183 Commits

Author SHA1 Message Date
Ghanshyam Mann b540700061 Retire patrole
Patrole project is not active anymore and its gate is broken.
We waited for a couple of cycles to see if there is any interest
in this project and anyone can maintain it. But we did not get any
new maintainers and current QA team does not have bandwidth/interest
to continue maintaining it.

This project was for RBAC testing which is moving towards unit/functional
tests on service side as well as tempest plugins tests.

In QA 2023.2 PTG, we decided to retire this project

- https://etherpad.opendev.org/p/qa-bobcat-ptg

Change-Id: I7721cf06104e5871ec27cdd87d4608dace60a8b7
2023-04-10 22:29:00 -05:00
Ghanshyam Mann 7ce2d1472e Add releasenote to tag the Patrole for Yoga release
This commit adds the releasenote to tag Patrole for Yoga
release.

Change-Id: I52701cc3ec3b5c89d786dbd2e6e911114c203dd0
2022-03-02 10:27:42 -06:00
Ghanshyam Mann 588c33d6d7 [Fix gate]: Cinder policy change handling in tests
Cinder policies are made more granular and now we need
to adjust the patrole tests to handle those changed policies.

This commit introduces a new flag so that we test the old
policies in stable branches and new one in Xena onwards.

Change-Id: I4be60e3e92704f8e55d3acdb0e025078ae5b21f1
2021-09-21 22:38:37 +00:00
Ghanshyam Mann f304d7aaac Add release notes page for version 0.13.0
Patrole 0.13.0 has been released and this
commit adds a new page for 0.13.0 release notes.

Change-Id: Ib4975ffdc37ca9b347d241b652a165c427ba3821
2021-09-13 10:48:26 -05:00
Ghanshyam Mann 329f6a8dd7 Add releasenote to tag the Patrole for Xena release
This commit adds the releasenote to tag Patrole for Xena
release.

Change-Id: I9f1adc63e59581de90fea6426be665c71a9158c0
2021-09-11 00:39:08 -05:00
Sam Kumar f4bae14ce9 Fixed issue with backup delete
1) Updated class level create_backup function to wait for resource delete
2) Switched the wait_for_resource_deletion handler before delete_backup,
   the clean_up function uses list pop() to perform cleanup. The backup
   has to be deleted before the wait_handler is called

Depends-On https://review.opendev.org/c/openstack/tempest/+/781142

https://storyboard.openstack.org/#!/story/2008683

Change-Id: I6ebc6dcb729baa775e36026081cd8bbf0d5c203f
2021-04-02 19:50:03 +00:00
Martin Kopec 43bf0d78b4 Add release notes page for version 0.12.0
Patrole 0.12.0 has been released [1].
This commit adds a new page for 0.12.0 release notes.

[1] https://review.opendev.org/c/openstack/releases/+/783115

Change-Id: Ibbb1000d633372e2ca37b306fec3c284059905ba
2021-04-01 14:35:28 +00:00
Martin Kopec ff6c9e8815 Add release notes page for version 0.11.0
Patrole 0.11.0 has been released [1].
This commit adds a new page for 0.11.0 release notes.

[1] https://review.opendev.org/c/openstack/releases/+/767164

Change-Id: I123cf4ad83abcbf883ac33bfb376470e71dc8ae6
2021-04-01 14:34:22 +00:00
Ghanshyam Mann 54fc749ddc Add releasenote to tag the Patrole for Wallaby release
This commit adds the releasenote to tag Patrole for Wallaby
release.

Change-Id: Idf680e5749368b81de2bc6cd1e3e8d3ec88cfbd9
2021-03-25 13:36:38 -05:00
Ghanshyam Mann 5c466a2301 Add releasenote to tag the end of support for Stein
This releasenote also marks end of support for Stein release
in Patrole as it is in EM state[1].

[1] https://releases.openstack.org/

Change-Id: I8f7d60e8a8e1766e14b37cbcbc3649c212520d00
2020-12-14 23:57:15 +00:00
Ghanshyam Mann 1b8838f189 Fix gate: Add feature flag for nova policies removed in Wallaby
This patch set adds a new feature flag called
``removed_nova_policies_wallaby`` under the configuration
group ``[policy-feature-enabled]`` for skipping Nova
tests whose policies were removed in Wallaby. This feature flag
is currently applied to os-agents which is removed in nova
recently - https://review.opendev.org/#/c/749309

Change-Id: Iaa0ddbdca454b93bd8373ce749603f28c5c59180
2020-11-17 14:15:05 +00:00
Masayuki Igawa 99ff11fd42 Add release notes page for version 0.10.0
Patrole 0.10.0 has been released [1].
This commit adds a new page for 0.10.0 release notes.

[1] https://review.opendev.org/#/c/752785/

Change-Id: I1c26117b14d48e6bda7e8c94cd8f3f18b6f95514
2020-09-22 17:06:38 +09:00
Masayuki Igawa 782375db0a Add releasenote to tag the Patrole for Victoria release
This commit adds the releasenote to tag Patrole for Victoria
release.

Change-Id: I4b39e0f1d027c684efabb98b5cdcf9e467574b71
2020-09-18 15:05:58 +00:00
Ghanshyam Mann cfac16a78c Fix gate for multiple issues
1. To have mock installed for unit tests

unit tests jobs use tempest version released in pypi
which has use of mock but in a recent change mock requirement
is removed from requirements file and it ends up failing.

- https://zuul.opendev.org/t/openstack/build/c3a33c501c054db9b1eecedb7d4b2c48

Let's add mock into the requirement file to be installed for unit tests
job until we bump the min version of tempest to latest.

2. Nova policy granular work
https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh-deprecated-apis+(status:open+OR+status:merged)
Adding new flag to handle the policy changed in Victoria.

Depends-On: https://review.opendev.org/#/c/745158/

Change-Id: I3683cca390b44146c217ce8600f63a9894057058
2020-08-14 11:49:39 +00:00
Andreas Jaeger 5d65c587f2 Switch to newer openstackdocstheme and reno versions
Switch to openstackdocstheme 2.2.0 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems

Update Sphinx version as well.

Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.

Set openstackdocs_auto_name to use 'project' as name.

Change-Id: I80932c070dbddf9a75f64b0a4d4c614efd5a06ff
2020-05-19 20:26:58 +02:00
Zuul 1686d23f38 Merge "Cleanup py27 support" 2020-04-28 20:37:34 +00:00
Ghanshyam Mann 1d88d08149 Add release notes page for version 0.9.0
Patrole 0.9.0 has been released.
This commit adds a new page for 0.9.0 release notes.

Change-Id: I0802b5c934402b8d25113cea5eb55ab1f9494038
2020-04-23 17:07:22 -05:00
Ghanshyam Mann 6f0c119f9c Add releasenote to tag the Patrole for Ussuri release
This commit adds the releasenote to tag Patrole for ussuri
release.

Change-Id: I369fb27036d91f5b6effcc1561b7f5cded93966d
2020-04-23 04:05:02 +00:00
Ghanshyam Mann ee53f843fc Gate fix and update compute tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.

With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.

This commit updates the security group and server password
policy tests to move to new policies from ussuri onwards.

Also add the already fixed instance action policy in reno

Also fix the gate to parse the combining of deprecated rule
check_str with oslo policy parser instead of string processing.

Story: #2007585
Task: #39516

[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html

Change-Id: If661299231d548ce40a2e340b1ddb9ebe8d3f964
2020-04-22 02:57:42 +00:00
Andreas Jaeger d69a6367a1 Cleanup py27 support
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg
- Update classifiers
- Use newer openstackdocstheme and Sphinx versions
- Cleanup */source/conf.py to remove now obsolete content.
- Remove install_command from tox.ini, the default is fine
- Remove hacking requirements from lower-constraints, they
  are not needed for install

Change-Id: I150a5ee2cd08abf5ce9cf9daf2835007dea0dffd
2020-04-21 10:16:21 +00:00
Ghanshyam Mann 84cb426c16 Update compute hypervisor tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.

With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.

This commit updates the hypervisors policy tests
to move to new policies from ussuri onwards.

[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html

Change-Id: Ic540a42be0b05fc7c53c7ca78f6ff8e5725340e1
2020-04-01 22:59:21 +00:00
Ghanshyam Mann be0154c17d Update compute instance-usage and agents tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.

With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.

This commit updates the os-instance-usage-audit-log and os-agents tests
to move to new policies from ussuri onwards.

[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html

Change-Id: I9eb2964c0ffb7022d52fc94c97bbd25c76b6d6d8
2020-03-31 15:12:37 -05:00
Ghanshyam Mann 7564244a25 Update compute tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.

With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.

This commit updates the os-deferred_delete and os-attach-interfaces
tests to move to new policies from ussuri onwards.

[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html

Change-Id: I399e9e2bf944cfbba4b47f05ba2f529cbc1b9ea1
2020-03-26 00:28:02 +00:00
Zuul f75396ceac Merge "[ussuri][goal] Drop python 2.7 support and testing" 2020-03-03 17:04:52 +00:00
Ghanshyam Mann 51368ef31c [ussuri][goal] Drop python 2.7 support and testing
OpenStack is dropping the py2.7 support in ussuri cycle.

patrole is ready with python 3 and ok to drop the
python 2.7 support.

Complete discussion & schedule can be found in
- http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support

Ussuri Community-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html

Change-Id: Ied5cfb29363401d713c21fc579f30e1ef9c1210f
2020-02-28 01:22:58 +00:00
Ghanshyam 2189883d20 Add release notes page for version 0.8.0
Patrole 0.8.0 has been released [1].
This commit adds a new page for 0.8.0 release notes.

[1] https://review.opendev.org/#/c/703523/

Change-Id: I61333ba564d6f067dd8063fd89847ac58ed93d1d
2020-01-22 14:58:30 -06:00
Ghanshyam 37d819201c Add releasenote to tag the end of support for Queens
This releasenote marks end of support for Queens release
in Patrole as Queens is in EM state[1].

[1] https://releases.openstack.org/

Change-Id: I863bc93ab65532c7ec3f02236198ac7c5d5b1329
2020-01-18 15:19:41 -06:00
Rick Bartra f8923d1ddf fix: admin and member gates are broken
The patrole-admin and patrole-member gates are broken because they
are trying to test a policy action ('os_compute_api:os-services') that
was changed in the Ussuri release. This commit adds a new policy feature
flag so that this policy test is backwards compatible.

Change-Id: Ia80279ae8ffcc17f10bed05338c41d0c23eea063
2020-01-06 14:31:29 -05:00
Ghanshyam Mann c33986b138 Add release notes page for version 0.7.0
Patrole 0.7.0 has been released [1].
This commit adds a new page for 0.7.0 release notes.

[1] https://review.opendev.org/#/c/685430/

Change-Id: I8420471c70abd17846529710100bf834581e41b0
2019-10-07 17:52:08 +00:00
Ghanshyam Mann 7ac8dfbaa4 Add releasenote to tag the Patrole for Train release
This commit adds the releasenote to tag Patrole for Train
and needed for version 0.7.0 to release.

Change-Id: Ie654d8634b887eaf1b24a7dba21751c3d18e088c
2019-09-30 10:59:06 +00:00
Rick Bartra 97fffede9e fix: admin, member, and reader gates broken
Recent changes in Keystone to move trust enforcement [0] to default
policies is currently breaking several voting gates in Patrole.
This commit updates the trusts_rbac tests to account for these changes.

Additionally, 'test_list_trusts' is updated so that it does indeed test
'identity:list_trusts'. If a 'trustor_user_id' or 'trustee_user_id' is passed
into list_trusts() then a different policy action will be enforced. A future
commit will add tests for the actions added here [1].

Added new feature flag called ``keystone_policy_enforcement_train`` under
the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts``
test backwards compatible, test the current release, and test the correct policy
action. The Keystone Trust API is enforced differently depending on passed arguments.

The new feature flag is needed so that all the voting gates pass, otherwise the
'test_list_trusts' is not backwards compatible and would not test the correct
policy action in the current release.

[0] https://review.opendev.org/#/q/topic:trust-policies+(status:open+OR+status:merged)
[1] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py

Change-Id: Ia5661e12977b26e1c16f09a074d1a805263c6c22
2019-09-12 23:57:40 -04:00
Ghanshyam Mann 416286a658 Add release notes page for version 0.6.0
Patrole 0.6.0 has been released [1].
This commit adds a new page for 0.6.0 release notes.

[1] https://review.opendev.org/#/c/672485/

Change-Id: Ife0ac2e4a38d96ea312e6c410f85b4e0a97c2f4a
2019-08-01 13:00:49 +00:00
Ghanshyam Mann bad5c037bd Add releasenote to tag the end of support for Pike
This releasenote also marks end of support for Pike release
in Patrole as Pike is in EM state[1].

[1] https://releases.openstack.org/

Change-Id: I71c211f91c320299c873652f46acd5cb93afb825
2019-07-17 12:59:58 +00:00
Ghanshyam Mann 5bb8f59557 Revert "Update master for stable/stein"
This reverts commit 27fdf563f0.

Change-Id: Id62e27156aefbac98a0eac27fa0fbdc55a21b138
2019-07-13 12:26:23 +00:00
OpenStack Release Bot 27fdf563f0 Update master for stable/stein
Add file to the reno documentation build to show release notes for
stable/stein.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.

Change-Id: I1b79f8a70ae21003eb9aaf3dea618356c11c2d25
Sem-Ver: feature
2019-04-11 16:29:31 +00:00
ghanshyam f04d671d15 Add release notes page for v0.5.0
Patrole 0.5.0 has been released [1].
This commit adds a new page for v0.5.0 release notes.

[1] https://review.openstack.org/#/c/645868/

Change-Id: I1a75d5b57db1b6982411aace96ef9dc326d1fa90
2019-03-25 23:44:32 +00:00
ghanshyam 87d83ea6f1 Add releasenote to tag the Patrole for Stein release
This commit adds the releasenote to tag Patrole for Stein
and needed for version 0.5.0 to release.

Change-Id: Ibffc826d207bbc57c0c4336810f91b6e0134330b
2019-03-22 04:51:23 +00:00
Sergey Vilgelm ace8ea37c8 Refactoring RbacUtils
Remove RbacUtils class and move all functionality to RbacUtilsMixin.

Story: 2002604
Task: 22223

Change-Id: If476be8fd3df78b28669ca940ebeb288af534899
2019-02-05 09:44:37 -06:00
Sergey Vilgelm 19e3becfc7 Support implied rules
Using keystone API[0] to get all role inference rules and makes it
possible to extend the used list of roles with implied roles.

[0] https://developer.openstack.org/api-ref/identity/v3/#list-all-role-inference-rules
Change-Id: Ia57351f3b21a82f4556ec61323abd295b427fc1e
2019-01-31 08:20:44 -06:00
Sergey Vilgelm 55e5dfe640 Fix OverPermission exception for keystone tests
Extend the roles in `access_token` according to the implementation[0]
of the bp basic-default-roles:
    `admin` implies `member` implies `reader`
Support deprecated rules.

[0] Ie18a269e3d1075d955fe494acaf634a393c6bd7b

Change-Id: I0d0de2a20b03548a7e5dab1ee7af7b72651abcb6
Story: 2004709
Task: 28740
2019-01-28 07:45:07 -06:00
Sergey Vilgelm bab9e9467c Helper for validating RBAC list actions
List RBAC actions typically perform soft authorization checks meaning
that the response bodies omit resources that the user isn't authorized
to see.
For example, if an admin user creates a user, member role might not be
able to see that user when listing all the users in a tenant,
depending on the RBAC rule.
This patch set adds override_role_and_validate_list function to
RbacUtils to validate RBAC flows for API list actions.

Change-Id: I5f39efc8aa0004d4ad435cbd6b8fb037c33832d6
2018-11-14 12:58:52 -06:00
Zuul ba9829d547 Merge "RequirementsAuthority multi role support enhancement" 2018-11-13 22:26:26 +00:00
Mykola Yakovliev d02a8d836c RequirementsAuthority multi role support enhancement
This patchset eliminates different behaviour between
policy_authority and requirements_authority.

Problem description:

`rbac_test_roles = [member,]`

Policy authority:

`update_port: role:member and role:viewer`

Results in 403/False (we are member but not viewer).

Requirements authority:

```
req_auth:
    update_port:
        - member
        - viewer
```

Results in 200/True (member in update_port list).

Proposed solution:

Change requirements_authority file syntax to support
comma separated roles to be considered as logical and.

Depends-On: https://review.openstack.org/#/c/606110/
Change-Id: I2e2a4a2020f5e85af15f1836d69386bc91a2d2ec
Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com>
2018-11-08 14:44:09 +00:00
Felipe Monteiro 74f8e7d97f refactor: Break up RbacMalformedException into discrete exceptions
This patch set breaks up RbacMalformedException into the following
discrete exceptions:

* RbacMissingAttributeResponseBody
* RbacPartialResponseBody
* RbacEmptyResponseBody

Each of the exception classes deals with a different type of
failure related to a soft authorization failure [0] which
means that a failure occurred server side related to RBAC
authorization, but the result of which is an incomplete, partial
or empty response body (with a 2xx status code).

* incomplete means that the response body (for show or list)
  is missing certain attributes
* partial means that a list response only returned a subset of
  the possible results available.
* empty means that the show or list response body is entirely
  empty

Because RbacMalformedException is not part of a stable library
it is removed altogether; we do not need to deprecate it.

[0] http://git.openstack.org/cgit/openstack/patrole/tree/doc/source/rbac-overview.rst#n232

Story: 2003843
Task: 26633
Change-Id: I2c76c3c4d226e4877fc9d1e93707edfc230a1be4
2018-11-07 16:23:51 -05:00
Mykola Yakovliev e0f35503c9 Multi role RBAC validation
This patchset replaces ``CONF.patrole.rbac_test_role`` with
``CONF.patrole.rbac_test_roles``, where instead of single role
we can specify list of roles to be assigned to test user.

Change-Id: Ia68bcbdbb523dfe7c4abd6107fb4c426a566ae9d
2018-10-31 20:45:13 +00:00
Felipe Monteiro c38aca7587 Add feature flag for Keystone policies removed in Stein
This patch set adds a new feature flag called
``removed_keystone_policies_stein`` under the configuration
group ``[policy-feature-enabled]`` for skipping Keystone
tests whose policies were removed in Stein. This feature flag
is currently applied to credentials-related policies, e.g.:
identity:[create|update|get|delete]_credential

More info on removed Keystone policies:

https://review.openstack.org/#/c/597187/16

Change-Id: Ibd16e658d0e1367b46a2d6730f2b6970a95ae221
2018-10-31 01:24:24 -04:00
Felipe Monteiro bf524fbcf5 Deprecate use of v2 roles client in rbac_utils.py
This patch set deprecates use of the v2 roles client for
role overriding operations. This is because the Keystone v2 API
is deprecated and slated for removal, so Patrole's use of the
v2 Tempest roles client is also deprecated and will be
removed in a future release. Patrole will only support the v3 Tempest
roles client for role overriding operations in the future.

Change-Id: I9b201677cf8244b25f3cc8ea3b48a95b2b83b95e
2018-10-19 00:27:41 +00:00
Felipe Monteiro 59f538fdbd Replace rule/expected_error_code with non-deprecated versions
This patch set replaces deprecated occurrences of rule with
rules and expected_error_code with expected_error_codes in
rbac_rule_validation.action decorator.

Along with removing the parameters from the decorator, all the
API tests have been changed to use the non-deprecated parameters
instead. Unit tests have also been updated.

Change-Id: I6485b6c57795b5fe75e2b339d5c9720da30be564
2018-10-04 17:23:16 +01:00
Zuul 404199107e Merge "Use oslo_policy.policy.Rules.load to load rules" 2018-09-27 22:23:32 +00:00
Chi Lo 8c04bd8780 Add granularity for volume_extension:volume_type_encryption
Use granular rules:
volume_extension:volume_type_encryption:create
volume_extension:volume_type_encryption:delete
volume_extension:volume_type_encryption:update
volume_extension:volume_type_encryption:get

for the corresponding create, delete, update, and
get volume_type_encryption test cases.

Depends-On: Iba58e785df934d1c4175c0877d266193ac0167b7

Change-Id: Ie5159166505d9bee3e99ca0d51949f6391c569b9
2018-09-16 06:31:39 -05:00