The Patrole project is not active anymore and its gate is broken.
We waited for a couple of cycles to see if there is any interest
in this project and if anyone can maintain it. But we did not get any
new maintainers and the current QA team does not have bandwidth/interest
to continue maintaining it.
This project was for RBAC testing, which is moving towards unit/functional
tests on the service side as well as tempest plugin tests.
In the QA 2023.2 PTG, we decided to retire this project
- https://etherpad.opendev.org/p/qa-bobcat-ptg
Change-Id: I7721cf06104e5871ec27cdd87d4608dace60a8b7

Cinder policies are made more granular and now we need
to adjust the patrole tests to handle those changed policies.
This commit introduces a new flag so that we test the old
policies in stable branches and the new ones in Xena onwards.
Change-Id: I4be60e3e92704f8e55d3acdb0e025078ae5b21f1

This patch set adds a new feature flag called
``removed_nova_policies_wallaby`` under the configuration
group ``[policy-feature-enabled]`` for skipping Nova
tests whose policies were removed in Wallaby. This feature flag
is currently applied to os-agents, which was recently removed
in nova - https://review.opendev.org/#/c/749309
Change-Id: Iaa0ddbdca454b93bd8373ce749603f28c5c59180

Now we have the stable/train branch ready for devstack
and so do all service projects.
This commit adds the Patrole testing for stable/train
by adding new jobs running on stable/train version of
openstack.
Depends-On: https://review.opendev.org/#/c/701404/
Change-Id: I3655cf176f12685dd87c52d8e4979d8f8e000a38

The patrole-admin and patrole-member gates are broken because they
are trying to test a policy action ('os_compute_api:os-services') that
was changed in the Ussuri release. This commit adds a new policy feature
flag so that this policy test is backwards compatible.
Change-Id: Ia80279ae8ffcc17f10bed05338c41d0c23eea063

Nova API extensions policies were removed in Stein but
the flag to skip the tests for those policies is not correctly
set to False for Rocky.
Change-Id: I80cff7328c47081f20abaf25396f340d1482ff20

Recent changes in Keystone to move trust enforcement [0] to default
policies are currently breaking several voting gates in Patrole.
This commit updates the trusts_rbac tests to account for these changes.
Additionally, 'test_list_trusts' is updated so that it does indeed test
'identity:list_trusts'. If a 'trustor_user_id' or 'trustee_user_id' is passed
into list_trusts() then a different policy action will be enforced. A future
commit will add tests for the actions added here [1].
Added new feature flag called ``keystone_policy_enforcement_train`` under
the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts``
test backwards compatible, test the current release, and test the correct policy
action. The Keystone Trust API is enforced differently depending on passed arguments.
The new feature flag is needed so that all the voting gates pass, otherwise the
'test_list_trusts' is not backwards compatible and would not test the correct
policy action in the current release.
[0] https://review.opendev.org/#/q/topic:trust-policies+(status:open+OR+status:merged)
[1] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py
Change-Id: Ia5661e12977b26e1c16f09a074d1a805263c6c22

- When the URL refers to cloning or using git repositories, use the
cloning URL (https://git.openstack.org/<namespace>/<project>)
- When the URL refers to the browsable version of the repository, point to
the cgit frontend (https://git.openstack.org/cgit/<namespace>/<project>)
Change-Id: Iaeaa153a05aa85b9cf7451ae3c28aec56722222c

This patchset replaces ``CONF.patrole.rbac_test_role`` with
``CONF.patrole.rbac_test_roles``, where instead of a single role
we can specify a list of roles to be assigned to the test user.
Change-Id: Ia68bcbdbb523dfe7c4abd6107fb4c426a566ae9d

This patch set adds a new feature flag called
``removed_keystone_policies_stein`` under the configuration
group ``[policy-feature-enabled]`` for skipping Keystone
tests whose policies were removed in Stein. This feature flag
is currently applied to credentials-related policies, e.g.:
identity:[create|update|get|delete]_credential
More info on removed Keystone policies:
https://review.openstack.org/#/c/597187/16
Change-Id: Ibd16e658d0e1367b46a2d6730f2b6970a95ae221

Use granular rules:
volume_extension:volume_type_encryption:create
volume_extension:volume_type_encryption:delete
volume_extension:volume_type_encryption:update
volume_extension:volume_type_encryption:get
for the corresponding create, delete, update, and
get volume_type_encryption test cases.
Depends-On: Iba58e785df934d1c4175c0877d266193ac0167b7
Change-Id: Ie5159166505d9bee3e99ca0d51949f6391c569b9

This patch set removes the deprecated [patrole].enable_rbac
configuration option. It is better to use an appropriate
test regex to skip Patrole tests.
Change-Id: I639f3215f7aff8a85bc97dc55c1d97be3123e003

A new policy feature flag called
``[policy_feature_flag].removed_nova_policies_stein``
has been added to Patrole's config to handle Nova API
extension policies removed in Stein [0].
The policy feature flag is applied to tests that validate
response bodies for expected attributes previously returned
for the following policies that passed authorization:
- os_compute_api:os-config-drive
- os_compute_api:os-extended-availability-zone
- os_compute_api:os-extended-status
- os_compute_api:os-extended-volumes
- os_compute_api:os-keypairs
- os_compute_api:os-server-usage
- os_compute_api:os-flavor-rxtx
- os_compute_api:os-flavor-access (only from /flavors APIs)
- os_compute_api:image-size
Note that not all removed policies are included above because
test coverage is missing for them (like
os_compute_api:os-security-groups).
Also fixes test flows associated with image_size tests:
* endpoints are list images with details and show image (not
list image)
* both tests should check for OS-EXT-IMG-SIZE:size attribute
[0] https://review.openstack.org/#/c/586872/8
Story: 2003501
Change-Id: Ia6f8d255a540f7063beedd80a3ca1833f3987490

This adds a README.rst in the devstack folder with information
about DevStack and how to install the Patrole plugin in DevStack.
Change-Id: I31a92351211a2f37403c08406215bc10f3c3222e

Due to a recent change [0], Member role is no longer
being found, as it has been renamed to member. This is
causing all the member-based gates to fail. Because "Member"
is legacy [1], this patchset uses "member" instead of "Member"
during the devstack Patrole plugin for master. For n-1
and n-2 releases "Member" is still used.
This patchset also specifies which role was not found in
the system while trying to resolve roles CONF.identity.admin_role
and CONF.patrole.rbac_test_role in order to make debugging
easier.
[0] https://review.openstack.org/#/c/572243/
[1] http://git.openstack.org/cgit/openstack-dev/devstack/tree/lib/keystone#n355
Change-Id: I7b59bab164041b26ed8a1a798546e493f22f6edd

A new configuration group ``[policy_feature_enabled]`` has been added to
Patrole which will be responsible for collecting the feature flags to be
used for newly introduced policies or policies that were changed in a
backwards-incompatible way.
* create_port_fixed_ips_ip_address_policy (Neutron)
* update_port_fixed_ips_ip_address_policy (Neutron)
* limits_extension_used_limits_policy (Cinder)
* volume_extension_volume_actions_attach_policy (Cinder)
* volume_extension_volume_actions_reserve_policy (Cinder)
* volume_extension_volume_actions_unreserve_policy (Cinder)
These feature flags will be supported until Pike release cycle
is EOL.
The motivation behind these feature flags is [0] which adds
Pike/Queens gating to Patrole. However, in Queens, Neutron
and Cinder renamed or removed a few policies in a backwards-
incompatible way. These policies can be reviewed here: [1].
This PS requires another PS [2] in devstack's lib/tempest
because Patrole, being a branchless project and hosting the
Patrole devstack plugin itself, must fall back to Tempest's
devstack script to list out the backwards-incompatible
policies in Pike.
A documentation update will also come in a follow up with
information on these feature flags.
[0] I76c4a9b8737bf94f230ab141def652b054120f3b
[1] e.g. http://logs.openstack.org/51/547851/4/check/patrole-member-pike/139c534/job-output.txt.gz#_2018-03-22_21_46_08_392229
[2] I00bdeff9474c54d38b6d6844a041b305bec01ad8
Change-Id: Ia0d9847908a8e723446c16465d68cd7f622c04cc

This PS removes the deprecated [rbac] config group. It was replaced
last release cycle with the [patrole] config group, which has
the exact same options. This is because [patrole] is more user-friendly
and congruent with the project name.
Change-Id: Id1a7af0445bd50f44ddcc4277f952391968726b8

The configuration option ``[patrole] strict_policy_check``
is deprecated and will be removed in the Rocky release cycle.
The default value for ``[patrole] strict_policy_check`` has
been changed to ``True`` because a Patrole test should always
fail if the policy action is invalid, to avoid false positives.
Change-Id: Idb902f23b1845bdbc9ac8fb490f3e74e262c1451

Adds devstack plugin for Patrole in order to correctly deploy
Patrole.
This commit:
- Adds the plugin.sh for orchestrating Patrole installation
via devstack
- The settings file for declaring global variables; allow
RBAC_TEST_ROLE to be overridden by global variable
RBAC_TEST_ROLE (i.e. export RBAC_TEST_ROLE=Member
from shell will override the rbac role at run time)
- Removes pre/post_test_hook since that logic is now
handled by updated infra jobs [0] and by
the devstack patrole plugin.
[0] https://review.openstack.org/#/c/468939/3/jenkins/jobs/patrole.yaml
Change-Id: I38c02cbcfea9334c9c0c10096e383efa9a9fc474
Implements: blueprint patrole-devstack-plugin
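
The ``removed_*_policies_stein`` feature flags described in the commit messages above decide, per target release, whether an RBAC test for a policy action runs or is skipped. The sketch below is an added example, not Patrole's own code: ``load_flags``, ``plan``, the sample configs and the default of True for an unset flag are assumptions made for illustration; the flag and policy names are the ones quoted in the commit messages.

```python
import configparser

GROUP = "policy-feature-enabled"  # group name as written in the commit messages

# Flag -> policy actions it covers (names taken from the commit messages).
REMOVED_BY_FLAG = {
    "removed_nova_policies_stein": [
        "os_compute_api:os-config-drive",
        "os_compute_api:os-keypairs",
        "os_compute_api:image-size",
    ],
    "removed_keystone_policies_stein": [
        "identity:create_credential",
        "identity:delete_credential",
    ],
}

# Constructed sample configs, not taken from a real deployment.
ROCKY_CONF = """
[policy-feature-enabled]
removed_nova_policies_stein = False
removed_keystone_policies_stein = False
"""
STEIN_CONF = """
[policy-feature-enabled]
removed_nova_policies_stein = True
"""
TYPO_CONF = """
[policy-feature-enabled]
removed_nova_policies_stein = Flase
"""

def load_flags(conf_text):
    """Read the flags; an unparsable value raises ValueError instead of guessing."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    # Assumption: an unset flag defaults to True (cloud under test is a current release).
    return {flag: parser.getboolean(GROUP, flag, fallback=True)
            for flag in REMOVED_BY_FLAG}

def plan(conf_text):
    """Map each policy action to 'run' or 'skip', so skipped coverage is visible."""
    flags = load_flags(conf_text)
    return {action: ("skip" if flags[flag] else "run")
            for flag, actions in REMOVED_BY_FLAG.items()
            for action in actions}

if __name__ == "__main__":
    for name, conf in (("rocky", ROCKY_CONF), ("stein", STEIN_CONF)):
        print(name, plan(conf))
```

Listing the skipped actions per release makes it easy to review which policy checks a given gate does not exercise, and a mistyped flag value stops the run rather than silently changing coverage.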