[release-announce] patrole 0.4.0 (rocky)

no-reply at openstack.org no-reply at openstack.org
Thu Aug 16 13:14:06 UTC 2018


We are jazzed to announce the release of:

patrole 0.4.0: Patrole is a tool for verifying that Role-Based Access
Control is being enforced across OpenStack deployments.

This release is part of the rocky release series.

The source is available from:

    https://git.openstack.org/cgit/openstack/patrole

Download the package from:

    https://tarballs.openstack.org/patrole/

Please report issues through launchpad:

    https://bugs.launchpad.net/patrole

For more details, please see below.

0.4.0
^^^^^


Prelude
*******

This release tags Patrole for the OpenStack Rocky release. After
this release, Patrole supports the following OpenStack releases:

   * Rocky

   * Queens

   * Pike

Current development of Patrole targets the OpenStack Stein development
cycle. Every Patrole commit is also tested against master during the
Stein cycle. However, this does not necessarily mean that using
Patrole as of this tag will work against a Stein (or future release)
cloud.


New Features
************

* In order to strive toward complete test coverage for the services
  it tests, Patrole now offers RBAC coverage for the APIs included in
  neutron-tempest-plugin. If this plugin is not installed or enabled,
  then Patrole will skip those tests.

* A new configuration group "[policy_feature_enabled]" has been
  added to Patrole which will be responsible for collecting the
  feature flags to be used for newly introduced policies or policies
  that were changed in a backwards-incompatible way.

  * create_port_fixed_ips_ip_address_policy (Neutron)

  * update_port_fixed_ips_ip_address_policy (Neutron)

  * limits_extension_used_limits_policy (Cinder)

  * volume_extension_volume_actions_attach_policy (Cinder)

  * volume_extension_volume_actions_reserve_policy (Cinder)

  * volume_extension_volume_actions_unreserve_policy (Cinder)

  These feature flags will be supported until the Pike release cycle
  is EOL.

* Patrole now offers support for multiple policies. The "rules"
  argument has been added to the "rbac_rule_validation.action"
  decorator, which takes a list of policy names which Patrole will use
  to determine the expected test result. This allows Patrole to more
  accurately determine whether RBAC is configured correctly, since
  some API endpoints enforce multiple policies.

  Multiple policy support includes the capability to specify multiple
  expected error codes, as some components may return different error
  codes for different roles due to checking multiple policy rules. The
  "expected_error_codes" argument has been added to the
  "rbac_rule_validation.action" decorator. It is a list of the error
  codes expected when the corresponding rule in the "rules" list does
  not allow the API action. For this reason, the error codes in the
  "expected_error_codes" list must appear in the same order as their
  corresponding rules in the "rules" list. For example:

     expected_error_codes[0] is the error code for the rules[0] rule.
     expected_error_codes[1] is the error code for the rules[1] rule.
     ...
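
The ordering rule above, as an added example that is not Patrole's own code: a simplified model that pairs each rule with its error code and classifies the status an API call returned. The policy table, the role names and the choice to expect the code of the first disallowed rule are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Patrole's implementation.
FORBIDDEN, NOT_FOUND = 403, 404

# Constructed policy table: rule name -> roles the policy allows.
POLICY = {
    "get_port": {"admin", "member", "reader"},
    "update_port": {"admin", "member"},
    "update_port:fixed_ips:ip_address": {"admin"},
}

# rules[i] pairs with expected_error_codes[i], so the order matters.
RULES = ["get_port", "update_port", "update_port:fixed_ips:ip_address"]
CODES = [NOT_FOUND, FORBIDDEN, FORBIDDEN]


def expected_result(role, rules, expected_error_codes):
    """Return None when every rule allows `role`; otherwise return the
    error code paired with the first disallowed rule (assumed tie-break)."""
    if len(rules) != len(expected_error_codes):
        raise ValueError("rules and expected_error_codes differ in length")
    for rule, code in zip(rules, expected_error_codes):
        if role not in POLICY[rule]:
            return code
    return None


def classify(role, rules, expected_error_codes, observed_status):
    """Compare the status the API returned with the policy expectation."""
    expected = expected_result(role, rules, expected_error_codes)
    denied = observed_status in set(expected_error_codes)
    if expected is None:
        # Policy allows the role: a denial means RBAC is too strict.
        return "under-permission" if denied else "ok"
    if not denied:
        # Policy denies the role but the call succeeded.
        return "over-permission"
    return "ok" if observed_status == expected else "wrong-error-code"


if __name__ == "__main__":
    for role, status in [("admin", 200), ("member", 200), ("guest", 403)]:
        print(role, status, classify(role, RULES, CODES, status))
```
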


Upgrade Notes
*************

* The "admin_only" kwarg has been removed from the
  "rbac_rule_validation" decorator because it is no longer used by any
  tests. Besides that, it should not be used because Patrole is
  dedicated to RBAC testing and an admin-only check is not RBAC
  because it does not use the "oslo.policy" library.

* The "switch_role" method in the "rbac_utils" module has been removed
  because it is a clunky way of manipulating Tempest roles to achieve
  RBAC testing. Use "override_role" instead.

* The "[patrole].strict_policy_check" option was deprecated during the
  Queens release cycle. It is removed in this release cycle because
  Patrole should always fail on invalid policies.


Deprecation Notes
*****************

* The "[patrole].enable_rbac" option is deprecated and will be
  removed during the "S" release. This is a legacy option that was
  meaningful downstream when Patrole was a suite of tests inside
  Tempest itself. Now that Patrole exists upstream as a Tempest
  plugin, it is paradoxical to install the Patrole plugin yet have an
  option that allows all Patrole tests to be skipped. This option is
  at odds with current Patrole architecture.

  To skip RBAC tests going forward, with the Patrole Tempest plugin
  already installed, use an appropriate regex.

* The "rule" argument in the "rbac_rule_validation.action" decorator
  has been deprecated in favor of "rules".

  The "expected_error_code" argument in the
  "rbac_rule_validation.action" decorator has been deprecated in favor
  of "expected_error_codes".

Changes in patrole 0.3.0..0.4.0
-------------------------------

9ee07cf Fix 'ref' format errors in README file
cad317e Add releasenote to tag the Patrole for Rocky release
73d9f95 Add tests to cover flavors
2cc271c Add tests to cover auto_allocated_topology
3e98fe4 Update segments rbac tests with error codes
1d82978 Reset ntp_client cached token in override_role context
a137576 Improve tests for test_volume_basic_crud.py
8390341 Deprecate enable_rbac configuration option
d48d892 Remove misleading todo from config.py
d067148 Add tests to cover segments
2ee0db0 Add list backups with details for backup:backup_project_attribute
9d45e40 Adds create_network tests for missing policy actions
f8d1c74 Adds the following tests for update_network:
1884c57 Increase test stability of backup RBAC tests
e917655 Docs: Add RBAC overview documentation
fdc4514 trivial: Fix HACKING.rst nits causing rendering issues
f6ffb8b Add README in the devstack folder
eb197db Add REVIEWING documentation
51299a1 Improve exception that is raised following invalid service
561d028 Cap additional nova-network tests at Queens
299b9d4 Bump hacking to 1.1.0
1bbf48e followup: Include spec/discussion references
f800a1c Add documentation explaining why Patrole tests aren't in Tempest
e5ee4be docs: Add symlink to readme from overview documentation
f16b6b3 Update overpermission/underpermission rbac exceptions
d91c124 Change Neutron tests to use multi-policy support
f5ed588 trivial: Drop empty services folder under patrole_tempest_plugin
318fa3b Use tempest-multinode-full parent for multinode Zuul jobs
c0cb7eb multi policy: Fix logging issues with multiple policies
543f7b9 docs: Add Patrole overview documentation
ddac38b Limit .zuul.yaml gate jobs to most important jobs only
1bed58b Add fixed ip cleanup to test_add_fixed_ip
e7679f7 Fix Neutron-related return values on some list APIs
35a7711 Add support for handling multiple error codes
2fc2929 Gate fix: Rename Member (legacy) to member role
5da0aad Gate fix: Cap nova-network tests at Queens
383960d Drop old README file
ece376d Remove duplicate test_unmanage_volume test
57ab8c4 Remove duplicate subnet tests from test_networks_rbac module
3056b98 Wait for interface to detach for all interface tests
d0ddf7d Add RBAC tests for identity v3 application credentials API
8251477 Refactor `test_confirm_resize_server` to pass for all roles
68f4c2f fix tox python3 overrides
66d54a9 Docs: Add requirements authority module to documentation
bc865df Fix test_volume_upload BadRequest error
2880cad Remove RBAC test_volume_list_image_metadata test case
ac3e85d Move VirtualInterfacesRbacTest into separate module
778b780 Add docstrings for requirements_authority module
31e308e Move RbacAuthority class into separate module
9ae705d Docs: Add documentation on policy feature flags
f1ba5ae Wait for interface to detach for required tests
97117b0 Fix typos for custom requirements config options descriptions
7cd2161 fix typos in documentation
443d39c docs: Add Patrole RBAC field guide
94fc2ca [trivial] Update short-hand doc reference with real link
44d7784 Update rbac_rule_validation for multi-policy support
4c3ae9b Make patrole-member job run for queens and pike branches
739041f feature flag: Policy feature enabled config group
3896908 Create or attach interface should use specific network
58515ed Gate fix: Cap hacking to avoid gate failure
6c0f40a Add waiters to Nova tests to prevent tearDown failures
af81f05 Add skip check to 'test_update_volume_attachment'
d737199 Rephrase Patrole skip message for better sorting
7dec873 Always use correct host for aggregates test suite
05c8597 [TrivialFix] Use tempest.config instead of oslo_config.cfg
d0c6929 Add RBAC tests for identity v3 project tags
8d29e70 Fix test_show_server_usage not checking expected attributes
c330bab Add max microversion = 2.42 for compute host tests
88d4fc7 Set max microversion for some hypervisor tests to 2.52
0ad6bde Increase RBAC test coverage for floating ips bulk API
04352ea Set max_microversion 2.43 for virtual_interfaces tests
3d8623d Fix: Set max_microversion to 2.38 for image metadata compute tests
b43c486 Drop min_microversion = '2.10' from compute test
445c48b RBAC test for Keystone v3 OS-ENDPOINT-POLICY API
2fe986d Add functools.wraps decorator to rbac_rule_validation
4ef7e53 Remove already-deprecated strict_policy_check option
1c8620a Remove deprecated switch_role method
8669a51 add lower-constraints job
932b81d Update docs building
bb46c5a Fix a bug in patrole documentation.
6da23e6 Fix tests for snapshots extended_snapshot_attributes policy
f918e08 Add RBAC test for listing snapshots with details
55bc499 Updated from global requirements
097d94c Patrole base job as zuulv3 native
5ca7ada Add releasenotes page for v0.3.0
3f67a39 [Fix Gate] Fix network segments policy test raising 503
f9ace2b [docs] Add information about supported & stable tests
318a0bf Remove admin_only kwarg from rbac_rule_validation decorator
0548f03 Add v0.2.0 releasenotes page
6e86fc1 Increase coverage for volume metadata tests
bb1ebaa Fix test_limits_rbac not checking for expected response
b437ae1 Add RBAC test for show_encryption_specs_item


Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml                                         | 156 ++++++-
HACKING.rst                                        | 113 +++--
README.rst                                         | 200 +++++++--
REVIEWING.rst                                      | 136 ++++++
devstack/README.rst                                |  25 ++
devstack/plugin.sh                                 |  25 +-
etc/patrole.conf.sample                            | 110 +++--
lower-constraints.txt                              |  84 ++++
patrole_tempest_plugin/README.rst                  |   5 -
patrole_tempest_plugin/config.py                   | 121 ++++--
patrole_tempest_plugin/hacking/checks.py           |   4 +-
patrole_tempest_plugin/plugin.py                   |  21 +-
patrole_tempest_plugin/policy_authority.py         |  24 +-
patrole_tempest_plugin/rbac_authority.py           |  38 ++
patrole_tempest_plugin/rbac_exceptions.py          |  30 +-
patrole_tempest_plugin/rbac_rule_validation.py     | 326 ++++++++++-----
patrole_tempest_plugin/rbac_utils.py               |  92 ++--
patrole_tempest_plugin/requirements_authority.py   |  54 ++-
patrole_tempest_plugin/services/__init__.py        |   0
.../api/compute/test_floating_ips_bulk_rbac.py     |  68 ++-
.../test_server_misc_policy_actions_rbac.py        | 130 ++++--
.../compute/test_server_volume_attachments_rbac.py |   9 +
.../api/compute/test_virtual_interfaces_rbac.py    |  64 +++
.../v3/test_application_credentials_rbac.py        |  85 ++++
.../identity/v3/test_policy_association_rbac.py    | 152 +++++++
.../api/identity/v3/test_project_tags_rbac.py      |  96 +++++
.../network/test_auto_allocated_topology_rbac.py   |  44 ++
.../api/network/test_metering_label_rules_rbac.py  |   5 +-
.../api/network/test_network_segments_rbac.py      | 122 ++++++
.../network/test_networks_multiprovider_rbac.py    |  99 -----
.../api/volume/test_snapshots_metadata_rbac.py     |   9 -
.../api/volume/test_volume_basic_crud_rbac.py      |  33 +-
.../api/volume/test_volumes_snapshots_rbac.py      |  88 ++--
playbooks/patrole-admin/post.yaml                  |  80 ----
playbooks/patrole-admin/run.yaml                   |  60 ---
playbooks/patrole-member/post.yaml                 |  80 ----
playbooks/patrole-member/run.yaml                  |  61 ---
playbooks/patrole-multinode-admin/post.yaml        |  80 ----
playbooks/patrole-multinode-admin/run.yaml         |  63 ---
playbooks/patrole-multinode-member/post.yaml       |  80 ----
playbooks/patrole-multinode-member/run.yaml        |  63 ---
playbooks/patrole-py35-member/post.yaml            |  80 ----
playbooks/patrole-py35-member/run.yaml             |  70 ----
...on-tempest-plugin-clients-c031e232021b390c.yaml |   7 +
...patible-rule-feature-flag-ebe8b44c0aa663a8.yaml |  16 +
...recate-enable-rbac-option-1e499bb0914cdee8.yaml |  13 +
.../multi-policy-support-4e5c8b4e9e25ad9d.yaml     |  31 ++
.../patrole-rocky-release-e6f36691306bec7e.yaml    |  14 +
.../remove-admin-only-kwarg-919f1a4797318a33.yaml  |   8 +
...ve-deprecated-switch-role-148c9a5c6796857f.yaml |   6 +
...emove-strict-policy-check-480e3d664f7b2d96.yaml |   6 +
releasenotes/source/index.rst                      |   8 +-
releasenotes/source/v0.2.0.rst                     |   6 +
releasenotes/source/v0.3.0.rst                     |   6 +
requirements.txt                                   |   2 +-
setup.cfg                                          |   6 -
test-requirements.txt                              |   6 +-
tox.ini                                            |  30 +-
106 files changed, 4350 insertions(+), 1789 deletions(-)


Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt
index 35c6038..cc13aa9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6 +6 @@ oslo.log>=3.36.0 # Apache-2.0
-oslo.config>=5.1.0 # Apache-2.0
+oslo.config>=5.2.0 # Apache-2.0
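Review bot: the raised floor on the "+oslo.config>=5.2.0" line should be mirrored in lower-constraints.txt, which the diffstat shows as newly added in this range; if that file pins an older oslo.config, the lower-constraints job exercises a version requirements.txt no longer accepts. Confirm the two files agree, and say in the commit message which oslo.config 5.2.0 behaviour the plugin now depends on.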
diff --git a/test-requirements.txt b/test-requirements.txt
index add2388..9085c07 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -4,5 +4 @@
-hacking>=1.0.0 # Apache-2.0
-
-sphinx!=1.6.6,>=1.6.2 # BSD
-openstackdocstheme>=1.18.1 # Apache-2.0
-reno>=2.5.0 # Apache-2.0
+hacking>=1.1.0,<1.2.0 # Apache-2.0
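Review bot: the "<1.2.0" cap on the "+hacking>=1.1.0,<1.2.0" line carries no comment saying why newer hacking releases are excluded, so the pin is likely to outlive its reason; add a short comment on that line. The same hunk drops sphinx, openstackdocstheme and reno from test-requirements.txt without showing where they are declared instead, so confirm the docs and release-notes builds still install them from another requirements file.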





