RETIRED, Tempest plugin for testing and verifying RBAC policy enforcement.
raiesmh08 8590c0c628 Removal of re-switching of rbac-role from tearDown
Currently, for every test case class, we need to add
re-switching rbac role in tearDown method. Thus for
every testcase, using the tearDown method becomes
mandatory.

This patch removes tearDown dependency for re-switching
rbac-role.

Co-Authored-By: Mh Raies <mh.raies@ericsson.com>
Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com>

Implements: blueprint refactor-teardown-switch-roles
Change-Id: I3f0026533255c87b8128f2bf3a4aa488382a2523
2017-03-14 15:08:46 -04:00
contrib Decrease overall run time when identity auth is set to v3. 2017-03-13 21:17:31 +00:00
doc/source Copyright and other information correctness 2017-02-06 19:36:35 +00:00
patrole_tempest_plugin Removal of re-switching of rbac-role from tearDown 2017-03-14 15:08:46 -04:00
releasenotes Copyright and other information correctness 2017-02-06 19:36:35 +00:00
.coveragerc Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
.gitignore Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
.gitreview Added .gitreview 2016-12-21 08:20:20 +00:00
.mailmap Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
.testr.conf Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
CONTRIBUTING.rst Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
HACKING.rst Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
LICENSE Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
README.rst Improve documentation 2017-01-20 11:12:54 -05:00
babel.cfg Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
requirements.txt Switch to oslo_log 2017-01-19 14:41:13 +05:30
setup.cfg update homepage with developer documentation page 2017-01-19 13:43:10 +05:30
setup.py Fixed AT&T Copyright statements 2017-01-27 12:46:27 -05:00
test-requirements.txt Fix test coverage tox command for patrole. 2017-03-04 23:27:31 +00:00
test-whitelist.txt Changes tox to only run unit tests and moves unit tests to tests/unit. 2017-02-28 16:03:08 -05:00
tox.ini Fix test coverage tox command for patrole. 2017-03-04 23:27:31 +00:00

README.rst

patrole

Patrole is a tool for verifying that Role-Based Access Control is being enforced.

Patrole allows users to run API tests using specified RBAC roles. This allows deployments to verify that only intended roles have access to those APIs. This is critical to ensure security, especially in large deployments with custom roles.

Features

Patrole offers RBAC testing for various OpenStack RBAC policies. It includes a decorator that wraps tests and verifies that, when the test calls the corresponding API endpoint, access is granted only to the correct roles.

There are several possible test flows.

If the rbac_test_role is allowed to access the endpoint:
  • The test passes if no 403 Forbidden or RbacActionFailed exception is raised.
If the rbac_test_role is not allowed to access the endpoint:
  • If the endpoint returns a 403 Forbidden exception, the test will pass.
  • If the endpoint returns something other than a 403 Forbidden to indicate that the role is not allowed, the test will raise an RbacActionFailed exception.
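
The flows above as a small Python sketch, added here for illustration and not Patrole's own decorator. The names `rbac_flow` and `run_case`, the `Forbidden` stand-in and the role sets are hypothetical. Failing a test when a role that is not allowed gets access is an assumption the README does not spell out.

```python
import functools


class Forbidden(Exception):
    """Stand-in for the HTTP 403 error an API client raises."""


class RbacActionFailed(Exception):
    """The role was refused, but not with a 403."""


def rbac_flow(role_is_allowed):
    """Wrap a test so its outcome follows the README's test flows."""
    def decorator(test_func):
        @functools.wraps(test_func)
        def wrapper(*args, **kwargs):
            try:
                test_func(*args, **kwargs)
            except Forbidden:
                if role_is_allowed:
                    raise  # an allowed role was refused: the test fails
                return "pass: refused with 403"
            # RbacActionFailed from the test body propagates as a failure.
            if not role_is_allowed:
                # Assumption: the README does not spell this case out.
                raise AssertionError("role is not allowed but got access")
            return "pass: access granted"
        return wrapper
    return decorator


def run_case(policy_roles, enforced_roles, role, deny_status=403):
    """Run one test as `role`; return its outcome or the exception name."""
    @rbac_flow(role_is_allowed=role in policy_roles)
    def test_delete_server():
        # Constructed endpoint: the service only honours enforced_roles.
        if role in enforced_roles:
            return
        if deny_status == 403:
            raise Forbidden()
        raise RbacActionFailed(f"refused with {deny_status}, not 403")
    try:
        return test_delete_server()
    except (Forbidden, RbacActionFailed, AssertionError) as exc:
        return "fail: " + type(exc).__name__
```

Passing different sets for `policy_roles` (the intended policy) and `enforced_roles` (what the service actually honours) models a deployment whose enforcement has drifted from its policy, which is the mismatch these tests are meant to surface.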