We high-spiritedly announce the release of: patrole 0.1.0: Patrole is a tool for verifying that Role-Based Access Control is being enforced across OpenStack deployments. This is the first release of patrole. This release is part of the pike release series. The source is available from: http://git.openstack.org/cgit/openstack/patrole Download the package from: https://tarballs.openstack.org/patrole/ Please report issues through launchpad: http://bugs.launchpad.net/patrole For more details, please see below. 0.1.0 ^^^^^ This release marks the first release for Patrole, tagged as 0.1.0. New Features ************ * Add additional compute hypervisor RBAC tests, so that the previously missing hypervisor endpoints are covered. Tests for the following endpoints were written: * show_hypervisor * list_servers_on_hypervisor * show_hypervisor_statistics * show_hypervisor_uptime * search_hypervisor * Added an RBAC test for force-deleting a backup which enforces the cinder policy action: "volume_extension:backup_admin_actions:force_delete". * Adds test for glance's add_metadef_resource_type_association policy. * Add RBAC tests for cinder os-quota-class-sets API, which cover the policy action "volume_extension:quota_classes". * Refactored framework to remove unused "path" argument. Added config options to allow the path to the policy.json files for Nova, Keystone, Cinder, Neutron, and Glance to be configured without needing to manually change code. * Adds RBAC tests for the domain configuration Keystone v3 extension API. * Adds RBAC tests for the encryption types client. * Adds RBAC tests for the project-related endpoints belonging to the OS-EP-FILTER Keystone v3 extension API. * Add RBAC test for listing hypervisors with details. * Merges *rbac_auth* with *rbac_rule_validation*, because *rbac_auth* decentralized logic from *rbac_rule_validation* without providing any authentication-related utility. This change facilitates code maintenance and code readability. * Adds RBAC tests for the Nova os-volumes API which is deprecated from microversion 2.36 onward. * Added RBAC test for the volume services API, which covers the following policy action: "volume_extension:services:index". * Added test for volume summary API. * Added tests for volumes client functions set bootable, reserve, unreserve, and update metadata. Bug Fixes ********* * Corrected the policy action in the "rbac_rule_validation" decorator for the test "test_snapshot_force_delete" from "volume_extension:volume_admin_actions:force_delete" to "volume_extension:snapshot_admin_actions:force_delete". * Removed "rule" kwarg from "rbac_rule_validation" decorator for identity v2 admin tests, because the identity v2 admin API does not do policy enforcement, and instead checks whether the request object has "context_is_admin". Other Notes *********** * Patrole currently supports RBAC testing for Cinder, Glance, Nova, Neutron and Keystone. The release under current development as of this tag is Pike, meaning that every Patrole commit is also tested against master branch during the Pike cycle. However, this does not necessarily mean that using Patrole as of this tag will work against Pike (or future releases) cloud. In addition, backward compatibility with previous releases is not guaranteed. * Updated the class names for identity v2 tests to include the "Admin" substring, to convey the fact that these tests are only intended to test the v2 admin API, not the v2 API. * Renamed update metadata item and delete metadata item tests to accurately reflect what actions are being performed. Changes in patrole 859beb410fa8aaba4a7e6c52a8a5c9ffcd451fea..0.1.0 ------------------------------------------------------------------ b6f415f List hypervisors with details rbac test 0441eab Adds volume summary test reno e52cbc6 Fix rbac_rule_validation log statement raises TypeError 944e8bc Fix compute create volume test race condition 9621202 Remove incorrect compute min_microversions 682a598 Prepare release notes for release 0.1.0 20359be Fix setup.cfg using incorrect entry point 83cb0be Add oslo.policy requirement to requirements.txt fba3135 Removes client aliases b35de58 Remove singleton from RbacUtils constructor 1461ddc Fix plugin.py test directory 20e780f Include class name in resource names for resource cleanup debugging 4bf66a2 Hacking: enable extensions H106, H203 and H904 980bff3 Extra hypervisor rbac tests c15af32 [Gate fix] Fix volume metadata RBAC tests 4cf2ffb Identity V3 Tests - Domain Configurations d12d2eb Remove enforce_type=True from oslo.config set_override d2e2074 Nova test for Volume client 581268e Remove unnecessary create_volume calls b18f98b Add RBAC tests for v3 auth policy actions d55e786 Rename "Rbac Flag" to "Rbac testing" in skip exceptions 0854ded Adds initial hacking checks to Patrole 7cec526 Corrects compute microversion docstrings f1bd2b0 Volume services rbac test 4e9a496 Remove cinder v1 artifacts from code base f6b69e2 Change "admin" literal for admin role to CONF admin_role bbde022 Added stable interface and release information to documentation 3c3fc9a Consolidates rbac_base for v2 and v3 identity tests d7120bb Add force detach volume test. 2c9e3a4 Removes force_backup_delete test 6345995 Adds create metadef resource test e7e552e [Fix gate] Fix failing identity v2 admin tests 45c2b35 Remove heat tests from patrole d0b747b Add RBAC tests for cinder os-quota-class-sets API b45a05e Add RBAC test for force-deleting a backup f568d04 Adds missing volumes client tests c82ce14 Replace generic api_extensions checks 78fc489 Merge rbac_auth with rbac_rule_validation 85f79d7 Creates config options for policy.json paths edcdbec Stop using aliases for creds manager b059d49 Fix up test_volume_actions_rbac 1fa5b2e Keystone v3 tests for endpoint filters for projects e2bfb85 Add additional tests to test_images_rbac 6704253 Add encryption types test b89e584 Move tests from volumes into volumes actions. 2297aa1 Add RBAC test cases to manage cinder volume 7bc35dc Improve patrole core documentation ae7d7bb Fix: the tox cover job was not updating coverage report. 6ed0e03 Adding server evacuate test e46a27d Remove skip exception from virtual interfaces test e7df9c4 Increase unit test coverage for policy parser. 5c4b97d Add volume user messages rbac test 3f4158d Identity V3 Tests - Domains fd1db98 Identity trust rbac tests a810851 Add capabilities and scheduler stats tests a7a2916 Create heat-specific patrole gate 94c1cc6 Add RBAC tests for namespace_tags_client. 6a99c56 Remove admin namespace throughout Patrole - Identity tests 4d6264c Fix non-existent cinder policy action tests. 9909ac6 Remove admin namespace throughout Patrole - Nova tests 706fd34 Remove admin namespace throughout Patrole - Volume tests ba4881b Fix _validate_switch_role throwing incorrect error message 1529351 Fix rbac_rule_validation test being incorrectly skipped 75f2363 Renames switchToRbacRole to toggle_rbac_role a7409cf Fix volume transfers rbac test 6b6c610 Add py3.5 support in setup.cfg 521e5c1 Fix role validation edge case bug in rbac_utils f01a48f RBAC test for compute os-multinic policy action. b83861c Add RBAC tests for the Nova images API. aa19530 Add implied roles rbac tests to identity v3. 7aae506 Fix test_migration_live throwing AttributeError. 9af4e53 Update installation guide fa01d5f Add role-switching validation to Patrole framework. f512433 Identity V3 (ext) Tests - Oauth Consumers 90c7eef Update post_test_hook to use multinode environment. fb18579 Add role assignments rbac tests to identity v3. 78b1925 Fix check-uuid not working 934acae Refactor identity v3 rbac_base to use classmethods. 6da4d21 Identity V3 Tests - Roles ae2ebab Modify policy parser to combine custom and default policy files. d4a4aa6 Add heat resource types rbac tests. ee0205d Compute API Compute Flavor Rxtx Test. 06e3bc6 Tag additional slow tests to run in slow gate. dcddd6e Network tests should take advantage of net_utils to find unused ip. 0d88008 Improve Patrole config options 59c886c Add new regex for "slow test" gate 8eda8cc Refactors exceptions in rbac_rule_validation decorator. 2d95e9d Remove special_fields definition from volume tests. 42933e5 Add server tests for nova. 68015d1 Adding compute server tests 479c603 Add missing requirements ae9db6f Fix oslo_debug_helper not running e1014be Standardize tox 89f498f Configure devstack gate to use UUID tokens 8ec953f Identity V3 rbac_base method refactor 7bae840 Identity V3 tests - Regions 6ebeed0 Fixes IpAddressAlreadyAllocated thrown by fixed_ip port tests. d5d76b8 Fix failing v2 identity user tests by adding admin_only kwarg. c01b1e6 Fix failing neutron port tests for Member role. ca8844b Enhance test_server_actions_rbac with create image actions. 0d537ea Fixes server fault thrown by delete password compute rbac test. 1299894 Enhance validation decorator with error code 280a2a0 Fixes failing flavor access tests for Member role. 9abe87d Fixes router external_fixed_ip tests sometimes failing with Conflict. da03cc0 Update Cinder test that incorrectly handles 404 23923f0 Partially revert removal of time.sleep if v3 auth enabled in conf. 18120de Fixes instance actions compute rbac test failing for Member role. 68d9223 Fixes v3 identity tests with policy actions with rule admin_or_owner. 48c913d Throw skipException for invalid policy actions. 09698bb Fixes test_volume_backup_delete failing during tearDown. 3874300 Fix broken volume tests 426f3cb Compute API Quota Sets RBAC tests. 8590c0c Removal of re-switching of rbac-role from tearDown 61b9049 Switch to admin role during client set up to fix some gate bugs. dbea7df Fixes test_images_member_rbac missing os credentials for image v2. 86fdd63 Decrease overall run time when identity auth is set to v3. d5bd33b Add switchToRbacRole=True to test instance actions in compute. 503c557 Add service validation to Patrole framework 8a8b59f Fix for V2 image failing test cases. 613de66 Fixes many failing identity tests for member. ef1d21d Removing unused admin_client e68ac0b Add negative lookahead to post_test_hook to skip slow tests. 18d92b5 Add @test.attr(type='slow') to slow tests to reduce test run time. 69dacff Fix failing compute volume attachment tests. 52c5565 Add post_test_hook.sh to Patrole. 4a611bf Switch to use stable data_utils 6448b4a Add pip install patrole command to pre_test_hook.sh. 9dd3d31 Compute API Server Actions Test 2c0c55a Default rbac_flag = True for testing in gates. ac64829 Neutron tests - Security Groups 1ee5f4d Fix test coverage tox command for patrole. d028a7e Orchestration API config tests 1272679 Users RBAC test for Keystone API v2 users 313a7f8 Add pre_test_hook.sh for devstack tempest gates. b3b7bc8 Increase unit test coverage for rbac_utils. 8deb578 Compute API Keypairs e6aa86b Cinder tests - Volume types c27904d Cinder tests for Volume hosts policy actions 8913879 Compute API Server Tags Test 34a138c Refactors Patrole framework to only use admin tenant credential type. 889264e Enhance rbac policy parser to correctly interpret user_id policy actions. fc29958 Compute API Suspend Server Test df95870 Changes tox to only run unit tests and moves unit tests to tests/unit. 89cc76d Assisted Volume snapshot RBAC test for Compute v2.1 API roles bada30a Compute API Server Password Test 34552b1 Roles RBAC test for Keystone API v2 roles 322c5b6 Change name of rbac_role_converter to rbac_policy_parser. e87b92e Compute API Server Actions Test bd75098 Adds missing switch to rbac role function call to hypervisors compute test. 8c8e417 Add compute API test for config_drive policy action. 5b9ff75 Compute API Deferred Delete Tests 82443c7 Compute API Availability Zone Tests 1dc1125 Add Subnetpool test cases for RBAC. Rename FloatingIps class name to follow naming convention. 6e8f1e3 Fix for few failing network rbac tests 48c36ce Add floating IP test cases for RBAC. b0475fa Enhance test_server_actions_rbac with index/detail/show server actions. 874222f Add multi-provider networks test cases for RBAC. 8337289 Add metering labels and metering label rules test cases for RBAC. 3a6e3ca Compute API Compute Tenant Networks Tests. dc0ef43 Compute API Instance Usage Audit Log Test. 43ffff3 Compute API Compute Flavor Extra Specs Test. 1b17ee2 Fix for typo of correct volume status b911cc2 Fix for V3 identity failing test cases. d8e4e20 Compute API Aggregates Tests 317b0cc Fix for V2 identity failing test cases. 47056d5 Compute API Floating Ip Pools Test d972919 Renamed Glance test file 7029349 Identity V3 Tests - Policies c3f1c61 Compute API Floating Ips Bulk Tests. cf937f1 Compute API Floating Ips Tests. 84d6d9f Remove discoverable test from compute tests. 33e707d Compute API Agents Tests 83cfad3 Compute API Attach Interfaces Tests. ec28743 Compute API Ips Tests. 7990e52 Compute Admin Server Actions Test 7c46d45 Services test for Keystone version 2 api services 3094936 Compute API Hosts Tests. e9babc6 Identity V3 Tests - Groups 6770009 Projects test for Keystone version 2 api projects b46c30c Compute API Flavor Access Tests. f170f8a Keystone tests - v2 Endpoints ba6c929 Identity V3 tests - Endpoints 1a2186b Neutron tests - Routers bbf9369 Tests for compute security groups. 1246308 Compute API Hypervisor Tests. afddb37 Removes test_access_ips_rbac test because it cannot be tested. 3485a3c Identity V3 Tests - Services 5e05bdd Fixes test_absolute_limits testing the wrong action. 4b51a0d Compute API Instance Actions Tests. ffc2100 Neutron tests - Ports 09cd3a7 Identity V3 Tests - Projects 26b46da Identity V3 Tests - Credentials 9d0d7d6 Identity V3 tests - Users aab4feb Compute API Migrations Tests. 7807ced Compute API Rescue Test. 2d2b890 Compute API Server Diagnostics Test. 2e3bbd3 Compute API Server Groups Test. d203a1c Compute API Server Usage Test. cef6e13 Fix volume transfers RBAC tests 193c7e3 Compute API Server Volume Attachments Test. a6348e1 Copyright and other information correctness ac7c230 Cinder tests - Volume snapshot metadata ebb7c44 Compute Access IPs tests b0c0486 Compute API Services Test. 0066e2b Compute API Simple Tenant Usage Tests 9fc782e Fixes policy rules in neutron containing the keyword tenant_id. e679c14 Cinder tests - Volume backend f17ed2d Cinder tests - Volume transfers be97eb2 Cinder tests - Volume actions 575dd64 Glance tests - Image Metadef Namespace Properties 9c97850 Improve is_admin support in Patrole converter framework. a6fab3b Glance tests - Image Metadef Namespace Resource Types 1d60d6a Glance tests - Image Metadef Namespace and Namespace Objects b25f93d Fixed AT&T Copyright statements eb7e7be Cinder tests - Volume List 5e93025 Cinder tests - Volume Snapshots 652e2a2 Removing rbac_roles from config.py. bf335e9 Cinder tests - Volume QOS 5f8c46b Glance tests - API version 1 e178c30 Rbac tests for compute absolute limits 71704ba Cinder tests - Volume Extend e36e59a Cinder tests - Volume Extensions c079936 Cinder tests - Volume Availability Zone 511c46e Fix volume test copyrights cbd0617 Add try/except block to rbac_rule_validation. b059565 Fixes converter not working for certain edge cases. d1c72e3 Fixes outdated CONF setting in test_networks_rbac. 2006807 Refactor rbac_base class b71cf16 Initial neutron tests db7f981 Glance tests - Image Member 45bc1a6 Improve documentation 3589f2b Initial Cinder tests d35eef2 Cinder tests - Volume Quotas 36eba5e Initial Cinder tests 7cff6d2 Initial Cinder tests da434a2 Initial Cinder tests 25fc8c5 Remove 'MANIFEST.in' 645dfc9 Switch to oslo_log 3bbdd62 update homepage with developer documentation page 617a2a5 Initial glance tests 029d8c3 Initial functionality framework. Includes: rbac_util - Utility for switching between roles for tests. rbac_auth - Determines if a given role is valid for a given api call. rbac_rule_validation - Determines if a allowed proper access and denied improper access (403 error) rbac_role_converter - Converts policy.json files into a list of api's and the roles that can access them. 663aedf Initial Cookiecutter commit Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..6871057 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,11 @@ +# The order of packages is significant, because pip processes them in the order +# of appearance. Changing the order has an impact on the overall integration +# process, which may cause wedges in the gate later. +hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 +pbr>=1.8 # Apache-2.0 +urllib3>=1.15.1 # MIT +oslo.log>=3.11.0 # Apache-2.0 +oslo.config>=3.22.0 # Apache-2.0 +oslo.policy>=1.17.0 # Apache-2.0 +tempest>=14.0.0 # Apache-2.0 +stevedore>=1.20.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt new file mode 100644 index 0000000..7c97fa7 --- /dev/null +++ b/test-requirements.txt @@ -0,0 +1,16 @@ +# The order of packages is significant, because pip processes them in the order +# of appearance. Changing the order has an impact on the overall integration +# process, which may cause wedges in the gate later. +hacking>=0.12.0,!=0.13.0,<0.14 # Apache-2.0 + +sphinx>=1.2.1,!=1.3b1,<1.4 # BSD +oslosphinx>=4.7.0 # Apache-2.0 +reno>=1.8.0 # Apache-2.0 +mock>=2.0 # BSD +coverage>=4.0 # Apache-2.0 +nose # LGPL +nosexcover # BSD +oslotest>=1.10.0 # Apache-2.0 +oslo.policy>=1.17.0 # Apache-2.0 +oslo.log>=3.11.0 # Apache-2.0 +tempest>=12.1.0 # Apache-2.0