patrole_tempest_plugin.requirements_authority module

class patrole_tempest_plugin.requirements_authority.RequirementsAuthority(filepath=None, component=None)

Bases: patrole_tempest_plugin.rbac_authority.RbacAuthority

A class that uses a custom requirements file to validate RBAC.

allowed(rule_name, roles)

Checks whether the given roles are allowed to perform a given rule in a policy.

Parameters
  • rule_name (string) – Rule to be checked against the requirements file specified by [patrole].custom_requirements_file. Must be a key present in this file, under the appropriate component.

  • roles (List[string]) – Roles to validate against custom requirements file.

Returns

True if role is allowed to perform rule_name, else False.

Return type

bool

Raises

RbacParsingException – If rule_name does not exist among the keyed policy names in the custom requirements file.

class patrole_tempest_plugin.requirements_authority.RequirementsParser(filepath)

Bases: object

A class that parses a custom requirements file.

class Inner(filepath)

Bases: object

static parse(component)

Parses a requirements file with the following format:

<service_foo>:
  <api_action_a>:
    - <allowed_role_1>
    - <allowed_role_2>,<allowed_role_3>
    - <allowed_role_3>
  <api_action_b>:
    - <allowed_role_2>
    - <allowed_role_4>
<service_bar>:
  <api_action_c>:
    - <allowed_role_3>

Parameters

component (str) – Name of the OpenStack service to be validated.

Returns

The dictionary that maps each policy action to the list of allowed roles, for the given component.

Return type

dict
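
The parse-then-check flow documented above, as an added example that is not Patrole's own code: a minimal reader for the requirements layout and a fail-closed `allowed` check. It assumes each list entry is an alternative and that comma-separated roles within one entry must all be held; `parse_requirements`, `RuleNotFound`, and the sample service and action names are hypothetical.

```python
# Added example, not Patrole's implementation. All names are hypothetical.
SAMPLE = """\
compute:
  os_compute_api:servers:create:
    - admin
    - member,project_creator
  os_compute_api:servers:delete:
    - admin
identity:
  identity:list_users:
    - admin
"""  # constructed requirements file


class RuleNotFound(Exception):
    """Stand-in for RbacParsingException."""


def parse_requirements(text, component):
    """Map each action of `component` to its list of role requirements.

    Reads only the service/action/role layout shown above; real files are
    YAML and would go through a safe YAML loader.
    """
    result, service, action = {}, None, None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        if body.startswith("- "):
            roles = [r.strip() for r in body[2:].split(",") if r.strip()]
            # Drop empty entries so a stray "- ," can never allow everyone.
            if service == component and action is not None and roles:
                result[action].append(roles)
        elif body.endswith(":"):
            if raw[0] not in " \t":          # column 0: a service name
                service, action = body[:-1], None
            else:                            # indented: an API action
                action = body[:-1]
                if service == component:
                    result[action] = []
    return result


def allowed(requirements, rule_name, roles):
    """True if `roles` satisfies at least one entry for `rule_name`."""
    if rule_name not in requirements:
        raise RuleNotFound(rule_name)        # unknown rule: error, not False
    held = set(roles)
    # Assumption: entries are ORed; roles inside one entry are ANDed.
    return any(set(entry) <= held for entry in requirements[rule_name])
```

Raising on an unknown rule, rather than returning False, keeps a typo in a rule name from being read as a passing "role is denied" result in an RBAC test.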