxy_to_wsgi faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+keystone_nolimit = request_id cors http_proxy_to_wsgi faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = cinder
+
+[filter:faultwrap]
+paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+
+[filter:noauth]
+paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
+
+[filter:noauth_include_project_id]
+paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddlewareIncludeProjectID.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[app:apiv3]
+paste.app_factory = cinder.api.v3.router:APIRouter.factory
+
+[pipeline:apiversions]
+pipeline = request_id cors http_proxy_to_wsgi faultwrap osvolumeversionapp
+
+[app:osvolumeversionapp]
+paste.app_factory = cinder.api.versions:Versions.factory
+
+[pipeline:healthcheck]
+pipeline = request_id healthcheckapp
+
+[app:healthcheckapp]
+paste.app_factory = oslo_middleware:Healthcheck.app_factory
+backends = disable_by_file
+disable_by_file_path = /etc/cinder/healthcheck_disable
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:request_id]
+paste.filter_factory = cinder.api.middleware.request_id:RequestId.factory
+
+[filter:audit]
+paste.filter_factory = keystonemiddleware.audit:filter_factory
+audit_map_file = /etc/cinder/custom/cinder_api_audit_map.conf
+use_oslo_messaging = false
+log_name = cinder.audit

ci/enable-audit-logging/files/cinder_api_audit_map.conf

@@ -0,0 +1,26 @@
+[DEFAULT]
+# default target endpoint type
+# should match the endpoint type defined in service catalog
+target_endpoint_type = None
+
+# map urls ending with specific text to a unique action
+[custom_actions]
+associate = update/associate
+disassociate = update/disassociate
+disassociate_all = update/disassociate_all
+associations = read/list/associations
+
+# possible end path of api requests
+[path_keywords]
+defaults = None
+detail = None
+limits = None
+os-quota-specs = project
+qos-specs = qos-spec
+snapshots = snapshot
+types = type
+volumes = volume
+
+# map endpoint type defined in service catalog to CADF typeURI
+[service_endpoints]
+volumev3 = service/storage/block

ci/enable-audit-logging/files/glance-api-paste.ini

@@ -0,0 +1,78 @@
+# Use this pipeline for no auth or image caching - DEFAULT
+[pipeline:glance-api]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
+
+# Use this pipeline for image caching and no auth
+[pipeline:glance-api-caching]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
+
+# Use this pipeline for caching w/ management interface but no auth
+[pipeline:glance-api-cachemanagement]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
+
+# Use this pipeline for keystone auth
+[pipeline:glance-api-keystone]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context audit rootapp
+
+# Use this pipeline for keystone auth with image caching
+[pipeline:glance-api-keystone+caching]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache audit rootapp
+
+# Use this pipeline for keystone auth with caching and cache management
+[pipeline:glance-api-keystone+cachemanagement]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage audit rootapp
+
+[composite:rootapp]
+paste.composite_factory = glance.api:root_app_factory
+/: apiversions
+/v2: apiv2app
+
+[app:apiversions]
+paste.app_factory = glance.api.versions:create_resource
+
+[app:apiv2app]
+paste.app_factory = glance.api.v2.router:API.factory
+
+[filter:healthcheck]
+paste.filter_factory = oslo_middleware:Healthcheck.factory
+backends = disable_by_file
+disable_by_file_path = /etc/glance/healthcheck_disable
+
+[filter:versionnegotiation]
+paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
+
+[filter:cache]
+paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
+
+[filter:cachemanage]
+paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
+
+[filter:context]
+paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+delay_auth_decision = true
+
+[filter:gzip]
+paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+
+[filter:cors]
+paste.filter_factory =  oslo_middleware.cors:filter_factory
+oslo_config_project = glance
+oslo_config_program = glance-api
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
+
+[filter:audit]
+paste.filter_factory = keystonemiddleware.audit:filter_factory
+audit_map_file = /etc/glance/custom/glance_api_audit_map.conf
+use_oslo_messaging = false
+log_name = glance.audit

ci/enable-audit-logging/files/glance_api_audit_map.conf

@@ -0,0 +1,16 @@
+[DEFAULT]
+# default target endpoint type
+# should match the endpoint type defined in service catalog
+target_endpoint_type = None
+
+# possible end path of api requests
+[path_keywords]
+detail = None
+file = None
+images = image
+members = member
+tags = tag
+
+# map endpoint type defined in service catalog to CADF typeURI
+[service_endpoints]
+image = service/storage/image