sapcc
diff --git a/‎ChangeLog‎
Lines changed: 58 additions & 0 deletions b/‎ChangeLog‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 60 additions & 157 deletions b/‎README.md‎
Lines changed: 60 additions & 157 deletions
@@ -1,6 +1,64 @@
 CHANGES
 =======
 
+* fix name mapping. use path\_keywords
+
+1.0.14
+------
+
+* neturon name mapping
+
+1.0.13
+------
+
+* fix cinder, nova name mapping
+
+1.0.12
+------
+
+* fix manila mapping, regex
+
+1.0.11
+------
+
+* add ironic support and tests
+
+1.0.10
+------
+
+* manila, nova name lookup fix
+* add doc
+
+1.0.9
+-----
+
+* add manila mapping and tests
+* add pep8 style check
+* add build status
+* add travis
+
+1.0.8
+-----
+
+* glance naming
+* fix keystone target\_type\_uri name mapping
+* fix keystone test
+
+1.0.7
+-----
+
+* enhanced the keystone uri strategy to properly map name lookups to target\_type\_uri
+
+1.0.6
+-----
+
+* readme
+* Latency and status (#3)
+* enable check body of authentication requests
+* client\_addr->host\_address
+* add /endpoints and test
+* [swift] it's not /v1/info but /info
+* dry requirements
 * bump to 1.0.0
 * fix logging
 * default target.project\_id to initiator.project\_id if discovery fails
 
@@ -14,19 +14,21 @@ The OpenStack Watcher is a WSGI middleware capable of analyzing OpenStack traffi
 
 ## Principles
 
-The watcher distinguishes between `initiator` and `target` of an action. 
-`Initiator` describes the resource or the user that starts the request, ` Target` refers to the resource against which the action was performed.
+The watcher middleware classifies OpenStack requests based on the Cloud Auditing Data Federation (CADF) specification.
+It distinguishes between `initiator` and `target` of an action. 
+`Initiator` describes the resource or the user who sent the request, `Target` refers to the resource against which the action was performed.
 
 ### CADF Specification
 
-Requests are classified according to the CADF specification.
-A comprehensive list of of OpenStack requests and their CADF representation can be found here: [Cloud Audit Data Federation - OpenStack Profile (CADF-OpenStack)](https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf).  
-This middleware follows DMTF specification DSP2038, version 1.1.0 as of 27 April 2015.
+The Cloud Audit Data Federation (CADF) specification defines a model for events within the OpenStack platform.
+This data model is used by the watcher middleware to classify requests.
+More information is provided in the [documentation](./doc/cadf.md).
 
 #### Classification
 
-The watcher classifies requests and records the following attributes.
-These are emitted as Prometheus metrics and passed in the GCI environment with the `WATCHER` prefix and in capital letters.
+The following attributes are recorded and passed via the WSGI environment through the pipeline.
+Moreover, this meta data is emitted as Prometheus metrics.  
+Note: The attributes in the environment are capitalized.
 For example: `WATCHER.ACTION`, `WATCHER.INITIATOR_PROJECT_ID`, `WATCHER.TARGET_PROJECT_ID`, etc. .
 
 - `action`:       the CADF action
@@ -48,141 +50,15 @@ For example: `WATCHER.ACTION`, `WATCHER.INITIATOR_PROJECT_ID`, `WATCHER.TARGET_P
 
 - Swift (object-store):
     - `target.container_id`: the name/id of the swift container. `None` if not relevant. `Unknown` if it could not be determined.
-    
-
-#### Determine target project 
-
-Determining the target of an operation can be hard. The watcher offers 3 mutually exclusive approaches to that:   
-1. Extract target project id from token.
-Assumptions: Initiator is authenticated. Initiator and target are in the same project.
-In which case the initiator.project_id as seen in the keystone token will be equal to the target.project_id. 
-While this may be correct in most cases, if the services policy allows cross-project operations, one of the following approaches is suggested.
-
-2. Extract target project id from request path.  
-Assumptions: Initiator may be anonymous (not authenticated). The request path contains the project id.  
-For example swift (object-store) requests might contain the uid of the target project id in the format `../<version>/AUTH_<target_project_id>/..`
-This does not allow conclusions on the initiator, but on the target. 
-
-3. Extract target project id from service catalog.
-Assumption: Initiator is authenticated. The token is scoped to the target project and its service catalog contains endpoint(s) for the relevant service 
-that include the project id in the format `http(s)://<service>:<port>/<version>/<target_project_id>`.
-This requires `include_service_catalog = true` in the keystone.auth_token middleware and does not work when unauthenticated requests are allowed.
-See section [keystone auth_token middleware](#keystone-auth_token-middleware). 
- 
-#### CADF actions
-
-Actions characterize the operation performed by the initiator of a request against a target. 
-A comprehensive definition of these actions is provided by the CADF specification mentioned above.
-The watcher is capable of classifying request actions based on the HTTP method and path as follows:
-```
-|---------------|-------------------|-------------------|
-| HTTP method   | Path              | Action            |
-|---------------|-------------------|-------------------|
-| GET           |                   | read              |
-| GET           | ../detail         | read/list         | 
-| HEAD          |                   | read              |
-| PUT           |                   | update            |
-| PATCH         |                   | update            |
-| POST          |                   | create            |
-| POST          | ../auth/tokens    | authenticate      |
-| DELETE        |                   | delete            |
-| COPY          |                   | create/copy       |
-|---------------|-------------------|-------------------|        
-```
-
-Using this mapping the watcher is capable of classifying request actions correctly in most cases.  
-However, some cases require a different mapping to alternative actions.
-The default classification can be overwritten using a custom_actions mapping
-  
-An example for swift (object-store) looks like this:
-```yaml
-custom_actions:
-  account:
-    - method:       GET
-      action_type:  read/list
-    - method:       POST
-      action_type:  update
-
-    - container:
-        - method:       GET
-          action_type:  read/list
-        - method:       POST
-          action_type:  update
-
-        - object:
-            - method:       POST
-              action_type:  update
-```
-This configuration results in the following mapping:
-```
-|---------------|-----------------------------------|-------------------|
-| HTTP method   | Path                              | Action            |
-|---------------|-----------------------------------|-------------------|
-| GET           | ../v1/account                     | read/list         |
-| POST          | ../v1/account                     | update            |
-| GET           | ../v1/account/container           | read/list         |
-| POST          | ../v1/account/container           | update            | 
-| POST          | ../v1/account/container/object    | update            |
-| ...           |                                   |                   |
-|---------------|-----------------------------------|-------------------|    
-````
-
-#### Action requests
-
-Some requests may use `POST` or `PUT` with a path including `/action` or `/os-instance-actions` and a json body to perform an action on a resource.
-In which case the middleware evaluates the request body to determine the action.
-The default mapping will return a CADF action in the following format: `update/<action>`.
-A `os-` prefix will be trimmed from the action.  
-
-Example: Nova (compute) add security group to an instance and reset state
-````
-|---------------|-----------------------------------|-------------------------------------------|---------------------------|
-| HTTP method   | Path                              | JSON body                                 | CADF action               |
-|---------------|-----------------------------------|-------------------------------------------|---------------------------|
-| POST          | /servers/{server_id}/action       | { "addSecurityGroup": { "name": "test" }} | update/addSecurityGroup   |
-| POST          | /servers/{server_id}/action       | { "os-resetState": { "state": "active" }} | update/resetState         |
-| ...           | ...                               |                                           |                           |
-|---------------|-----------------------------------|-------------------------------------------|---------------------------|
-````
-  
-The default behaviour can be overwritten by providing the following configuration:
-```
-custom_actions:
-  servers:
-    server:
-      action:
-        - <original_action>: <cadf_action>
-        - addSecurityGroup: update/addSecurityGroup
-        - os-resetState: update/os-resetState
-```
-
-#### CADF target type URI
-
-The *target type URI* is a CADF specific representation of the request's target URI consisting of
-a service-specific prefix and the target URI without version or UUID strings. 
-
-In most cases this middleware builds the target type URI by concatenating the `service/<service_type>` prefix and
-all parts of the target URI which do not contain a UUID.
-In case a UUID is found, it's substituted by the singular of the previous part.  
-Should this default behaviour not suffice, writing a [custom strategy](./watcher/target_type_uri_strategy.py) might be required.
-
-Examples:
-```
-|-------------|-------------------------------------------------|-----------------------------------------------|
-| Service     | Target URI                                      | CADF Target Type URI                          |
-|-------------|-------------------------------------------------|-----------------------------------------------|
-| compute     | /servers/{server_uuid}/action                   | service/compute/servers/server/action         |
-| dns         | /v2/zones/{zone_id}/recordsets/{recordset_id}   | service/dns/zones/zone/recordsets/recordset   |
-| ...         | ...                                             | ...                                           |
-|-------------|-------------------------------------------------|-----------------------------------------------|
-```
 
 ### Metrics
 
 The openstack-watcher-middleware exposes the following Prometheus metrics via statsD.
 
-`openstack_watcher_api_requests_total`              - total count of api requests
-`openstack_watcher_api_requests_duration_seconds`   - request latency
+`openstack_watcher_api_requests_total`                  - total count of api requests
+`openstack_watcher_api_requests_duration_seconds`       - request latency in seconds
+`openstack_watcher_api_requests_duration_seconds_count` - total number of samples of the request duration metric
+`openstack_watcher_api_requests_duration_seconds_sum`   - sum of request latency
 
 ## Supported Services
 
@@ -201,6 +77,7 @@ This middleware currently provides CADF-compliant support for the following Open
 | Ironic                | baremetal             |
 |-----------------------|-----------------------|
 ````
+
 Configurations for these services are provided [here](./etc) 
 Support for additional OpenStack services might require additional action configurations.
 
@@ -211,29 +88,16 @@ Install via
 pip install git+https://github.com/sapcc/openstack-watcher-middleware.git 
 ```
 
-### Keystone auth_token middleware
-
-The watcher determines the initiator of an action via its keystone token,
-thus the middleware needs to be added *after* the [keystone.auth_token middleware](https://docs.openstack.org/keystone/queens/admin/identity-auth-token-middleware.html).  
-Setting `include_service_catalog = true` includes the service catalog on token validation, 
-which enables the watcher to determine the target project id for a service based on the endpoint(s) found in this scoped catalog.
-
-**Note**:
-Setting`delay_auth_decision = true`, configures the auth_token middleware to delegate the authorization decision to downstream WSGI components.
-This enables unauthenticated requests, hence the initators project, domain and user uid *cannot* be determined via the keystone token and are `Unknown`.
-In which case the initiator can only be characterized by its client address.
-Furthermore, the *target.project_id* cannot be extracted from the token nor the service catalog.
-If the request path does not include the target.project_id, it will be `Unknown`. 
-
 ### Pipeline 
 
-The watcher should be added after the auth_token middleware.
+The watcher should be added after the keystone auth_token middleware to be able to obtain information on the scope (project/domain) of the action.
 ```
 pipeline = .. auth_token watcher ..
 ```
 
-### Watcher configuration
-and configure by adding the following snippet to the paste.ini:
+### WSGI configuration
+
+Configuration options in the paste.ini as shown below
 ```yaml
 [filter:watcher]
 use = egg:watcher-middleware#watcher
@@ -252,15 +116,54 @@ project_id_from_path = true | false
 # determine the project id from the service catalog
 project_id_from_service_catalog = true | false
 
-# per default the target.type_uri is prefixed by 'service/<service_type>/'.
+# per default the target.type_uri is prefixed by 'service/<service_type>/'
 # if the cadf spec. requires a different prefix, it might be given here 
 # example: swift (object-store)
-# service_type = object-store would result in 'service/object-store/', but cadf requires 'service/storage/object/',
-# so one needs to set cadf_service_name = service/storage/object
+# service_type = object-store
+# cadf_service_name = service/storage/object
 cadf_service_name = <service_name>
 
 # metrics are emitted via StatsD
 statsd_host = 127.0.0.1
 statsd_port = 9125
 statsd_namespace = openstack_watcher
 ```
+
+#### Configuration file
+
+Additionally, the watcher might require a configuration file.  
+For existing services these can be found in the [examples](./etc).
+More details are provided [here](./doc/cadf.md)
+
+The following snippet provides an overview of configuration options for a service.
+```yaml
+# keywords in a request path are followed by the UUID or name of a resource.
+# in the target type URI the UUID or name of a resource is replaced by the singular of the keyword.
+# a custom value for the singular can also be provided by a mapping <plural>:<singular>
+# moreover, if a path ends with a keyword the action will be 'read/list'
+path_keywords:
+    - users
+    - tokens
+    - availability-zones: zone
+    ..
+
+# per default every word following a path keyword is replaced. 
+# however, exclusions can be configured by this list 
+path_exclusions:
+    - OS-PKI
+    - ..
+
+# some request path' are quite hard to map to their target type URI as the replacements can't be derived from the previous part.
+# thus, in some cases providing a mapping of <path_regex>: <target_type_URI> might be inevitable
+# note: the complete path (including versions, etc. ) needs to be reflected in the regex 
+regex_path_mapping:
+  - '\S+/domains/config/[0-9a-zA-Z_]+/default$': 'domains/config/group/default'
+
+# CADF actions are determined by the request method and their path as outlined in the table in the CADF section of this documentation
+# however, these can be overwritten using the target type URI and the request method with a custom action_type
+custom_actions:
+  tokens:
+    - token:
+        - method: GET
+          action_type: custom_action
+```