Fixed audit notifications for l3-agent-router ops
authorMaruti <maruti.kamat@hp.com>
Sat, 7 Jun 2014 12:42:45 +0000 (05:42 -0700)
committerMaruti <maruti.kamat@hp.com>
Tue, 15 Jul 2014 06:05:37 +0000 (23:05 -0700)
l3-agent-router-add and l3-agent-router-remove do not
generate audit notifications which are used for security
compliance.
CRUD operations of core network resources are
handled by neutron/api/v2/base.py. In base.py, each of
create(), update(), delete() methods makes calls to
oslo.messaging.Notifier.info() to generate these notifications.
The proposed fix applies the same approach in
extensions/l3agentscheduler.py by adding info() calls inside its
create() and delete() methods.

Change-Id: I1354e51e4af24eda128c042926765683018b320b
Closes-Bug: 1317000

neutron/extensions/l3agentscheduler.py
neutron/tests/unit/openvswitch/test_agent_scheduler.py

index 689cc9ba910788009bdca15770f6e621c69244eb..8e110e10e9b4b8b35808d30f5c8c1e5cddf496b8 100644 (file)
@@ -22,6 +22,7 @@ from neutron.api.v2 import base
 from neutron.api.v2 import resource
 from neutron.common import constants
 from neutron.common import exceptions
+from neutron.common import rpc as n_rpc
 from neutron.extensions import agent
 from neutron import manager
 from neutron.openstack.common import log as logging
@@ -63,18 +64,23 @@ class RouterSchedulerController(wsgi.Controller):
         policy.enforce(request.context,
                        "create_%s" % L3_ROUTER,
                        {})
-        return plugin.add_router_to_l3_agent(
-            request.context,
-            kwargs['agent_id'],
-            body['router_id'])
+        agent_id = kwargs['agent_id']
+        router_id = body['router_id']
+        result = plugin.add_router_to_l3_agent(request.context, agent_id,
+                                               router_id)
+        notify(request.context, 'l3_agent.router.add', router_id, agent_id)
+        return result
 
     def delete(self, request, id, **kwargs):
         plugin = self.get_plugin()
         policy.enforce(request.context,
                        "delete_%s" % L3_ROUTER,
                        {})
-        return plugin.remove_router_from_l3_agent(
-            request.context, kwargs['agent_id'], id)
+        agent_id = kwargs['agent_id']
+        result = plugin.remove_router_from_l3_agent(request.context, agent_id,
+                                                    id)
+        notify(request.context, 'l3_agent.router.remove', id, agent_id)
+        return result
 
 
 class L3AgentsHostingRouterController(wsgi.Controller):
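Review bot: The event type names passed to notify() in create() and delete() ('l3_agent.router.add', 'l3_agent.router.remove') are bare string literals that the unit tests repeat verbatim, so a typo on either side breaks the audit trail without any failure at import time. Hoisting them next to the existing L3_ROUTER constant, e.g. `ROUTER_ADD_EVENT = 'l3_agent.router.add'` and `ROUTER_REMOVE_EVENT = 'l3_agent.router.remove'`, and using the constants in both the controller and the tests keeps the two sides in sync. Note also that notify() runs only after the plugin call returns, so a request that fails at policy.enforce (which presumably raises) or inside the plugin leaves no audit record; if the compliance requirement covers denied or failed attempts, that case needs explicit handling. RouterSchedulerController begins before this hunk.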
@@ -192,3 +198,9 @@ class L3AgentSchedulerPluginBase(object):
     @abc.abstractmethod
     def list_l3_agents_hosting_router(self, context, router_id):
         pass
+
+
+def notify(context, action, router_id, agent_id):
+    info = {'id': agent_id, 'router_id': router_id}
+    notifier = n_rpc.get_notifier('router')
+    notifier.info(context, action, {'agent': info})
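Review bot: notify() has no docstring, and its parameter order (router_id before agent_id) is the reverse of the plugin calls it accompanies, which makes call sites easy to get wrong; a docstring such as `"""Emit an audit notification for a router/l3-agent scheduling change; action is the event type and the payload is {'agent': {'id': agent_id, 'router_id': router_id}}."""` would pin both the argument order and the payload shape that downstream consumers parse. Since this module-level function is what the tests patch by name ('neutron.extensions.l3agentscheduler.notify'), its payload shape is effectively part of the module's contract and worth stating rather than leaving implicit. The function also obtains a notifier via n_rpc.get_notifier('router') on every call; whether that helper caches its result is not visible here, so a module-level notifier may or may not be worthwhile.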
index 04ef593b5aec53a53ecec3e0b1bfc5203aedb8c6..5da6c470813904ef2e4d716e2cc5ca0ea138fecc 100644 (file)
@@ -35,6 +35,7 @@ from neutron import manager
 from neutron.openstack.common import timeutils
 from neutron.openstack.common import uuidutils
 from neutron.plugins.common import constants as service_constants
+from neutron.tests import fake_notifier
 from neutron.tests.unit import test_agent_ext_plugin
 from neutron.tests.unit import test_db_plugin as test_plugin
 from neutron.tests.unit import test_extensions
@@ -170,6 +171,10 @@ class AgentSchedulerTestMixIn(object):
         res = req.get_response(self.ext_api)
         self.assertEqual(res.status_int, expected_code)
 
+    def _assert_notify(self, notifications, expected_event_type):
+        event_types = [event['event_type'] for event in notifications]
+        self.assertIn(expected_event_type, event_types)
+
     def _register_one_agent_state(self, agent_state):
         callback = agents_db.AgentExtRpcCallback()
         callback.report_state(self.adminContext,
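Review bot: _assert_notify() only checks that the expected event_type appears somewhere in the notification list; it never inspects the payload, so a regression that emits the right event with the wrong agent id or router_id (or an empty payload) would still pass. Consider having the helper return the matching notification so callers can also assert on the 'agent' payload built by notify(), e.g. `matches = [e for e in notifications if e['event_type'] == expected_event_type]`, `self.assertTrue(matches, expected_event_type)`, `return matches[0]` (fake_notifier entries are keyed by event_type here, so presumably the payload is recorded alongside it — confirm). The helper also takes a pre-captured list rather than reading fake_notifier.NOTIFICATIONS itself, which is fine but means each caller must remember to reset the fake notifier in setUp. AgentSchedulerTestMixIn continues outside the hunk.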
@@ -223,6 +228,9 @@ class OvsAgentSchedulerTestCaseBase(test_l3_plugin.L3NatTestCaseMixin,
         self.l3agentscheduler_dbMinxin = (
             manager.NeutronManager.get_service_plugins().get(
                 service_constants.L3_ROUTER_NAT))
+        self.notify_p = mock.patch(
+            'neutron.extensions.l3agentscheduler.notify')
+        self.patched_notify = self.notify_p.start()
 
     def restore_attribute_map(self):
         # Restore the original RESOURCE_ATTRIBUTE_MAP
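Review bot: The mock.patch of notify is started with `self.notify_p.start()` but nothing in the hunk stops it; unless a base class registers mock.patch.stopall as a cleanup, the patch stays active after the test and the patched_notify mock leaks into later test cases. Adding `self.addCleanup(self.notify_p.stop)` directly after the start() call makes the lifetime explicit regardless of what the base class does. With notify patched out here, the OvsAgentSchedulerTestCaseBase tests never exercise the real notification path, so coverage of the audit events rests entirely on OvsL3AgentNotifierTestCase. The enclosing method (presumably setUp) begins before this hunk.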
@@ -1186,6 +1194,7 @@ class OvsL3AgentNotifierTestCase(test_l3_plugin.L3NatTestCaseMixin,
         attributes.RESOURCE_ATTRIBUTE_MAP.update(
             agent.RESOURCE_ATTRIBUTE_MAP)
         self.addCleanup(self.restore_attribute_map)
+        fake_notifier.reset()
 
     def restore_attribute_map(self):
         # Restore the original RESOURCE_ATTRIBUTE_MAP
@@ -1208,6 +1217,9 @@ class OvsL3AgentNotifierTestCase(test_l3_plugin.L3NatTestCaseMixin,
                     'router_added_to_agent',
                     payload=routers),
                 topic='l3_agent.hosta')
+            notifications = fake_notifier.NOTIFICATIONS
+            expected_event_type = 'l3_agent.router.add'
+            self._assert_notify(notifications, expected_event_type)
 
     def test_router_remove_from_l3_agent_notification(self):
         plugin = manager.NeutronManager.get_plugin()
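Review bot: The three added lines at the end of the preceding test bind two locals only to pass them straight to _assert_notify, and the next hunk repeats the same pattern for 'l3_agent.router.remove'. A single call `self._assert_notify(fake_notifier.NOTIFICATIONS, 'l3_agent.router.add')` reads more directly and keeps the expected event type next to the assertion that checks it. Both test bodies and the with blocks the new lines sit in begin before their hunks.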
@@ -1226,6 +1238,9 @@ class OvsL3AgentNotifierTestCase(test_l3_plugin.L3NatTestCaseMixin,
                     'router_removed_from_agent',
                     payload={'router_id': router1['router']['id']}),
                 topic='l3_agent.hosta')
+            notifications = fake_notifier.NOTIFICATIONS
+            expected_event_type = 'l3_agent.router.remove'
+            self._assert_notify(notifications, expected_event_type)
 
     def test_agent_updated_l3_agent_notification(self):
         plugin = manager.NeutronManager.get_plugin()