Adding audit middleware to keystonemiddleware

Adding audit middleware to keystonemiddleware

Auditing middleware

The pyCADF library contains middleware which enables the ability to audit API calls to a given service. The audit middleware utilizes the identity data provided by the auth_token middleware.

Problem Description

Auditing is heavily tied to identity but currently the audit middleware exists in pyCADF library while the identity middleware are contained in openstack/keystonemiddleware. This requires deployers to explicitly pull in multiple dependencies. Since there’s a logical association between them, the middleware should be grouped accordingly.

Proposed Change

Currently, the audit middleware exists in pyCADF library the proposed solution is to move this middleware into keystonemiddleware. This solution brings in a dependency on oslo.messaging as the current audit middleware places audit events to message queue. It also has a dependency on pyCADF to generate audit events.

Alternatives

Two alternatives:

  • Keep things as-is. If the user wants to audit, they should pull in pyCADF and notifiermiddleware and add audit middleware.
  • Pull in audit middleware from pyCADF but leave off oslo.messaging dependency. Notifications can be delegated to notifiermiddleware but requires a change to notifiermiddleware to properly audit both request and response.

Security Impact

None

Notifications Impact

The proposed solution will have the middleware send two notifications per API request: one for the request and another for the response. It can be configured to only audit certain API requests (for example, just GET requests) to minimize notifications.

Other End User Impact

Users need to consume audit middleware from a python package (keystonemiddleware.audit).

Documentation will be moved from the old location to a new location in keystonemiddleware.

Performance Impact

This will create more load on message queue if enabled. This audit filter is optional.

Other Deployer Impact

If enabled, deployers need to enable notifications in the service where middleware is being configured. After that, they can add audit middleware to WSGI pipeline as described in documentation.

Developer Impact

None

Implementation

Assignee(s)

Primary assignee:
chungg
Other contributors:
None

Work Items

  • Move audit middleware to keystonemiddleware and make appropriate code changes to get it working, providing backwards compatibility in pyCADF.
  • Update keystonemiddleware docs to include middleware configuration docs.

Dependencies

  • Need pyCADF and oslo.messaging libraries

Documentation Impact

Copy documentation for enabling middleware: http://docs.openstack.org/developer/pycadf/middleware.html

References

None

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.

identity-specs