[release-announce] [quality] patrole 0.2.0 (pike)

no-reply at openstack.org
Wed Sep 6 00:29:54 UTC 2017


We enthusiastically announce the release of:

patrole 0.2.0: Patrole is a tool for verifying that Role-Based Access
Control is being enforced across OpenStack deployments.

This release is part of the pike release series.

Download the package from:

    https://tarballs.openstack.org/patrole/

Please report issues through launchpad:

    https://bugs.launchpad.net/patrole

For more details, please see below.

0.2.0
^^^^^


Prelude
*******

This release marks the start of support for the Pike release in
Patrole.


New Features
************

* Add security groups and server security groups tests to Nova RBAC
  tests.

* Add additional port-related RBAC tests to "test_ports_rbac" in the
  network module, providing coverage for the following policy actions:

     * create_port:device_owner

     * create_port:port_security_enabled

     * create_port:binding:profile

     * update_port:device_owner

* Add additional RBAC tests for network routers API, providing
  coverage for the following policy actions:

     * create_router:ha

     * create_router:distributed

     * get_router:distributed

     * update_router:ha

     * update_router:distributed

* Added tests to test_agents_rbac.py for PUT and DELETE endpoints.

* Add RBAC test for communitizing image, providing coverage for the
  policy action "communitize_image".

* Adds tests for compute snapshot APIs.

* Adds tests for os-console-output and os-remote-console to compute
  module.

* Added RBAC network test for listing dhcp agents on a hosting
  network, providing coverage for the "get_dhcp-agents" policy.

* Add new configuration option "[rbac] custom_policy_files",
  allowing users to specify a list of paths to search for custom
  policy files. Each policy path is assumed to include the service
  name exactly once, and Patrole is assumed to run on the same host
  as the policy files. The paths should be ordered by precedence, with
  high-priority paths before low-priority paths. The first path that
  is found to contain the service's policy file will be used.

* Add group-specific RBAC tests for the identity v3 extension API,
  OS-EP-FILTER, providing coverage for the following policy actions:

     * identity:create_endpoint_group

     * identity:list_endpoint_groups

     * identity:show_endpoint_group (get endpoint group)

     * identity:check_endpoint_group

     * identity:list_endpoint_group (get endpoint groups)

     * identity:update_endpoint_group

     * identity:delete_endpoint_group

* Add RBAC tests for APIs that enforce
  "os_compute_api:os-extended-availability-zone".

* Added RBAC tests for volume type access and volume type extra
  specs APIs, providing coverage for the following policy actions:

     * "volume_extension:types_extra_specs"

     * "volume_extension:volume_type_access"

     * "volume_extension:volume_type_access:addProjectAccess"

     * "volume_extension:volume_type_access:removeProjectAccess"

* Add test coverage for the os-flavor-manage compute API, which
  includes tests for the following policy actions:

     * "os_compute_api:os-flavor-manage:create"

     * "os_compute_api:os-flavor-manage:delete"

* Add RBAC tests related to the "image_size" compute policy action:
  "os_compute_api:image-size".

* Adds tests for Nova's lock_server policies: lock, unlock, and
  unlock_override.

* Add additional RBAC tests to "VolumesBackupsRbacTest", providing
  coverage for "volume_extension:backup_admin_actions:reset_status".

* Add Patrole DevStack plugin, allowing Patrole to be installed
  using DevStack by adding "enable_plugin patrole" to "local" section
  of local.conf.

* Added a new logging feature which logs the result of each
  Patrole test.

  The format of the new log output is:

     "[Service]: %s, [Test]: %s, [Rule]: %s, [Expected]: %s, [Actual]: %s"

     where each "%s" is a string that contains:

     * [Service] - The OpenStack service being tested (Nova,
       Neutron, etc.)

     * [Test] - The name of the test function being invoked (e.g.
       test_list_aggregate_rbac)

     * [Rule] - The name of the rule the Patrole test is testing
       (e.g. os_compute_api:os-aggregates)

     * [Expected] - The expected outcome (one of Allowed/Denied)

     * [Actual] - The actual outcome from the Patrole test (one of
       Allowed/Denied/Error)

  This logging feature has two config variables:

     These variables are part of a new config group "patrole_log"

     * enable_reporting:

          This enables or disables the enhanced rbac reporting

     * report_log_name:

          This variable specifies the name of the log file to write

     * report_log_path:

          This variable specifies the path (relative or absolute) of
          the log file to write

* Add RBAC tests for os_compute_api:os-extended-status, which
  validate that the following attributes:

     * OS-EXT-STS:task_state

     * OS-EXT-STS:vm_state

     * OS-EXT-STS:power_state

  are present in the relevant response bodies.

* Add RBAC tests for os-extended-volumes:volumes_attached policies,
  which validate that "os-extended-volumes:volumes_attached" is
  returned in the response body.

* Implements RBAC tests for Tempest network agents_client, providing
  coverage for the following policies:

     * update_agent

     * get_agent

     * create_dhcp-network

     * delete_dhcp-network

     * get_dhcp-networks

     * create_l3-router

     * delete_l3-router

     * get_l3-routers

* Add RBAC tests for compute quota class sets API, providing
  coverage for the following policy actions:

     * os_compute_api:os-quota-class-sets:show

     * os_compute_api:os-quota-class-sets:update

* Add RBAC tests for the compute server metadata API, providing
  coverage for the following policy actions:

     * os_compute_api:server-metadata:index

     * os_compute_api:server-metadata:update_all

     * os_compute_api:server-metadata:create

     * os_compute_api:server-metadata:show

     * os_compute_api:server-metadata:update

     * os_compute_api:server-metadata:delete

* Adds test for Neutron's get_service_provider policy.

* Add RBAC tests for network subnet endpoints, providing coverage
  for the following policy actions:

     * create_subnet

     * get_subnet

     * update_subnet

     * delete_subnet

* Add RBAC test for updating the default subnetpool, providing
  coverage for the policy action: "update_subnetpool:is_default".

* Add support for running Patrole against a custom requirements YAML
  that defines RBAC requirements. The YAML file lists all the APIs and
  the roles that should have access to the APIs. The purpose of
  running Patrole against a requirements YAML is to verify that the
  RBAC policy is in accordance with deployment-specific requirements.
  Running Patrole against a requirements YAML is completely optional
  and can be enabled by setting the "[rbac] test_custom_requirements"
  option to True in Tempest's configuration file. The requirements
  YAML must be located on the same host that Patrole runs on.

* Add test_oauth_tokens_rbac.py with RBAC test cases related to the
  OS-OAUTH1 Keystone v3 extension API.

* Added RBAC test scenarios for the token-related v3 identity API.

* Added RBAC test scenarios for the token-related admin v2 identity
  API.

* Add test for updating a volume group, providing coverage for
  group:update policy action.

* Add RBAC test to provide coverage for the following cinder policy:
  "volume_extension:volume_actions:upload_public".

* Add RBAC tests for the volume v3 groups and group types APIs,
  providing coverage for the following policy actions:

  * group:create

  * group:get

  * group:get_all

  * group:delete

  * group:group_types_manage

  * group:access_group_types_specs
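
The per-test log format described in the New Features list above can be
checked mechanically. The following is an added example, not code from
Patrole or from this announcement: it parses report lines in that format
and ranks mismatches between expected and actual outcomes. The sample
lines, the timestamp prefix and the function names are constructed for
illustration.

```python
import re

# Matches the report line format quoted in the release notes. Anything a
# logger puts before "[Service]" (timestamp, level) is ignored.
LINE_RE = re.compile(
    r"\[Service\]: (?P<service>.+?), \[Test\]: (?P<test>.+?), "
    r"\[Rule\]: (?P<rule>.+?), \[Expected\]: (?P<expected>Allowed|Denied), "
    r"\[Actual\]: (?P<actual>Allowed|Denied|Error)\s*$"
)

# Constructed sample, not real Patrole output. The timestamp prefix and all
# test names except test_list_aggregate_rbac are assumptions.
SAMPLE_LOG = """\
2017-09-06 00:00:01 INFO [Service]: Nova, [Test]: test_list_aggregate_rbac, [Rule]: os_compute_api:os-aggregates, [Expected]: Denied, [Actual]: Denied
2017-09-06 00:00:02 INFO [Service]: Neutron, [Test]: test_create_router_ha, [Rule]: create_router:ha, [Expected]: Denied, [Actual]: Allowed
2017-09-06 00:00:03 INFO [Service]: Keystone, [Test]: test_create_endpoint_group, [Rule]: identity:create_endpoint_group, [Expected]: Allowed, [Actual]: Denied
2017-09-06 00:00:04 INFO [Service]: Cinder, [Test]: test_delete_group, [Rule]: group:delete, [Expected]: Allowed, [Actual]: Error
2017-09-06 00:00:05 INFO [Service]: Nova, [Test]: test_image_size, [Rule]: os_compute_api:image-size, [Expected]: Maybe, [Actual]: Allowed
2017-09-06 00:00:06 INFO unrelated log message
"""

# Triage order: access granted that policy denies comes first.
SEVERITY = {"over-permissive": 0, "error": 1, "over-restrictive": 2}


def classify(expected, actual):
    """Map an (Expected, Actual) pair to a verdict."""
    if actual == "Error":
        return "error"            # the test could not establish an outcome
    if expected == actual:
        return "ok"
    if expected == "Denied":
        return "over-permissive"  # API allowed what the policy denies
    return "over-restrictive"     # API denied what the policy allows


def parse_report(text):
    """Return (records, malformed_lines) for a Patrole per-test report."""
    records, malformed = [], []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            rec = match.groupdict()
            rec["verdict"] = classify(rec["expected"], rec["actual"])
            records.append(rec)
        elif "[Service]:" in line:
            malformed.append(line)  # looks like a report line; do not drop silently
    return records, malformed


def triage(records):
    """Return the records that are not "ok", most serious first."""
    bad = [r for r in records if r["verdict"] != "ok"]
    return sorted(bad, key=lambda r: (SEVERITY[r["verdict"]], r["service"], r["rule"]))


if __name__ == "__main__":
    records, malformed = parse_report(SAMPLE_LOG)
    for r in triage(records):
        print("%(verdict)-16s %(service)-8s %(rule)s (%(test)s)" % r)
    print("malformed report lines: %d" % len(malformed))
```

Lines that carry the "[Service]:" marker but do not parse are returned
separately, so a truncated or altered report is visible instead of
counting as a pass.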


Deprecation Notes
*****************

* The "[rbac]" configuration group has been deprecated and will be
  removed in the next release. Use "[patrole]" group instead, which
  has the exact same options.

* Deprecate the following configuration options from "[rbac]" group:

  * cinder_policy_file

  * glance_policy_file

  * keystone_policy_file

  * neutron_policy_file

  * nova_policy_file

  It is better to use "[rbac] custom_policy_files" which supports any
  OpenStack service.

* Glance v1 APIs are deprecated and v2 APIs are current. Glance v1
  APIs are removed from volume tests and Glance v1 RBAC tests are
  removed.

* Remove assisted volume snapshot RBAC tests, because the Tempest
  client does not yet exist.


Bug Fixes
*********

* Add microversion check to test_security_groups_rbac as tests in
  this file will fail with a 404 after 2.36.

* Rename test_server_security_groups to test_list_security_groups to
  properly reflect the test actually being run.

* Add "test.requires_ext" above tests that require the "binding"
  extension.


Other Notes
***********

* The OpenStack release supported as of this release is **Pike**. The
  release under development at the time of this tag is Queens, meaning
  that every Patrole commit is also tested against master during the
  Queens cycle. However, this does not necessarily mean that using
  Patrole as of this tag will work against a Queens (or future
  release) cloud.

Changes in patrole 0.1.0..0.2.0
-------------------------------

45fffa5 Prepare release notes for release 0.2.0
88a5bab Rename rbac_policy_parser to policy_authority
7f8993f Add a per-test log
3983d13 RBAC tests for os-extended-volumes policies
c27a62f Fix router tests expecting wrong error code
25b1281 [TrivialFix] Move security group tests into correct test file
bc39ee8 Do not use test.get_service_list()
d889ffd Updated from global requirements
dc73cff Remove identity v3 change_password test
9d086ab Use create_test_server for attach volume server test
146735d Test coverage for compute flavor_manage policies
5f72954 RBAC tests for extended availability zone policies
6056d6b Move some slow tests into the multinode gate
2a3b513 Docstring for RbacAuthority class.
39c460b Updated from global requirements
3e14f47 Use configured admin creds in rbac utils
01d633b Update rbac_rule_validation docstrings
f6eb862 Deprecate [rbac] configuration group.
b6a9c21 Adds unit tests for hacking checks
11b0232 Update and replace http with https for doc links in patrole
2693bf7 Only sleep following a role switch
d2fcf03 Add RBAC test for updating volume group
36bea05 Adds meaningful exceptions for missing attributes
6f663e0 Update the documentation link
0df097d Remove usage of credentials_factory.AdminManager
4360a29 Fix a comment issue
428c44a Adds update and delete agent tests
7de1905 Update tox to correctly use OS_TEST_PATH
8a043fb Change rbac_utils.RbacUtils is_admin to function
0328650 RBAC tests for os-extended-status policies
10fdf98 Move instance actions test into misc policy actions file
7b9ae3f Updated from global requirements
d8e0d08 Updated from global requirements
7be94e8 Switch to enabled version of identity clients
c7880ac Replace test.attr with decorators.attr
ffa47e6 Create rbac utils fixture and refactor tests
864b0f3 Add missing test for os-instance-usage-audit-log
268b71d Update URLs in documents according to document migration
7c7b570 README: Fix headers
e8d93e0 Remove need to include admin in credentials in base classes
780210d Rewrite Patrole README to be high-level document
ccfa23e Add missing v3 token related testcases
8a5f69a docs: Update configuration docs
c8a5e29 Update test.attr to decorators.attr
e922e1e Updates test_volume_types_extra_specs_rbac
6c068fc Move config drive tests into misc policy actions file
d55dec5 Updated from global requirements
6b1a2f4 [Gate fix] Fix volumes_client AttributeError
e85d266 Replace inconsistent skipException messages
529988b Correct policy action for check_endpoint_group test
0cef808 Unit tests for dynamic policy file discovery
d982731 Move virtual interfaces test into misc policy actions file
3ab2c35 Dynamic policy file discovery
7de839d Doc warnings as errors
ed95005 Add support for testing custom RBAC requirements
a7d9425 Group together tests that create server and require network resources
4047a19 Move tenant usage tests into misc policy actions file
c971b45 Updated from global requirements
dea1384 Add docstring for rbac_rule_validation is_authorized
3203253 Replace os with os_primary
9f1b60f Add test cases for oauth1 token related APIs.
1430ac2 RBAC tests for volume v3 groups and group types
a662f82 Minimize number of servers created for more tests
6661e2f Additional volume v2 backup RBAC tests
34193e3 Switch from oslosphinx to openstackdocstheme
0f010a5 RBAC tests for compute quota class sets
4781dc9 Replace the usage of 'admin_manager' with 'os_admin'
7a52b61 Policy update for volume v2 qos-specs RBAC tests
a20add2 Use admin creds for waiting
5c12849 Remove unusued create_test_server
1e0a20d Remove unnecessary LOG/CONF statements
f85cedc Add missing v2 token related testcases
c5ebd76 Identity v3 RBAC Tests - EP Filter Groups
54959dd Minimize number of servers created for certain tests
973a1bc Docstring for rbac_rule_validation _get_exception_type
d9607c4 Refactor policy parser init so that validate service is in helper
c471d41 Volume test for volume_extension:volume_actions:upload_public
93dae2a Add waiter to test_volume_backup_delete
747e029 Adds lock server tests
65ce70d Fix snapshot rbac test race condition
e8f7917 Additional network router RBAC tests
3c1de67 Subnet rbac tests
1442d57 RBAC tests for Tempest network agents_client
7b761b8 Adds server security group tests
4aa609e Fix test_volumes_snapshots_rbac throwing BadRequest
c458932 Show team and repo badges on README
1b7d5d5 Adds service_providers client tests
f98d8b8 Patrole should only test glance v2 api.
f129686 Fix volume backup tests throwing BadRequest
94c9a47 Update Patrole documentation
7888d97 Clean up test_admin_password_rbac
8fe31c2 Adds extension skip checks for Neutron tests
57127fd Remove support for py34
12a52d9 Add vol extra specs/type access RBAC tests
757ea55 Fix test_force_detach_volume_from_instance
189e138 Adds console output RBAC tests
b573cea Update plugin.py
c1f67b2 Correct reno list formatting
9a6f20f Adds tests for compute snapshots API
31b968d Optimize the link address
9817838 RBAC test for update_subnetpool:is_default
7ae2ff1 Add a page for release 0.1.0 to release notes
3fde3cb RBAC test for "dhcp_agent_scheduler" network policy
7942336 Update test/installation documentation
dca00e8 Add RBAC test for communitize_image policy
17e9b49 Add rbac_utils is_admin helper method
ace85ac RBAC tests for image_size compute policy action.
eeb271a [Gate fix] Fix py35 gate due to incompatible import
dd02c62 Additional port-related RBAC tests
a44dddf Patrole devstack plugin
6e78dca [Gate fix] Fix test_server_actions raising BadRequest
cd87077 Add hacking check to enforce no client aliases
96f826d Compute server metadata rbac tests
e6fbe0f Remove assisted volume snapshot RBAC tests


Diffstat (except docs and test files)
-------------------------------------

.testr.conf                                        |   2 +-
CONTRIBUTING.rst                                   |  17 -
HACKING.rst                                        |  13 +-
README.rst                                         | 206 +++----
contrib/post_test_hook.sh                          |  83 ---
contrib/pre_test_hook.sh                           |  18 -
devstack/plugin.sh                                 |  35 ++
devstack/settings                                  |   8 +
patrole_tempest_plugin/config.py                   | 146 ++++-
patrole_tempest_plugin/hacking/checks.py           |  43 +-
patrole_tempest_plugin/plugin.py                   |  50 +-
patrole_tempest_plugin/policy_authority.py         | 264 +++++++++
patrole_tempest_plugin/rbac_exceptions.py          |  31 +-
patrole_tempest_plugin/rbac_policy_parser.py       | 232 --------
patrole_tempest_plugin/rbac_rule_validation.py     | 267 ++++++---
patrole_tempest_plugin/rbac_utils.py               | 173 ++++--
patrole_tempest_plugin/requirements_authority.py   |  72 +++
.../api/compute/test_admin_server_actions_rbac.py  |  65 ---
.../compute/test_assisted_volume_snapshot_rbac.py  |  73 ---
.../api/compute/test_attach_interfaces_rbac.py     |  92 ----
.../api/compute/test_flavor_extra_specs_rbac.py    |   2 +-
.../api/compute/test_instance_actions_rbac.py      |  56 --
.../compute/test_instance_usages_audit_log_rbac.py |  18 +-
.../api/compute/test_quota_class_sets_rbac.py      |  84 +++
.../api/compute/test_server_diagnostics_rbac.py    |  44 --
.../api/compute/test_server_migrations_rbac.py     |   7 +-
.../test_server_misc_policy_actions_rbac.py        | 599 +++++++++++++++++++++
.../compute/test_server_virtual_interfaces_rbac.py |  41 --
.../compute/test_server_volume_attachments_rbac.py |   9 +-
.../api/compute/test_simple_tenant_usage_rbac.py   |  56 --
.../api/identity/v3/test_endpoint_filter_rbac.py   |  91 ----
.../api/identity/v3/test_ep_filter_groups_rbac.py  | 108 ++++
.../identity/v3/test_ep_filter_projects_rbac.py    |  90 ++++
.../api/identity/v3/test_oauth_consumers_rbac.py   |   8 +-
.../api/identity/v3/test_oauth_tokens_rbac.py      | 138 +++++
.../api/identity/v3/test_tokens_negative_rbac.py   | 100 ++++
.../api/image/test_image_namespace_objects_rbac.py | 106 ++++
.../image/test_image_namespace_property_rbac.py    |  97 ++++
.../api/image/test_image_namespace_tags_rbac.py    | 109 ++++
.../api/image/test_image_resource_types_rbac.py    |  72 +++
.../image/v2/test_image_namespace_objects_rbac.py  | 106 ----
.../image/v2/test_image_namespace_property_rbac.py |  97 ----
.../api/image/v2/test_image_namespace_rbac.py      |  76 ---
.../api/image/v2/test_image_namespace_tags_rbac.py | 109 ----
.../api/image/v2/test_image_resource_types_rbac.py |  72 ---
.../api/network/test_metering_label_rules_rbac.py  |   2 -
.../network/test_networks_multiprovider_rbac.py    |   5 +-
.../api/network/test_service_providers_rbac.py     |  29 +
.../api/volume/test_volume_types_access_rbac.py    |  81 +++
.../volume/test_volume_types_extra_specs_rbac.py   |  86 ++-
.../api/volume/test_volumes_snapshots_rbac.py      |  12 +
patrole_tempest_plugin/version.py                  |  18 +
releasenotes/notes/agents-ca4a5e232ce242a5.yaml    |   5 +
...mmunitize-image-rbac-test-bdf1109e58a6c2e0.yaml |   5 +
releasenotes/notes/console-6db96c4e329c0ab2.yaml   |   5 +
.../deprecate-rbac-group-148e222913dc74cc.yaml     |   6 +
...dhcp-agent-scheduler-test-842fc1df45799def.yaml |   5 +
...mic-policy-file-discovery-104cbfc64b55d605.yaml |  22 +
...vailability-zone-policies-2ec19e8bbb9ce158.yaml |   5 +
.../glance-v1-api-deprecated-1aba7b6ae0b6e063.yaml |   4 +
.../notes/lock-server-460767a02d15bb29.yaml        |   5 +
.../patrole-devstack-plugin-551c9af3325723c9.yaml  |   6 +
.../notes/rbac-per-test-log-071a530e957c1c26.yaml  |  28 +
...r-compute-extended-status-ef00256e58b66223.yaml |  11 +
...-compute-extended-volumes-7f3ccab122d22737.yaml |   6 +
...ests-for-quota-class-sets-20d874b185902308.yaml |   8 +
.../notes/service-provider-bc71da578e717c3a.yaml   |   4 +
.../start-of-pike-support-360e27b4d192e3d2.yaml    |  10 +
...ls_update_is_default_test-d3540a87469b6dc8.yaml |   5 +
...support_requirements_yaml-a90e0188a19421ba.yaml |  12 +
.../test_oauth_tokens_rbac-13e1d3b5decbaf79.yaml   |   4 +
.../notes/test_tokens_rbac-63a93e507d079a03.yaml   |   3 +
.../notes/test_tokens_rbac-7f36919b786e9ffc.yaml   |   3 +
.../update-group-volume-test-06c7475ccbe36aa8.yaml |   5 +
...volume-upload-public-test-f8e741a838ae7607.yaml |   5 +
releasenotes/source/conf.py                        |  21 +-
releasenotes/source/index.rst                      |   7 +-
releasenotes/source/v0.1.0.rst                     |   6 +
requirements.txt                                   |  14 +-
setup.cfg                                          |   4 +-
setup.py                                           |   5 +-
test-requirements.txt                              |  19 +-
test-whitelist.txt                                 |   1 -
tox.ini                                            |  11 +-
177 files changed, 7107 insertions(+), 4231 deletions(-)


Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt
index 6871057..00c7e64 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,7 +5,7 @@ hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
-pbr>=1.8 # Apache-2.0
-urllib3>=1.15.1 # MIT
-oslo.log>=3.11.0 # Apache-2.0
-oslo.config>=3.22.0  # Apache-2.0
-oslo.policy>=1.17.0  # Apache-2.0
-tempest>=14.0.0  # Apache-2.0
-stevedore>=1.20.0  # Apache-2.0
+pbr!=2.1.0,>=2.0.0 # Apache-2.0
+urllib3>=1.21.1 # MIT
+oslo.log>=3.30.0 # Apache-2.0
+oslo.config!=4.3.0,!=4.4.0,>=4.0.0 # Apache-2.0
+oslo.policy>=1.23.0 # Apache-2.0
+tempest>=16.1.0 # Apache-2.0
+stevedore>=1.20.0 # Apache-2.0
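
Review bot: every "+" line in this requirements.txt hunk sets only a lower bound (pbr and oslo.config add exclusions, but no entry has a ceiling), so an install from this file alone resolves to whatever the newest releases are at install time. For repeatable RBAC verification runs, install against a constraints file (pip's "-c" option) that pins the versions this release was tested with. The stevedore line changes only the spacing before the comment and could be left out of the hunk.
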
diff --git a/test-requirements.txt b/test-requirements.txt
index 7c97fa7..0657438 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -4 +4 @@
-hacking>=0.12.0,!=0.13.0,<0.14  # Apache-2.0
+hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
@@ -6,5 +6,6 @@ hacking>=0.12.0,!=0.13.0,<0.14  # Apache-2.0
-sphinx>=1.2.1,!=1.3b1,<1.4  # BSD
-oslosphinx>=4.7.0 # Apache-2.0
-reno>=1.8.0 # Apache-2.0
-mock>=2.0 # BSD
-coverage>=4.0 # Apache-2.0
+sphinx>=1.6.2 # BSD
+openstackdocstheme>=1.16.0 # Apache-2.0
+reno>=2.5.0 # Apache-2.0
+fixtures>=3.0.0 # Apache-2.0/BSD
+mock>=2.0.0 # BSD
+coverage!=4.4,>=4.0 # Apache-2.0
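
Review bot: the new sphinx line drops the old "<1.4" ceiling and leaves the docs toolchain (sphinx, openstackdocstheme, reno) lower-bounded only, while the change list above includes "Doc warnings as errors" (7de839d). With warnings treated as errors, a later Sphinx release that emits a new warning fails the docs build without any change in this repository; pin the docs build through a constraints file or keep a ceiling on sphinx.
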
@@ -14,3 +15,3 @@ oslotest>=1.10.0 # Apache-2.0
-oslo.policy>=1.17.0  # Apache-2.0
-oslo.log>=3.11.0 # Apache-2.0
-tempest>=12.1.0  # Apache-2.0
+oslo.policy>=1.23.0 # Apache-2.0
+oslo.log>=3.30.0 # Apache-2.0
+tempest>=16.1.0 # Apache-2.0
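
Review bot: oslo.policy, oslo.log and tempest are listed here in test-requirements.txt with the same bounds as in the requirements.txt hunk above, and the removed lines show the two copies had already drifted ("tempest>=12.1.0" here against "tempest>=14.0.0" there). If the test environment also installs requirements.txt, drop these three entries from test-requirements.txt so there is a single place to raise a bound.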





