We enthusiastically announce the release of:

patrole 0.2.0: Patrole is a tool for verifying that Role-Based Access Control is being enforced across OpenStack deployments.

This release is part of the pike release series.

Download the package from:

    https://tarballs.openstack.org/patrole/

Please report issues through launchpad:

    https://bugs.launchpad.net/patrole

For more details, please see below.

0.2.0
^^^^^

Prelude
*******

This release marks the start of support for the Pike release in Patrole.

New Features
************

* Add security groups and server security groups tests to the Nova RBAC tests.

* Add additional port-related RBAC tests to "test_ports_rbac" in the network module, providing coverage for the following policy actions:

  * create_port:device_owner
  * create_port:port_security_enabled
  * create_port:binding:profile
  * update_port:device_owner

* Add additional RBAC tests for the network routers API, providing coverage for the following policy actions:

  * create_router:ha
  * create_router:distributed
  * get_router:distributed
  * update_router:ha
  * update_router:distributed

* Added tests to test_agents_rbac.py for the PUT and DELETE endpoints.

* Add an RBAC test for communitizing an image, providing coverage for the policy action "communitize_image".

* Adds tests for the compute snapshot APIs.

* Adds tests for os-console-output and os-remote-console to the compute module.

* Added an RBAC network test for listing DHCP agents on a hosting network, providing coverage for the "get_dhcp-agents" policy.

* Add the new configuration option "[rbac] custom_policy_files", allowing users to specify a list of paths to search for custom policy files. Each policy path is assumed to include the service name exactly once. Patrole is also assumed to be on the same host as the policy files. The paths should be ordered by precedence, with high-priority paths before low-priority paths. The first path that is found to contain the service's policy file will be used.
* Add group-specific RBAC tests for the identity v3 extension API, OS-EP-FILTER, providing coverage for the following policy actions:

  * identity:create_endpoint_group
  * identity:list_endpoint_groups
  * identity:show_endpoint_group (get endpoint group)
  * identity:check_endpoint_group
  * identity:list_endpoint_group (get endpoint groups)
  * identity:update_endpoint_group
  * identity:delete_endpoint_group

* Add RBAC tests for APIs that enforce "os_compute_api:os-extended-availability-zone".

* Added RBAC tests for the volume type access and volume type extra specs APIs, providing coverage for the following policy actions:

  * "volume_extension:types_extra_specs"
  * "volume_extension:volume_type_access"
  * "volume_extension:volume_type_access:addProjectAccess"
  * "volume_extension:volume_type_access:removeProjectAccess"

* Add test coverage for the os-flavor-manage compute API, which includes tests for the following policy actions:

  * "os_compute_api:os-flavor-manage:create"
  * "os_compute_api:os-flavor-manage:delete"

* Add RBAC tests related to the "image_size" compute policy action: "os_compute_api:image-size".

* Adds tests for Nova's lock_server policies: lock, unlock, and unlock_override.

* Add additional RBAC tests to "VolumesBackupsRbacTest", providing coverage for "volume_extension:backup_admin_actions:reset_status".

* Add a Patrole DevStack plugin, allowing Patrole to be installed using DevStack by adding "enable_plugin patrole" to the "local" section of local.conf.
* Added a new logging feature which logs the result of each Patrole test. The format of the new log output is:

  "[Service]: %s, [Test]: %s, [Rule]: %s, [Expected]: %s, [Actual]: %s"

  where each "%s" is a string that contains:

  * [Service] - The OpenStack service being tested (Nova, Neutron, etc.)
  * [Test] - The name of the test function being invoked (e.g. test_list_aggregate_rbac)
  * [Rule] - The name of the rule the Patrole test is testing (e.g. os_compute_api:os-aggregates)
  * [Expected] - The expected outcome (one of Allowed/Denied)
  * [Actual] - The actual outcome from the Patrole test (one of Allowed/Denied/Error)

  This logging feature has three config variables, all in a new config group "patrole_log":

  * enable_reporting: enables or disables the enhanced RBAC reporting
  * report_log_name: the name of the log file to write
  * report_log_path: the path (relative or absolute) of the log file to write

* Add RBAC tests for os_compute_api:os-extended-status, which validate that the following attributes are present in the relevant response bodies:

  * OS-EXT-STS:task_state
  * OS-EXT-STS:vm_state
  * OS-EXT-STS:power_state

* Add RBAC tests for the os-extended-volumes:volumes_attached policies, which validate that "os-extended-volumes:volumes_attached" is returned in the response body.
* Implements RBAC tests for the Tempest network agents_client, providing coverage for the following policies:

  * update_agent
  * get_agent
  * create_dhcp-network
  * delete_dhcp-network
  * get_dhcp-networks
  * create_l3-router
  * delete_l3-router
  * get_l3-routers

* Add RBAC tests for the compute quota class sets API, providing coverage for the following policy actions:

  * os_compute_api:os-quota-class-sets:show
  * os_compute_api:os-quota-class-sets:update

* Add RBAC tests for the compute server metadata API, providing coverage for the following policy actions:

  * os_compute_api:server-metadata:index
  * os_compute_api:server-metadata:update_all
  * os_compute_api:server-metadata:create
  * os_compute_api:server-metadata:show
  * os_compute_api:server-metadata:update
  * os_compute_api:server-metadata:delete

* Adds a test for Neutron's get_service_provider policy.

* Add RBAC tests for the network subnet endpoints, providing coverage for the following policy actions:

  * create_subnet
  * get_subnet
  * update_subnet
  * delete_subnet

* Add an RBAC test for updating the default subnetpool, providing coverage for the policy action "update_subnetpool:is_default".

* Add support for running Patrole against a custom requirements YAML that defines RBAC requirements. The YAML file lists all the APIs and the roles that should have access to them. The purpose of running Patrole against a requirements YAML is to verify that the RBAC policy is in accordance with deployment-specific requirements. Running Patrole against a requirements YAML is completely optional and can be enabled by setting the "[rbac] test_custom_requirements" option to True in Tempest's configuration file. The requirements YAML must be located on the same host that Patrole runs on.

* Add test_oauth_tokens_rbac.py with RBAC test cases related to the OS-OAUTH1 Keystone v3 extension API.

* Added RBAC test scenarios for the token-related v3 identity API.

* Added RBAC test scenarios for the token-related admin v2 identity API.
* Add a test for updating a volume group, providing coverage for the group:update policy action.

* Add an RBAC test to provide coverage for the following cinder policy: "volume_extension:volume_actions:upload_public".

* Add RBAC tests for the volume v3 groups and group types APIs, providing coverage for the following policy actions:

  * group:create
  * group:get
  * group:get_all
  * group:delete
  * group:group_types_manage
  * group:access_group_types_specs

Deprecation Notes
*****************

* The "[rbac]" configuration group has been deprecated and will be removed in the next release. Use the "[patrole]" group instead, which has exactly the same options.

* Deprecate the following configuration options from the "[rbac]" group:

  * cinder_policy_file
  * glance_policy_file
  * keystone_policy_file
  * neutron_policy_file
  * nova_policy_file

  It is better to use "[rbac] custom_policy_files", which supports any OpenStack service.

* Glance v1 APIs are deprecated and v2 APIs are current. Glance v1 API calls are removed from the volume tests and the Glance v1 RBAC tests are removed.

* Remove the assisted volume snapshot RBAC tests, because the Tempest client does not yet exist.

Bug Fixes
*********

* Add a microversion check to test_security_groups_rbac, as the tests in this file will fail with a 404 after 2.36.

* Rename test_server_security_groups to test_list_security_groups to properly reflect the test actually being run.

* Add "test.requires_ext" above tests that require the "binding" extension.

Other Notes
***********

* OpenStack releases supported after this release are **Pike**. The release under current development as of this tag is Queens, meaning that every Patrole commit is also tested against master during the Queens cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Queens (or future release) cloud.
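The "[rbac] custom_policy_files" option described under New Features resolves each service's policy file by walking the configured paths in precedence order and taking the first one that exists. The following is an added example, not Patrole's own policy discovery code, that implements that rule. It assumes the service name is spliced into each path through a single "%s" placeholder (the note only says the path includes the service name once), and the directory layout it builds is constructed for the demonstration.

```python
"""Resolve a service's policy file from an ordered list of search paths.

Added example, not Patrole's code. Assumption: each configured path carries
the service name as exactly one "%s" placeholder.
"""
import os
import shutil
import tempfile


def find_policy_file(custom_policy_files, service):
    """Return the first existing policy file for ``service``, or None.

    ``custom_policy_files`` is ordered highest priority first. A template
    without exactly one "%s" is rejected instead of being skipped, because a
    misconfigured high-priority entry would otherwise silently push every
    service down to a lower-priority (possibly stale) policy file.
    """
    for template in custom_policy_files:
        if template.count("%s") != 1:
            raise ValueError(
                "policy path must contain the service name exactly once: %r"
                % template)
        candidate = template % service
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Exercise the precedence rule on a constructed directory tree.

    Returns service -> path relative to the temporary root, or None when no
    policy file was found for that service.
    """
    root = tempfile.mkdtemp()
    try:
        # Constructed layout: an operator override directory that holds a
        # policy for nova only, plus stock /etc-style files for nova and
        # neutron. Nothing exists for cinder.
        for rel in ("override/nova/policy.json",
                    "etc/nova/policy.json",
                    "etc/neutron/policy.json"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("{}\n")

        search_paths = [
            os.path.join(root, "override", "%s", "policy.json"),  # high priority
            os.path.join(root, "etc", "%s", "policy.json"),       # low priority
        ]
        result = {}
        for service in ("nova", "neutron", "cinder"):
            found = find_policy_file(search_paths, service)
            result[service] = os.path.relpath(found, root) if found else None
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for service, path in demo().items():
        print("%-8s -> %s" % (service, path))
```

Order is the whole point of this option: if a stale copy of a service's policy file is left in a higher-priority directory, every RBAC test for that service is validated against the stale file and passes or fails for the wrong reasons, so keep override directories as short-lived as the overrides themselves.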
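For the "[rbac] test_custom_requirements" feature under New Features, here is a minimal authority that answers whether a role is expected to be allowed a given policy action. It is an added example rather than Patrole's requirements_authority module: the YAML shape (service, then policy action, then the roles that must be allowed) is an assumption, only that two-level shape is parsed so the example needs no PyYAML, and the role assignments in the sample file are invented even though the policy actions are ones listed in these notes.

```python
"""Check roles against a deployment-specific RBAC requirements file.

Added example, not Patrole's code. The YAML layout below is assumed:
service -> policy action -> list of roles that must be allowed.
"""

# Constructed requirements file; role assignments are invented.
SAMPLE_REQUIREMENTS = """\
# roles that must be allowed to perform each policy action
nova:
  "os_compute_api:os-flavor-manage:create":
    - admin
  "os_compute_api:server-metadata:index":
    - admin
    - member
neutron:
  "create_port:device_owner":
    - admin
  "get_subnet":
    - admin
    - member
    - reader
"""


def load_requirements(text):
    """Parse the two-level YAML subset into {service: {action: set(roles)}}.

    Only the layout shown in SAMPLE_REQUIREMENTS is accepted; anything else
    raises so a malformed file cannot be read as "no requirements".
    """
    reqs = {}
    service = action = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if body.startswith("- "):
            if action is None:
                raise ValueError("role listed outside an action: %r" % raw)
            reqs[service][action].add(body[2:].strip())
        elif indent == 0 and body.endswith(":"):
            service = body[:-1]
            action = None
            reqs.setdefault(service, {})
        elif body.endswith(":"):
            if service is None:
                raise ValueError("action listed outside a service: %r" % raw)
            action = body[:-1].strip("\"'")
            reqs[service].setdefault(action, set())
        else:
            raise ValueError("unrecognised line: %r" % raw)
    return reqs


def is_allowed(reqs, service, action, role):
    """True if the requirements say ``role`` must be allowed ``action``.

    An action that is not listed at all raises KeyError on purpose: a gap in
    the requirements file should surface, not be read as an implicit deny.
    """
    return role in reqs[service][action]


def expected_outcome(reqs, service, action, role):
    """Map a requirement to the Allowed/Denied vocabulary of the per-test log."""
    return "Allowed" if is_allowed(reqs, service, action, role) else "Denied"


def actions_for_role(reqs, role):
    """All (service, action) pairs a role must be allowed: a quick audit view."""
    return {(svc, act)
            for svc, actions in reqs.items()
            for act, roles in actions.items()
            if role in roles}


if __name__ == "__main__":
    reqs = load_requirements(SAMPLE_REQUIREMENTS)
    for role in ("admin", "member", "reader"):
        print(role, sorted(actions_for_role(reqs, role)))
```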
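An added example, not part of Patrole, showing how the per-test log described under New Features can be consumed: it parses records in the documented "[Service]: ..., [Actual]: ..." format and separates the finding that matters most for a security review, a rule the policy was expected to deny but the API actually allowed, from over-restrictive rules and test errors. The sample lines are constructed; the rule names are ones listed in these notes, and every test name other than test_list_aggregate_rbac is invented.

```python
"""Triage Patrole's per-test RBAC log for policy gaps.

Added example, not Patrole's code. Parses the documented record format:
"[Service]: %s, [Test]: %s, [Rule]: %s, [Expected]: %s, [Actual]: %s"
"""
import re

LINE_RE = re.compile(
    r"^\[Service\]: (?P<service>[^,]+), "
    r"\[Test\]: (?P<test>[^,]+), "
    r"\[Rule\]: (?P<rule>[^,]+), "
    r"\[Expected\]: (?P<expected>Allowed|Denied), "
    r"\[Actual\]: (?P<actual>Allowed|Denied|Error)$")

# Constructed log; the last line stands in for unrelated logger output.
SAMPLE_LOG = """\
[Service]: Nova, [Test]: test_list_aggregate_rbac, [Rule]: os_compute_api:os-aggregates, [Expected]: Denied, [Actual]: Denied
[Service]: Neutron, [Test]: test_create_port_device_owner, [Rule]: create_port:device_owner, [Expected]: Denied, [Actual]: Allowed
[Service]: Nova, [Test]: test_create_flavor, [Rule]: os_compute_api:os-flavor-manage:create, [Expected]: Allowed, [Actual]: Denied
[Service]: Cinder, [Test]: test_reset_backup_status, [Rule]: volume_extension:backup_admin_actions:reset_status, [Expected]: Allowed, [Actual]: Error
this line is not a patrole record
"""


def parse_line(line):
    """Return the record's fields as a dict, or None if the line is not one."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def classify(record):
    """Map Expected/Actual to a verdict.

    over_permissive: policy should have denied the role but the API allowed it
    over_restrictive: policy should have allowed the role but the API denied it
    error: the test could not reach a verdict and needs manual follow-up
    """
    expected, actual = record["expected"], record["actual"]
    if actual == "Error":
        return "error"
    if expected == actual:
        return "ok"
    return "over_permissive" if actual == "Allowed" else "over_restrictive"


def triage(log_text):
    """Return (verdict counts, over-permissive findings, unparsed line count)."""
    counts = {"ok": 0, "over_permissive": 0, "over_restrictive": 0, "error": 0}
    findings = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed += 1
            continue
        verdict = classify(record)
        counts[verdict] += 1
        if verdict == "over_permissive":
            findings.append((record["service"], record["rule"], record["test"]))
    return counts, findings, unparsed


if __name__ == "__main__":
    counts, findings, unparsed = triage(SAMPLE_LOG)
    print(counts, "unparsed:", unparsed)
    for service, rule, test in findings:
        print("POLICY GAP %s %s (%s)" % (service, rule, test))
```

Treating "Error" as its own bucket rather than folding it into either side matters: an errored test is neither evidence that the rule is enforced nor that it is not, and a run with many errors should not be read as a clean RBAC result.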
Changes in patrole 0.1.0..0.2.0
-------------------------------

45fffa5 Prepare release notes for release 0.2.0
88a5bab Rename rbac_policy_parser to policy_authority
7f8993f Add a per-test log
3983d13 RBAC tests for os-extended-volumes policies
c27a62f Fix router tests expecting wrong error code
25b1281 [TrivialFix] Move security group tests into correct test file
bc39ee8 Do not use test.get_service_list()
d889ffd Updated from global requirements
dc73cff Remove identity v3 change_password test
9d086ab Use create_test_server for attach volume server test
146735d Test coverage for compute flavor_manage policies
5f72954 RBAC tests for extended availability zone policies
6056d6b Move some slow tests into the multinode gate
2a3b513 Docstring for RbacAuthority class.
39c460b Updated from global requirements
3e14f47 Use configured admin creds in rbac utils
01d633b Update rbac_rule_validation docstrings
f6eb862 Deprecate [rbac] configuration group.
b6a9c21 Adds unit tests for hacking checks
11b0232 Update and replace http with https for doc links in patrole
2693bf7 Only sleep following a role switch
d2fcf03 Add RBAC test for updating volume group
36bea05 Adds meaningful exceptions for missing attributes
6f663e0 Update the documentation link
0df097d Remove usage of credentials_factory.AdminManager
4360a29 Fix a comment issue
428c44a Adds update and delete agent tests
7de1905 Update tox to correctly use OS_TEST_PATH
8a043fb Change rbac_utils.RbacUtils is_admin to function
0328650 RBAC tests for os-extended-status policies
10fdf98 Move instance actions test into misc policy actions file
7b9ae3f Updated from global requirements
d8e0d08 Updated from global requirements
7be94e8 Switch to enabled version of identity clients
c7880ac Replace test.attr with decorators.attr
ffa47e6 Create rbac utils fixture and refactor tests
864b0f3 Add missing test for os-instance-usage-audit-log
268b71d Update URLs in documents according to document migration
7c7b570 README: Fix headers
e8d93e0 Remove need to include admin in credentials in base classes
780210d Rewrite Patrole README to be high-level document
ccfa23e Add missing v3 token related testcases
8a5f69a docs: Update configuration docs
c8a5e29 Update test.attr to decorators.attr
e922e1e Updates test_volume_types_extra_specs_rbac
6c068fc Move config drive tests into misc policy actions file
d55dec5 Updated from global requirements
6b1a2f4 [Gate fix] Fix volumes_client AttributeError
e85d266 Replace inconsistent skipException messages
529988b Correct policy action for check_endpoint_group test
0cef808 Unit tests for dynamic policy file discovery
d982731 Move virtual interfaces test into misc policy actions file
3ab2c35 Dynamic policy file discovery
7de839d Doc warnings as errors
ed95005 Add support for testing custom RBAC requirements
a7d9425 Group together tests that create server and require network resources
4047a19 Move tenant usage tests into misc policy actions file
c971b45 Updated from global requirements
dea1384 Add docstring for rbac_rule_validation is_authorized
3203253 Replace os with os_primary
9f1b60f Add test cases for oauth1 token related APIs.
1430ac2 RBAC tests for volume v3 groups and group types
a662f82 Minimize number of servers created for more tests
6661e2f Additional volume v2 backup RBAC tests
34193e3 Switch from oslosphinx to openstackdocstheme
0f010a5 RBAC tests for compute quota class sets
4781dc9 Replace the usage of 'admin_manager' with 'os_admin'
7a52b61 Policy update for volume v2 qos-specs RBAC tests
a20add2 Use admin creds for waiting
5c12849 Remove unused create_test_server
1e0a20d Remove unnecessary LOG/CONF statements
f85cedc Add missing v2 token related testcases
c5ebd76 Identity v3 RBAC Tests - EP Filter Groups
54959dd Minimize number of servers created for certain tests
973a1bc Docstring for rbac_rule_validation _get_exception_type
d9607c4 Refactor policy parser init so that validate service is in helper
c471d41 Volume test for volume_extension:volume_actions:upload_public
93dae2a Add waiter to test_volume_backup_delete
747e029 Adds lock server tests
65ce70d Fix snapshot rbac test race condition
e8f7917 Additional network router RBAC tests
3c1de67 Subnet rbac tests
1442d57 RBAC tests for Tempest network agents_client
7b761b8 Adds server security group tests
4aa609e Fix test_volumes_snapshots_rbac throwing BadRequest
c458932 Show team and repo badges on README
1b7d5d5 Adds service_providers client tests
f98d8b8 Patrole should only test glance v2 api.
f129686 Fix volume backup tests throwing BadRequest
94c9a47 Update Patrole documentation
7888d97 Clean up test_admin_password_rbac
8fe31c2 Adds extension skip checks for Neutron tests
57127fd Remove support for py34
12a52d9 Add vol extra specs/type access RBAC tests
757ea55 Fix test_force_detach_volume_from_instance
189e138 Adds console output RBAC tests
b573cea Update plugin.py
c1f67b2 Correct reno list formatting
9a6f20f Adds tests for compute snapshots API
31b968d Optimize the link address
9817838 RBAC test for update_subnetpool:is_default
7ae2ff1 Add a page for release 0.1.0 to release notes
3fde3cb RBAC test for "dhcp_agent_scheduler" network policy
7942336 Update test/installation documentation
dca00e8 Add RBAC test for communitize_image policy
17e9b49 Add rbac_utils is_admin helper method
ace85ac RBAC tests for image_size compute policy action.
eeb271a [Gate fix] Fix py35 gate due to incompatible import
dd02c62 Additional port-related RBAC tests
a44dddf Patrole devstack plugin
6e78dca [Gate fix] Fix test_server_actions raising BadRequest
cd87077 Add hacking check to enforce no client aliases
96f826d Compute server metadata rbac tests
e6fbe0f Remove assisted volume snapshot RBAC tests

Diffstat (except docs and test files)
-------------------------------------

.testr.conf | 2 +-
CONTRIBUTING.rst | 17 -
HACKING.rst | 13 +-
README.rst | 206 +++----
contrib/post_test_hook.sh | 83 ---
contrib/pre_test_hook.sh | 18 -
devstack/plugin.sh | 35 ++
devstack/settings | 8 +
patrole_tempest_plugin/config.py | 146 ++++-
patrole_tempest_plugin/hacking/checks.py | 43 +-
patrole_tempest_plugin/plugin.py | 50 +-
patrole_tempest_plugin/policy_authority.py | 264 +++++++++
patrole_tempest_plugin/rbac_exceptions.py | 31 +-
patrole_tempest_plugin/rbac_policy_parser.py | 232 --------
patrole_tempest_plugin/rbac_rule_validation.py | 267 ++++++---
patrole_tempest_plugin/rbac_utils.py | 173 ++++--
patrole_tempest_plugin/requirements_authority.py | 72 +++
.../api/compute/test_admin_server_actions_rbac.py | 65 ---
.../compute/test_assisted_volume_snapshot_rbac.py | 73 ---
.../api/compute/test_attach_interfaces_rbac.py | 92 ----
.../api/compute/test_flavor_extra_specs_rbac.py | 2 +-
.../api/compute/test_instance_actions_rbac.py | 56 --
.../compute/test_instance_usages_audit_log_rbac.py | 18 +-
.../api/compute/test_quota_class_sets_rbac.py | 84 +++
.../api/compute/test_server_diagnostics_rbac.py | 44 --
.../api/compute/test_server_migrations_rbac.py | 7 +-
.../test_server_misc_policy_actions_rbac.py | 599 +++++++++++++++++++++
.../compute/test_server_virtual_interfaces_rbac.py | 41 --
.../compute/test_server_volume_attachments_rbac.py | 9 +-
.../api/compute/test_simple_tenant_usage_rbac.py | 56 --
.../api/identity/v3/test_endpoint_filter_rbac.py | 91 ----
.../api/identity/v3/test_ep_filter_groups_rbac.py | 108 ++++
.../identity/v3/test_ep_filter_projects_rbac.py | 90 ++++
.../api/identity/v3/test_oauth_consumers_rbac.py | 8 +-
.../api/identity/v3/test_oauth_tokens_rbac.py | 138 +++++
.../api/identity/v3/test_tokens_negative_rbac.py | 100 ++++
.../api/image/test_image_namespace_objects_rbac.py | 106 ++++
.../image/test_image_namespace_property_rbac.py | 97 ++++
.../api/image/test_image_namespace_tags_rbac.py | 109 ++++
.../api/image/test_image_resource_types_rbac.py | 72 +++
.../image/v2/test_image_namespace_objects_rbac.py | 106 ----
.../image/v2/test_image_namespace_property_rbac.py | 97 ----
.../api/image/v2/test_image_namespace_rbac.py | 76 ---
.../api/image/v2/test_image_namespace_tags_rbac.py | 109 ----
.../api/image/v2/test_image_resource_types_rbac.py | 72 ---
.../api/network/test_metering_label_rules_rbac.py | 2 -
.../network/test_networks_multiprovider_rbac.py | 5 +-
.../api/network/test_service_providers_rbac.py | 29 +
.../api/volume/test_volume_types_access_rbac.py | 81 +++
.../volume/test_volume_types_extra_specs_rbac.py | 86 ++-
.../api/volume/test_volumes_snapshots_rbac.py | 12 +
patrole_tempest_plugin/version.py | 18 +
releasenotes/notes/agents-ca4a5e232ce242a5.yaml | 5 +
...mmunitize-image-rbac-test-bdf1109e58a6c2e0.yaml | 5 +
releasenotes/notes/console-6db96c4e329c0ab2.yaml | 5 +
.../deprecate-rbac-group-148e222913dc74cc.yaml | 6 +
...dhcp-agent-scheduler-test-842fc1df45799def.yaml | 5 +
...mic-policy-file-discovery-104cbfc64b55d605.yaml | 22 +
...vailability-zone-policies-2ec19e8bbb9ce158.yaml | 5 +
.../glance-v1-api-deprecated-1aba7b6ae0b6e063.yaml | 4 +
.../notes/lock-server-460767a02d15bb29.yaml | 5 +
.../patrole-devstack-plugin-551c9af3325723c9.yaml | 6 +
.../notes/rbac-per-test-log-071a530e957c1c26.yaml | 28 +
...r-compute-extended-status-ef00256e58b66223.yaml | 11 +
...-compute-extended-volumes-7f3ccab122d22737.yaml | 6 +
...ests-for-quota-class-sets-20d874b185902308.yaml | 8 +
.../notes/service-provider-bc71da578e717c3a.yaml | 4 +
.../start-of-pike-support-360e27b4d192e3d2.yaml | 10 +
...ls_update_is_default_test-d3540a87469b6dc8.yaml | 5 +
...support_requirements_yaml-a90e0188a19421ba.yaml | 12 +
.../test_oauth_tokens_rbac-13e1d3b5decbaf79.yaml | 4 +
.../notes/test_tokens_rbac-63a93e507d079a03.yaml | 3 +
.../notes/test_tokens_rbac-7f36919b786e9ffc.yaml | 3 +
.../update-group-volume-test-06c7475ccbe36aa8.yaml | 5 +
...volume-upload-public-test-f8e741a838ae7607.yaml | 5 +
releasenotes/source/conf.py | 21 +-
releasenotes/source/index.rst | 7 +-
releasenotes/source/v0.1.0.rst | 6 +
requirements.txt | 14 +-
setup.cfg | 4 +-
setup.py | 5 +-
test-requirements.txt | 19 +-
test-whitelist.txt | 1 -
tox.ini | 11 +-
177 files changed, 7107 insertions(+), 4231 deletions(-)

Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt index 6871057..00c7e64 100644 --- a/requirements.txt +++ b/requirements.txt
@@ -5,7 +5,7 @@ hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 -pbr>=1.8 # Apache-2.0 -urllib3>=1.15.1 # MIT -oslo.log>=3.11.0 # Apache-2.0 -oslo.config>=3.22.0 # Apache-2.0 -oslo.policy>=1.17.0 # Apache-2.0 -tempest>=14.0.0 # Apache-2.0 -stevedore>=1.20.0 # Apache-2.0 +pbr!=2.1.0,>=2.0.0 # Apache-2.0 +urllib3>=1.21.1 # MIT +oslo.log>=3.30.0 # Apache-2.0 +oslo.config!=4.3.0,!=4.4.0,>=4.0.0 # Apache-2.0 +oslo.policy>=1.23.0 # Apache-2.0 +tempest>=16.1.0 # Apache-2.0 +stevedore>=1.20.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 7c97fa7..0657438 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4 +4 @@ -hacking>=0.12.0,!=0.13.0,<0.14 # Apache-2.0 +hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 @@ -6,5 +6,6 @@ hacking>=0.12.0,!=0.13.0,<0.14 # Apache-2.0 -sphinx>=1.2.1,!=1.3b1,<1.4 # BSD -oslosphinx>=4.7.0 # Apache-2.0 -reno>=1.8.0 # Apache-2.0 -mock>=2.0 # BSD -coverage>=4.0 # Apache-2.0 +sphinx>=1.6.2 # BSD +openstackdocstheme>=1.16.0 # Apache-2.0 +reno>=2.5.0 # Apache-2.0 +fixtures>=3.0.0 # Apache-2.0/BSD +mock>=2.0.0 # BSD +coverage!=4.4,>=4.0 # Apache-2.0 @@ -14,3 +15,3 @@ oslotest>=1.10.0 # Apache-2.0 -oslo.policy>=1.17.0 # Apache-2.0 -oslo.log>=3.11.0 # Apache-2.0 -tempest>=12.1.0 # Apache-2.0 +oslo.policy>=1.23.0 # Apache-2.0 +oslo.log>=3.30.0 # Apache-2.0 +tempest>=16.1.0 # Apache-2.0
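Review bot: in the requirements.txt hunk (@@ -5,7 +5,7 @@) the stevedore line is deleted and re-added with identical visible text (`-stevedore>=1.20.0 # Apache-2.0` / `+stevedore>=1.20.0 # Apache-2.0`), so the only change there is trailing whitespace or line ordering; confirm that is intended rather than an editor artefact. Separately, raising the floors to tempest>=16.1.0, oslo.policy>=1.23.0 and oslo.log>=3.30.0 is a hard break for anyone installing this plugin into an existing Tempest virtualenv, and it appears nowhere in the release notes above; it deserves a line under Other Notes.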
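Review bot: in the test-requirements.txt hunk at @@ -6,5 +6,6 @@, `+fixtures>=3.0.0` is added as a test-only dependency, yet the changelog entry "ffa47e6 Create rbac utils fixture and refactor tests" and the diffstat change to patrole_tempest_plugin/rbac_utils.py suggest the plugin's runtime code now imports `fixtures`. If it does, the dependency belongs in requirements.txt as well; Tempest's own dependency on fixtures will usually satisfy it transitively, which is exactly why the gap would go unnoticed until a minimal install.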
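Review bot: the @@ -14,3 +15,3 @@ hunk updates oslo.policy, oslo.log and tempest floors in test-requirements.txt to the same values just set in requirements.txt (`+oslo.policy>=1.23.0`, `+oslo.log>=3.30.0`, `+tempest>=16.1.0`). They agree in this patch, but carrying runtime floors in both files invites drift; since requirements.txt already pulls these in, consider dropping the duplicates from test-requirements.txt so there is one place to bump.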
participants (1): no-reply@openstack.org