Current Series Release Notes

0.14.0

Prelude

This release tags Patrole for the OpenStack Yoga release and marks the start of Yoga release support in Patrole. After this release, Patrole will support the following OpenStack releases:

  • Yoga

  • Xena

  • Wallaby

  • Victoria

  • Ussuri

Current development of Patrole is for the OpenStack Zed development cycle. Every Patrole commit is also tested against master during the Zed cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Yoga (or future release) cloud. To be on the safe side, use this tag to test the OpenStack Yoga release.

New Features

  • Added a new feature flag, changed_cinder_policies_xena, under the configuration group [policy-feature-enabled] for testing Cinder with both the old and the new policies.

0.13.0

Prelude

This release tags Patrole for the OpenStack Xena release and marks the start of Xena release support in Patrole. After this release, Patrole will support the following OpenStack releases:

  • Xena

  • Wallaby

  • Victoria

  • Ussuri

Current development of Patrole is for the OpenStack Yoga development cycle. Every Patrole commit is also tested against master during the Yoga cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Xena (or future release) cloud. To be on the safe side, use this tag to test the OpenStack Xena release.

Bug Fixes

  • Fixes an issue in the VolumesBackupsV3RbacTest.test_reset_backup_status test where the volume was not registered for cleanup after the test. This fix cleans up the volume.

0.12.0

Prelude

This release tags Patrole for the OpenStack Wallaby release and marks the start of Wallaby release support in Patrole. After this release, Patrole will support the following OpenStack releases:

  • Wallaby

  • Victoria

  • Ussuri

  • Train

Current development of Patrole is for the OpenStack Xena development cycle. Every Patrole commit is also tested against master during the Xena cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Xena (or future release) cloud. To be on the safe side, use this tag to test the OpenStack Wallaby release.

0.11.0

Prelude

This is an intermediate release during the Wallaby development cycle to mark the end of support for the EM Stein release in Patrole. After this release, Patrole will support the following OpenStack releases:

  • Victoria

  • Ussuri

  • Train

Current development of Patrole is for the OpenStack Wallaby development cycle.

New Features

  • Added a new feature flag, removed_nova_policies_wallaby, under the configuration group [policy-feature-enabled] for skipping Nova tests whose policies were removed in Wallaby. This feature flag is currently applied to the os-agents related policies.

0.10.0

Prelude

This release tags Patrole for the OpenStack Victoria release and marks the start of Victoria release support in Patrole. After this release, Patrole will support the following OpenStack releases:

  • Victoria

  • Ussuri

  • Train

  • Stein

Current development of Patrole is for the OpenStack Wallaby development cycle. Every Patrole commit is also tested against master during the Wallaby cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Wallaby (or future release) cloud. To be on the safe side, use this tag to test the OpenStack Victoria release.

New Features

  • A new policy feature flag called [policy_feature_flag].changed_nova_policies_victoria has been added to Patrole’s config to handle Nova policies changed in Victoria. The policy feature flag is applied to tests that use policies changed in Victoria, including the following:

    • os_compute_api:os-hosts

    • os_compute_api:os-tenant-networks

    • os_compute_api:os-volumes

    • os_compute_api:os-security-groups

0.9.0

Prelude

This release tags Patrole for the OpenStack Ussuri release and marks the start of Ussuri release support in Patrole. After this release, Patrole will support the following OpenStack releases:

  • Ussuri

  • Train

  • Stein

Current development of Patrole is for the OpenStack Victoria development cycle. Every Patrole commit is also tested against master during the Victoria cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Victoria (or future release) cloud. To be on the safe side, use this tag to test the OpenStack Ussuri release.

New Features

  • Nova adopted new policy defaults in the Ussuri cycle, which made some of its policies granular.

    Patrole tests adopt the new policies. The policies changed in the Patrole tests are:

    • os_compute_api:os-services

    • os_compute_api:deferred_delete

    • os_compute_api:os-attach-interfaces

    • os_compute_api:os-instance-usage-audit-log

    • os_compute_api:os-agents

    • os_compute_api:os-hypervisors

    • os_compute_api:os-instance-actions

    • os_compute_api:os-security-groups

    • os_compute_api:os-server-password

Upgrade Notes

  • Python 2.7 support has been dropped. The last release of Patrole to support Python 2.7 is Patrole 0.8.0. The minimum version of Python now supported by Patrole is Python 3.6.

0.8.0

Prelude

This is an intermediate release during the Ussuri development cycle to mark the end of support for EM Queens in Patrole. After this release, Patrole will support the following OpenStack releases:

  • Train

  • Stein

  • Rocky

Current development of Patrole is for the OpenStack Ussuri development cycle. This is the last release of Patrole to officially support Python 2.7.

New Features

  • A new policy feature flag called [policy_feature_flag].changed_nova_policies_ussuri has been added to Patrole’s config to handle Nova policies changed in Ussuri. The policy feature flag is applied to tests that use policies changed in Ussuri, including the following:

    • os_compute_api:os-services

    Note that not all changed policies are included above because test coverage is missing for them.

0.7.0

Prelude

This release tags Patrole for the OpenStack Train release and marks the start of Train release support in Patrole. After this release, Patrole will support the following OpenStack releases:

  • Train

  • Stein

  • Rocky

  • Queens

Current development of Patrole is for the OpenStack Ussuri development cycle. Every Patrole commit is also tested against master during the Ussuri cycle. However, this does not necessarily mean that using Patrole as of this tag will work against an Ussuri (or future release) cloud. To be on the safe side, use this tag to test the OpenStack Train release.

New Features

  • Added a new feature flag, keystone_policy_enforcement_train, under the configuration group [policy-feature-enabled] to make the test_list_trusts test backwards compatible, test the current release, and test the correct policy action. The Keystone Trust API is enforced differently depending on the arguments passed.

0.6.0

Prelude

This is an intermediate release during the Train development cycle to mark the end of support for Pike in Patrole. After this release, Patrole will support the following OpenStack releases:

  • Stein

  • Rocky

  • Queens

Current development of Patrole is for the OpenStack Train development cycle.

0.5.0

Prelude

This release tags Patrole for the OpenStack Stein release. After this release, Patrole will support the following OpenStack releases:

  • Stein

  • Rocky

  • Queens

  • Pike

Current development of Patrole is for the OpenStack Train development cycle. Every Patrole commit is also tested against master during the Train cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Train (or future release) cloud.

New Features

  • The exception class RbacMalformedException has been broken up into the following discrete exceptions:

    • RbacMissingAttributeResponseBody - incomplete means that the response body (for show or list) is missing certain attributes

    • RbacPartialResponseBody - partial means that a list response only returned a subset of the possible results available.

    • RbacEmptyResponseBody - empty means that the show or list response body is entirely empty

    Each of the exception classes above deals with a different type of failure related to a soft authorization failure. This means that, rather than a 403 error code getting returned by the server, the response body is incomplete in some way.

  • Added a new exception, RbacOverrideRoleException, used to safeguard against false positives that might occur when the expected exception isn’t raised inside the override_role context. Specifically, it is raised when:

    • override_role isn’t called

    • an exception is raised before override_role context

    • an exception is raised after override_role context

  • Supporting the role inference rules API gives Patrole the ability to test role chains, where one role implies a second, which can in turn imply a third:

    admin implies member implies reader

    Now, when testing against the admin role ([patrole] rbac_test_roles = admin), rbac_rule_validation.action calls the rbac_utils.get_all_needed_roles function to extend the roles and validates a policy rule against the full list of possible roles:

    ["admin", "member", "reader"]

    Here are a few examples:

    ["admin"] >> ["admin", "member", "reader"]
    ["member"] >> ["member", "reader"]
    ["reader"] >> ["reader"]
    ["custom_role"] >> ["custom_role"]
    ["custom_role", "member"] >> ["custom_role", "member", "reader"]

  • CONF.patrole.rbac_test_role has been replaced with CONF.patrole.rbac_test_roles, so that instead of a single role a list of roles can be assigned to the test user. This way RBAC tests can be run for scenarios that require the user to have more than a single role.

  • To support tests for plugins that do not maintain a policy.json with the full list of policy rules and instead ship a policy file containing only their own rules, Patrole must be able to load and merge multiple policy files for any of the services.

    • Discovering all policy files for each service. The updated discover_policy_files function picks all candidate paths found among the potential paths in the [patrole].custom_policy_files config option. Using glob.glob() makes it possible to use patterns like ‘*.json’ to discover policy files.

    • Loading and merging data from multiple policy files. Patrole loads the data from each discovered policy file for a service and merges the data from all files.

  • To test list actions that do not have their own policy, the override_role_and_validate_list function was implemented. The function has two modes:

    • Validating the number of resources in a ResponseBody before calling override_role and after.

      # make sure at least one resource is available
      self.ntp_client.create_policy_dscp_marking_rule()
      # the list of resources available for a user with admin role
      admin_resources = self.ntp_client.list_dscp_marking_rules(
          policy_id=self.policy_id)["dscp_marking_rules"]
      with self.rbac_utils.override_role_and_validate_list(
              self, admin_resources=admin_resources) as ctx:
          # the list of resources available for a user with member role
          ctx.resources = self.ntp_client.list_dscp_marking_rules(
              policy_id=self.policy_id)["dscp_marking_rules"]
      
    • Validating that a resource, created before override_role, is not present in a ResponseBody.

      # the resource created by a user with admin role
      admin_resource_id = (
          self.ntp_client.create_dscp_marking_rule()
          ["dscp_marking_rule"]["id"])
      with self.rbac_utils.override_role_and_validate_list(
              self, admin_resource_id=admin_resource_id) as ctx:
          # the list of resources available for a user with member role
          ctx.resources = self.ntp_client.list_dscp_marking_rules(
              policy_id=self.policy_id)["dscp_marking_rules"]
      
  • Merged the RbacUtils and RbacUtilsMixin classes. Now there is only the RbacUtilsMixin class, which still provides all functionality of the original RbacUtils class. The new implementation simplifies the usage of the RBAC utils:

    • there is no need to call cls.setup_rbac_utils(), because it happens automatically at the setup_clients step.

    • there is no rbac_utils variable, so to call override_role, just do it using self:

      with self.override_role():
          ...
      
    • there is no need for the test_obj argument to override_role, because it can use self.

  • A new policy feature flag called [policy_feature_flag].removed_nova_policies_stein has been added to Patrole’s config to handle Nova API extension policies removed in Stein.

    The policy feature flag is applied to tests that validate response bodies for expected attributes previously returned for the following policies that passed authorization:

    • os_compute_api:os-config-drive

    • os_compute_api:os-extended-availability-zone

    • os_compute_api:os-extended-status

    • os_compute_api:os-extended-volumes

    • os_compute_api:os-keypairs

    • os_compute_api:os-server-usage

    • os_compute_api:os-flavor-rxtx

    • os_compute_api:os-flavor-access (only from /flavors APIs)

    • os_compute_api:image-size

    Note that not all removed policies are included above because test coverage is missing for them (like os_compute_api:os-security-groups).

  • Added new feature flag called removed_keystone_policies_stein under the configuration group [policy-feature-enabled] for skipping Keystone tests whose policies were removed in Stein. This feature flag is currently applied to credentials-related policies, e.g.: identity:[create|update|get|delete]_credential

  • The requirements_authority module now supports the following three cases:

    • logical or operation of roles (existing functionality)

    • logical and operation of roles (new functionality)

    • logical not operation of roles (new functionality)

    <service_foo>:
      <logical_or_example>:
        - <allowed_role_1>
        - <allowed_role_2>
      <logical_and_example>:
        - <allowed_role_3>, <allowed_role_4>
    <service_bar>:
      <logical_not_example>:
        - <!disallowed_role_5>
    

    Each item under logical_or_example is “logical OR”-ed together. Each role in the comma-separated string under logical_and_example is “logical AND”-ed together. And each item prefixed with “!” under logical_not_example is “logical negated”.

    This allows for expressing many more complex cases using the requirements_authority YAML syntax. For example, the policy rule (i.e. what may exist in a policy.yaml file):

    "foo_rule: (role:a and not role:b) or role:c"
    

    May now be expressed using the YAML syntax as:

    foo_rule:
        - a, !b
        - c
    
  • Patrole will validate the deprecated policy rules (if applicable) alongside the current policy rule. Added [patrole] validate_deprecated_rules, enabled by default, to validate the deprecated rules.

  • Added new Cinder feature flag (CONF.policy_feature_enabled.added_cinder_policies_stein) for the following newly introduced granular Cinder policies:

    • volume_extension:volume_type_encryption:create

    • volume_extension:volume_type_encryption:get

    • volume_extension:volume_type_encryption:update

    • volume_extension:volume_type_encryption:delete

    The corresponding Patrole test cases are modified to support the granularity. The test cases also support backward compatibility with the old single rule: volume_extension:volume_type_encryption

    The rules parameter in rbac_rule_validation.action decorator now also accepts a list of callables; each callable should return a policy action (str).

  • Patrole now supports parsing custom YAML policy files, the new policy file extension since Ocata. The function _get_policy_data has been renamed to get_rules and been changed to re-use oslo_policy.policy.Rules.load function.
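Policy file discovery and merging, as described in the multiple-policy-files note above, carried through in an added example. This is not Patrole's own discover_policy_files or get_rules: it expands [patrole].custom_policy_files-style patterns with glob.glob(), substitutes the service name for %s, and merges JSON rule files. Assumed for the example (not stated in the note): the files are JSON, patterns earlier in the list take precedence, and a rule already defined by an earlier file wins while a differing later definition is recorded as a conflict. build_sample_tree writes constructed policy files for a fictitious service 'foo' into a temporary directory.

```python
"""Added example (not Patrole's code): discover a service's policy files
with glob patterns and merge their rules into one rule set."""
import glob
import json
import os
import tempfile


def discover_policy_files(service, custom_policy_files):
    """Expand every candidate pattern for a service and keep existing files.

    Assumed convention: "%s" in a pattern stands for the service name, and
    patterns earlier in the list have higher precedence than later ones.
    """
    found = []
    for pattern in custom_policy_files:
        for path in sorted(glob.glob(pattern.replace("%s", service))):
            if os.path.isfile(path) and path not in found:
                found.append(path)
    return found


def get_rules(policy_files):
    """Load each discovered JSON policy file and merge the rules.

    Assumed merge semantics: the first file to define a rule wins; a later
    file that defines the same rule differently is recorded as a conflict
    rather than silently overriding it.
    """
    merged = {}
    conflicts = []
    for path in policy_files:
        with open(path) as fh:
            rules = json.load(fh)
        for name, check in rules.items():
            if name not in merged:
                merged[name] = check
            elif merged[name] != check:
                conflicts.append((name, path))
    return merged, conflicts


def build_sample_tree(root):
    """Write constructed policy files for a fictitious service 'foo'."""
    base = os.path.join(root, "foo")
    os.makedirs(base)
    files = {
        # main policy file, as a service would ship it
        "policy.json": {
            "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
            "create_thing": "rule:admin_or_owner",
        },
        # plugin file carrying only its own rules, plus one clashing rule
        "plugin.json": {
            "admin_only": "is_admin:True",
            "create_plugin_thing": "rule:admin_only",
            "create_thing": "@",
        },
    }
    for name, rules in files.items():
        with open(os.path.join(base, name), "w") as fh:
            json.dump(rules, fh)
    return base


def demo():
    """Run discovery and merge over the constructed tree; return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        patterns = [
            os.path.join(root, "%s", "policy.json"),  # highest precedence
            os.path.join(root, "%s", "*.json"),       # anything else
        ]
        files = discover_policy_files("foo", patterns)
        merged, conflicts = get_rules(files)
        return ([os.path.basename(p) for p in files], merged,
                [name for name, _ in conflicts])


if __name__ == "__main__":
    print(demo())
```

The conflict list is the part worth keeping an eye on: a plugin-only policy file that redefines a rule from the main file (here create_thing as "@", which allows everyone) would otherwise silently change the expected test result.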
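The two modes of override_role_and_validate_list described above, as an added example that is not Patrole's implementation: a context manager whose checks after the with body classify a list response as complete, partial, empty or over-permitted. Resources are assumed to be dicts with an "id" key, the role switch around the yield is omitted, and RbacOverPermission, _ListContext and run_list_check are names made up for the example; RbacPartialResponseBody and RbacEmptyResponseBody take their names from this release note.

```python
"""Added example (not Patrole's code): a context manager modelled on the two
modes of override_role_and_validate_list, checking a list response obtained
under the test role against what the admin role saw."""
import contextlib


class RbacPartialResponseBody(Exception):
    """The test role's list returned only a subset of the admin's results."""


class RbacEmptyResponseBody(Exception):
    """The test role's list came back empty (or was never recorded)."""


class RbacOverPermission(Exception):
    """Example-only name: the test role saw more than it should have."""


class _ListContext(object):
    """Carries the resources the test collects inside the with block."""

    def __init__(self):
        self.resources = None


@contextlib.contextmanager
def override_role_and_validate_list(admin_resources=None,
                                    admin_resource_id=None):
    """Yield a ctx whose .resources the test fills in, then validate it.

    Mode 1 (admin_resources): the test role must list exactly as many
    resources as the admin did.
    Mode 2 (admin_resource_id): a resource created as admin must not be
    visible to the test role.
    The role switch itself is omitted here; a real implementation would
    override the role around the yield.
    """
    if (admin_resources is None) == (admin_resource_id is None):
        raise ValueError("pass exactly one of admin_resources/admin_resource_id")
    ctx = _ListContext()
    yield ctx  # the with body runs here; an exception in it skips the checks
    if ctx.resources is None:
        raise RbacEmptyResponseBody("ctx.resources was never set")
    if admin_resources is not None:
        if admin_resources and not ctx.resources:
            raise RbacEmptyResponseBody("test role saw no resources")
        if len(ctx.resources) < len(admin_resources):
            raise RbacPartialResponseBody(
                "%d of %d resources visible"
                % (len(ctx.resources), len(admin_resources)))
        if len(ctx.resources) > len(admin_resources):
            raise RbacOverPermission("test role saw more resources than admin")
    elif any(r.get("id") == admin_resource_id for r in ctx.resources):
        raise RbacOverPermission(
            "resource %s is visible to the test role" % admin_resource_id)


def run_list_check(admin_view, test_view, admin_resource_id=None):
    """Drive the context manager with constructed views; report the outcome."""
    if admin_resource_id is not None:
        kwargs = {"admin_resource_id": admin_resource_id}
    else:
        kwargs = {"admin_resources": admin_view}
    try:
        with override_role_and_validate_list(**kwargs) as ctx:
            ctx.resources = test_view  # stands in for the list API call
    except (RbacPartialResponseBody, RbacEmptyResponseBody,
            RbacOverPermission) as exc:
        return type(exc).__name__
    return "ok"


if __name__ == "__main__":
    admin = [{"id": "r1"}, {"id": "r2"}]
    print(run_list_check(admin, admin))
    print(run_list_check(admin, [{"id": "r1"}]))
    print(run_list_check(admin, admin, "r1"))
```

Because the checks sit after the yield, an exception raised inside the with body propagates out of the generator before any list comparison runs, which is the same reason the RbacOverrideRoleException note above insists on knowing whether a failure happened inside or outside the override context.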
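The role-inference expansion (the admin implies member implies reader chain handled by get_all_needed_roles) and the requirements_authority OR/AND/NOT syntax from the notes above, carried through in one added example. This is not Patrole's code: the implication rules, the REQUIREMENTS mapping, service_foo, reader_rule and the functions get_all_needed_roles, parse_requirement_item, is_authorized and expected_result are all constructed for the example. It goes slightly beyond the notes by handling circular implication rules without looping.

```python
"""Added example (not Patrole's code): expand test roles through role
implication rules, then evaluate a requirements_authority-style rule
(list items OR-ed, comma-separated roles AND-ed, '!' negates) against them."""

# Constructed implication rules modelled on the chain in the release note:
# admin implies member, member implies reader.
IMPLIED_ROLES = {
    "admin": ["member"],
    "member": ["reader"],
}


def get_all_needed_roles(roles, implied=IMPLIED_ROLES):
    """Return the given roles plus every role they transitively imply.

    Stand-in for Patrole's rbac_utils.get_all_needed_roles (assumed
    behaviour). Insertion order is kept, and cycles in the rules cannot
    loop because a role already in the result is never revisited.
    """
    result = []
    pending = list(roles)
    while pending:
        role = pending.pop(0)
        if role in result:
            continue
        result.append(role)
        pending.extend(implied.get(role, []))
    return result


def parse_requirement_item(item):
    """Split one YAML list item such as "a, !b" into (required, forbidden).

    Roles inside one item are AND-ed; a leading '!' marks a role that must
    not be held.
    """
    required, forbidden = set(), set()
    for token in item.split(","):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            forbidden.add(token[1:].strip())
        else:
            required.add(token)
    return required, forbidden


def is_authorized(rule_items, roles):
    """Evaluate a rule: items are OR-ed, so the first satisfied item wins.

    An item is satisfied when all its required roles are held and none of
    its forbidden roles are.
    """
    held = set(roles)
    for item in rule_items:
        required, forbidden = parse_requirement_item(item)
        if required <= held and not (forbidden & held):
            return True
    return False


# Constructed requirements in the shape a parsed requirements YAML takes.
# foo_rule is the note's "(role:a and not role:b) or role:c".
REQUIREMENTS = {
    "service_foo": {
        "foo_rule": ["a, !b", "c"],
        "reader_rule": ["reader"],
    },
}


def expected_result(service, rule, test_roles, requirements=REQUIREMENTS):
    """Expected outcome for rbac_test_roles = test_roles against service:rule."""
    expanded = get_all_needed_roles(test_roles)
    return is_authorized(requirements[service][rule], expanded)


if __name__ == "__main__":
    # Assigning only "admin" still satisfies a rule that requires "reader".
    print(get_all_needed_roles(["admin"]))
    print(expected_result("service_foo", "reader_rule", ["admin"]))
    print(expected_result("service_foo", "foo_rule", ["a", "b"]))
```

The expansion step is what makes a test run with rbac_test_roles = admin pass a reader-only requirement; without it, a rule written for the lowest role in the chain would report a false denial for every role above it.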

Upgrade Notes

  • The exception class RbacMalformedException has been removed. Use one of the following exception classes instead:

    • RbacMissingAttributeResponseBody

    • RbacPartialResponseBody

    • RbacEmptyResponseBody

  • Remove usage of cls.setup_rbac_utils() function.

  • Remove usage of self.rbac_utils variable:

    with self.rbac_utils.override_role(self):
    

    convert to

    with self.override_role():
    
  • Remove test_obj in usage of override_role context manager:

    with self.override_role(self):
    

    convert to

    with self.override_role():
    
  • Remove deprecated [patrole].enable_rbac configuration option. To skip Patrole tests going forward, use an appropriate regex.

  • The following deprecated parameters in rbac_rule_validation.action decorator:

    • rule

    • expected_error_code

    have been removed. Use the non-deprecated versions instead:

    • rules

    • expected_error_codes

Deprecation Notes

  • Patrole will only support the v3 Tempest roles client for role overriding operations. Support for the v2 version has been dropped because the Keystone v2 API is slated for removal.

  • The config parameter CONF.rbac_test_role is deprecated in favor of CONF.rbac_test_roles, which takes a list of roles instead of a single role.

Bug Fixes

  • Previously, the rbac_rule_validation.action decorator could catch expected exceptions with no regard to where the error happened. Such behavior could cause false-positive results. To prevent this from happening from now on, if an exception happens outside of the override_role context, it will cause rbac_exceptions.RbacOverrideRoleException to be raised.

0.4.0

Prelude

This release tags Patrole for the OpenStack Rocky release. After this release, Patrole will support the following OpenStack releases:

  • Rocky

  • Queens

  • Pike

Current development of Patrole is for the OpenStack Stein development cycle. Every Patrole commit is also tested against master during the Stein cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Stein (or future release) cloud.

New Features

  • In order to strive toward complete test coverage for the services it tests, Patrole now offers RBAC coverage for the APIs included in neutron-tempest-plugin. If this plugin is not installed or enabled, then Patrole will skip those tests.

  • A new configuration group [policy_feature_enabled] has been added to Patrole which will be responsible for collecting the feature flags to be used for newly introduced policies or policies that were changed in a backwards-incompatible way.

    • create_port_fixed_ips_ip_address_policy (Neutron)

    • update_port_fixed_ips_ip_address_policy (Neutron)

    • limits_extension_used_limits_policy (Cinder)

    • volume_extension_volume_actions_attach_policy (Cinder)

    • volume_extension_volume_actions_reserve_policy (Cinder)

    • volume_extension_volume_actions_unreserve_policy (Cinder)

    These feature flags will be supported until Pike release cycle is EOL.

  • Patrole now offers support for multiple policies. The rules argument has been added to the rbac_rule_validation.action decorator, which takes a list of policy names which Patrole will use to determine the expected test result. This allows Patrole to more accurately determine whether RBAC is configured correctly, since some API endpoints enforce multiple policies.

    Multiple policy support includes the capability to specify multiple expected error codes, as some components may return different error codes for different roles due to checking multiple policy rules. The expected_error_codes argument has been added to the rbac_rule_validation.action decorator, which is a list of error codes expected when the corresponding rule in the rules list is disallowed to perform the API action. For this reason, the error codes in the expected_error_codes list must appear in the same order as their corresponding rules in the rules list. For example:

    expected_error_codes[0] is the error code for the rules[0] rule. expected_error_codes[1] is the error code for the rules[1] rule. …

Upgrade Notes

  • The admin_only kwarg has been removed from the rbac_rule_validation decorator because it is no longer used by any tests. Besides that, it should not be used, because Patrole is dedicated to RBAC testing and an admin-only check is not RBAC: it does not use the oslo.policy library.

  • The switch_role method in rbac_utils module has been removed because it is a clunky way of manipulating Tempest roles to achieve RBAC testing. Use override_role instead.

  • The [patrole].strict_policy_check was deprecated during the Queens release cycle. It is removed in this release cycle because Patrole should always fail on invalid policies.

Deprecation Notes

  • The [patrole].enable_rbac option is deprecated and will be removed during the “S” release. This is a legacy option that was meaningful downstream when Patrole was a suite of tests inside Tempest itself. Now that Patrole exists upstream as a Tempest plugin, it is paradoxical to install the Patrole plugin yet have an option that allows all Patrole tests to be skipped. This option is at odds with current Patrole architecture.

    To skip RBAC tests going forward, with Patrole Tempest plugin already installed, use an appropriate regex.

  • The rule argument in the rbac_rule_validation.action decorator has been deprecated in favor of rules.

    The expected_error_code argument in the rbac_rule_validation.action decorator has been deprecated in favor of expected_error_codes.

0.3.0

Prelude

This release marks the start of Queens release support in Patrole.

New Features

  • Add RBAC test for “backup:backup_project_attribute” which verifies that the “os-backup-project-attr:project_id” attribute appears in the response body once policy enforcement succeeds.

  • Implemented a new method override_role in rbac_utils module, which provides the exact same functionality as the now-deprecated switch_role method, with one difference: override_role is a contextmanager which provides better policy validation granularity. This means that immediately after the contextmanager’s code has executed, the role is switched back to the admin role automatically.

  • Add complete RBAC test coverage for the compute APIs that enforce: “os_compute_api:os-extended-server-attributes”.

  • test_flavor_rxtx_rbac now offers complete coverage for the os-flavor-rxtx policy.

  • Adds tests to see if key_name is returned in server response to test_server_misc_policy_actions_rbac.

  • Add RBAC test for creating a server backup, providing coverage for the policy action: “os_compute_api:os-create-backup”.

Upgrade Notes

  • All of the identity v2.0 API tests have been removed from Patrole because the majority of the v2.0 API has been removed from the identity project.

  • The [rbac] config group has been removed. Use the [patrole] group instead which contains the exact same options.

Deprecation Notes

  • The switch_role method in rbac_utils module has been deprecated and will be removed during the Rocky release cycle.

  • The configuration option [patrole] strict_policy_check is deprecated and will be removed in the Rocky release cycle.

  • Removed the following deprecated Patrole configuration options:

    • cinder_policy_file

    • glance_policy_file

    • keystone_policy_file

    • neutron_policy_file

    • nova_policy_file

    To specify the location of a custom policy file, use [patrole] custom_policy_files instead.

Other Notes

  • The default value for [patrole] strict_policy_check has been changed to True because a Patrole test should always fail if the policy action is invalid, to avoid false positives.

  • OpenStack Releases supported after this release are Queens and Pike. The release under current development of this tag is Rocky, meaning that every Patrole commit is also tested against master during the Rocky cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Rocky (or future release) cloud.

0.2.0

Prelude

This release marks the start of support for the Pike release in Patrole.

New Features

  • Add security groups and server security groups tests to Nova RBAC tests.

  • Add additional port-related RBAC tests to test_ports_rbac in the network module, providing coverage for the following policy actions:

    • create_port:device_owner

    • create_port:port_security_enabled

    • create_port:binding:profile

    • update_port:device_owner

  • Add additional RBAC tests for network routers API, providing coverage for the following policy actions:

    • create_router:ha

    • create_router:distributed

    • get_router:distributed

    • update_router:ha

    • update_router:distributed

  • Added tests to test_agents_rbac.py for PUT and DELETE endpoints.

  • Add RBAC test for communitizing image, providing coverage for the policy action “communitize_image”.

  • Adds tests for compute snapshot APIs.

  • Adds tests for os-console-output and os-remote-console to compute module.

  • Added RBAC network test for listing dhcp agents on a hosting network, providing coverage for the “get_dhcp-agents” policy.

  • Add a new configuration option, [rbac] custom_policy_files, allowing users to specify a list of paths to search for custom policy files. Each policy path assumes that the service name is included in the path once. It also assumes Patrole is on the same host as the policy files. The paths should be ordered by precedence, with high-priority paths before low-priority paths. The first path that is found to contain the service’s policy file will be used.

  • Add group-specific RBAC tests for the identity v3 extension API, OS-EP-FILTER, providing coverage for the following policy actions:

    • identity:create_endpoint_group

    • identity:list_endpoint_groups

    • identity:show_endpoint_group (get endpoint group)

    • identity:check_endpoint_group

    • identity:list_endpoint_group (get endpoint groups)

    • identity:update_endpoint_group

    • identity:delete_endpoint_group

  • Add RBAC tests for APIs that enforce “os_compute_api:os-extended-availability-zone”.

  • Added RBAC tests for volume type access and volume type extra specs APIs, providing coverage for the following policy actions:

    • “volume_extension:types_extra_specs”

    • “volume_extension:volume_type_access”

    • “volume_extension:volume_type_access:addProjectAccess”

    • “volume_extension:volume_type_access:removeProjectAccess”

  • Add test coverage for the os-flavor-manage compute API, which includes tests for the following policy actions:

    • “os_compute_api:os-flavor-manage:create”

    • “os_compute_api:os-flavor-manage:delete”

  • Add RBAC tests related to the image_size compute policy action: “os_compute_api:image-size”.

  • Adds tests for Nova’s lock_server policies: lock, unlock, and unlock_override.

  • Add additional RBAC tests to VolumesBackupsRbacTest, providing coverage for “volume_extension:backup_admin_actions:reset_status”.

  • Add Patrole DevStack plugin, allowing Patrole to be installed using DevStack by adding “enable_plugin patrole” to “local” section of local.conf.

  • Added a new logging feature which logs the result of each Patrole test.

    The format of the new log output is:

    “[Service]: %s, [Test]: %s, [Rule]: %s, [Expected]: %s, [Actual]: %s”

    where each “%s” is a string that contains:

    • [Service] - The openstack service being tested (Nova, Neutron, etc)

    • [Test] - The name of the test function being invoked (eg: test_list_aggregate_rbac)

    • [Rule] - The name of the rule the Patrole test is testing (eg: os_compute_api:os-aggregates)

    • [Expected] - The expected outcome (one of Allowed/Denied)

    • [Actual] - The actual outcome from the Patrole test (one of Allowed/Denied/Error)

    This logging feature has two config variables. These variables are part of a new config group, patrole_log:

    • enable_reporting:

      This enables or disables the enhanced rbac reporting

    • report_log_name:

      This variable specifies the name of the log file to write

    • report_log_path:

      This variable specifies the path (relative or absolute) of the log file to write

  • Add RBAC tests for os_compute_api:os-extended-status, which validate that the following attributes:

    • OS-EXT-STS:task_state

    • OS-EXT-STS:vm_state

    • OS-EXT-STS:power_state

    are present in the relevant response bodies.

  • Add RBAC tests for os-extended-volumes:volumes_attached policies, which validate that “os-extended-volumes:volumes_attached” is returned in the response body.

  • Implements RBAC tests for Tempest network agents_client, providing coverage for the following policies:

    • update_agent

    • get_agent

    • create_dhcp-network

    • delete_dhcp-network

    • get_dhcp-networks

    • create_l3-router

    • delete_l3-router

    • get_l3-routers

  • Add RBAC tests for compute quota class sets API, providing coverage for the following policy actions:

    • os_compute_api:os-quota-class-sets:show

    • os_compute_api:os-quota-class-sets:update

  • Add RBAC tests for the compute server metadata API, providing coverage for the following policy actions:

    • os_compute_api:server-metadata:index

    • os_compute_api:server-metadata:update_all

    • os_compute_api:server-metadata:create

    • os_compute_api:server-metadata:show

    • os_compute_api:server-metadata:update

    • os_compute_api:server-metadata:delete

  • Adds test for Neutron’s get_service_provider policy.

  • Add RBAC tests for network subnet endpoints, providing coverage for the following policy actions:

    • create_subnet

    • get_subnet

    • update_subnet

    • delete_subnet

  • Add RBAC test for updating the default subnetpool, providing coverage for the policy action: “update_subnetpool:is_default”.

  • Add support of running Patrole against a custom requirements YAML that defines RBAC requirements. The YAML file lists all the APIs and the roles that should have access to the APIs. The purpose of running Patrole against a requirements YAML is to verify that the RBAC policy is in accordance to deployment specific requirements. Running Patrole against a requirements YAML is completely optional and can be enabled by setting the [rbac] test_custom_requirements option to True in Tempest’s configuration file. The requirements YAML must be located on the same host that Patrole runs on.

  • Add test_oauth_tokens_rbac.py with RBAC test cases related to the OS-OAUTH1 Keystone v3 extension API.

  • Added RBAC test scenarios for the token-related v3 identity API.

  • Added RBAC test scenarios for the token-related admin v2 identity API.

  • Add test for updating a volume group, providing coverage for group:update policy action.

  • Add RBAC test to provide coverage for the following cinder policy: “volume_extension:volume_actions:upload_public”.

  • Add RBAC tests for the volume v3 groups and group types APIs, providing coverage for the following policy actions:

    • group:create

    • group:get

    • group:get_all

    • group:delete

    • group:group_types_manage

    • group:access_group_types_specs

Deprecation Notes

  • The [rbac] configuration group has been deprecated and will be removed in the next release. Use [patrole] group instead, which has the exact same options.

  • Deprecate the following configuration options from [rbac] group:

    • cinder_policy_file

    • glance_policy_file

    • keystone_policy_file

    • neutron_policy_file

    • nova_policy_file

    It is better to use [rbac] custom_policy_files which supports any OpenStack service.

  • Glance v1 APIs are deprecated and v2 APIs are current. Glance v1 APIs are removed from volume tests and Glance v1 RBAC tests are removed.

  • Remove assisted volume snapshot RBAC tests, because the Tempest client does not yet exist.

Bug Fixes

  • Add microversion check to test_security_groups_rbac as tests in this file will fail with a 404 after 2.36.

  • Rename test_server_security_groups to test_list_security_groups to properly reflect the test actually being run.

  • Add test.requires_ext above tests that require the binding extension.

Other Notes

  • OpenStack Releases supported after this release are Pike. The release under current development of this tag is Queens, meaning that every Patrole commit is also tested against master during the Queens cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Queens (or future release) cloud.

0.1.0

Prelude

This release marks the first release for Patrole, tagged as 0.1.0.

New Features

  • Add additional compute hypervisor RBAC tests, so that the previously missing hypervisor endpoints are covered. Tests for the following endpoints were written:

    • show_hypervisor

    • list_servers_on_hypervisor

    • show_hypervisor_statistics

    • show_hypervisor_uptime

    • search_hypervisor

  • Added an RBAC test for force-deleting a backup which enforces the cinder policy action: “volume_extension:backup_admin_actions:force_delete”.

  • Adds test for glance’s add_metadef_resource_type_association policy.

  • Add RBAC tests for cinder os-quota-class-sets API, which cover the policy action “volume_extension:quota_classes”.

  • Refactored framework to remove unused “path” argument. Added config options to allow the path to the policy.json files for Nova, Keystone, Cinder, Neutron, and Glance to be configured without needing to manually change code.

  • Adds RBAC tests for the domain configuration Keystone v3 extension API.

  • Adds RBAC tests for the encryption types client.

  • Adds RBAC tests for the project-related endpoints belonging to the OS-EP-FILTER Keystone v3 extension API.

  • Add RBAC test for listing hypervisors with details.

  • Merges rbac_auth with rbac_rule_validation, because rbac_auth decentralized logic from rbac_rule_validation without providing any authentication-related utility. This change facilitates code maintenance and code readability.

  • Adds RBAC tests for the Nova os-volumes API which is deprecated from microversion 2.36 onward.

  • Added RBAC test for the volume services API, which covers the following policy action: “volume_extension:services:index”.

  • Added test for volume summary API.

  • Added tests for volumes client functions set bootable, reserve, unreserve, and update metadata.

Bug Fixes

  • Corrected the policy action in the rbac_rule_validation decorator for the test test_snapshot_force_delete from “volume_extension:volume_admin_actions:force_delete” to “volume_extension:snapshot_admin_actions:force_delete”.

  • Removed rule kwarg from rbac_rule_validation decorator for identity v2 admin tests, because the identity v2 admin API does not do policy enforcement, and instead checks whether the request object has context_is_admin.

Other Notes

  • Patrole currently supports RBAC testing for Cinder, Glance, Nova, Neutron and Keystone.

    The release under current development as of this tag is Pike, meaning that every Patrole commit is also tested against master branch during the Pike cycle. However, this does not necessarily mean that using Patrole as of this tag will work against Pike (or future releases) cloud. In addition, backward compatibility with previous releases is not guaranteed.

  • Updated the class names for identity v2 tests to include the “Admin” substring, to convey the fact that these tests are only intended to test the v2 admin API, not the v2 API.

  • Renamed update metadata item and delete metadata item tests to accurately reflect what actions are being performed.