RETIRED, Tempest plugin for testing and verifying RBAC policy enforcement.
Go to file
Felipe Monteiro 45fffa50e0 Prepare release notes for release 0.2.0
Adds prelude information for release 0.2.0 to release notes,
including information about currently supported projects
and backwards-compatibility information.

Change-Id: Ibf18f19a0f4775fe205e18095f1c0dcb4b257aab
2017-08-31 23:10:56 +01:00
devstack Patrole devstack plugin 2017-05-31 16:17:58 +00:00
doc/source Rename rbac_policy_parser to policy_authority 2017-08-31 04:00:45 +01:00
patrole_tempest_plugin Merge "Rename rbac_policy_parser to policy_authority" 2017-08-31 18:29:09 +00:00
releasenotes Prepare release notes for release 0.2.0 2017-08-31 23:10:56 +01:00
.coveragerc Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
.gitignore Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
.gitreview Added .gitreview 2016-12-21 08:20:20 +00:00
.mailmap Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
.testr.conf Update tox to correctly use OS_TEST_PATH 2017-08-06 05:47:27 +01:00
HACKING.rst Add a per-test log 2017-08-25 23:12:08 -04:00
LICENSE Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
README.rst Update and replace http with https for doc links in patrole 2017-08-14 22:46:21 -07:00
babel.cfg Initial Cookiecutter commit 2017-01-04 15:11:34 -05:00
requirements.txt Updated from global requirements 2017-08-24 05:59:05 +00:00
setup.cfg Update URLs in documents according to document migration 2017-07-20 21:35:35 -04:00
setup.py Updated from global requirements 2017-07-06 14:03:09 +00:00
test-requirements.txt Updated from global requirements 2017-08-24 05:59:05 +00:00
tox.ini Deprecate [rbac] configuration group. 2017-08-15 21:45:27 -04:00

README.rst

Team and repository tags

image

Patrole - RBAC Integration Tempest Plugin

Patrole is a security validation tool for verifying that Role-Based Access Control is correctly configured and enforced in a system. It runs Tempest-based API tests using specified RBAC roles, thus allowing deployments to verify that only intended roles have access to those APIs.

Patrole currently offers testing for the following OpenStack services: Nova, Neutron, Glance, Cinder and Keystone.

Features

  • Validation of default policy definitions located in policy.json files.
  • Validation of in-code policy definitions.
  • Validation of custom policy file definitions that override default policy definitions.
  • Built-in positive and negative testing. Positive and negative testing are performed using the same tests and role-switching.
  • Valdation of custom roles as well as default OpenStack roles.

Note

Patrole does not yet support policy.yaml files, the new file format for policy files in OpenStack.

How It Works

Patrole leverages oslo.policy (OpenStack's policy enforcement engine) to determine whether a given role is allowed to perform a policy action, given a specific role and OpenStack service. The output from oslo.policy (the expected result) and the actual result from test execution are compared to each other: if both results match, then the test passes; else it fails.

Quickstart

Tempest is a prerequisite for running Patrole. If you do not have Tempest installed, please reference the official Tempest documentation for guidance.

Assuming Tempest is installed, the simplest way to configure Patrole is:

1. Open up the tempest.conf configuration file and include the following settings:

[rbac]
enable_rbac = True
rbac_test_role = admin

These settings tell Patrole to run RBAC tests using the "admin" role (which is the default admin role in OpenStack) to verify the default policy definitions used by OpenStack services. Specifying a different role for rbac_test_role will run Patrole tests against that role. For additional information about Patrole's configuration settings, please refer to patrole-configuration and patrole-sampleconf for a sample configuration file.

2. You are now ready to run Patrole. To do so, you can use any testr-based test runner:

$ testr run patrole_tempest_plugin.tests.api

or:

$ ostestr --regex '(?!.*\[.*\bslow\b.*\])(^patrole_tempest_plugin\.tests\.api)'

It is also possible to run Patrole using tox:

tox -eall-plugin -- patrole_tempest_plugin.tests.api

Release Versioning

Patrole Release Notes shows which changes have been released for each version.

Patrole's release versioning follows Tempest's conventions. Like Tempest, Patrole is branchless and uses versioning instead.