The pyCADF library contains middleware that audits API calls to a given service. The audit middleware uses the identity data provided by the auth_token middleware.
Auditing is heavily tied to identity, but currently the audit middleware lives in the pyCADF library while the identity middleware is contained in openstack/keystonemiddleware. This requires deployers to explicitly pull in multiple dependencies. Since there’s a logical association between them, the middleware should be grouped accordingly.
The proposed solution is to move the audit middleware from the pyCADF library into keystonemiddleware. This brings in a dependency on oslo.messaging, because the current audit middleware places audit events on a message queue. It also adds a dependency on pyCADF to generate the audit events.
The proposed solution will have the middleware send two notifications per API request: one for the request and another for the response. It can be configured to only audit certain API requests (for example, just GET requests) to minimize notifications.
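The request/response pairing and method filter described above, as an added sketch that is not keystonemiddleware or pyCADF code. The class name, the "request"/"response" event labels, the outcome values, and the `notify` callable standing in for oslo.messaging are assumptions; identity is read from the `X-User-Id` and `X-Project-Id` headers that auth_token sets.

```python
class AuditSketch:
    """Illustrative WSGI filter (not project code): one event per request, one per response."""
    def __init__(self, app, notify, audited_methods=None):
        self.app = app
        self.notify = notify  # callable(event_type, payload); stands in for the queue
        # None audits every method; otherwise only the listed HTTP methods
        self.audited = {m.upper() for m in audited_methods} if audited_methods else None

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if self.audited is not None and method not in self.audited:
            return self.app(environ, start_response)  # filtered out: no notifications
        base = {"method": method, "path": environ.get("PATH_INFO", ""),
                # identity headers set upstream by auth_token
                "user_id": environ.get("HTTP_X_USER_ID", "unknown"),
                "project_id": environ.get("HTTP_X_PROJECT_ID", "unknown")}
        self.notify("request", dict(base))
        seen = {}

        def recording_start_response(status, headers, exc_info=None):
            seen["status"] = status
            return start_response(status, headers, exc_info)

        try:
            body = self.app(environ, recording_start_response)
        except Exception:
            # A crash still gets its response event, so the trail has no gap
            self.notify("response", dict(base, outcome="failure", status=None))
            raise
        status = seen.get("status")  # None if the app defers start_response
        outcome = "unknown" if not status else (
            "success" if status[0] in "23" else "failure")
        self.notify("response", dict(base, outcome=outcome, status=status))
        return body


def demo():
    """Constructed sample: audit only GET, then send one GET and one POST."""
    events = []

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    audited = AuditSketch(app, lambda kind, payload: events.append((kind, payload)), {"GET"})
    for method in ("GET", "POST"):
        audited({"REQUEST_METHOD": method, "PATH_INFO": "/v2/servers",
                 "HTTP_X_USER_ID": "u-123"}, lambda s, h, e=None: None)
    return events
```

Restricting the audited methods halves or better the queue traffic, but every skipped method is also absent from the audit trail, so the filter choice is a coverage decision as much as a load one.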
Users will need to consume the audit middleware from a Python package (keystonemiddleware.audit).
Documentation will be moved from the old location to a new location in keystonemiddleware.
If enabled, this will create more load on the message queue. The audit filter is optional.
If it is enabled, deployers need to enable notifications in the service where the middleware is being configured. After that, they can add the audit middleware to the WSGI pipeline as described in the documentation.
Copy documentation for enabling middleware: http://docs.openstack.org/developer/pycadf/middleware.html