Add audit middleware to OpenStack services
Summary
Add support for SAP audit middleware[1] for the (core) OpenStack services.
Use cases
For better audit logs we need a different middleware that can send detailed informations, e.g. to logs.
Proposal
Install audit middleware[1] at the images.
Add api-paste.ini and point to the api_audit_map - this should be optional, as not everyone want audit logging and may want different options -> default via cue defaults, change via service crd
Add option to mount api_audit_map.yaml
to /etc/$SERVICE/api_audit_map.yaml
. E.g. add an option to mount defined configmap at any path.
The configmap can be provided outside of yaook.
Specification
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this issue are to be interpreted in the spirit of RFC 2119, even though we're not technically doing protocol design.
- MUST install audit middleware[1] at cinder, glance, neutron and nova
- MUST change
api-paste.ini
path to/etc/$SERVICE/api-paste.ini
(e.g. at cue defaults) - MUST
api-paste.ini
to services - SHOULD be able to adjust
api-paste.ini
- MUST provide way to add
api_audit_map.yaml
for each service (e.g. add configmap name and mount path to service crd)