RETIRED, Tempest plugin for testing and verifying RBAC policy enforcement.

Go to file

Felipe Monteiro b006983525 Add releasenotes to mark the start of Queens support This commit adds the releasenote to start the Queens support and needed for version 0.3.0 to release. Change-Id: I5eecc125b5a09e33d15fdccdcd39f5ad68b115fe		2018-02-25 17:07:05 +00:00
devstack	Remove deprecrated [rbac] config group	2017-11-27 04:58:28 +00:00
doc/source	[docs] Fix weird indentation in documentation	2018-01-09 17:05:09 +09:00
etc	Remove deprecrated [rbac] config group	2017-11-27 04:58:28 +00:00
patrole_tempest_plugin	Remove all v2.0 identity API tests	2018-02-20 04:46:51 +00:00
playbooks	Remove unnecessary dir 'legacy'	2018-01-29 18:06:50 +05:30
releasenotes	Add releasenotes to mark the start of Queens support	2018-02-25 17:07:05 +00:00
.coveragerc	Initial Cookiecutter commit	2017-01-04 15:11:34 -05:00
.gitignore	[docs] Fix weird indentation in documentation	2018-01-09 17:05:09 +09:00
.gitreview	Added .gitreview	2016-12-21 08:20:20 +00:00
.mailmap	Design principles README section	2017-11-15 22:33:48 +00:00
.stestr.conf	Switch to use stestr for unit tests directly	2017-12-01 17:35:44 +00:00
.zuul.yaml	Merge "Remove unnecessary dir 'legacy'"	2018-01-30 18:01:20 +00:00
HACKING.rst	Add a per-test log	2017-08-25 23:12:08 -04:00
LICENSE	Initial Cookiecutter commit	2017-01-04 15:11:34 -05:00
README.rst	Design principles README section	2017-11-15 22:33:48 +00:00
babel.cfg	Initial Cookiecutter commit	2017-01-04 15:11:34 -05:00
requirements.txt	Optimize test_requireemtns.txt and requirements.txt	2018-01-18 13:38:29 +05:30
setup.cfg	Update patrole entry_point plugin name	2017-12-07 14:12:48 +05:30
setup.py	Updated from global requirements	2017-07-06 14:03:09 +00:00
test-requirements.txt	Updated from global requirements	2018-01-27 02:39:16 +00:00
tox.ini	Replace curly quotes with straight quotes	2018-02-05 16:13:34 +00:00

README.rst

Team and repository tags

Patrole - RBAC Integration Tempest Plugin

Patrole is a security validation tool for verifying that Role-Based Access Control is correctly configured and enforced in a system. It runs Tempest-based API tests using specified RBAC roles, thus allowing deployments to verify that only intended roles have access to those APIs.

Patrole currently offers testing for the following OpenStack services: Nova, Neutron, Glance, Cinder and Keystone.

Patrole is currently undergoing heavy development. As more projects move toward policy in code, Patrole will align its testing with the appropriate documentation.

Design Principles

Patrole borrows some design principles from Tempest, but not all, as its testing scope is confined to policies.

Stability. Patrole uses OpenStack public interfaces. Tests in Patrole should only touch public OpenStack APIs.
Atomicity. Patrole tests should be atomic: they should test policies in isolation. Unlike Tempest, a Patrole test strives to only call a single endpoint at a time.
Holistic coverage. Patrole strives for complete coverage of the OpenStack API. Additionally, Patrole strives to test the API-to-policy mapping contained in each project's policy in code documentation.
Self-contained. Patrole should attempt to clean up after itself; whenever possible we should tear down resources when done.

Note

Patrole modifies roles dynamically in the background, which affects pre-provisioned credentials. Work is currently underway to clean up modifications made to pre-provisioned credentials.
Self-tested. Patrole should be self-tested.

Features

Validation of default policy definitions located in policy.json files.
Validation of in-code policy definitions.
Validation of custom policy file definitions that override default policy definitions.
Built-in positive and negative testing. Positive and negative testing are performed using the same tests and role-switching.
Valdation of custom roles as well as default OpenStack roles.

Note

Patrole does not yet support policy.yaml files, the new file format for policy files in OpenStack.

How It Works

Patrole leverages oslo.policy (OpenStack's policy enforcement engine) to determine whether a given role is allowed to perform a policy action, given a specific role and OpenStack service. The output from oslo.policy (the expected result) and the actual result from test execution are compared to each other: if both results match, then the test passes; else it fails.

Documentation: https://docs.openstack.org/patrole/latest/
Bugs: https://bugs.launchpad.net/patrole

Quickstart

Tempest is a prerequisite for running Patrole. If you do not have Tempest installed, please reference the official Tempest documentation for guidance.

Assuming Tempest is installed, the simplest way to configure Patrole is:

1. Open up the tempest.conf configuration file and include the following settings:

[rbac]
enable_rbac = True
rbac_test_role = admin

These settings tell Patrole to run RBAC tests using the "admin" role (which is the default admin role in OpenStack) to verify the default policy definitions used by OpenStack services. Specifying a different role for rbac_test_role will run Patrole tests against that role. For additional information about Patrole's configuration settings, please refer to patrole-configuration and patrole-sampleconf for a sample configuration file.

2. You are now ready to run Patrole. To do so, you can use any testr-based test runner:

$ testr run patrole_tempest_plugin.tests.api

or:

$ ostestr --regex '(?!.*\[.*\bslow\b.*\])(^patrole_tempest_plugin\.tests\.api)'

It is also possible to run Patrole using tox:

tox -eall-plugin -- patrole_tempest_plugin.tests.api

Release Versioning

Patrole Release Notes shows which changes have been released for each version.

Patrole's release versioning follows Tempest's conventions. Like Tempest, Patrole is branchless and uses versioning instead.