[release-announce] [quality] patrole 0.3.0 (queens)

no-reply at openstack.org no-reply at openstack.org
Tue Mar 13 23:14:40 UTC 2018


We jubilantly announce the release of:

patrole 0.3.0: Patrole is a tool for verifying that Role-Based Access
Control is being enforced across OpenStack deployments.

This release is part of the queens release series.

Download the package from:

    https://tarballs.openstack.org/patrole/

Please report issues through launchpad:

    https://bugs.launchpad.net/patrole

For more details, please see below.

0.3.0
^^^^^


Prelude
*******

This release marks the start of Queens release support in Patrole.


New Features
************

* Add RBAC test for "backup:backup_project_attribute" which verifies
  that the "os-backup-project-attr:project_id" attribute appears in
  the response body once policy enforcement succeeds.

* Implemented a new method "override_role" in "rbac_utils" module,
  which provides the exact same functionality as the now-deprecated
  "switch_role" method, with one difference: "override_role" is a
  contextmanager which provides better policy validation granularity.
  This means that immediately after the contextmanager's code has
  executed, the role is switched back to the admin role automatically.

* Add complete RBAC test coverage for the compute APIs that enforce:
  "os_compute_api:os-extended-server-attributes".

* test_flavor_rxtx_rbac now offers complete coverage for the
  os-flavor-rxtx policy.

* Adds tests to test_server_misc_policy_actions_rbac that check
  whether key_name is returned in the server response.

* Add RBAC test for creating a server backup, providing coverage for
  the policy action: "os_compute_api:os-create-backup".
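
The "override_role" behaviour described in the list above, as an added example that is not Patrole's own code: FakeRoleSwitcher, Forbidden and create_backup are hypothetical stand-ins that model the switch to the test role and the automatic switch back to admin, including when the call under test is denied.

```python
# Added illustration: a self-contained model of the role-override pattern.
# FakeRoleSwitcher, Forbidden and create_backup are hypothetical stand-ins.
from contextlib import contextmanager


class Forbidden(Exception):
    """Stand-in for the 403 a service returns when policy denies the call."""


class FakeRoleSwitcher:
    def __init__(self, admin_role="admin", test_role="member"):
        self.admin_role = admin_role
        self.test_role = test_role
        self.current = admin_role
        self.history = [admin_role]  # every role held, in order

    def _set(self, role):
        self.current = role
        self.history.append(role)

    @contextmanager
    def override_role(self):
        self._set(self.test_role)
        try:
            yield
        finally:
            # Runs on normal exit and on exceptions alike, so setup and
            # cleanup outside the block never run with the test role.
            self._set(self.admin_role)


def create_backup(switcher, allowed_roles):
    """Constructed API call: denied unless the current role is allowed."""
    if switcher.current not in allowed_roles:
        raise Forbidden(switcher.current)
    return "created-as-" + switcher.current


def run_case(allowed_roles):
    """Run one policy check; return (outcome, role afterwards, role history)."""
    switcher = FakeRoleSwitcher()
    try:
        with switcher.override_role():
            outcome = create_backup(switcher, allowed_roles)
    except Forbidden:
        outcome = "forbidden"
    return outcome, switcher.current, switcher.history
```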


Upgrade Notes
*************

* All of the identity v2.0 API tests have been removed from Patrole
  because the majority of the v2.0 API has been removed from the
  identity project.

* The "[rbac]" config group has been removed. Use the "[patrole]"
  group instead, which contains the exact same options.


Deprecation Notes
*****************

* The "switch_role" method in "rbac_utils" module has been
  deprecated and will be removed during the Rocky release cycle.

* The configuration option "[patrole] strict_policy_check" is
  deprecated and will be removed in the Rocky release cycle.

* Removed the following deprecated Patrole configuration options:

     * cinder_policy_file

     * glance_policy_file

     * keystone_policy_file

     * neutron_policy_file

     * nova_policy_file

  To specify the location of a custom policy file, use "[patrole]
  custom_policy_files" instead.
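
A configuration audit for the removals and deprecations listed in the Upgrade Notes and Deprecation Notes above, as an added example that is not part of Patrole. The function name, the sample file and its paths are constructed for illustration; the option and group names are the ones in these notes.

```python
# Added example: audit a Patrole config against the 0.3.0 release notes.
import configparser

# Options the release notes list as removed in favour of custom_policy_files.
REMOVED_POLICY_FILE_OPTS = (
    "cinder_policy_file", "glance_policy_file", "keystone_policy_file",
    "neutron_policy_file", "nova_policy_file",
)


def audit_patrole_config(text):
    """Return (severity, location, advice) tuples for a config file string."""
    # interpolation=None keeps '%' in values literal; strict=False tolerates
    # repeated keys.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    if parser.has_section("rbac"):
        findings.append(("error", "[rbac]",
                         "group removed; move its options to [patrole]"))
    for section in ("rbac", "patrole"):
        if not parser.has_section(section):
            continue
        for opt in REMOVED_POLICY_FILE_OPTS:
            if parser.has_option(section, opt):
                findings.append(("error", f"[{section}] {opt}",
                                 "removed; use [patrole] custom_policy_files"))
        if parser.has_option(section, "strict_policy_check"):
            value = parser.get(section, "strict_policy_check").strip().lower()
            findings.append(("warning", f"[{section}] strict_policy_check",
                             "deprecated; removal planned for the Rocky cycle"))
            if value in ("false", "0", "no", "off"):
                findings.append(("warning", f"[{section}] strict_policy_check",
                                 "set to False: an invalid policy action may "
                                 "not fail the test (false positive risk)"))
    return findings


# Constructed sample input; the file paths are placeholders.
SAMPLE_CONF = """\
[rbac]
nova_policy_file = /etc/nova/policy.json

[patrole]
glance_policy_file = /etc/glance/policy.json
strict_policy_check = False
"""

if __name__ == "__main__":
    for severity, location, advice in audit_patrole_config(SAMPLE_CONF):
        print(f"{severity:7} {location}: {advice}")
```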


Other Notes
***********

* The default value for "[patrole] strict_policy_check" has been
  changed to "True" because a Patrole test should always fail if the
  policy action is invalid, to avoid false positives.

* OpenStack releases supported after this release are **Queens** and
  **Pike**. The release under current development as of this tag is
  Rocky, meaning that every Patrole commit is also tested against
  master during the Rocky cycle. However, this does not necessarily
  mean that using Patrole as of this tag will work against a Rocky (or
  future release) cloud.

Changes in patrole 0.2.0..0.3.0
-------------------------------

b006983 Add releasenotes to mark the start of Queens support
938471b Remove all v2.0 identity API tests
6a8c08c RBAC tests for group type specs
ac2ee13 [Gate fix] Fix attach volume create server test timeout
686e0d9 Replace curly quotes with straight quotes
2189207 RBAC tests for reset group snapshot status policy
8731f7b Zuul: Remove project name
88061b7 Add waiter to test_manage_snapshot_rbac to fix data race
795dae5 Remove unnecessary dir 'legacy'
233b943 Zuul: Remove project name
1882e9b override_role cleanup: Remove superfluous call in rbac_rule_validation
ba816be Updated from global requirements
7676a21 Migrate to override_role for volume module (part 3)
398a09f Clean up exception message raised by policy authority module
50d52d7 Add tests for update group types for volume module
81a22b1 Add test coverage for volume types
e7d7c22 Make create_server tests more policy-granular
d67a92c Migrate to override_role for volume module (part 1)
8bd897b Optimize test_requireemtns.txt and requirements.txt
f58755b Updated from global requirements
58590ee Migrate to override_role for identity v2 module
e6a70a5 Updated from global requirements
da5ef5b Migrate to override_role for network security group tests
6dd2b01 Add Rbac test for "group_snapshot"
d1ce46a Migrate to override_role for image module (part 2)
1a7e0cf Migrate to override_role for network port tests
9da7440 Migrate to override_role for volume module (part 4)
f456a38 Migrate to override_role for volume module (part 2)
0eb2220 Migrate to override_role for volume module (last)
f50b461 Migrate to override_role for network test_networks_rbac
81949e6 Migrate to override_role for network metering tests
97ce5c7 Migrate to override_role for network metering_labels tests
dbb0895 Migrate to override_role for network multiprovider tests
0fb59a8 Migrate to override_role for network tests-2
c1b3005 Migrate to override_role for image module (part 1)
96f23c6 Migrate to override_role for network tests
80b9aab [docs] Fix weird indentation in documentation
211d4f9 Remove 'tempest' from patrole jobs name
017664f Migrate to override_role for compute module (part 3)
41eef07 Migrate to override_role for identity module (part 1)
97a97a2 Migrate to override_role for identity module (part 2)
d6f107a [Fix gate] Fix compute snapshot tests raising ServerFault
144ec1e [docs] Update rbac_utils.rst documentation
d5aee6c Fix wrong exception in test_snapshot_manage_rbac
e25d8a6 Add "snapshot_manage" Rbac test
ad2dd79 Fix min_microversion in volume test_groups_rbac
27e0c8e "get_association_qos" test using wrong policy rule
0085d32 Adding 'reset_group_status' rbac test
a8c25f0 [Gate fix] Change policy for create_port/update_port:fixed_ips
b9e3fd8 Adding Missing rbac test for Volume
2e2af48 [TrivialFix] Use _override_role in rbac_rule_validation
d278efe Migrate to override_role for compute module (part 2)
961212f Migrate to override_role for compute module (part 1)
07a1c17 Implement RbacUtilsMixin for base RBAC classes
9b4232a Remove unusued BaseV1ImageRbacTest class
017fcd6 Unskip volume show host test
087c010 Complete coverage for volume transfers policies
3bf15ef Updated from global requirements
d69a3f7 Update patrole entry_point plugin name
10e82fd Base implementation of override_role for automatic role re-switch
5fa20f7 Switch to use stestr for unit tests directly
c8ec1f6 Update documentation with rbac_utils details
25949b8 Remove dsvm prefix from in-repo zuul jobs
09a1833 Updated from global requirements
9792c16 Correct policy names for volume metadata tests
a4cccae Fix volume delete_group data race in clean up
b58c119 Remove deprecrated [rbac] config group
cb433c0 Improve gitignore for project
b3bf95e Additional volume quota set RBAC tests
f89b7f2 Add get_router high availaibility test policy
f14ce81 Add missing volume RBAC test
0fc826d Migrate to Zuul v3
eac9c8e Skip test_show_host volume test
f71def8 Deprecate strict_policy_enforce configuration option
c92846a Rename function name to avoid confusion
0cf00b4 Remove Cinder v2 RBAC tests
f07edf1 Remove setting of version/release from releasenotes
7a85dfe Add Pause/Unpause policy tests
c287389 Design principles README section
c269b9f Updated from global requirements
7ab96ce Add RBAC test for 'get_auth_domains'
d5a9ba9 Add 'fixed ips' APIs policy tests
e7f4ed6 Add RBAC tests for volume limits client
4c5dbdd Add 'show_trust' Policy Test for Identity
7c3ba05 Adding missing snapshot_metadata RBAC tests
bc058fc Correct policy action for backup export volume endpoint
912b9fe Add Show ' update_backup ' policy tests
1c4066a Correct policy action for reserve/unreserve volume actions
53530ad Correct policy action for attach/detach volume actions
501c828 Add Shelve/Unshelve policy tests
38f344b Fix six.reraise bug in rbac_rule_validation
b987141 RBAC test for unrescue server
bbd6a3c Remove deprecated custom policy file options
4bc86e8 Cover more 'floating ips' APIs for policy tests
b580963 Fix TypeError being raised by json.dumps in policy_authority
c6f7e22 Rename base.rebuild_server to base.recreate_server
4fb116e Add Show ' os-attach-interfaces ' policy tests
d35e8ad Skip floating IPs tests with new config options
098a8cd Auto-generate sample config file
d2f9f6e Use Tempest decorators in tempest.common.utils
c0188ef Clean up identity base class resources via addClassResourceCleanup
2cb5da9 Clean up image resource types class resources via addClassResourceCleanup
0dd58e7 Clean up network class resources via addClassResourceCleanup
e22ed5a Clean up namespace class resources via addClassResourceCleanup
21ab97e Clean up volume class resources via addClassResourceCleanup
906623e Image create v1/v2 compatible in compute test_images_rbac
1a9cd96 Clean up test_server_actions_rbac
b18a3f6 [flake8] Enable extra, optional hacking checks
bc6c682 Clean up compute class resources via addClassResourceCleanup
0f86ca4 RBAC tests for extended server attributes policies
1171b6f Add os-create-backup compute RBAC test
a63f854 [Gate Fix] Fix AttributeError in ServerActionsRbacTest
6836b87 Updated from global requirements
2466aeb Improve test coverage for flavor_access nova policies
b601740 Remove urllib3/requests from requirements
b3939a8 [Gate fix] Change expected_error_code to 403 for some subnetpool tests
7243075 RBAC tests for key_name in response
5ed98d7 Clean up rbac_rule_validation unit tests
2f8c888 [TrivialFix] Remove redundant function in RbacUtils class
f2b58d7 Update policy authority documentation
4af0345 Volume test for backup:backup_project_attribute
bf58a7f Fix flavor_rxtx_rbac
e0e2edc Remove a few tests from multinode gate
72b55d9 Add missing v3 volume tests for which v2 tests exist


Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |   7 +-
.mailmap                                           |   2 +
.stestr.conf                                       |   3 +
.testr.conf                                        |   7 -
.zuul.yaml                                         |  79 +++++
README.rst                                         |  29 ++
devstack/plugin.sh                                 |   5 +-
etc/config-generator.patrole.conf                  |   3 +
etc/patrole.conf.sample                            | 114 +++++++
patrole_tempest_plugin/config.py                   |  72 ++---
patrole_tempest_plugin/plugin.py                   |   6 -
patrole_tempest_plugin/policy_authority.py         | 108 ++++---
patrole_tempest_plugin/rbac_rule_validation.py     |  90 +++---
patrole_tempest_plugin/rbac_utils.py               | 175 ++++++-----
.../api/compute/test_availability_zone_rbac.py     |  12 +-
.../api/compute/test_flavor_extra_specs_rbac.py    |  33 +-
.../api/compute/test_floating_ip_pools_rbac.py     |  10 +-
.../api/compute/test_floating_ips_bulk_rbac.py     |  10 +-
.../compute/test_instance_usages_audit_log_rbac.py |  20 +-
.../api/compute/test_quota_class_sets_rbac.py      |  23 +-
.../api/compute/test_server_migrations_rbac.py     |  22 +-
.../test_server_misc_policy_actions_rbac.py        | 333 ++++++++++++++-------
.../compute/test_server_volume_attachments_rbac.py |  26 +-
.../identity/v3/test_domain_configuration_rbac.py  |  75 +++--
.../api/identity/v3/test_ep_filter_groups_rbac.py  |  31 +-
.../identity/v3/test_ep_filter_projects_rbac.py    |  28 +-
.../api/identity/v3/test_oauth_consumers_rbac.py   |  22 +-
.../api/identity/v3/test_oauth_tokens_rbac.py      |  36 +--
.../api/identity/v3/test_role_assignments_rbac.py  |  13 +-
.../api/identity/v3/test_tokens_negative_rbac.py   |  30 +-
.../api/image/test_image_namespace_objects_rbac.py |  30 +-
.../image/test_image_namespace_property_rbac.py    |  28 +-
.../api/image/test_image_namespace_tags_rbac.py    |  31 +-
.../api/image/test_image_resource_types_rbac.py    |  26 +-
.../api/network/test_metering_label_rules_rbac.py  |  28 +-
.../network/test_networks_multiprovider_rbac.py    |  20 +-
.../api/network/test_service_providers_rbac.py     |   4 +-
.../api/volume/test_snapshots_actions_rbac.py      |  46 ++-
.../api/volume/test_snapshots_metadata_rbac.py     |  62 +++-
.../api/volume/test_volume_basic_crud_rbac.py      |  34 +--
.../api/volume/test_volume_types_access_rbac.py    |  21 +-
.../volume/test_volume_types_extra_specs_rbac.py   |  33 +-
.../api/volume/test_volumes_snapshots_rbac.py      |  47 ++-
playbooks/patrole-admin/post.yaml                  |  80 +++++
playbooks/patrole-admin/run.yaml                   |  60 ++++
playbooks/patrole-member/post.yaml                 |  80 +++++
playbooks/patrole-member/run.yaml                  |  61 ++++
playbooks/patrole-multinode-admin/post.yaml        |  80 +++++
playbooks/patrole-multinode-admin/run.yaml         |  63 ++++
playbooks/patrole-multinode-member/post.yaml       |  80 +++++
playbooks/patrole-multinode-member/run.yaml        |  63 ++++
playbooks/patrole-py35-member/post.yaml            |  80 +++++
playbooks/patrole-py35-member/run.yaml             |  70 +++++
...up-project-attribute-test-504f053c6ec95b85.yaml |   6 +
...te-rbac-utils-switch-role-a959f7bb3ebab353.yaml |  13 +
...ict-policy-enforce-option-e15d2be4e753608e.yaml |  10 +
...xtended-server-attributes-36623af87e714369.yaml |   5 +
.../notes/flavor-rxtx-d7aadbb32a9f232c.yaml        |   5 +
releasenotes/notes/keypairs-c8355d9496f83f9f.yaml  |   5 +
.../os-create-backup-test-cd8037ea130c3d8d.yaml    |   5 +
...remove-named-policy-files-134f3045502e9ce9.yaml |  13 +
.../remove-rbac-config-group-097c200f3db99fad.yaml |   5 +
.../start-of-queens-support-6c379f2b9cafbf31.yaml  |  11 +
releasenotes/source/conf.py                        |  12 +-
requirements.txt                                   |  10 +-
setup.cfg                                          |   4 +-
test-requirements.txt                              |  15 +-
tox.ini                                            |  15 +-
166 files changed, 4957 insertions(+), 3384 deletions(-)


Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt
index 00c7e64..35c6038 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4 +3,0 @@
-hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
@@ -6,5 +5,4 @@ pbr!=2.1.0,>=2.0.0 # Apache-2.0
-urllib3>=1.21.1 # MIT
-oslo.log>=3.30.0 # Apache-2.0
-oslo.config!=4.3.0,!=4.4.0,>=4.0.0 # Apache-2.0
-oslo.policy>=1.23.0 # Apache-2.0
-tempest>=16.1.0 # Apache-2.0
+oslo.log>=3.36.0 # Apache-2.0
+oslo.config>=5.1.0 # Apache-2.0
+oslo.policy>=1.30.0 # Apache-2.0
+tempest>=17.1.0 # Apache-2.0
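
Review bot: the raised floors in this hunk (`tempest>=17.1.0` from `>=16.1.0`, `oslo.config>=5.1.0` from `>=4.0.0`, plus oslo.log and oslo.policy) are not mentioned in the Upgrade Notes, which cover only the identity v2.0 test removal and the "[rbac]" group removal. Installing 0.3.0 into an existing Tempest environment will pull in newer Tempest and oslo libraries, so an upgrade note stating the new minimum versions would help operators plan for it.
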
diff --git a/test-requirements.txt b/test-requirements.txt
index 0657438..add2388 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -4 +4 @@
-hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+hacking>=1.0.0 # Apache-2.0
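
Review bot: `hacking>=1.0.0` on the `+` line drops the upper bound the old pin carried (`<0.14`), so any later hacking release that adds or tightens checks is picked up automatically and can fail the style job on unchanged code. Suggest keeping a cap, for example `hacking>=1.0.0,<1.1.0`, and raising it deliberately.
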
@@ -6,2 +6,2 @@ hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
-sphinx>=1.6.2 # BSD
-openstackdocstheme>=1.16.0 # Apache-2.0
+sphinx!=1.6.6,>=1.6.2 # BSD
+openstackdocstheme>=1.18.1 # Apache-2.0
@@ -12,6 +12,3 @@ coverage!=4.4,>=4.0 # Apache-2.0
-nose # LGPL
-nosexcover # BSD
-oslotest>=1.10.0 # Apache-2.0
-oslo.policy>=1.23.0 # Apache-2.0
-oslo.log>=3.30.0 # Apache-2.0
-tempest>=16.1.0 # Apache-2.0
+nose>=1.3.7 # LGPL
+nosexcover>=1.0.10 # BSD
+oslotest>=3.2.0 # Apache-2.0
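
Review bot: `nose>=1.3.7` and `nosexcover>=1.0.10` are kept and given floors at the end of this hunk, while the change list includes 5fa20f7 "Switch to use stestr for unit tests directly" and the diffstat replaces .testr.conf with .stestr.conf. If no tox environment still invokes nose, drop both lines rather than pinning them; if one does, a comment naming it would justify the dependency. Removing oslo.policy, oslo.log and tempest from this file looks fine, since requirements.txt still lists all three.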





