10 Commits

Author SHA1 Message Date
Ghanshyam Mann b540700061 Retire patrole
Patrole project is not active anymore and its gate is broken.
We waited for a couple of cycles to see if there is any interest
in this project and anyone can maintain it. But we did not get any
new maintainers and current QA team does not have bandwidth/interest
to continue maintaining it.

This project was for RBAC testing which is moving towards unit/functional
tests on service side as well as tempest plugins tests.

In QA 2023.2 PTG, we decided to retire this project

- https://etherpad.opendev.org/p/qa-bobcat-ptg

Change-Id: I7721cf06104e5871ec27cdd87d4608dace60a8b7
2023-04-10 22:29:00 -05:00
Mykola Yakovliev cd2c5fdbb9 Requirements yaml expected service names to be lowercase
Fix comments

Change-Id: I2d96c7a210e73326ed5e56c46db3be2cb53cf61d
2019-01-15 13:48:15 -06:00
Mykola Yakovliev e0f35503c9 Multi role RBAC validation
This patchset replaces ``CONF.patrole.rbac_test_role`` with
``CONF.patrole.rbac_test_roles``, where instead of a single role
we can specify a list of roles to be assigned to the test user.

Change-Id: Ia68bcbdbb523dfe7c4abd6107fb4c426a566ae9d
2018-10-31 20:45:13 +00:00
Felipe Monteiro f16b6b3a1d Update overpermission/underpermission rbac exceptions
This patchset updates rbac_exceptions by bringing the concept
of under-permission and over-permission together. An over-permission
occurs when an unauthorized role is allowed to perform an action
and an under-permission occurs when an authorized role is not
allowed to perform an action. Both of these are important failure
scenarios.

Current Patrole has an RbacOverPermission Exception but uses
a "Forbidden" as a pseudonym for the under-permission version
but this is not ideal for the following reasons:

* Patrole can expect a 404 Not Found due to Neutron policy enforcement [0]
* The naming is inconsistent with RbacOverPermission
* It should have a Patrole wrapper exception (NotFound is used directly
  from Tempest)

So, this patchset:

* renames RbacOverPermission to RbacOverPermissionException
* replaces Forbidden exception with RbacUnderPermissionException
* updates documentation, docstrings and unit tests

In addition, this patchset introduces a new exception called
RbacExpectedWrongException which is raised when the expected
exception does not match the actual exception and both are instances
of 403 and 404, which means that the RBAC test uses the wrong
expected_error_codes.

Change-Id: I681610448cbe0269f02c34ea6afaaaf29c306121
2018-06-29 04:51:33 +00:00
Felipe Monteiro 66d54a9266 Docs: Add requirements authority module to documentation
This patchset includes documentation on the rbac_authority
and the requirements_authority modules. In addition,
the documentation for the policy_authority module is
expanded. All 3 modules are explained together, explaining
that the rbac_authority module contains an abstract
class consumed by the classes in the other two modules.

The use cases for each validation approach are also included
in the documentation.

Finally, some documentation syntax issues are corrected.

Change-Id: I33bbe2da67683faafd0749b687b99237ac815009
2018-06-09 00:30:30 -04:00
Felipe Monteiro 97117b0cc1 Fix typos for custom requirements config options descriptions
This simply corrects some typos for the custom requirements-related
config options' descriptions.

Change-Id: Ibcf4ef0895b365ad75a6714a9a9ec6445037422d
2018-05-23 16:38:11 -07:00
Felipe Monteiro 739041fb9c feature flag: Policy feature enabled config group
A new configuration group ``[policy_feature_enabled]`` has been added to
Patrole which will be responsible for collecting the feature flags to be
used for newly introduced policies or policies that were changed in a
backwards-incompatible way.

    * create_port_fixed_ips_ip_address_policy (Neutron)
    * update_port_fixed_ips_ip_address_policy (Neutron)
    * limits_extension_used_limits_policy (Cinder)
    * volume_extension_volume_actions_attach_policy (Cinder)
    * volume_extension_volume_actions_reserve_policy (Cinder)
    * volume_extension_volume_actions_unreserve_policy (Cinder)

These feature flags will be supported until Pike release cycle
is EOL.

The motivation behind these feature flags is [0] which adds
Pike/Queens gating to Patrole. However, in Queens, Neutron
and Cinder renamed or removed a few policies in a backwards-
incompatible way. These policies can be reviewed here: [1].

This PS requires another PS [2] in devstack's lib/tempest
because Patrole, being a branchless project and hosting the
Patrole devstack plugin itself, must fall back to Tempest's
devstack script to list out the backwards-incompatible
policies in Pike.

A documentation update will also come in a follow up with
information on these feature flags.

[0] I76c4a9b8737bf94f230ab141def652b054120f3b
[1] e.g. http://logs.openstack.org/51/547851/4/check/patrole-member-pike/139c534/job-output.txt.gz#_2018-03-22_21_46_08_392229
[2] I00bdeff9474c54d38b6d6844a041b305bec01ad8

Change-Id: Ia0d9847908a8e723446c16465d68cd7f622c04cc
2018-05-19 16:24:33 +01:00
Felipe Monteiro 4ef7e5309c Remove already-deprecated strict_policy_check option
The option ``[patrole].strict_policy_check`` was deprecated
during the last release cycle (Queens). This was because the
option could be set to False in order to skip tests which
might result in false positives.

This PS, then, removes strict_policy_check references in the code,
updates documentation, and adds a releasenote.

Change-Id: I7f7eda39c0472bd3d70892c801fc4d14db0c0426
2018-03-26 19:44:15 +01:00
Felipe Monteiro b58c1197e9 Remove deprecated [rbac] config group
This PS removes the deprecated [rbac] config group. It was replaced
last release cycle with the [patrole] config group, which has
the exact same options. This is because [patrole] is more user-friendly
and congruent with the project name.

Change-Id: Id1a7af0445bd50f44ddcc4277f952391968726b8
2017-11-27 04:58:28 +00:00
Felipe Monteiro 098a8cd057 Auto-generate sample config file
This PS auto-generates the sample config file using
oslo-config-generator which is how every project should reliably
produce a config file.

In addition, the Patrole documentation was updated to link to the
generated config file, so that the documentation accurately
shows config options.

Change-Id: Ib3c39084b4c2b5a0078d1293d882cf9a9050b29b
Closes-Bug: #1709490
2017-10-04 01:17:13 +00:00