[Openstack] [OpenStack][Neutron] configuring keystone middleware audit?
John Stanford
john at solinea.com
Fri Jul 17 23:29:43 UTC 2015
Hi,
Sorry about the resend, but subjects are good...
I’ve been trying to get the API audit data flowing based on this document:
http://docs.openstack.org/developer/keystonemiddleware/audit.html
So far, I’ve been able to get nova, cinder, and glance to do the right thing,
but neutron doesn’t seem to want to play. I am getting some events through
to ceilometer. For example, when I create a port, I get a start and end
event similar to this:
{
  "_index": "events_2015-07-17",
  "_type": "port.create.end",
  "_id": "e1dbf819-3e77-4357-b8db-83a359ef7cd9",
  "raw": { },
  "timestamp": "2015-07-17T23:10:37.846477",
  "traits": {
    "user_id": "e70fcebd828349ca8f1393e62ac87756",
    "service": "network.myhost.com",
    "resource_id": "09c1388a-59fe-49e9-bb17-fb353fd8dd3a",
    "tenant_id": "970f2364df174040862210c9185c80ce",
    "request_id": "req-3e2722e6-1903-477c-9523-2e4926caa6fb",
    "project_id": "970f2364df174040862210c9185c80ce"
  }
}
For other services, I’ll see a CADF formatted http.request.audit event.
Here are the edits I’ve made to /etc/neutron/api-paste.ini file:
# added the audit filter to the keystone pipeline after authtoken
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = request_id catch_errors extensions neutronapiapp_v2_0
keystone = request_id catch_errors authtoken keystonecontext audit extensions neutronapiapp_v2_0
# added the audit filter
[filter:audit]
paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = /etc/neutron/neutron_api_audit_map.conf
The map file is snagged from here:
https://github.com/openstack/pycadf/blob/master/etc/pycadf/neutron_api_audit_map.conf
Any suggestions, war stories, requests for more detail, etc. are greatly appreciated.
Thanks,
John
@jxstanford
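
Added example, not part of the original message and not neutron or keystonemiddleware code: a small checker for the api-paste.ini edits quoted above, confirming that a filter loading the audit middleware exists and sits after authtoken and before the app in the keystone pipeline. The function name `check_audit` is hypothetical, the filter name `authtoken` is taken from the quoted pipeline, and the check covers the paste configuration only, not notification delivery.

```python
import configparser

AUDIT_FACTORY = "keystonemiddleware.audit:filter_factory"

# Constructed sample: the api-paste.ini lines quoted in the message above.
SAMPLE = """\
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = request_id catch_errors extensions neutronapiapp_v2_0
keystone = request_id catch_errors authtoken keystonecontext audit extensions neutronapiapp_v2_0
[filter:audit]
paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = /etc/neutron/neutron_api_audit_map.conf
"""

def check_audit(ini_text, strategy="keystone"):
    """Return (problems, audit_map_file) for the given auth strategy's pipelines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(ini_text)
    problems = []
    # Names of every [filter:X] section that loads the audit middleware.
    audit_names = sorted(s.split(":", 1)[1] for s in cp.sections()
                         if s.startswith("filter:")
                         and cp[s].get("paste.filter_factory") == AUDIT_FACTORY)
    if not audit_names:
        problems.append("no [filter:...] section uses " + AUDIT_FACTORY)
    for section in cp.sections():
        if not section.startswith("composite:") or strategy not in cp[section]:
            continue
        pipeline = cp[section][strategy].split()
        hits = [i for i, name in enumerate(pipeline) if name in audit_names]
        if not hits:
            problems.append(f"{section}: {strategy} pipeline has no audit filter")
            continue
        # Assumption: the auth_token filter is named "authtoken", as in the quoted file.
        if "authtoken" not in pipeline or pipeline.index("authtoken") > hits[0]:
            problems.append(f"{section}: audit is not placed after authtoken")
        if hits[-1] == len(pipeline) - 1:
            problems.append(f"{section}: audit is last, so no app follows it")
    map_file = cp["filter:" + audit_names[0]].get("audit_map_file") if audit_names else None
    return problems, map_file

if __name__ == "__main__":
    print(check_audit(SAMPLE))
```

An empty problem list means the pipeline wiring matches what the message describes; the returned map file path still has to exist and be readable by the neutron-server process.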