We are jazzed to announce the release of:
patrole 0.4.0: Patrole is a tool for verifying that Role-Based Access Control is being enforced across OpenStack deployments.
This release is part of the rocky release series.
The source is available from:
https://git.openstack.org/cgit/openstack/patrole
Download the package from:
https://tarballs.openstack.org/patrole/
Please report issues through launchpad:
https://bugs.launchpad.net/patrole
For more details, please see below.
0.4.0
^^^^^
Prelude
*******
This release tags Patrole for the OpenStack Rocky release. After this release, Patrole will support the following OpenStack releases:
* Rocky
* Queens
* Pike
Current development of Patrole targets the OpenStack Stein development cycle. Every Patrole commit is also tested against master during the Stein cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Stein (or future release) cloud.
New Features
************
* In order to strive toward complete test coverage for the services it tests, Patrole now offers RBAC coverage for the APIs included in neutron-tempest-plugin. If this plugin is not installed or enabled, then Patrole will skip those tests.
* A new configuration group "[policy_feature_enabled]" has been added to Patrole which will be responsible for collecting the feature flags to be used for newly introduced policies or policies that were changed in a backwards-incompatible way.
  * create_port_fixed_ips_ip_address_policy (Neutron)
  * update_port_fixed_ips_ip_address_policy (Neutron)
  * limits_extension_used_limits_policy (Cinder)
  * volume_extension_volume_actions_attach_policy (Cinder)
  * volume_extension_volume_actions_reserve_policy (Cinder)
  * volume_extension_volume_actions_unreserve_policy (Cinder)
  These feature flags will be supported until the Pike release cycle is EOL.
* Patrole now offers support for multiple policies. The "rules" argument has been added to the "rbac_rule_validation.action" decorator, which takes a list of policy names which Patrole will use to determine the expected test result. This allows Patrole to more accurately determine whether RBAC is configured correctly, since some API endpoints enforce multiple policies.
Multiple policy support includes the capability to specify multiple expected error codes, as some components may return different error codes for different roles due to checking multiple policy rules. The "expected_error_codes" argument has been added to the "rbac_rule_validation.action" decorator, which is a list of error codes expected when the corresponding rule in the "rules" list is disallowed to perform the API action. For this reason, the error codes in the "expected_error_codes" list must appear in the same order as their corresponding rules in the "rules" list. For example:
  expected_error_codes[0] is the error code for the rules[0] rule.
  expected_error_codes[1] is the error code for the rules[1] rule.
  ...
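As an added illustration (not Patrole's code and not part of the release notes), the following simplified model shows how position-paired "rules" and "expected_error_codes" produce an expected result per role, and how a mis-ordered list misclassifies a correct response. The role grants in SAMPLE_POLICY, the function names, and the choice of the first disallowed rule's code are assumptions made for the example.

```python
# Added example: simplified model, not Patrole's implementation.
# SAMPLE_POLICY is constructed data: the roles each policy rule admits.
SAMPLE_POLICY = {
    "get_network": {"admin", "member", "reader"},
    "update_network": {"admin", "member"},
}


def expected_outcome(role, rules, expected_error_codes, policy=SAMPLE_POLICY):
    """Return ("allow", None) or ("deny", code) for a role.

    Assumption: if several rules are disallowed, the code paired with
    the first disallowed rule in `rules` is the one expected.
    """
    if len(rules) != len(expected_error_codes):
        raise ValueError("rules and expected_error_codes differ in length")
    for rule, code in zip(rules, expected_error_codes):
        if rule not in policy:
            # An unknown policy name is an error, never a silent pass.
            raise KeyError("invalid policy rule: %s" % rule)
        if role not in policy[rule]:
            return ("deny", code)
    return ("allow", None)


def classify(role, rules, expected_error_codes, observed_status):
    """Compare an observed HTTP status with the expected outcome."""
    verdict, code = expected_outcome(role, rules, expected_error_codes)
    succeeded = observed_status < 400
    if verdict == "allow":
        return "ok" if succeeded else "under-permission"
    if succeeded:
        return "over-permission"
    return "ok" if observed_status == code else "unexpected-error-code"


if __name__ == "__main__":
    rules, codes = ["get_network", "update_network"], [404, 403]
    for role, status in [("admin", 200), ("reader", 403), ("reader", 200)]:
        print(role, status, classify(role, rules, codes, status))
    # Same rules with the codes in the wrong order: a correct 403 is flagged.
    print(classify("reader", rules, [403, 404], 403))
```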
Upgrade Notes
*************
* The "admin_only" kwarg has been removed from the "rbac_rule_validation" decorator because it is no longer used by any tests. Besides that, it should not be used because Patrole is dedicated to RBAC testing and an admin-only check is not RBAC because it does not use the "oslo.policy" library.
* The "switch_role" method in the "rbac_utils" module has been removed because it is a clunky way of manipulating Tempest roles to achieve RBAC testing. Use "override_role" instead.
* The "[patrole].strict_policy_check" option was deprecated during the Queens release cycle. It is removed in this release cycle because Patrole should always fail on invalid policies.
Deprecation Notes
*****************
* The "[patrole].enable_rbac" option is deprecated and will be removed during the "S" release. This is a legacy option that was meaningful downstream when Patrole was a suite of tests inside Tempest itself. Now that Patrole exists upstream as a Tempest plugin, it is paradoxical to install the Patrole plugin yet have an option that allows all Patrole tests to be skipped. This option is at odds with the current Patrole architecture.
  To skip RBAC tests going forward, with the Patrole Tempest plugin already installed, use an appropriate regex.
* The "rule" argument in the "rbac_rule_validation.action" decorator has been deprecated in favor of "rules".
The "expected_error_code" argument in the "rbac_rule_validation.action" decorator has been deprecated in favor of "expected_error_codes".
Changes in patrole 0.3.0..0.4.0
-------------------------------
9ee07cf Fix 'ref' format errors in README file
cad317e Add releasenote to tag the Patrole for Rocky release
73d9f95 Add tests to cover flavors
2cc271c Add tests to cover auto_allocated_topology
3e98fe4 Update segments rbac tests with error codes
1d82978 Reset ntp_client cached token in override_role context
a137576 Improve tests for test_volume_basic_crud.py
8390341 Deprecate enable_rbac configuration option
d48d892 Remove misleading todo from config.py
d067148 Add tests to cover segments
2ee0db0 Add list backups with details for backup:backup_project_attribute
9d45e40 Adds create_network tests for missing policy actions
f8d1c74 Adds the following tests for update_network:
1884c57 Increase test stability of backup RBAC tests
e917655 Docs: Add RBAC overview documentation
fdc4514 trivial: Fix HACKING.rst nits causing rendering issues
f6ffb8b Add README in the devstack folder
eb197db Add REVIEWING documentation
51299a1 Improve exception that is raised following invalid service
561d028 Cap additional nova-network tests at Queens
299b9d4 Bump hacking to 1.1.0
1bbf48e followup: Include spec/discussion references
f800a1c Add documentation explaining why Patrole tests aren't in Tempest
e5ee4be docs: Add symlink to readme from overview documentation
f16b6b3 Update overpermission/underpermission rbac exceptions
d91c124 Change Neutron tests to use multi-policy support
f5ed588 trivial: Drop empty services folder under patrole_tempest_plugin
318fa3b Use tempest-multinode-full parent for multinode Zuul jobs
c0cb7eb multi policy: Fix logging issues with multiple policies
543f7b9 docs: Add Patrole overview documentation
ddac38b Limit .zuul.yaml gate jobs to most important jobs only
1bed58b Add fixed ip cleanup to test_add_fixed_ip
e7679f7 Fix Neutron-related return values on some list APIs
35a7711 Add support for handling multiple error codes
2fc2929 Gate fix: Rename Member (legacy) to member role
5da0aad Gate fix: Cap nova-network tests at Queens
383960d Drop old README file
ece376d Remove duplicate test_unmanage_volume test
57ab8c4 Remove duplicate subnet tests fromt test_networks_rbac module
3056b98 Wait for interface to detach for all interface tests
d0ddf7d Add RBAC tests for identity v3 application credentials API
8251477 Refactor `test_confirm_resize_server` to pass for all roles
68f4c2f fix tox python3 overrides
66d54a9 Docs: Add requirements authority module to documentation
bc865df Fix test_volume_upload BadRequest error
2880cad Remove RBAC test_volume_list_image_metadata test case
ac3e85d Move VirtualInterfacesRbacTest into separate module
778b780 Add docstrings for requirements_authority module
31e308e Move RbacAuthority class into separate module
9ae705d Docs: Add documentation on policy feature flags
f1ba5ae Wait for interface to detach for required tests
97117b0 Fix typos for custom requirements config options descriptions
7cd2161 fix typos in documentation
443d39c docs: Add Patrole RBAC field guide
94fc2ca [trivial] Update short-hand doc reference with real link
44d7784 Update rbac_rule_validation for multi-policy support
4c3ae9b Make patrole-member job run for queens and pike branches
739041f feature flag: Policy feature enabled config group
3896908 Create or attach interface should use specific network
58515ed Gate fix: Cap hacking to avoid gate failure
6c0f40a Add waiters to Nova tests to prevent tearDown failures
af81f05 Add skip check to 'test_update_volume_attachment'
d737199 Rephrase Patrole skip message for better sorting
7dec873 Always use correct host for aggregates test suite
05c8597 [TrivialFix] Use tempest.config instead of oslo_config.cfg
d0c6929 Add RBAC tests for identity v3 project tags
8d29e70 Fix test_show_server_usage not checking expected attributes
c330bab Add max microversion = 2.42 for compute host tests
88d4fc7 Set max microversion for some hypervisor tests to 2.52
0ad6bde Increase RBAC test coverage for floating ips bulk API
04352ea Set max_microversion 2.43 for virtual_interfaces tests
3d8623d Fix: Set max_microversion to 2.38 for image metadata compute tests
b43c486 Drop min_microversion = '2.10' from compute test
445c48b RBAC test for Keystone v3 OS-ENDPOINT-POLICY API
2fe986d Add functools.wraps decorator to rbac_rule_validation
4ef7e53 Remove already-deprecated strict_policy_check option
1c8620a Remove deprecated switch_role method
8669a51 add lower-constraints job
932b81d Update docs building
bb46c5a Fix a bug in patrole documentation.
6da23e6 Fix tests for snapshots extended_snapshot_attributes policy
f918e08 Add RBAC test for listing snapshots with details
55bc499 Updated from global requirements
097d94c Patrole base job as zuulv3 native
5ca7ada Add releasenotes page for v0.3.0
3f67a39 [Fix Gate] Fix network segments policy test raising 503
f9ace2b [docs] Add information about supported & stable tests
318a0bf Remove admin_only kwarg from rbac_rule_validation decorator
0548f03 Add v0.2.0 releasenotes page
6e86fc1 Increase coverage for volume metadata tests
bb1ebaa Fix test_limits_rbac not checking for expected response
b437ae1 Add RBAC test for show_encryption_specs_item
Diffstat (except docs and test files)
-------------------------------------
.zuul.yaml | 156 ++++++-
HACKING.rst | 113 +++--
README.rst | 200 +++++++--
REVIEWING.rst | 136 ++++++
devstack/README.rst | 25 ++
devstack/plugin.sh | 25 +-
etc/patrole.conf.sample | 110 +++--
lower-constraints.txt | 84 ++++
patrole_tempest_plugin/README.rst | 5 -
patrole_tempest_plugin/config.py | 121 ++++--
patrole_tempest_plugin/hacking/checks.py | 4 +-
patrole_tempest_plugin/plugin.py | 21 +-
patrole_tempest_plugin/policy_authority.py | 24 +-
patrole_tempest_plugin/rbac_authority.py | 38 ++
patrole_tempest_plugin/rbac_exceptions.py | 30 +-
patrole_tempest_plugin/rbac_rule_validation.py | 326 ++++++++++-----
patrole_tempest_plugin/rbac_utils.py | 92 ++--
patrole_tempest_plugin/requirements_authority.py | 54 ++-
patrole_tempest_plugin/services/__init__.py | 0
.../api/compute/test_floating_ips_bulk_rbac.py | 68 ++-
.../test_server_misc_policy_actions_rbac.py | 130 ++++--
.../compute/test_server_volume_attachments_rbac.py | 9 +
.../api/compute/test_virtual_interfaces_rbac.py | 64 +++
.../v3/test_application_credentials_rbac.py | 85 ++++
.../identity/v3/test_policy_association_rbac.py | 152 +++++++
.../api/identity/v3/test_project_tags_rbac.py | 96 +++++
.../network/test_auto_allocated_topology_rbac.py | 44 ++
.../api/network/test_metering_label_rules_rbac.py | 5 +-
.../api/network/test_network_segments_rbac.py | 122 ++++++
.../network/test_networks_multiprovider_rbac.py | 99 -----
.../api/volume/test_snapshots_metadata_rbac.py | 9 -
.../api/volume/test_volume_basic_crud_rbac.py | 33 +-
.../api/volume/test_volumes_snapshots_rbac.py | 88 ++--
playbooks/patrole-admin/post.yaml | 80 ----
playbooks/patrole-admin/run.yaml | 60 ---
playbooks/patrole-member/post.yaml | 80 ----
playbooks/patrole-member/run.yaml | 61 ---
playbooks/patrole-multinode-admin/post.yaml | 80 ----
playbooks/patrole-multinode-admin/run.yaml | 63 ---
playbooks/patrole-multinode-member/post.yaml | 80 ----
playbooks/patrole-multinode-member/run.yaml | 63 ---
playbooks/patrole-py35-member/post.yaml | 80 ----
playbooks/patrole-py35-member/run.yaml | 70 ----
...on-tempest-plugin-clients-c031e232021b390c.yaml | 7 +
...patible-rule-feature-flag-ebe8b44c0aa663a8.yaml | 16 +
...recate-enable-rbac-option-1e499bb0914cdee8.yaml | 13 +
.../multi-policy-support-4e5c8b4e9e25ad9d.yaml | 31 ++
.../patrole-rocky-release-e6f36691306bec7e.yaml | 14 +
.../remove-admin-only-kwarg-919f1a4797318a33.yaml | 8 +
...ve-deprecated-switch-role-148c9a5c6796857f.yaml | 6 +
...emove-strict-policy-check-480e3d664f7b2d96.yaml | 6 +
releasenotes/source/index.rst | 8 +-
releasenotes/source/v0.2.0.rst | 6 +
releasenotes/source/v0.3.0.rst | 6 +
requirements.txt | 2 +-
setup.cfg | 6 -
test-requirements.txt | 6 +-
tox.ini | 30 +-
106 files changed, 4350 insertions(+), 1789 deletions(-)
Requirements updates
--------------------
diff --git a/requirements.txt b/requirements.txt index 35c6038..cc13aa9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -6 +6 @@ oslo.log>=3.36.0 # Apache-2.0 -oslo.config>=5.1.0 # Apache-2.0 +oslo.config>=5.2.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index add2388..9085c07 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4,5 +4 @@ -hacking>=1.0.0 # Apache-2.0 - -sphinx!=1.6.6,>=1.6.2 # BSD -openstackdocstheme>=1.18.1 # Apache-2.0 -reno>=2.5.0 # Apache-2.0 +hacking>=1.1.0,<1.2.0 # Apache-2.0
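Review bot: In requirements.txt, the raised floor `oslo.config>=5.2.0` needs a matching pin in lower-constraints.txt, which the diffstat shows being added in this same range. If that file still lists an older oslo.config, the lower-constraints job will not exercise the minimum declared here.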
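Review bot: In test-requirements.txt, sphinx, openstackdocstheme and reno are dropped with no replacement visible in this hunk, and the diffstat excludes docs files, so confirm they now live in a docs requirements file that the docs and release-notes builds install. The new upper bound in `hacking>=1.1.0,<1.2.0` would also benefit from a trailing comment saying why the cap exists, so it is not loosened by a later requirements sync.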