Open Stack

We high-spiritedly announce the release of:

patrole 0.1.0: Patrole is a tool for verifying that Role-Based Access
Control is being enforced across OpenStack deployments.

This is the first release of patrole. This release is part of the pike
release series.

The source is available from:

    http://git.openstack.org/cgit/openstack/patrole

Download the package from:

    https://tarballs.openstack.org/patrole/

Please report issues through launchpad:

    http://bugs.launchpad.net/patrole

For more details, please see below.

0.1.0
^^^^^

This release marks the first release for Patrole, tagged as 0.1.0.


New Features
************

* Add additional compute hypervisor RBAC tests, so that the
  previously missing hypervisor endpoints are covered. Tests for the
  following endpoints were written: * show_hypervisor *
  list_servers_on_hypervisor * show_hypervisor_statistics *
  show_hypervisor_uptime * search_hypervisor

* Added an RBAC test for force-deleting a backup which enforces the
  cinder policy action:
  "volume_extension:backup_admin_actions:force_delete".

* Adds test for glance's add_metadef_resource_type_association
  policy.

* Add RBAC tests for cinder os-quota-class-sets API, which cover the
  policy action "volume_extension:quota_classes".

* Refactored framework to remove unused "path" argument. Added
  config options to allow the path to the policy.json files for Nova,
  Keystone, Cinder, Neutron, and Glance to be configured without
  needing to manually change code.

* Adds RBAC tests for the domain configuration Keystone v3 extension
  API.

* Adds RBAC tests for the encryption types client.

* Adds RBAC tests for the project-related endpoints belonging to the
  OS-EP-FILTER Keystone v3 extension API.

* Add RBAC test for listing hypervisors with details.

* Merges *rbac_auth* with *rbac_rule_validation*, because
  *rbac_auth* decentralized logic from *rbac_rule_validation* without
  providing any authentication-related utility. This change
  facilitates code maintenance and code readability.

* Adds RBAC tests for the Nova os-volumes API which is deprecated
  from microversion 2.36 onward.

* Added RBAC test for the volume services API, which covers the
  following policy action: "volume_extension:services:index".

* Added test for volume summary API.

* Added tests for volumes client functions set bootable, reserve,
  unreserve, and update metadata.


Bug Fixes
*********

* Corrected the policy action in the "rbac_rule_validation"
  decorator for the test "test_snapshot_force_delete" from
  "volume_extension:volume_admin_actions:force_delete" to
  "volume_extension:snapshot_admin_actions:force_delete".

* Removed "rule" kwarg from "rbac_rule_validation" decorator for
  identity v2 admin tests, because the identity v2 admin API does not
  do policy enforcement, and instead checks whether the request object
  has "context_is_admin".


Other Notes
***********

* Patrole currently supports RBAC testing for Cinder, Glance, Nova,
  Neutron and Keystone.

  The release under current development as of this tag is Pike,
  meaning that every Patrole commit is also tested against master
  branch during the Pike cycle. However, this does not necessarily
  mean that using Patrole as of this tag will work against Pike (or
  future releases) cloud. In addition, backward compatibility with
  previous releases is not guaranteed.

* Updated the class names for identity v2 tests to include the
  "Admin" substring, to convey the fact that these tests are only
  intended to test the v2 admin API, not the v2 API.

* Renamed update metadata item and delete metadata item tests to
  accurately reflect what actions are being performed.

Changes in patrole 859beb410fa8aaba4a7e6c52a8a5c9ffcd451fea..0.1.0
------------------------------------------------------------------

b6f415f List hypervisors with details rbac test
0441eab Adds volume summary test reno
e52cbc6 Fix rbac_rule_validation log statement raises TypeError
944e8bc Fix compute create volume test race condition
9621202 Remove incorrect compute min_microversions
682a598 Prepare release notes for release 0.1.0
20359be Fix setup.cfg using incorrect entry point
83cb0be Add oslo.policy requirement to requirements.txt
fba3135 Removes client aliases
b35de58 Remove singleton from RbacUtils constructor
1461ddc Fix plugin.py test directory
20e780f Include class name in resource names for resource cleanup debugging
4bf66a2 Hacking: enable extensions H106, H203 and H904
980bff3 Extra hypervisor rbac tests
c15af32 [Gate fix] Fix volume metadata RBAC tests
4cf2ffb Identity V3 Tests - Domain Configurations
d12d2eb Remove enforce_type=True from oslo.config set_override
d2e2074 Nova test for Volume client
581268e Remove unnecessary create_volume calls
b18f98b Add RBAC tests for v3 auth policy actions
d55e786 Rename "Rbac Flag" to "Rbac testing" in skip exceptions
0854ded Adds initial hacking checks to Patrole
7cec526 Corrects compute microversion docstrings
f1bd2b0 Volume services rbac test
4e9a496 Remove cinder v1 artifacts from code base
f6b69e2 Change "admin" literal for admin role to CONF admin_role
bbde022 Added stable interface and release information to documentation
3c3fc9a Consolidates rbac_base for v2 and v3 identity tests
d7120bb Add force detach volume test.
2c9e3a4 Removes force_backup_delete test
6345995 Adds create metadef resource test
e7e552e [Fix gate] Fix failing identity v2 admin tests
45c2b35 Remove heat tests from patrole
d0b747b Add RBAC tests for cinder os-quota-class-sets API
b45a05e Add RBAC test for force-deleting a backup
f568d04 Adds missing volumes client tests
c82ce14 Replace generic api_extensions checks
78fc489 Merge rbac_auth with rbac_rule_validation
85f79d7 Creates config options for policy.json paths
edcdbec Stop using aliases for creds manager
b059d49 Fix up test_volume_actions_rbac
1fa5b2e Keystone v3 tests for endpoint filters for projects
e2bfb85 Add additional tests to test_images_rbac
6704253 Add encryption types test
b89e584 Move tests from volumes into volumes actions.
2297aa1 Add RBAC test cases to manage cinder volume
7bc35dc Improve patrole core documentation
ae7d7bb Fix: the tox cover job was not updating coverage report.
6ed0e03 Adding server evacuate test
e46a27d Remove skip exception from virtual interfaces test
e7df9c4 Increase unit test coverage for policy parser.
5c4b97d Add volume user messages rbac test
3f4158d Identity V3 Tests - Domains
fd1db98 Identity trust rbac tests
a810851 Add capabilities and scheduler stats tests
a7a2916 Create heat-specific patrole gate
94c1cc6 Add RBAC tests for namespace_tags_client.
6a99c56 Remove admin namespace throughout Patrole - Identity tests
4d6264c Fix non-existent cinder policy action tests.
9909ac6 Remove admin namespace throughout Patrole - Nova tests
706fd34 Remove admin namespace throughout Patrole - Volume tests
ba4881b Fix _validate_switch_role throwing incorrect error message
1529351 Fix rbac_rule_validation test being incorrectly skipped
75f2363 Renames switchToRbacRole to toggle_rbac_role
a7409cf Fix volume transfers rbac test
6b6c610 Add py3.5 support in setup.cfg
521e5c1 Fix role validation edge case bug in rbac_utils
f01a48f RBAC test for compute os-multinic policy action.
b83861c Add RBAC tests for the Nova images API.
aa19530 Add implied roles rbac tests to identity v3.
7aae506 Fix test_migration_live throwing AttributeError.
9af4e53 Update installation guide
fa01d5f Add role-switching validation to Patrole framework.
f512433 Identity V3 (ext) Tests - Oauth Consumers
90c7eef Update post_test_hook to use multinode environment.
fb18579 Add role assignments rbac tests to identity v3.
78b1925 Fix check-uuid not working
934acae Refactor identity v3 rbac_base to use classmethods.
6da4d21 Identity V3 Tests - Roles
ae2ebab Modify policy parser to combine custom and default policy files.
d4a4aa6 Add heat resource types rbac tests.
ee0205d Compute API Compute Flavor Rxtx Test.
06e3bc6 Tag additional slow tests to run in slow gate.
dcddd6e Network tests should take advantage of net_utils to find unused ip.
0d88008 Improve Patrole config options
59c886c Add new regex for "slow test" gate
8eda8cc Refactors exceptions in rbac_rule_validation decorator.
2d95e9d Remove special_fields definition from volume tests.
42933e5 Add server tests for nova.
68015d1 Adding compute server tests
479c603 Add missing requirements
ae9db6f Fix oslo_debug_helper not running
e1014be Standardize tox
89f498f Configure devstack gate to use UUID tokens
8ec953f Identity V3 rbac_base method refactor
7bae840 Identity V3 tests - Regions
6ebeed0 Fixes IpAddressAlreadyAllocated thrown by fixed_ip port tests.
d5d76b8 Fix failing v2 identity user tests by adding admin_only kwarg.
c01b1e6 Fix failing neutron port tests for Member role.
ca8844b Enhance test_server_actions_rbac with create image actions.
0d537ea Fixes server fault thrown by delete password compute rbac test.
1299894 Enhance validation decorator with error code
280a2a0 Fixes failing flavor access tests for Member role.
9abe87d Fixes router external_fixed_ip tests sometimes failing with Conflict.
da03cc0 Update Cinder test that incorrectly handles 404
23923f0 Partially revert removal of time.sleep if v3 auth enabled in conf.
18120de Fixes instance actions compute rbac test failing for Member role.
68d9223 Fixes v3 identity tests with policy actions with rule admin_or_owner.
48c913d Throw skipException for invalid policy actions.
09698bb Fixes test_volume_backup_delete failing during tearDown.
3874300 Fix broken volume tests
426f3cb Compute API Quota Sets RBAC tests.
8590c0c Removal of re-switching of rbac-role from tearDown
61b9049 Switch to admin role during client set up to fix some gate bugs.
dbea7df Fixes test_images_member_rbac missing os credentials for image v2.
86fdd63 Decrease overall run time when identity auth is set to v3.
d5bd33b Add switchToRbacRole=True to test instance actions in compute.
503c557 Add service validation to Patrole framework
8a8b59f Fix for V2 image failing test cases.
613de66 Fixes many failing identity tests for member.
ef1d21d Removing unused admin_client
e68ac0b Add negative lookahead to post_test_hook to skip slow tests.
18d92b5 Add @test.attr(type='slow') to slow tests to reduce test run time.
69dacff Fix failing compute volume attachment tests.
52c5565 Add post_test_hook.sh to Patrole.
4a611bf Switch to use stable data_utils
6448b4a Add pip install patrole command to pre_test_hook.sh.
9dd3d31 Compute API Server Actions Test
2c0c55a Default rbac_flag = True for testing in gates.
ac64829 Neutron tests - Security Groups
1ee5f4d Fix test coverage tox command for patrole.
d028a7e Orchestration API config tests
1272679 Users RBAC test for Keystone API v2 users
313a7f8 Add pre_test_hook.sh for devstack tempest gates.
b3b7bc8 Increase unit test coverage for rbac_utils.
8deb578 Compute API Keypairs
e6aa86b Cinder tests - Volume types
c27904d Cinder tests for Volume hosts policy actions
8913879 Compute API Server Tags Test
34a138c Refactors Patrole framework to only use admin tenant credential type.
889264e Enhance rbac policy parser to correctly interpret user_id policy actions.
fc29958 Compute API Suspend Server Test
df95870 Changes tox to only run unit tests and moves unit tests to tests/unit.
89cc76d Assisted Volume snapshot RBAC test for Compute v2.1 API roles
bada30a Compute API Server Password Test
34552b1 Roles RBAC test for Keystone API v2 roles
322c5b6 Change name of rbac_role_converter to rbac_policy_parser.
e87b92e Compute API Server Actions Test
bd75098 Adds missing switch to rbac role function call to hypervisors compute test.
8c8e417 Add compute API test for config_drive policy action.
5b9ff75 Compute API Deferred Delete Tests
82443c7 Compute API Availability Zone Tests
1dc1125 Add Subnetpool test cases for RBAC. Rename FloatingIps class name to follow naming convention.
6e8f1e3 Fix for few failing network rbac tests
48c36ce Add floating IP test cases for RBAC.
b0475fa Enhance test_server_actions_rbac with index/detail/show server actions.
874222f Add multi-provider networks test cases for RBAC.
8337289 Add metering labels and metering label rules test cases for RBAC.
3a6e3ca Compute API Compute Tenant Networks Tests.
dc0ef43 Compute API Instance Usage Audit Log Test.
43ffff3 Compute API Compute Flavor Extra Specs Test.
1b17ee2 Fix for typo of correct volume status
b911cc2 Fix for V3 identity failing test cases.
d8e4e20 Compute API Aggregates Tests
317b0cc Fix for V2 identity failing test cases.
47056d5 Compute API Floating Ip Pools Test
d972919 Renamed Glance test file
7029349 Identity V3 Tests - Policies
c3f1c61 Compute API Floating Ips Bulk Tests.
cf937f1 Compute API Floating Ips Tests.
84d6d9f Remove discoverable test from compute tests.
33e707d Compute API Agents Tests
83cfad3 Compute API Attach Interfaces Tests.
ec28743 Compute API Ips Tests.
7990e52 Compute Admin Server Actions Test
7c46d45 Services test for Keystone version 2 api services
3094936 Compute API Hosts Tests.
e9babc6 Identity V3 Tests - Groups
6770009 Projects test for Keystone version 2 api projects
b46c30c Compute API Flavor Access Tests.
f170f8a Keystone tests - v2 Endpoints
ba6c929 Identity V3 tests - Endpoints
1a2186b Neutron tests - Routers
bbf9369 Tests for compute security groups.
1246308 Compute API Hypervisor Tests.
afddb37 Removes test_access_ips_rbac test because it cannot be tested.
3485a3c Identity V3 Tests - Services
5e05bdd Fixes test_absolute_limits testing the wrong action.
4b51a0d Compute API Instance Actions Tests.
ffc2100 Neutron tests - Ports
09cd3a7 Identity V3 Tests - Projects
26b46da Identity V3 Tests - Credentials
9d0d7d6 Identity V3 tests -  Users
aab4feb Compute API Migrations Tests.
7807ced Compute API Rescue Test.
2d2b890 Compute API Server Diagnostics Test.
2e3bbd3 Compute API Server Groups Test.
d203a1c Compute API Server Usage Test.
cef6e13 Fix volume transfers RBAC tests
193c7e3 Compute API Server Volume Attachments Test.
a6348e1 Copyright and other information correctness
ac7c230 Cinder tests - Volume snapshot metadata
ebb7c44 Compute Access IPs tests
b0c0486 Compute API Services Test.
0066e2b Compute API Simple Tenant Usage Tests
9fc782e Fixes policy rules in neutron containing the keyword tenant_id.
e679c14 Cinder tests - Volume backend
f17ed2d Cinder tests - Volume transfers
be97eb2 Cinder tests - Volume actions
575dd64 Glance tests - Image Metadef Namespace Properties
9c97850 Improve is_admin support in Patrole converter framework.
a6fab3b Glance tests - Image Metadef Namespace Resource Types
1d60d6a Glance tests - Image Metadef Namespace and Namespace Objects
b25f93d Fixed AT&T Copyright statements
eb7e7be Cinder tests - Volume List
5e93025 Cinder tests - Volume Snapshots
652e2a2 Removing rbac_roles from config.py.
bf335e9 Cinder tests - Volume QOS
5f8c46b Glance tests - API version 1
e178c30 Rbac tests for compute absolute limits
71704ba Cinder tests - Volume Extend
e36e59a Cinder tests - Volume Extensions
c079936 Cinder tests - Volume Availability Zone
511c46e Fix volume test copyrights
cbd0617 Add try/except block to rbac_rule_validation.
b059565 Fixes converter not working for certain edge cases.
d1c72e3 Fixes outdated CONF setting in test_networks_rbac.
2006807 Refactor rbac_base class
b71cf16 Initial neutron tests
db7f981 Glance tests - Image Member
45bc1a6 Improve documentation
3589f2b Initial Cinder tests
d35eef2 Cinder tests - Volume Quotas
36eba5e Initial Cinder tests
7cff6d2 Initial Cinder tests
da434a2 Initial Cinder tests
25fc8c5 Remove 'MANIFEST.in'
645dfc9 Switch to oslo_log
3bbdd62 update homepage with developer documentation page
617a2a5 Initial glance tests
029d8c3 Initial functionality framework. Includes: rbac_util - Utility for switching between roles for tests. rbac_auth - Determines if a given role is valid for a given api call. rbac_rule_validation - Determines if a allowed proper access and denied improper access (403 error) rbac_role_converter - Converts policy.json files into a list of api's and the roles that can access them.
663aedf Initial Cookiecutter commit




Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..6871057
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,11 @@
+# The order of packages is significant, because pip processes them in the order
+# of appearance. Changing the order has an impact on the overall integration
+# process, which may cause wedges in the gate later.
+hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+pbr>=1.8 # Apache-2.0
+urllib3>=1.15.1 # MIT
+oslo.log>=3.11.0 # Apache-2.0
+oslo.config>=3.22.0  # Apache-2.0
+oslo.policy>=1.17.0  # Apache-2.0
+tempest>=14.0.0  # Apache-2.0
+stevedore>=1.20.0  # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
new file mode 100644
index 0000000..7c97fa7
--- /dev/null
+++ b/test-requirements.txt
@@ -0,0 +1,16 @@
+# The order of packages is significant, because pip processes them in the order
+# of appearance. Changing the order has an impact on the overall integration
+# process, which may cause wedges in the gate later.
+hacking>=0.12.0,!=0.13.0,<0.14  # Apache-2.0
+
+sphinx>=1.2.1,!=1.3b1,<1.4  # BSD
+oslosphinx>=4.7.0 # Apache-2.0
+reno>=1.8.0 # Apache-2.0
+mock>=2.0 # BSD
+coverage>=4.0 # Apache-2.0
+nose # LGPL
+nosexcover # BSD
+oslotest>=1.10.0 # Apache-2.0
+oslo.policy>=1.17.0  # Apache-2.0
+oslo.log>=3.11.0 # Apache-2.0
+tempest>=12.1.0  # Apache-2.0