[quality] patrole 0.3.0 (queens)
We jubilantly announce the release of:

patrole 0.3.0: Patrole is a tool for verifying that Role-Based Access
Control is being enforced across OpenStack deployments.

This release is part of the queens release series.

Download the package from:

    https://tarballs.openstack.org/patrole/

Please report issues through launchpad:

    https://bugs.launchpad.net/patrole

For more details, please see below.

0.3.0
^^^^^

Prelude
*******

This release marks the start of Queens release support in Patrole.

New Features
************

* Add RBAC test for "backup:backup_project_attribute" which verifies
  that the "os-backup-project-attr:project_id" attribute appears in
  the response body once policy enforcement succeeds.

* Implemented a new method "override_role" in "rbac_utils" module,
  which provides the exact same functionality as the now-deprecated
  "switch_role" method, with one difference: "override_role" is a
  contextmanager which provides better policy validation granularity.
  This means that immediately after the contextmanager's code has
  executed, the role is switched back to the admin role automatically.

* Add complete RBAC test coverage for the compute APIs that enforce:
  "os_compute_api:os-extended-server-attributes".

* test_flavor_rxtx_rbac now offers complete coverage for the
  os-flavor-rxtx policy.

* Adds tests to see if key_name is returned in server response to
  test_server_misc_policy_actions_rbac.

* Add RBAC test for creating a server backup, providing coverage for
  the policy action: "os_compute_api:os-create-backup".

Upgrade Notes
*************

* All of the identity v2.0 API tests have been removed from Patrole
  because the majority of the v2.0 API has been removed from the
  identity project.

* The "[rbac]" config group has been removed. Use the "[patrole]"
  group instead which contains the exact same options.

Deprecation Notes
*****************

* The "switch_role" method in "rbac_utils" module has been deprecated
  and will be removed during the Rocky release cycle.

* The configuration option "[patrole] strict_policy_check" is
  deprecated and will be removed in the Rocky release cycle.

* Removed the following deprecated Patrole configuration options:

  * cinder_policy_file

  * glance_policy_file

  * keystone_policy_file

  * neutron_policy_file

  * nova_policy_file

  To specify the location of a custom policy file, use "[patrole]
  custom_policy_files" instead.

Other Notes
***********

* The default value for "[patrole] strict_policy_check" has been
  changed to "True" because a Patrole test should always fail if the
  policy action is invalid, to avoid false positives.

* OpenStack Releases supported after this release are **Queens** and
  **Pike**.

  The release under current development of this tag is Rocky, meaning
  that every Patrole commit is also tested against master during the
  Rocky cycle. However, this does not necessarily mean that using
  Patrole as of this tag will work against a Rocky (or future release)
  cloud.

Changes in patrole 0.2.0..0.3.0
-------------------------------

b006983 Add releasenotes to mark the start of Queens support
938471b Remove all v2.0 identity API tests
6a8c08c RBAC tests for group type specs
ac2ee13 [Gate fix] Fix attach volume create server test timeout
686e0d9 Replace curly quotes with straight quotes
2189207 RBAC tests for reset group snapshot status policy
8731f7b Zuul: Remove project name
88061b7 Add waiter to test_manage_snapshot_rbac to fix data race
795dae5 Remove unnecessary dir 'legacy'
233b943 Zuul: Remove project name
1882e9b override_role cleanup: Remove superfluous call in rbac_rule_validation
ba816be Updated from global requirements
7676a21 Migrate to override_role for volume module (part 3)
398a09f Clean up exception message raised by policy authority module
50d52d7 Add tests for update group types for volume module
81a22b1 Add test coverage for volume types
e7d7c22 Make create_server tests more policy-granular
d67a92c Migrate to override_role for volume module (part 1)
8bd897b Optimize test_requireemtns.txt and requirements.txt
f58755b Updated from global requirements
58590ee Migrate to override_role for identity v2 module
e6a70a5 Updated from global requirements
da5ef5b Migrate to override_role for network security group tests
6dd2b01 Add Rbac test for "group_snapshot"
d1ce46a Migrate to override_role for image module (part 2)
1a7e0cf Migrate to override_role for network port tests
9da7440 Migrate to override_role for volume module (part 4)
f456a38 Migrate to override_role for volume module (part 2)
0eb2220 Migrate to override_role for volume module (last)
f50b461 Migrate to override_role for network test_networks_rbac
81949e6 Migrate to override_role for network metering tests
97ce5c7 Migrate to override_role for network metering_labels tests
dbb0895 Migrate to override_role for network multiprovider tests
0fb59a8 Migrate to override_role for network tests-2
c1b3005 Migrate to override_role for image module (part 1)
96f23c6 Migrate to override_role for network tests
80b9aab [docs] Fix weird indentation in documentation
211d4f9 Remove 'tempest' from patrole jobs name
017664f Migrate to override_role for compute module (part 3)
41eef07 Migrate to override_role for identity module (part 1)
97a97a2 Migrate to override_role for identity module (part 2)
d6f107a [Fix gate] Fix compute snapshot tests raising ServerFault
144ec1e [docs] Update rbac_utils.rst documentation
d5aee6c Fix wrong exception in test_snapshot_manage_rbac
e25d8a6 Add "snapshot_manage" Rbac test
ad2dd79 Fix min_microversion in volume test_groups_rbac
27e0c8e "get_association_qos" test using wrong policy rule
0085d32 Adding 'reset_group_status' rbac test
a8c25f0 [Gate fix] Change policy for create_port/update_port:fixed_ips
b9e3fd8 Adding Missing rbac test for Volume
2e2af48 [TrivialFix] Use _override_role in rbac_rule_validation
d278efe Migrate to override_role for compute module (part 2)
961212f Migrate to override_role for compute module (part 1)
07a1c17 Implement RbacUtilsMixin for base RBAC classes
9b4232a Remove unusued BaseV1ImageRbacTest class
017fcd6 Unskip volume show host test
087c010 Complete coverage for volume transfers policies
3bf15ef Updated from global requirements
d69a3f7 Update patrole entry_point plugin name
10e82fd Base implementation of override_role for automatic role re-switch
5fa20f7 Switch to use stestr for unit tests directly
c8ec1f6 Update documentation with rbac_utils details
25949b8 Remove dsvm prefix from in-repo zuul jobs
09a1833 Updated from global requirements
9792c16 Correct policy names for volume metadata tests
a4cccae Fix volume delete_group data race in clean up
b58c119 Remove deprecrated [rbac] config group
cb433c0 Improve gitignore for project
b3bf95e Additional volume quota set RBAC tests
f89b7f2 Add get_router high availaibility test policy
f14ce81 Add missing volume RBAC test
0fc826d Migrate to Zuul v3
eac9c8e Skip test_show_host volume test
f71def8 Deprecate strict_policy_enforce configuration option
c92846a Rename function name to avoid confusion
0cf00b4 Remove Cinder v2 RBAC tests
f07edf1 Remove setting of version/release from releasenotes
7a85dfe Add Pause/Unpause policy tests
c287389 Design principles README section
c269b9f Updated from global requirements
7ab96ce Add RBAC test for 'get_auth_domains'
d5a9ba9 Add 'fixed ips' APIs policy tests
e7f4ed6 Add RBAC tests for volume limits client
4c5dbdd Add 'show_trust' Policy Test for Identity
7c3ba05 Adding missing snapshot_metadata RBAC tests
bc058fc Correct policy action for backup export volume endpoint
912b9fe Add Show ' update_backup ' policy tests
1c4066a Correct policy action for reserve/unreserve volume actions
53530ad Correct policy action for attach/detach volume actions
501c828 Add Shelve/Unshelve policy tests
38f344b Fix six.reraise bug in rbac_rule_validation
b987141 RBAC test for unrescue server
bbd6a3c Remove deprecated custom policy file options
4bc86e8 Cover more 'floating ips' APIs for policy tests
b580963 Fix TypeError being raised by json.dumps in policy_authority
c6f7e22 Rename base.rebuild_server to base.recreate_server
4fb116e Add Show ' os-attach-interfaces ' policy tests
d35e8ad Skip floating IPs tests with new config options
098a8cd Auto-generate sample config file
d2f9f6e Use Tempest decorators in tempest.common.utils
c0188ef Clean up identity base class resources via addClassResourceCleanup
2cb5da9 Clean up image resource types class resources via addClassResourceCleanup
0dd58e7 Clean up network class resources via addClassResourceCleanup
e22ed5a Clean up namespace class resources via addClassResourceCleanup
21ab97e Clean up volume class resources via addClassResourceCleanup
906623e Image create v1/v2 compatible in compute test_images_rbac
1a9cd96 Clean up test_server_actions_rbac
b18a3f6 [flake8] Enable extra, optional hacking checks
bc6c682 Clean up compute class resources via addClassResourceCleanup
0f86ca4 RBAC tests for extended server attributes policies
1171b6f Add os-create-backup compute RBAC test
a63f854 [Gate Fix] Fix AttributeError in ServerActionsRbacTest
6836b87 Updated from global requirements
2466aeb Improve test coverage for flavor_access nova policies
b601740 Remove urllib3/requests from requirements
b3939a8 [Gate fix] Change expected_error_code to 403 for some subnetpool tests
7243075 RBAC tests for key_name in response
5ed98d7 Clean up rbac_rule_validation unit tests
2f8c888 [TrivialFix] Remove redundant function in RbacUtils class
f2b58d7 Update policy authority documentation
4af0345 Volume test for backup:backup_project_attribute
bf58a7f Fix flavor_rxtx_rbac
e0e2edc Remove a few tests from multinode gate
72b55d9 Add missing v3 volume tests for which v2 tests exist

Diffstat (except docs and test files)
-------------------------------------

.gitignore | 7 +-
.mailmap | 2 +
.stestr.conf | 3 +
.testr.conf | 7 -
.zuul.yaml | 79 +++++
README.rst | 29 ++
devstack/plugin.sh | 5 +-
etc/config-generator.patrole.conf | 3 +
etc/patrole.conf.sample | 114 +++++++
patrole_tempest_plugin/config.py | 72 ++---
patrole_tempest_plugin/plugin.py | 6 -
patrole_tempest_plugin/policy_authority.py | 108 ++++---
patrole_tempest_plugin/rbac_rule_validation.py | 90 +++---
patrole_tempest_plugin/rbac_utils.py | 175 ++++++-----
.../api/compute/test_availability_zone_rbac.py | 12 +-
.../api/compute/test_flavor_extra_specs_rbac.py | 33 +-
.../api/compute/test_floating_ip_pools_rbac.py | 10 +-
.../api/compute/test_floating_ips_bulk_rbac.py | 10 +-
.../compute/test_instance_usages_audit_log_rbac.py | 20 +-
.../api/compute/test_quota_class_sets_rbac.py | 23 +-
.../api/compute/test_server_migrations_rbac.py | 22 +-
.../test_server_misc_policy_actions_rbac.py | 333 ++++++++++++++-------
.../compute/test_server_volume_attachments_rbac.py | 26 +-
.../identity/v3/test_domain_configuration_rbac.py | 75 +++--
.../api/identity/v3/test_ep_filter_groups_rbac.py | 31 +-
.../identity/v3/test_ep_filter_projects_rbac.py | 28 +-
.../api/identity/v3/test_oauth_consumers_rbac.py | 22 +-
.../api/identity/v3/test_oauth_tokens_rbac.py | 36 +--
.../api/identity/v3/test_role_assignments_rbac.py | 13 +-
.../api/identity/v3/test_tokens_negative_rbac.py | 30 +-
.../api/image/test_image_namespace_objects_rbac.py | 30 +-
.../image/test_image_namespace_property_rbac.py | 28 +-
.../api/image/test_image_namespace_tags_rbac.py | 31 +-
.../api/image/test_image_resource_types_rbac.py | 26 +-
.../api/network/test_metering_label_rules_rbac.py | 28 +-
.../network/test_networks_multiprovider_rbac.py | 20 +-
.../api/network/test_service_providers_rbac.py | 4 +-
.../api/volume/test_snapshots_actions_rbac.py | 46 ++-
.../api/volume/test_snapshots_metadata_rbac.py | 62 +++-
.../api/volume/test_volume_basic_crud_rbac.py | 34 +--
.../api/volume/test_volume_types_access_rbac.py | 21 +-
.../volume/test_volume_types_extra_specs_rbac.py | 33 +-
.../api/volume/test_volumes_snapshots_rbac.py | 47 ++-
playbooks/patrole-admin/post.yaml | 80 +++++
playbooks/patrole-admin/run.yaml | 60 ++++
playbooks/patrole-member/post.yaml | 80 +++++
playbooks/patrole-member/run.yaml | 61 ++++
playbooks/patrole-multinode-admin/post.yaml | 80 +++++
playbooks/patrole-multinode-admin/run.yaml | 63 ++++
playbooks/patrole-multinode-member/post.yaml | 80 +++++
playbooks/patrole-multinode-member/run.yaml | 63 ++++
playbooks/patrole-py35-member/post.yaml | 80 +++++
playbooks/patrole-py35-member/run.yaml | 70 +++++
...up-project-attribute-test-504f053c6ec95b85.yaml | 6 +
...te-rbac-utils-switch-role-a959f7bb3ebab353.yaml | 13 +
...ict-policy-enforce-option-e15d2be4e753608e.yaml | 10 +
...xtended-server-attributes-36623af87e714369.yaml | 5 +
.../notes/flavor-rxtx-d7aadbb32a9f232c.yaml | 5 +
releasenotes/notes/keypairs-c8355d9496f83f9f.yaml | 5 +
.../os-create-backup-test-cd8037ea130c3d8d.yaml | 5 +
...remove-named-policy-files-134f3045502e9ce9.yaml | 13 +
.../remove-rbac-config-group-097c200f3db99fad.yaml | 5 +
.../start-of-queens-support-6c379f2b9cafbf31.yaml | 11 +
releasenotes/source/conf.py | 12 +-
requirements.txt | 10 +-
setup.cfg | 4 +-
test-requirements.txt | 15 +-
tox.ini | 15 +-
166 files changed, 4957 insertions(+), 3384 deletions(-)

Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt index 00c7e64..35c6038 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4 +3,0 @@ -hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 @@ -6,5 +5,4 @@ pbr!=2.1.0,>=2.0.0 # Apache-2.0 -urllib3>=1.21.1 # MIT -oslo.log>=3.30.0 # Apache-2.0 -oslo.config!=4.3.0,!=4.4.0,>=4.0.0 # Apache-2.0 -oslo.policy>=1.23.0 # Apache-2.0 -tempest>=16.1.0 # Apache-2.0 +oslo.log>=3.36.0 # Apache-2.0 +oslo.config>=5.1.0 # Apache-2.0 +oslo.policy>=1.30.0 # Apache-2.0 +tempest>=17.1.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 0657438..add2388 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4 +4 @@ -hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 +hacking>=1.0.0 # Apache-2.0 
@@ -6,2 +6,2 @@ hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 -sphinx>=1.6.2 # BSD -openstackdocstheme>=1.16.0 # Apache-2.0 +sphinx!=1.6.6,>=1.6.2 # BSD +openstackdocstheme>=1.18.1 # Apache-2.0 @@ -12,6 +12,3 @@ coverage!=4.4,>=4.0 # Apache-2.0 -nose # LGPL -nosexcover # BSD -oslotest>=1.10.0 # Apache-2.0 -oslo.policy>=1.23.0 # Apache-2.0 -oslo.log>=3.30.0 # Apache-2.0 -tempest>=16.1.0 # Apache-2.0 +nose>=1.3.7 # LGPL +nosexcover>=1.0.10 # BSD +oslotest>=3.2.0 # Apache-2.0
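
Review bot: in requirements.txt, the -6,5 +5,4 hunk removes `urllib3>=1.21.1` outright while raising the floors of oslo.log, oslo.config, oslo.policy and tempest. Confirm that nothing under patrole_tempest_plugin still imports urllib3 directly, otherwise it is only satisfied transitively. The raised minimums (tempest 16.1.0 to 17.1.0, oslo.policy 1.23.0 to 1.30.0) also deserve a line under Upgrade Notes, which currently mentions only the removed v2.0 tests and the "[rbac]" group.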
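
Review bot: in test-requirements.txt, the -4 +4 hunk replaces `hacking!=0.13.0,<0.14,>=0.12.0` with `hacking>=1.0.0`, which drops the upper bound. With no ceiling, a later hacking release can add checks that fail the style job without any change in this repository, and this range already enables extra optional hacking checks (b18a3f6). Consider keeping an explicit cap next to the new floor.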
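
Review bot: in test-requirements.txt, the -12,6 +12,3 hunk keeps nose and nosexcover and gives them floors (`nose>=1.3.7`, `nosexcover>=1.0.10`), although the same release range contains "Switch to use stestr for unit tests directly" and swaps .testr.conf for .stestr.conf. If no job still invokes nose, removing both lines would shrink the test dependency set instead of pinning unused packages. Dropping the oslo.policy, oslo.log and tempest entries here looks right, since requirements.txt already carries them.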
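
The "override_role" behaviour described under New Features (the role reverts to admin as soon as the block finishes), sketched as an added example that is not Patrole's own code. `RoleSwitcher`, `call_api`, `run_rbac_check` and the role and policy values are hypothetical stand-ins.

```python
import contextlib


class Forbidden(Exception):
    """Stands in for the HTTP 403 a policy-protected API returns."""


class RoleSwitcher:
    # Toy model of a role-switching helper. Hypothetical class, not
    # Patrole's rbac_utils implementation.
    def __init__(self, role_under_test):
        self.role_under_test = role_under_test
        self.role = "admin"

    @contextlib.contextmanager
    def override_role(self):
        # Only the with-block body runs under the role being validated.
        self.role = self.role_under_test
        try:
            yield
        finally:
            # Reached on success and on Forbidden alike, so setup and
            # cleanup outside the block always run as admin.
            self.role = "admin"


def call_api(switcher, step, allowed_roles, log):
    # Constructed policy check: record which role performed each step.
    log.append((step, switcher.role))
    if switcher.role not in allowed_roles:
        raise Forbidden(step)


def run_rbac_check(role_under_test, delete_roles):
    """Return (outcome, log) for one create/delete/cleanup test flow."""
    switcher, log = RoleSwitcher(role_under_test), []
    call_api(switcher, "create_volume", {"admin"}, log)       # setup
    try:
        with switcher.override_role():
            call_api(switcher, "delete_volume", delete_roles, log)
        outcome = "allowed"
    except Forbidden:
        outcome = "forbidden"
    call_api(switcher, "cleanup", {"admin"}, log)             # teardown
    return outcome, log


if __name__ == "__main__":
    print(run_rbac_check("member", {"admin"}))
    print(run_rbac_check("member", {"admin", "member"}))
```

In both runs only `delete_volume` is logged under the tested role; setup and cleanup stay on admin even when the call is rejected.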