sapcc / openstack-audit-middleware Goto Github PK

OpenStack middleware to produce an CADF audit trail from API calls

License: Apache License 2.0

Python 99.26% Shell 0.74%

openstack cadf audit-middleware cadf-audit-trail audit-event openstack-middleware cadf-events

openstack-audit-middleware's Introduction

openstack-audit-middleware

Paste middleware to produce a CADF audit trail from OpenStack API calls. Currently the following OpenStack services are supported out-of-the-box today:

Nova
Neutron
Cinder
Designate
Manila
Glance
Barbican
Ironic
Octavia

Additional APIs can be supported without major code changes through templates.

It is a major redesign of the original audit module within the keystonemiddleware. It has been invented to produce a more verbose audit trail that can be consumed by auditors, end users and complex event processing infrastructures alike.

For that reason it does not adhere to the existing OpenStack taxonomy for CADF. The biggest difference is that it populates the target part of the CADF event with the actual resource/object affected by the action. This is a prerequisite to user friendly presentation of events, e.g. navigation from event to target objects. Previously, the essential information which target object has been affected by an audit-relevant action had been buried in the requestPath attribute or was not available at all.

For operators the difference is minor though. The integration of the new middleware in the OpenStack service works the same way with the only change being different mapping files and of course the new binaries.

The figure above shows the middleware in Nova's pipeline.

Embedding

To enable auditing, oslo.messaging should be installed. If not, the middleware will write audit events to the application log instead.

Auditing is enabled by editing the services's api-paste.ini file to include the following filter definition:

[filter:audit]
paste.filter_factory = auditmiddleware:filter_factory
audit_map_file = /etc/nova/api_audit_map.yaml

The filter must be included after Keystone middleware's authtoken filter so it can utilise request header variables set by it.

Below is an example using Nova's WSGI pipeline::

[composite:openstack_compute_api_v2]
use = call:nova.api.auth:pipeline_factory
noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
keystone = faultwrap sizelimit authtoken keystonecontext ratelimit audit osapi_compute_app_v2
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext audit osapi_compute_app_v2

Configuration

API Mapping

To properly audit api requests, the audit middleware requires a mapping file. The mapping files describes how to generate CADF events out of REST API calls.

The location of the mapping file should be specified explicitly by adding the path to the audit_map_file option of the filter definition::

[filter:audit]
paste.filter_factory = auditmiddleware:filter_factory
audit_map_file = /etc/nova/api_audit_map.yaml

For each supported OpenStack services, a mapping file named <service>_api_audit_map.yaml is included in the etc folder of this repo.

Additional options can be set:

Certain types of HTTP requests can be ignored entirely. Typically GET and HEAD requests should not cause the creation of an audit events due to sheer volume.

# ignore any GET or HEAD requests
ignore_req_list = GET, HEAD

Payload Recording

The payload of the API response to a CRUD request can be attached to the event optionally. This will increase the size of the events, but brings a lot of value when it comes to diagnostics. Sensitive information can be filtered out using the payloads attribute of the resource mapping specification (see below).

# turn on logging on request payloads
record_payloads = True

Oslo Messaging

Audit middleware can be configured to use its own exclusive notification driver and topic(s) value. This can be useful when the service is already using oslo messaging notifications and wants to use a different driver for auditing e.g. service has existing notifications sent to queue via 'messagingv2' and wants to send audit notifications to a log file via 'log' driver.

The oslo messaging configuration for the audit middleware is at the same place as service's oslo messaging configuration: the service configuration file (e.g. neutron.conf)

Example shown below:

[audit_middleware_notifications]
driver = log

When audit events are sent via 'messagingv2' or 'messaging', middleware can specify a transport URL if its transport URL needs to be different from the service's own messaging transport setting. Other Transport related settings are read from oslo messaging sections defined in service configuration e.g. 'oslo_messaging_rabbit'.

Example shown below:

[audit_middleware_notifications]
driver = messagingv2
transport_url = rabbit://user2:passwd@host:5672/another_virtual_host

Statistics and Operational Metrics

The middleware can emit statistics on emitted events using tagged statsd metrics. This requires a DogStatsD compatible statsd service like the Prometheus StatsD exporter.

# turn on metrics
metrics_enabled = True

The default StatsD host and port can be customized using environment variables:

STATSD_HOST     the statsd hostname
STATSD_PORT     the statsd portnumber

The following metrics and dimensions are supported

Metric	Description	Dimensions/Tags
openstack_audit_events	Statistics on audit events per tenant. This includes not yet delivered ones.	action: CADF action ID, project_id: OpenStack project/domain ID, service: OpenStack service type, target_type: CADF type URI of the target resource, outcome: failed/success/unknown
openstack_audit_events_backlog	Events buffered in memory waiting for message queue to catch up
openstack_audit_messaging_overflows	Number of lost events due to message queue latency or downtime
openstack_audit_messaging_errors	Failed attempts to push to message queue, leading to events dumped into log files

Mapping Rules

The creation of audit events is driven by so called mapping rules. The CADF mapping rules are essentially a model of resources. Using OpenStack API design patterns, this model implies how the HTTP API requests are formed.

The path of an HTTP request specifies the resource that is the target of the request. It consists of a prefix and a resource path. The resource path is denoting the resource. The prefix is used for versioning and routing. Sometimes it is even used to specify the target project of an operation (e.g. in Cinder).

In the mapping file, the prefix is specified using a regular expression. In those cases where the prefix contains the target project id, the regular expression needs to capture the relevant part of the prefix using a named match group called project_id

prefix: '/v2.0/(?P<project_id>[0-9a-f\-]*)'

The resource path is a concatenation of resource names and IDs. URL paths follow one of the following patterns:

/<resources>: HTTP POST for create, GET for list
/<resources>/<resource-id>: HTTP GET for read, PUT for update, DELETE for remove
/<resources>/<resource-id>/action: POST to perform an action specified by the payload. The payload is expressed as {<action>: {<parameter1>: <pvalue1>, ...}}
/<resources>/<resource-id>/<custom-action>: perform a custom action specified in the mapping (otherwise this is interpreted as a key, see below)
/<resources>/<resource-id>/<key>: update a key of a resource
/<resources>/<resource-id>/<child-resource>: like top-level resource
/<resources>/<resource-id>/<child-resource>/<child-resource-id>: like top-level resource

For singletons, i.e. resources with only a single instance, the <resource-id> parts are omitted.

Additional hints are added to address exceptions to these design patterns.

Elements by Example

The mapping file starts with general information on the service:

service_type: The type of service according to the CADF type taxonomy, i.e. the root of the type hierarchy. All resources of the service are added beneath that root.

prefix: The URL prefix used by the service. Some OpenStack services specify the target project/domain in the URL, others rely on the authorization scope or special parameters.

  # service type as configured in the OpenStack catalog
  service_type: compute
  # configure prefix, use the named match group 'project_id' to mark the tenant
  prefix: '/v2[0-9\.]*/(?P<project_id>[0-9a-f\-]*)'

This is followed by a description of the service's resource hierarchy.

The following defines a resource with the typeURI compute/servers.

     resources:
        servers:
            # type_uri: compute/servers (default)
            # el_type_uri: compute/server (default)
        custom_actions:
          startup: start/startup
        custom_attributes:
          # always attach the security_groups attribute value
          # which has type compute/server/security-groups
          security_groups: compute/server/security-groups

In addition to the basic resource actions implied by the HTTP method, OpenStack services can expose custom actions that go beyond CRUD. Two ways how to encoded action names in the HTTP request are common:

payload-encoded: the last component of the URL path is the action name (example)
path-encoded: the last component of the URL path is action and the payload contains the action name as the first JSON element (example

Usually all custom actions should be listed in the mapping because otherwise the last path component will be taken as a custom key of the resource or ignored right-away:

custom_actions: map custom action names to the CADF action taxonomy (default: []).

The mapping of actions is complex: For payload-encoded actions a default-mapping will be applied which determines the primary action (e.g. update) from the HTTP method and adds the action name from the payload (e.g. update/myaction).

For path-encoded actions you can reach a similar behaviour with a generic rule of the form "<method>:*": "<action>" (e.g. "POST:*": "read"). You can refer to the actual action name in the path via * (e.g. "POST:*": "update/*"). If the right side of the rule is null, the entire request will be suppressed, so that no event is emitted (e.g. "POST:*": null).

If there is no rule matching the path suffix, it will be interpreted as a key, not as an action. That means that the action will be determined from the HTTP method only and an attachment with the name key and the name of the key as content will be added to the event.

Attributes of special importance can be added to every update-like event by specifying custom attributes:

custom_attributes: list attributes of special importance whose values should always be attached to the event; Assign a type URI, so they can be shown in UIs properly (default: [])

A singleton resource is a api url call that will always lead to only one resource. Some resources exist only once, i.e. they only have a single instance and thus no unique ID. This is controlled by the following attribute:

singleton: true when only a single instance of a resource exists. Otherwise the resource is a collection, i.e. an ID needs to be specified for address individual resource instances in a URL (default: false)

For some resources, some API designs do not follow the common OpenStack naming patterns. Those exceptions can be modelled with the following settings:

api_name: resource name in the URL path (default: <resource-name>); must be unique
type_uri: type-URI of the resource, used in the target.typeURI attribute of the produced CADF event (default: <parent-typeURI>/<resource-name>)
el_type_uri: type-URI of the resource instances (default: type_uri omitting the last character); not applicable to singletons
custom_id: indicate which resource attribute contains the unique resource ID (default: id)
custom_name: indicate which resource attribute contains the resource readable name (default: name)
type_name: JSON name for the resource, used by API designs that wrap the resource attributes into a single top-level attribute (default: api_name without leading os- prefix resp. the original resource name, but with - replaced by _)
el_type_name: JSON name of the resource instances (default: type_name omitting the last character)

Resources can be nested, meaning that a resource is part of another resource. Nesting is used to model various design patterns:

composition: a resource is really part of another resource, so that e.g. the resource is deleted when its parent is deleted.

grouping: a singleton resource is used to group related resources or custom fields.

children:
  metadata:
    # collection of fields/keys
    singleton: true
    # wrapped in a JSON element named "meta"
    type_name: meta
  migrations:
    # defaults are all fine for this resource
  interfaces:
    # for some reason Nova does not use plural for the os-interfaces of a server
    api_name: 'os-interface'
    # in JSON payloads the resource attributes are wrapped in an element called 'interfaceAttachment'
    type_name: interfaceAttachments
    # the unique ID of an os-interface is located in attribute 'port_id' (not 'id')
    custom_id: port_id

The configuration option to record request payloads needs some special consideration when sensitive or bulky information in involved:

payloads: controls which attributes of the request payload may not be attached to the event (e.g. because they contain very sensitive information)
- enabled: set to false to disable payload recording for this resource entirely (default: true)
- exclude: exclude these payload attributes from the payload attachment (black-list approach, default: [])
- include: only include these payload attributes in the payload attachment(white-list approach, default: all)

In our example this looks like this:

      ...
      os-server-password:
           singleton: true
        payloads:
          # never record payloads for the os-server-password resource
          enabled: False
flavors:
  payloads:
    exclude:
      # filter lengthy fields with no real diagnostic value
      - description
      - links

Undeclared Resources

Resources that are not declared in the mapping file will be reported as unknown in the operational logs. Still the middleware tries to create events for them based on heuristics. They can be recognized by the X prefix in the resource name.

When those X-resources show up, the mapping file should be extended with an appropriate resource definition. The reason is that the heuristics to discover and map undeclared resources are not covering all kinds of requests. There are ambiguities.

Developing Audit Middleware

Contributing

This project is open for external contributions. The issue list shows what is planned for upcoming releases.

Pull-requests are welcome as long as you follow a few rules:

Ensure that the middleware cannot degrade availabilty (no crashes, no deadlocks, no synchronous remote calls)
Do not degrade performance
Include unit tests for new or modified code
Pass the static code checks
Keep the architecture intact, don't add shortcuts, layers, ...

Software Design

The purpose of this middleware is to create audit records from API calls.

Each record describes a user or system activity following the 5W1H principle:

who: which user?
what: which action? which parameters?
where: on which target resource?
when: what timestamp?
why: which service URL?
how: with what outcome (outcome, HTTP response code)

This information is gathered from the URL path and the exchanged payloads which may contain important information like resource IDs or names. Discovering that information based on the hints in the mapping file is what most of the code is about.

Complexity comes from:

different styles of encoding actions and payloads
create calls, where the target resource ID needs to be fetched from the result payload
mass vs. single operations

Components/Packages

api: Implementation of actual pipeline filter
notifier: Implementation of the asynchronous event push to the oslo bus
tests: unit and component tests

openstack-audit-middleware's People

Contributors

Stargazers

Watchers

Forkers

notque entercloudsuite jobrs pagolin

openstack-audit-middleware's Issues

do not block API calls

The event publication shall not block the webserver threads serving the API calls. Failures must not affect the API functionality.

This could be done by having either fail-fast publication of events with minimal timeouts, no immediate retries and in-memory queueing on error. Or we could move the event publication into a background thread.

The background thread approach might come with some not-so-unexpected complications:

green-threads: Darren learned the hard way that they do not offer preemptive multitasking but rather interfere with the parent process
multi-processing: a separate Python process requires interprocess communication. For sure not with files ... But do we have something like memory-pipes or shared-memory queues in Python?

The fail-fast approach would try to circumvent additional threads with the following strategy:

set time-outs to near zero
disable automatic retries by RabbitMQ client
queue events that could not be published and deliver them alongside the next event
back-off in case of sequential errors (queueing the events that arrive in the back-off period)
limit the queue and drop anything that does not fit in

Record Payload

Record the payload on create/update events in an attachment, so that the actual changes to a resource can be reconstructed from the audit events.

For this purpose, a section payloads is introduced to the resource definition. It controls whether the payload of requests is dumped into an attachment and which attributes are included/excluded (via regular expression). By default everything is included.

Custom attributes can be used to extract specific attributes from the response (!) to attachments. These fields will be more visible and more importantly machine-readable since they include type-information.

resources:
  networks:
    payloads:
      enabled: False 
  ports:
    payloads:
      exclude: id,name
    custom_attributes:
      allowed_address_pairs: string
      security_groups: network/security-group

When the payload of a POST, PUT or PATCH request for said resource contains a custom attributes, an attachment with the same name will be added to event.

JSON Request Payload:

{
  "port": {
      "security_groups": [
         "ce0179d6-8a94-4f7c-91c2-f3038e2acbd0"
      ],
  }
}

JSON Response Payload:

{
    "port": {
        "admin_state_up": true,
        "allowed_address_pairs": [],
        "created_at": "2016-03-08T20:19:41",
       ...
        "revision_number": 1,
        "security_groups": [
            "f0ac4394-7e4a-4409-9701-ba8be283dbc3"
        ],
        "status": "DOWN",
        "tenant_id": "d6700c0c9ffa4f1cb322cd4a1f3906fa",
        "updated_at": "2016-03-08T20:19:41"
    }
}```

Event Payload:

{
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
"id": "d9188938-b391-5e20-ab67-2dbfc4e67850",
"eventTime": "2017-12-15T10:42:49.492100+0000",
"action": "create",
"eventType": "activity",
"outcome": "success",
"initiator": {...},
"target": {
"typeURI": "network/port",
"id": "e34a74fa-47a3-493b-b7f0-46464261a842",
},

here we go ...

"attachments": [
{
"content": "{"port": { "security_groups": [ "ce0179d6-8a94-4f7c-91c2-f3038e2acbd0"],}}",
"contentType": "string",
"name": "payload"
}
{
"content": "["ce0179d6-8a94-4f7c-91c2-f3038e2acbd0"]",
"contentType": "network/security-group",
"name": "security_groups"
{
"content": "[]",
"contentType": "data/string",
"name": "allowed_address_pairs"
}
}
]
}

Remove python 2 support (six)

All services use python 3 at this point, time to remove six.

Support target project_id different to scoped project_id

Actions by service users or cloud-admins are often targeted at projects different than the user scope. Currently events are only stored in the scoped project, so that those actions are not visible to members of affected projects.

Target projects usually are specified using a project_id (or tenant_id) field in the request payload.

Example: Ports that are created by the neutron service user as part of a higher-level operation.

Support Glance

mapping file plus engine enhancements if needed

Support Cinder

Add support for the above OpenStack services.

This includes support for a new REST style: Cinder specifies the target project of an operation as path prefix, e.g. /v3/<project-id>/types

Use one observer type per service

Do not create the observer typeURI per service resource, but instead use a single value for the entire service.

Move the address information to the target.

audit event on CRUD

record CADF events on create, read, update, delete calls of the following scheme:

Action	Method	Path
create	POST	<resource>s
read	GET	<resource>s/<id>
read (singleton)	GET	<resource>s
list	GET	<resource>s/
update	PUT	<resource>s/<id>
update (singleton)	PUT	<resource>s/
delete	DELETE	<resource>s/<id>

Paths can be concatenated with "/" to address child resources.

Requirements

typeURI set according to taxonomy (<service>/<resource>)
id (openstack:<resource-id>)
name (where available)
other attributes set like in the old audit middleware

Support Manila

Add openstack's request id to event

This is a feature request to add openstack's request-id and/or global-request-id to the event data.

Global and local request ID's are used to trace the execution steps in openstack services. Admins relies on them to search logs and analyse the root cause of failed events/actions. In addition, the global request id's can be used to correlate a series of events between different openstack components.

Add Application Credentials to audit logging

Currently Application Credentials are not a part of our openstack audit middleware. This has been added in the keystonemiddleware, and will be used as the basis for our implemention.

SAPCC OpenStack Audit Middleware -
https://github.com/sapcc/openstack-audit-middleware/blob/master/auditmiddleware/_api.py#L489

Keystone Middleware
https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/audit/_api.py#L301

In Keystonemiddleware's audit logger on line 301 credential field is being added, and contains token body. If application credential is being used, it is in the token (token.token.application_credential).

remove dependency to keystonemiddleware internals

remove the dependency to the _common package which is used to read the applications oslo messaging configuration

from keystonemiddleware._common import config

Round of Security Sweeps

Need to do another round of security sweeps to make sure no sensitive information makes it through. Update audit maps, clear events.

It's currently high effort to do the clearing, it would probably make sense to devote time to making a less effort intensive version.

Currently it's kind of hacky to do it, and moving it all to a consistent golang script would make the most sense.

prometheus can't get openstack_audit metric

I config neutron to use auditmiddleware and audit map file, and config driver=log in neutron.conf. I test creating and removing network, and can see audit log in neutron-server.log. When I add statsd_exporter and config prometheus to use this exporter, I can't see openstack_audit_* metric in prometheus targets.

The config of api-paste.ini in neutron dir is like this:
[filter:audit]
paste.filter_factory = auditmiddleware:filter_factory
audit_map_file = /etc/neutron/api_audit_map.yaml
ignore_req_list = GET, HEAD
record_payloads = True
metrics_enabled = True

The command of statsd_exporter start is like this:
./statsd_exporter -statsd.listen-address=":9125" -statsd.mapping-config="/etc/neutron/api_audit_map.yaml" -web.listen-address=":9102" -web.telemetry-path="/metrics"

The output of exporter metric is like this:
statsd_exporter_build_info{branch="",goversion="go1.10",revision="",version=""} 1
statsd_exporter_lines_total 5
statsd_exporter_loaded_mappings 0
statsd_exporter_sample_errors_total{reason="malformed_component"} 4
statsd_exporter_sample_errors_total{reason="malformed_line"} 1
statsd_exporter_samples_total 4
statsd_exporter_tag_errors_total 0
statsd_exporter_tags_total 0
statsd_exporter_tcp_connection_errors_total 0
statsd_exporter_tcp_connections_total 1
statsd_exporter_tcp_too_long_lines_total 0
statsd_exporter_udp_packets_total 0

@majewsky @BugRoger @notque @databus23 @dhague

Neutron event errors with a payload as a string instead of dict

ERROR:

An exception occurred processing the API call with args: (<auditmiddleware.AuditMiddleware object at 0x7f4ebd86d430>, <Request at 0x7f4eaa3d2af0 POST https:///v2.0/nsxt-ops>, <Response at 0x7f4eaa13e730 201 Created>){}

Exception(most recent call first)

AttributeError: 'str' object has no attribute 'get'
File "auditmiddleware/init.py", line 84, in wrapper
return fn(*args, **kwargs)
File "auditmiddleware/init.py", line 136, in _process_request
events = self._cadf_audit.create_events(request, response)
File "auditmiddleware/_api.py", line 255, in create_events
return self._build_events(target_project, self._resource_specs,
File "auditmiddleware/_api.py", line 306, in _build_events
return self._build_events(target_project, sub_res_spec, None, None,
File "auditmiddleware/_api.py", line 281, in _build_events
return self._create_events(target_project, res_id,
File "auditmiddleware/_api.py", line 382, in _create_events
isinstance(res_payload.get(res_spec.type_name), list):

Looks to be from nsxt-ops which I'm unfamiliar with. Will dig further.

Audit mapping for Neutron

Provide a neutron_audit_map.yaml to create audit events from Neutron calls.

Requires #9 for network bulk-create

delete of subresources mapped to wrong action

DELETE /v2/a759dcc2a2384a76b0386bb985952373/servers/805780cd-9934-42bd-a0b3-6db177a656b5/os-volume_attachments/e733127c-4bae-429c-bd01-a89ff0b109a2

yields the wrong event:

{
  "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
  "id": "a83e639a-1725-5f35-8d21-3c0365c12676",
  "eventTime": "2017-11-23T16:34:29.510688+0000",
  "action": "delete/e733127c-4bae-429c-bd01-a89ff0b109a2",
  "eventType": "activity",
  "outcome": "failure",
  "initiator": {
    "typeURI": "service/security/account/user",
    "id": "bfa90acd1cad19d456bd101b5b4febf7444ee08d53dd7679ce35b322525776b2",
    "project_id": "a759dcc2a2384a76b0386bb985952373",
    "host": {
      "agent": "python-novaclient",
      "address": "127.0.0.1"
    }
  },
  "target": {
    "typeURI": "compute/server/volume-attachments",
    "id": "805780cd-9934-42bd-a0b3-6db177a656b5"
  },
  "observer": {
    "typeURI": "service/compute/server/volume-attachments",
    "id": "616890ec-b08c-5e44-8a68-f8147e5e1409"
  }
}

Missing openstack-audit-middleware in pypi repository

Hi, for long time we are building this python package and adding to our downstream kolla git repository and building images for openstack.

As a core for kolla and kolla-ansible I would like to add this middleware to kolla images to upstream master branch. Do you think you can upload and maintain this openstack-audit-middleware to pypi repository ? If yes, then I will just add one line to install this package.

PS: I am accessible on email or on freenode IRC #kolla

Thanks,
Michal Arbet (kevko)

Check all x- events in all services

x- is attached to events that aren't mapped, go through all x- events for all services, and get them mapped and updated.

It would also be nice to create an alert whenever an x- message comes in. Info alert. But we need to get it all cleaned up first for that to make sense.

Do not ignore unknown resources

Guess the mapping for resources not declared in the mapping file, so that no activities are left unnoticed.

Currently, resources that are not known by the mapping file are ignored.

Audit Statistics

This issue implements https://issues.wdf.sap.corp/browse/CCM-4764

Key idea is provide counters on the events produced and thus the underlying activities. The counters should be sliced by the following labels/dimensions:

service
action
target project ID
target resource type

Additional dimensions about the service instance can be added by the prom-stats container running side-by-side, so we can omit them here.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

chore(deps): update dependency datadog to v0.49.1
chore(deps): update actions/checkout action to v4
chore(deps): update actions/setup-python action to v5
chore(deps): update dependency hacking to v6
Click on this checkbox to rebase all open PRs at once

Detected dependencies

github-actions

.github/workflows/python-package.yml

actions/checkout v3

actions/setup-python v3

pip_requirements

doc/requirements.txt

doc8 >=0.6.0

openstackdocstheme >=1.18.1

reno >=2.5.0

sphinx !=1.6.6,!=1.6.7,>=1.6.2

sphinxcontrib-apidoc >=0.2.0

mock >=2.0.0

oslotest >=3.2.0

requests-mock >=1.2.0

testresources >=2.0.0

python-memcached >=1.56

WebTest >=2.0.27

oslo.messaging >=5.29.0

requirements.txt

keystoneauth1 >=3.4.0

oslo.config >=5.2.0

oslo.serialization !=2.19.1,>=2.18.0

pycadf !=2.0.0,>=1.1.0

requests >=2.14.2

WebOb >=1.7.1

six >=1.10.0

test-requirements.txt

datadog ==0.46.0

hacking >=3.0.1,<4.0.0

flake8-docstrings ~=1.7.0

coverage !=4.4,>=4.0

fixtures >=3.0.0

mock >=3.0.0

oslotest >=3.8.0

requests-mock >=1.2.0

stestr >=2.0.0

testresources >=2.0.0

testtools >=2.2.0

WebTest >=2.0.27

oslo.messaging >=5.29.0

bandit >=1.1.0

pip_setup

setup.py

pbr >=2.0.0

Check this box to trigger a request for Renovate to run again on this repository

Support Designate

mapping file plus engine enhancements if needed

Switch to eventlet-safe oslo.cache's MemcacheClientPool

Check in with services team as well to see if they are seeing the issues that create the problem. May be a big help.

Log disabled/forced_down changes on services

For auditing reason, we have to create and process an audit event whenever a service was enabled/disabled and keep the audit trail in Octobus. Example: nova-compute-bbXXX service enable/disable with reason

Requestor: Fabian Kroenner

A similar ServiceStatusNotification has been already added to the operational logs.

Keystone add additional audit detail

Considering an amount of auth methods it would be useful to log keystone token details along with the event details.
It would be useful to list an auth method, token roles, when the token was issued, when it will expire, audit IDs, etc.

eventTime date format invalid

The date format of the eventTime field is not appropriate:

actual format: "eventTime": "2017-12-11T13:36:01.263944+0000"

expected format: "eventTime": "2017-12-11T13:36:01.263944+00:00"

This bug is inherited from pycadf. See https://bugs.launchpad.net/pycadf/+bug/1738737

audit event on custom actions

Create CADF events on custom actions triggered by API calls of the following scheme:

Path: /<resource>s/<resource-id>/<custom-action>
Path: /<resource>s/<resource-id>/action
- Payload: <action>: ...

Debian packaging

Hello guys,

Firstly I want to appreciate your work on openstack-audit-middleware and also want to say that we love your work in Ultimum.

I'm contacting you because I'm debian developer and want to package your work and add package to oficial debian repository.

Unfortunately I can't do it right now because there are some steps I want to ask you to be done.

Can you release some version ? I mean, can you tag your "stable" release commit in git ?
Can you fix unit tests as now they are not working ? ( tox -e py35 , log in attachment )
OR delete if they are obsolete ..

Git repository: https://github.com/sapcc/openstack-audit-middleware.git

Thank you very much,

Best regards,
Michal Arbet ( kevko )

openstack-audit-middleware-unit-test.log

Look into Test issues

Middleware continues to work fine, but I'm having difficulties with tests. Need to sort out and fix.

Support bulk operations / multiple events per API call

Report IDs of resources changed in bulk operations. Since the CADF event format does not support multiple targets and a target only has a single resource ID, we have to create one event per resource.