Enable Audit Middleware that comes with keystonemiddleware

This is a requirement from one of the customers to enable audit middleware.

Problem Description

Currently, manual changes are made to the configuration to enable audit middleware. This specification is for a configuration option that can be used to enable audit middleware in a charm. This can be applied, as required, to applicable OpenStack charms.

Proposed Change

Update existing charms to enable this feature.

The customer in question is currently running bionic queens. This spec is a basis for that request.

Alternatives

Do it manually.

Implementation

For each of the OpenStack charms that provide an API, we need to do the following:

  • Add a configuration option to enable or disable audit middleware.

  • Add the specific sections that need to go into 3 files:

    • /etc/<project>/<project>.conf

    • /etc/<project>/api-paste.ini

    • /etc/<project>/api_audit_map.conf

  • Test to see if the corresponding files are changed correctly.

  • Write unit and functional tests.

Templates for /etc/<project>/api_audit_map.conf file can be found in https://github.com/openstack/pycadf/tree/master/etc/pycadf.

For further details on the implementation see https://docs.openstack.org/keystonemiddleware/latest/audit.html.
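One way to "test to see if the corresponding files are changed correctly" for api-paste.ini, as an added example (not code from the charms or charmhelpers). It assumes the rendered file uses `[pipeline:*]` sections, names the filters `authtoken` and `audit`, and uses the placeholder project name `myproject`. The filter factory, the `audit_map_file` option and the placement of audit after auth_token follow the keystonemiddleware audit documentation linked above.

```python
import configparser

AUDIT_FACTORY = "keystonemiddleware.audit:filter_factory"
MAP_FILE = "/etc/myproject/api_audit_map.conf"  # "myproject" is a placeholder

# Constructed sample of a rendered api-paste.ini; not taken from any charm.
SAMPLE_PASTE_INI = """
[pipeline:api]
pipeline = cors authtoken audit apiapp

[pipeline:versions]
pipeline = cors versionsapp

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:audit]
paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = /etc/myproject/api_audit_map.conf
"""

def audit_problems(paste_ini_text, expected_map_file):
    """Return a list of problems; an empty list means audit is wired in."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(paste_ini_text)
    problems = []
    if not cp.has_section("filter:audit"):
        problems.append("missing [filter:audit] section")
    else:
        audit = cp["filter:audit"]
        if audit.get("paste.filter_factory") != AUDIT_FACTORY:
            problems.append("[filter:audit] has wrong paste.filter_factory")
        if audit.get("audit_map_file") != expected_map_file:
            problems.append("[filter:audit] audit_map_file is not " + expected_map_file)
    for section in cp.sections():
        if not section.startswith("pipeline:"):
            continue
        stages = cp[section].get("pipeline", "").split()
        if "authtoken" not in stages:
            continue  # unauthenticated pipeline, nothing to attribute events to
        if "audit" not in stages:
            problems.append(f"[{section}] does not include the audit filter")
        elif stages.index("audit") < stages.index("authtoken"):
            problems.append(f"[{section}] runs audit before authtoken")
    return problems

if __name__ == "__main__":
    print(audit_problems(SAMPLE_PASTE_INI, MAP_FILE) or "audit filter configured")
```

The same function can be reused in a functional test to assert that the problems reappear once the option is turned off.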

Assignee(s)

Primary assignee:

None

Gerrit Topic

Use Gerrit topic “audit-middleware” for all patches related to this spec.

git-review -t audit-middleware

Work Items

  1. Understand the changes required for each project, possibly by making them by hand.

  2. Common changes will be implemented in the charmhelpers library.

  3. Write tests in charmhelpers for these changes.

  4. For each of the projects:

    1. sync the new charmhelpers.

    2. Add the relevant updated templates.

      • /etc/<project>/<project>.conf

      • /etc/<project>/api-paste.ini

      • /etc/<project>/api_audit_map.conf

    3. Write the amulet or zaza tests to ensure that the changes are good.

Repositories

No new git repositories will need to be created. However, multiple git repositories will need to be touched for this implementation to work.

These are the initial charms that are within the scope of this specification:

The following repo will also need to be updated, to ensure that similar information is stored in one central place, rather than duplicating the contents in the above repositories.

Initial work was tried in the following commits:

Documentation

It will be documented within each of the charms’ config.yaml.

Security

Enable API auditing for security compliance.

Testing

  • Unit tests will be added to charm-helpers.

  • Functional tests will need to be added for the new option, checking that the configuration is changed correctly when the option is enabled, and then that the option can be disabled.

Dependencies

There are no further dependencies.