Patrole project is not active anymore and its gate is broken.
We waited for a couple of cycles to see if there is any interest
in this project and anyone can maintain it. But we did not get any
new maintainers and current QA team does not have bandwidth/interest
to continue maintaining it.
This project was for RBAC testing which is moving towards unit/functional
tests on service side as well as tempest plugins tests.
In QA 2023.2 PTG, we decided to retire this project
- https://etherpad.opendev.org/p/qa-bobcat-ptg
Change-Id: I7721cf06104e5871ec27cdd87d4608dace60a8b7
Cinder policies are made more granular and now we need
to adjust the patrole tests to handle those changed policies.
This commit introduces a new flag so that we test the old
policies in stable branches and new one in Xena onwards.
Change-Id: I4be60e3e92704f8e55d3acdb0e025078ae5b21f1
1) Updated class level create_backup function to wait for resource delete
2) Switched the wait_for_resource_deletion handler before delete_backup,
the clean_up function uses list pop() to perform cleanup. The backup
has to be deleted before the wait_handler is called
Depends-On https://review.opendev.org/c/openstack/tempest/+/781142
https://storyboard.openstack.org/#!/story/2008683
Change-Id: I6ebc6dcb729baa775e36026081cd8bbf0d5c203f
This releasenote also marks end of support for Stein release
in Patrole as it is in EM state[1].
[1] https://releases.openstack.org/
Change-Id: I8f7d60e8a8e1766e14b37cbcbc3649c212520d00
This patch set adds a new feature flag called
``removed_nova_policies_wallaby`` under the configuration
group ``[policy-feature-enabled]`` for skipping Nova
tests whose policies were removed in Wallaby. This feature flag
is currently applied to os-agents which is removed in nova
recently - https://review.opendev.org/#/c/749309
Change-Id: Iaa0ddbdca454b93bd8373ce749603f28c5c59180
Patrole 0.10.0 has been released [1].
This commit adds a new page for 0.10.0 release notes.
[1] https://review.opendev.org/#/c/752785/
Change-Id: I1c26117b14d48e6bda7e8c94cd8f3f18b6f95514
Switch to openstackdocstheme 2.2.0 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Set openstackdocs_auto_name to use 'project' as name.
Change-Id: I80932c070dbddf9a75f64b0a4d4c614efd5a06ff
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.
With granularity in few policies make change in policy name so
we have to update the patrole tests to start checking against the
new policy names from ussuri onwards.
This commit updates the security group and server password
policy tests to move to new policies from ussuri onwards.
Also add the already fixed instance action policy in reno
Also fix the gate to parse the combining of deprecated rule
check_str with oslo policy parser instead of string processing.
Story: #2007585
Task: #39516
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
Change-Id: If661299231d548ce40a2e340b1ddb9ebe8d3f964
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg
- Update classifiers
- Use newer openstackdocstheme and Sphinx versions
- Cleanup */source/conf.py to remove now obsolete content.
- Remove install_command from tox.ini, the default is fine
- Remove hacking requirements from lower-constraints, they
are not needed for install
Change-Id: I150a5ee2cd08abf5ce9cf9daf2835007dea0dffd
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.
With granularity in few policies make change in policy name so
we have to update the patrole tests to start checking against the
new policy names from ussuri onwards.
This commit updates the hypervisors policy tests
to move to new policies from ussuri onwards.
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
Change-Id: Ic540a42be0b05fc7c53c7ca78f6ff8e5725340e1
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.
With granularity in few policies make change in policy name so
we have to update the patrole tests to start checking against the
new policy names from ussuri onwards.
This commit updates the os-instance-usage-audit-log and os-agents tests
to move to new policies from ussuri onwards.
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
Change-Id: I9eb2964c0ffb7022d52fc94c97bbd25c76b6d6d8
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.
With granularity in few policies make change in policy name so
we have to update the patrole tests to start checking against the
new policy names from ussuri onwards.
This commit updates the os-deferred_delete and os-attach-interfaces
tests to move to new policies from ussuri onwards.
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
Change-Id: I399e9e2bf944cfbba4b47f05ba2f529cbc1b9ea1
Patrole 0.8.0 has been released [1].
This commit adds a new page for 0.8.0 release notes.
[1] https://review.opendev.org/#/c/703523/
Change-Id: I61333ba564d6f067dd8063fd89847ac58ed93d1d
This releasenote marks end of support for Queens release
in Patrole as Queens is in EM state[1].
[1] https://releases.openstack.org/
Change-Id: I863bc93ab65532c7ec3f02236198ac7c5d5b1329
The patrole-admin and patrole-member gates are broken because they
are trying to test a policy action ('os_compute_api:os-services') that
was changed in the Ussuri release. This commit adds a new policy feature
flag so that this policy test is backwards compatible.
Change-Id: Ia80279ae8ffcc17f10bed05338c41d0c23eea063
Patrole 0.7.0 has been released [1].
This commit adds a new page for 0.7.0 release notes.
[1] https://review.opendev.org/#/c/685430/
Change-Id: I8420471c70abd17846529710100bf834581e41b0
This commit adds the releasenote to tag Patrole for Train
and needed for version 0.7.0 to release.
Change-Id: Ie654d8634b887eaf1b24a7dba21751c3d18e088c
Recent changes in Keystone to move trust enforcement [0] to default
policies are currently breaking several voting gates in Patrole.
This commit updates the trusts_rbac tests to account for these changes.
Additionally, 'test_list_trusts' is updated so that it does indeed test
'identity:list_trusts'. If a 'trustor_user_id' or 'trustee_user_id' is passed
into list_trusts() then a different policy action will be enforced. A future
commit will add tests for the actions added here [1].
Added new feature flag called ``keystone_policy_enforcement_train`` under
the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts``
test backwards compatible, test the current release, and test the correct policy
action. The Keystone Trust API is enforced differently depending on passed arguments.
The new feature flag is needed so that all the voting gates pass, otherwise the
'test_list_trusts' is not backwards compatible and would not test the correct
policy action in the current release.
[0] https://review.opendev.org/#/q/topic:trust-policies+(status:open+OR+status:merged)
[1] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py
Change-Id: Ia5661e12977b26e1c16f09a074d1a805263c6c22
Patrole 0.6.0 has been released [1].
This commit adds a new page for 0.6.0 release notes.
[1] https://review.opendev.org/#/c/672485/
Change-Id: Ife0ac2e4a38d96ea312e6c410f85b4e0a97c2f4a
This releasenote also marks end of support for Pike release
in Patrole as Pike is in EM state[1].
[1] https://releases.openstack.org/
Change-Id: I71c211f91c320299c873652f46acd5cb93afb825
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: I1b79f8a70ae21003eb9aaf3dea618356c11c2d25
Sem-Ver: feature
Patrole 0.5.0 has been released [1].
This commit adds a new page for v0.5.0 release notes.
[1] https://review.openstack.org/#/c/645868/
Change-Id: I1a75d5b57db1b6982411aace96ef9dc326d1fa90
This commit adds the releasenote to tag Patrole for Stein
and needed for version 0.5.0 to release.
Change-Id: Ibffc826d207bbc57c0c4336810f91b6e0134330b
Extend the roles in `access_token` according to the implementation[0]
of the bp basic-default-roles:
`admin` implies `member` implies `reader`
Support deprecated rules.
[0] Ie18a269e3d1075d955fe494acaf634a393c6bd7b
Change-Id: I0d0de2a20b03548a7e5dab1ee7af7b72651abcb6
Story: 2004709
Task: 28740
List RBAC actions typically perform soft authorization checks meaning
that the response bodies omit resources that the user isn't authorized
to see.
For example, if an admin user creates a user, member role might not be
able to see that user when listing all the users in a tenant,
depending on the RBAC rule.
This patch set adds override_role_and_validate_list function to
RbacUtils to validate RBAC flows for API list actions.
Change-Id: I5f39efc8aa0004d4ad435cbd6b8fb037c33832d6
This patchset eliminates different behaviour between
policy_authority and requirements_authority.
Problem description:
`rbac_test_roles = [member,]`
Policy authority:
`update_port: role:member and role:viewer`
Results in 403/False (we are member but not viewer).
Requirements authority:
```
req_auth:
  update_port:
    - member
    - viewer
```
Results in 200/True (member in update_port list).
Proposed solution:
Change requirements_authority file syntax to support
comma separated roles to be considered as logical and.
Depends-On: https://review.openstack.org/#/c/606110/
Change-Id: I2e2a4a2020f5e85af15f1836d69386bc91a2d2ec
Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com>
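The mismatch described in the commit message above, as an added example that is not Patrole's own code: the old list semantics grant `update_port` to a member-only user, while comma-separated AND semantics give the same 403 the policy authority reports. It assumes each list entry is one alternative (OR) and that commas inside an entry mean AND; the function names and sample data are constructed for illustration.

```python
# Added illustration; not Patrole's implementation.
# Assumption: list entries are alternatives (OR); comma-separated roles
# inside one entry must all be held by the user (AND).


def parse_entry(entry):
    """Split 'member, viewer' into the set of roles that must all be held."""
    roles = {r.strip() for r in entry.split(",") if r.strip()}
    if not roles:
        raise ValueError("empty role entry: %r" % (entry,))
    return roles


def legacy_allowed(requirements, action, user_roles):
    """Behaviour before the change: holding any listed role grants access."""
    return any(role in user_roles for role in requirements[action])


def allowed(requirements, action, user_roles):
    """Behaviour after the change: an entry matches only if all its roles are held."""
    held = set(user_roles)
    return any(parse_entry(entry) <= held for entry in requirements[action])


def expected_status(is_allowed):
    """Map the authority's verdict to the status code a test should expect."""
    return 200 if is_allowed else 403


# Constructed sample data mirroring the commit message.
OLD_FILE = {"update_port": ["member", "viewer"]}   # member OR viewer
NEW_FILE = {"update_port": ["member,viewer"]}      # member AND viewer
RBAC_TEST_ROLES = ["member"]

if __name__ == "__main__":
    old = legacy_allowed(OLD_FILE, "update_port", RBAC_TEST_ROLES)
    new = allowed(NEW_FILE, "update_port", RBAC_TEST_ROLES)
    print("old syntax:", expected_status(old))  # disagrees with policy authority
    print("new syntax:", expected_status(new))  # agrees with policy authority
```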
This patch set breaks up RbacMalformedException into the following
discrete exceptions:
* RbacMissingAttributeResponseBody
* RbacPartialResponseBody
* RbacEmptyResponseBody
Each of the exception classes deals with a different type of
failure related to a soft authorization failure [0] which
means that a failure occurred server side related to RBAC
authorization, but the result of which is an incomplete, partial
or empty response body (with a 2xx status code).
* incomplete means that the response body (for show or list)
is missing certain attributes
* partial means that a list response only returned a subset of
the possible results available.
* empty means that the show or list response body is entirely
empty
Because RbacMalformedException is not part of a stable library
it is removed altogether; we do not need to deprecate it.
[0] http://git.openstack.org/cgit/openstack/patrole/tree/doc/source/rbac-overview.rst#n232
Story: 2003843
Task: 26633
Change-Id: I2c76c3c4d226e4877fc9d1e93707edfc230a1be4
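The three soft authorization failures named above, and the list validation described in the earlier `override_role_and_validate_list` commit message, as an added example that is not Patrole's own code: a test that only checks for a 2xx status would record each of these responses as allowed. The exception classes are local stand-ins reusing the names from the commit message; `validate_list`, `classify` and the sample data are constructed for illustration.

```python
# Added illustration; these classes are local stand-ins, not Patrole's own.


class RbacEmptyResponseBody(Exception):
    """The show or list response body is entirely empty."""


class RbacPartialResponseBody(Exception):
    """The list response returned only a subset of the available results."""


class RbacMissingAttributeResponseBody(Exception):
    """A returned resource is missing certain attributes."""


def validate_list(admin_items, role_items, required_attrs=(), key="id"):
    """Compare what the tested role saw against the admin baseline.

    Raises the exception matching the kind of soft failure; returns the
    number of items when the role saw everything with all attributes.
    """
    if admin_items and not role_items:
        raise RbacEmptyResponseBody("role received no items")
    seen = {item.get(key) for item in role_items}
    hidden = [item[key] for item in admin_items if item[key] not in seen]
    if hidden:
        raise RbacPartialResponseBody("hidden from role: %s" % hidden)
    for item in role_items:
        missing = [attr for attr in required_attrs if attr not in item]
        if missing:
            raise RbacMissingAttributeResponseBody(
                "%s lacks %s" % (item.get(key), missing))
    return len(role_items)


def classify(admin_items, role_items, required_attrs=()):
    """Return 'complete' or the name of the soft-failure exception raised."""
    try:
        validate_list(admin_items, role_items, required_attrs)
        return "complete"
    except (RbacEmptyResponseBody, RbacPartialResponseBody,
            RbacMissingAttributeResponseBody) as exc:
        return type(exc).__name__


# Constructed sample: what an admin sees when listing users.
ADMIN_VIEW = [{"id": "u1", "name": "alice", "email": "a@example.org"},
              {"id": "u2", "name": "bob", "email": "b@example.org"}]
```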
This patchset replaces ``CONF.patrole.rbac_test_role`` with
``CONF.patrole.rbac_test_roles``, where instead of a single role
we can specify a list of roles to be assigned to test user.
Change-Id: Ia68bcbdbb523dfe7c4abd6107fb4c426a566ae9d
This patch set adds a new feature flag called
``removed_keystone_policies_stein`` under the configuration
group ``[policy-feature-enabled]`` for skipping Keystone
tests whose policies were removed in Stein. This feature flag
is currently applied to credentials-related policies, e.g.:
identity:[create|update|get|delete]_credential
More info on removed Keystone policies:
https://review.openstack.org/#/c/597187/16
Change-Id: Ibd16e658d0e1367b46a2d6730f2b6970a95ae221
This patch set deprecates use of the v2 roles client for
role overriding operations. This is because the Keystone v2 API
is deprecated and slated for removal, so Patrole's use of the
v2 Tempest roles client is also deprecated and will be
removed in a future release. Patrole will only support the v3 Tempest
roles client for role overriding operations in the future.
Change-Id: I9b201677cf8244b25f3cc8ea3b48a95b2b83b95e
This patch set replaces deprecated occurrences of rule with
rules and expected_error_code with expected_error_codes in
rbac_rule_validation.action decorator.
Along with removing the parameters from the decorator, all the
API tests have been changed to use the non-deprecated parameters
instead. Unit tests have also been updated.
Change-Id: I6485b6c57795b5fe75e2b339d5c9720da30be564
Use granular rules:
volume_extension:volume_type_encryption:create
volume_extension:volume_type_encryption:delete
volume_extension:volume_type_encryption:update
volume_extension:volume_type_encryption:get
for the corresponding create, delete, update, and
get volume_type_encryption test cases.
Depends-On: Iba58e785df934d1c4175c0877d266193ac0167b7
Change-Id: Ie5159166505d9bee3e99ca0d51949f6391c569b9