[ patrole ] Understanding RBAC Permission Exceptions

darumaseye darumaseye at protonmail.com
Mon Jul 12 09:16:41 UTC 2021


Hello,
I am a researcher studying security of the Openstack's Policies.
I'm very interested in the Patrole project and I would like to ask you some questions.
In the documentation it is stated that Patrole compares two different types of results:
- an expected one ( derived from oslo.policy )
- an actual one ( derived from an actual request to the API ).
Given that, Patrole's tests can return 3 different values:
1) "Success" if actual result and expected result are both True or both False;
2) "RbacOverPermissionException" if actual result is True but expected result is False;
3) "RbacUnderPermissionException" in the other case.

I can't understand in which cases the tests can return a value different from "Success".
As far as I know, an API call should always be validated internally by oslo.policy's rules, before being allowed.
So, in order for an API call to be accepted, oslo.policy's rules must allow that API call.
It seems to me that the "expected" result ( derived from oslo.policy ) is always included in the actual result.
Hoping that everything I said is correct, I would like to ask you:
What issue is allowing such a strange behavior in Openstack APIs ?
Why the expected results can be different from the actual ones?
Are there publicly available examples showing "Failure" values?
In general, are there any publicly available test cases that i can study to understand this?

I Would like to thank you very much in advance;
Best Regards,

Jacopo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210712/388ddab6/attachment-0001.html>


More information about the openstack-discuss mailing list