PyCADF library not installing audit maps to /etc/pycadf

Bug #2047941 reported by Michal Arbet
This bug affects 1 person
Affects: kolla
Status: Fix Released
Importance: Undecided
Assigned to: Michal Arbet

Bug Description

Hi,

As we are using the PyCADF lib for auditing [1] (and fixing the issue in downstream git repositories for now), we would like to finally merge a fix to the kolla and kolla-ansible gits.

When pycadf for auditing is used, there are missing audit maps in /etc/pycadf so auditing can't work.
The reason is that the pycadf pip package installs them to /var/lib/kolla/venv/etc/pycadf/, not /etc/pycadf, and moreover not all of them are there, as shown below:

(venv) (glance-api)[root@controller0 /]# . /var/lib/kolla/venv/bin/activate
(venv) (glance-api)[root@controller0 /]#
(venv) (glance-api)[root@controller0 /]# pip3 freeze | grep pycadf
pycadf==3.1.1

(venv) (glance-api)[root@controller0 /]# ls -la /var/lib/kolla/venv/etc/pycadf/
total 36
drwxr-xr-x 2 root root 4096 Oct 9 07:09 .
drwxr-xr-x 1 root root 4096 Oct 9 07:11 ..
-rw-r--r-- 1 root root 376 Oct 9 07:09 ceilometer_api_audit_map.conf
-rw-r--r-- 1 root root 689 Oct 9 07:09 cinder_api_audit_map.conf
-rw-r--r-- 1 root root 364 Oct 9 07:09 glance_api_audit_map.conf
-rw-r--r-- 1 root root 710 Oct 9 07:09 neutron_api_audit_map.conf
-rw-r--r-- 1 root root 1592 Oct 9 07:09 nova_api_audit_map.conf
-rw-r--r-- 1 root root 340 Oct 9 07:09 swift_api_audit_map.conf
-rw-r--r-- 1 root root 500 Oct 9 07:09 trove_api_audit_map.conf

Audit maps which should be included - all of them >>

https://github.com/openstack/pycadf/tree/3.1.1/etc/pycadf

So, the fix will be in the kolla project to just include the default ones, and in kolla-ansible to allow override per project.

[1] https://docs.openstack.org/mitaka/config-reference/identity/auditing.html

Thanks,
Michal Arbet (kevko)

Changed in kolla:
assignee: nobody → Michal Arbet (michalarbet)
Michal Arbet (michalarbet) wrote :

Oh, forgot to say that services without a mapping report something like the below:

>>

No such file or directory: '/etc/pycadf/cinder_api_audit_map.conf'

<<
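
A check for the condition reported above, as an added example that is not part of the original bug report or of the kolla fix: for each service name given, it reports whether the audit map is readable in /etc/pycadf, present only under the venv prefix, or absent from both. The function and variable names are this example's own, and it assumes every map is named `<service>_api_audit_map.conf`, as in the listing.

```bash
#!/usr/bin/env bash
# Added example: report where each service's pycadf audit map actually lives.
# The two default directories are the paths quoted in the bug report. Assumption:
# every map is named <service>_api_audit_map.conf, as in the listing above.

AUDIT_MAP_DIR="${AUDIT_MAP_DIR:-/etc/pycadf}"
VENV_MAP_DIR="${VENV_MAP_DIR:-/var/lib/kolla/venv/etc/pycadf}"

# Prints "<service> <state> <path>" per service and returns 0 only if all are ok.
#   ok         map is readable in AUDIT_MAP_DIR, where the services look for it
#   venv-only  map was installed only under the venv prefix (the reported case)
#   missing    map is in neither directory
check_audit_maps() {
    local rc=0 svc name
    for svc in "$@"; do
        name="${svc}_api_audit_map.conf"
        if [ -r "$AUDIT_MAP_DIR/$name" ]; then
            printf '%s ok %s\n' "$svc" "$AUDIT_MAP_DIR/$name"
        elif [ -f "$VENV_MAP_DIR/$name" ]; then
            printf '%s venv-only %s\n' "$svc" "$VENV_MAP_DIR/$name"
            rc=1
        else
            printf '%s missing %s\n' "$svc" "$AUDIT_MAP_DIR/$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo tree (not real kolla output): one map in each location and
# one service with no map at all.
demo() {
    local tmp rc=0
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/etc/pycadf" "$tmp/venv/etc/pycadf"
    echo '# constructed' > "$tmp/etc/pycadf/glance_api_audit_map.conf"
    echo '# constructed' > "$tmp/venv/etc/pycadf/nova_api_audit_map.conf"
    ( AUDIT_MAP_DIR="$tmp/etc/pycadf"; VENV_MAP_DIR="$tmp/venv/etc/pycadf"
      check_audit_maps glance nova cinder ) || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Script usage: ./check_audit_maps.sh glance cinder nova
if [ "$#" -gt 0 ]; then check_audit_maps "$@"; fi
```

Run inside each service container after the image build; a non-zero exit status means at least one of the named services has no map in the directory it reads from.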

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/kolla/+/904576

Changed in kolla:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/904576
Committed: https://opendev.org/openstack/kolla/commit/7f5a904e98d7dd1213517257132d2eff23dfeadb
Submitter: "Zuul (22348)"
Branch: master

commit 7f5a904e98d7dd1213517257132d2eff23dfeadb
Author: Michal Arbet <email address hidden>
Date: Wed Jan 3 15:30:27 2024 +0100

    Fix openstack CADF audit maps and installation

    This patch fixes missing pycadf's audit maps
    for services and change the way how pycadf
    is installed.

    Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/905858

    Closes-Bug: #2047941
    Change-Id: I9b43d1a9990ad8aa7381ea81b0f2d692967be949

Changed in kolla:
status: In Progress → Fix Released