32 lines
1.5 KiB
YAML
32 lines
1.5 KiB
YAML
---
|
|
features:
|
|
- |
|
|
Patrole now offers support for multiple policies. The ``rules`` argument
|
|
has been added to the ``rbac_rule_validation.action`` decorator, which
|
|
takes a list of policy names which Patrole will use to determine the
|
|
expected test result. This allows Patrole to more accurately determine
|
|
whether RBAC is configured correctly, since some API endpoints enforce
|
|
multiple policies.
|
|
|
|
Multiple policy support includes the capability to specify multiple
|
|
expected error codes, as some components may return different error codes
|
|
for different roles due to checking multiple policy rules. The
|
|
``expected_error_codes`` argument has been added to the
|
|
``rbac_rule_validation.action`` decorator, which is a list of error codes
|
|
expected when the corresponding rule in the ``rules`` list is disallowed
|
|
to perform the API action. For this reason, the error codes in the
|
|
``expected_error_codes`` list must appear in the same order as their
|
|
corresponding rules in the ``rules`` list. For example:
|
|
|
|
expected_error_codes[0] is the error code for the rules[0] rule.
|
|
expected_error_codes[1] is the error code for the rules[1] rule.
|
|
...
|
|
|
|
deprecations:
|
|
- |
|
|
The ``rule`` argument in the ``rbac_rule_validation.action`` decorator has
|
|
been deprecated in favor of ``rules``.
|
|
|
|
The ``expected_error_code`` argument in the ``rbac_rule_validation.action``
|
|
decorator has been deprecated in favor of ``expected_error_codes``.
|