97fffede9e
Recent changes in Keystone to move trust enforcement [0] to default policies is currently breaking several voting gates in Patrole. This commit updates the trusts_rbac tests to account for these changes. Additionally, 'test_list_trusts' is updated so that it does indeed test 'identity:list_trusts'. If a 'trustor_user_id' or 'trustee_user_id' is passed into list_trusts() then a different policy action will be enforced. A future commit will add tests for the actions added here [1]. Added new feature flag called ``keystone_policy_enforcement_train`` under the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts`` test backwards compatible, test the current release, and test the correct policy action. The Keystone Trust API is enforced differently depending on passed arguments. The new feature flag is needed so that all the voting gates pass, otherwise the 'test_list_trusts' is not backwards compatible and would not test the correct policy action in the current release. [0] https://review.opendev.org/#/q/topic:trust-policies+(status:open+OR+status:merged) [1] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py Change-Id: Ia5661e12977b26e1c16f09a074d1a805263c6c22 |
||
|---|---|---|
| .. | ||
| README.rst | ||
| plugin.sh | ||
| settings | ||
README.rst
Enabling in Devstack
Warning
The stack.sh script must be run in a disposable VM that
is not being created automatically. See the README
file in the DevStack repository for more information.
Download DevStack:
git clone https://git.openstack.org/openstack-dev/devstack.git cd devstackPatrole can be installed like any other DevStack plugin by including the
enable_plugindirective inside local.conf:> cat local.conf [[local|localrc]] enable_plugin patrole https://git.openstack.org/openstack/patroleRun
stack.shfound in the DevStack repo.