Remove deprecrated [rbac] config group
This PS removes the deprecated [rbac] config group. It was replaced last release cycle with the [patrole] config group, which has the exact same options. This is because [patrole] is more user-friendly and congruent with the project name. Change-Id: Id1a7af0445bd50f44ddcc4277f952391968726b8
parent
feec999bde
commit
b58c1197e9
|
@ -18,8 +18,8 @@ function install_patrole_tempest_plugin() {
|
|||
RBAC_TEST_ROLE="Member"
|
||||
fi
|
||||
|
||||
iniset $TEMPEST_CONFIG rbac enable_rbac True
|
||||
iniset $TEMPEST_CONFIG rbac rbac_test_role $RBAC_TEST_ROLE
|
||||
iniset $TEMPEST_CONFIG patrole enable_rbac True
|
||||
iniset $TEMPEST_CONFIG patrole rbac_test_role $RBAC_TEST_ROLE
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
@ -4,8 +4,8 @@
|
|||
Usage
|
||||
========
|
||||
|
||||
RBAC (API) Tests
|
||||
================
|
||||
Patrole (API) Tests
|
||||
===================
|
||||
|
||||
If Patrole is installed correctly, then the RBAC tests can be executed
|
||||
from inside the tempest root directory as follows::
|
||||
|
@ -28,7 +28,7 @@ To execute patrole tests for a specific module, run::
|
|||
..
|
||||
|
||||
To change the role that the patrole tests are being run as, edit
|
||||
``rbac_test_role`` in the ``rbac`` section of tempest.conf: ::
|
||||
``rbac_test_role`` in the ``patrole`` section of tempest.conf: ::
|
||||
|
||||
[patrole]
|
||||
rbac_test_role = Member
|
||||
|
|
|
@ -14,11 +14,17 @@
|
|||
# Enables RBAC tests. (boolean value)
|
||||
#enable_rbac = true
|
||||
|
||||
# If true, throws RbacParsingException for policies which
|
||||
# DEPRECATED: If true, throws RbacParsingException for policies which
|
||||
# don't exist or are not included in the service's policy file. If
|
||||
# false, throws
|
||||
# skipException. (boolean value)
|
||||
#strict_policy_check = false
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: This option allows for the possibility
|
||||
# of false positives. As a testing framework, Patrole should fail any
|
||||
# test that
|
||||
# passes in an invalid policy.
|
||||
#strict_policy_check = true
|
||||
|
||||
# List of the paths to search for policy files. Each
|
||||
# policy path assumes that the service name is included in the path
|
||||
|
@ -32,46 +38,6 @@
|
|||
# (list value)
|
||||
#custom_policy_files = /etc/%s/policy.json
|
||||
|
||||
# DEPRECATED: Location of the Cinder policy file. Assumed to be on
|
||||
# the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#cinder_policy_file = /etc/cinder/policy.json
|
||||
|
||||
# DEPRECATED: Location of the Glance policy file. Assumed to be on
|
||||
# the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#glance_policy_file = /etc/glance/policy.json
|
||||
|
||||
# DEPRECATED: Location of the custom Keystone policy file. Assumed to
|
||||
# be on the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#keystone_policy_file = /etc/keystone/policy.json
|
||||
|
||||
# DEPRECATED: Location of the Neutron policy file. Assumed to be on
|
||||
# the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#neutron_policy_file = /etc/neutron/policy.json
|
||||
|
||||
# DEPRECATED: Location of the custom Nova policy file. Assumed to be
|
||||
# on the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#nova_policy_file = /etc/nova/policy.json
|
||||
|
||||
#
|
||||
# This option determines whether Patrole should run against a
|
||||
# `custom_requirements_file` which defines RBAC requirements. The
|
||||
|
@ -146,131 +112,3 @@
|
|||
# is logged. This is combined withreport_log_name to generate the full
|
||||
# path. (string value)
|
||||
#report_log_path = .
|
||||
|
||||
|
||||
[rbac]
|
||||
# This group is deprecated and will be removed in the next release.
|
||||
# Use the [patrole] group instead.
|
||||
|
||||
#
|
||||
# From patrole.config
|
||||
#
|
||||
|
||||
# The current RBAC role against which to run Patrole
|
||||
# tests. (string value)
|
||||
#rbac_test_role = admin
|
||||
|
||||
# Enables RBAC tests. (boolean value)
|
||||
#enable_rbac = true
|
||||
|
||||
# If true, throws RbacParsingException for policies which
|
||||
# don't exist or are not included in the service's policy file. If
|
||||
# false, throws
|
||||
# skipException. (boolean value)
|
||||
#strict_policy_check = false
|
||||
|
||||
# List of the paths to search for policy files. Each
|
||||
# policy path assumes that the service name is included in the path
|
||||
# once. Also
|
||||
# assumes Patrole is on the same host as the policy files. The paths
|
||||
# should be
|
||||
# ordered by precedence, with high-priority paths before low-priority
|
||||
# paths. The
|
||||
# first path that is found to contain the service's policy file will
|
||||
# be used.
|
||||
# (list value)
|
||||
#custom_policy_files = /etc/%s/policy.json
|
||||
|
||||
# DEPRECATED: Location of the Cinder policy file. Assumed to be on
|
||||
# the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#cinder_policy_file = /etc/cinder/policy.json
|
||||
|
||||
# DEPRECATED: Location of the Glance policy file. Assumed to be on
|
||||
# the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#glance_policy_file = /etc/glance/policy.json
|
||||
|
||||
# DEPRECATED: Location of the custom Keystone policy file. Assumed to
|
||||
# be on the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#keystone_policy_file = /etc/keystone/policy.json
|
||||
|
||||
# DEPRECATED: Location of the Neutron policy file. Assumed to be on
|
||||
# the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#neutron_policy_file = /etc/neutron/policy.json
|
||||
|
||||
# DEPRECATED: Location of the custom Nova policy file. Assumed to be
|
||||
# on the same host as Patrole. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: It is better to use `custom_policy_files` which supports any
|
||||
# OpenStack service.
|
||||
#nova_policy_file = /etc/nova/policy.json
|
||||
|
||||
#
|
||||
# This option determines whether Patrole should run against a
|
||||
# `custom_requirements_file` which defines RBAC requirements. The
|
||||
# purpose of setting this flag to True is to verify that RBAC policy
|
||||
# is in accordance to requirements. The idea is that the
|
||||
# `custom_requirements_file` perfectly defines what the RBAC
|
||||
# requirements are.
|
||||
#
|
||||
# Here are the possible outcomes when running the Patrole tests
|
||||
# against
|
||||
# a `custom_requirements_file`:
|
||||
#
|
||||
# YAML definition: allowed
|
||||
# test run: allowed
|
||||
# test result: pass
|
||||
#
|
||||
# YAML definition: allowed
|
||||
# test run: not allowed
|
||||
# test result: fail (under-permission)
|
||||
#
|
||||
# YAML definition: not allowed
|
||||
# test run: allowed
|
||||
# test result: fail (over-permission)
|
||||
# (boolean value)
|
||||
#test_custom_requirements = false
|
||||
|
||||
#
|
||||
# File path of the yaml file that defines your RBAC requirements. This
|
||||
# file must be located on the same host that Patrole runs on. The yaml
|
||||
# file should be written as follows:
|
||||
#
|
||||
# ```
|
||||
# <service>:
|
||||
# <api_action>:
|
||||
# - <allowed_role>
|
||||
# - <allowed_role>
|
||||
# - <allowed_role>
|
||||
# <api_action>:
|
||||
# - <allowed_role>
|
||||
# - <allowed_role>
|
||||
# <service>
|
||||
# <api_action>:
|
||||
# - <allowed_role>
|
||||
# ```
|
||||
# Where:
|
||||
# service = the service that is being tested (cinder, nova, etc)
|
||||
# api_action = the policy action that is being tested. Examples:
|
||||
# - volume:create
|
||||
# - os_compute_api:servers:start
|
||||
# - add_image
|
||||
# allowed_role = the Keystone role that is allowed to perform the API
|
||||
# (string value)
|
||||
#custom_requirements_file = <None>
|
||||
|
|
|
@ -22,16 +22,13 @@ patrole_group = cfg.OptGroup(name='patrole', title='Patrole Testing Options')
|
|||
PatroleGroup = [
|
||||
cfg.StrOpt('rbac_test_role',
|
||||
default='admin',
|
||||
deprecated_group='rbac',
|
||||
help="""The current RBAC role against which to run Patrole
|
||||
tests."""),
|
||||
cfg.BoolOpt('enable_rbac',
|
||||
default=True,
|
||||
deprecated_group='rbac',
|
||||
help="Enables RBAC tests."),
|
||||
cfg.BoolOpt('strict_policy_check',
|
||||
default=True,
|
||||
deprecated_group='rbac',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_reason="""This option allows for the possibility
|
||||
of false positives. As a testing framework, Patrole should fail any test that
|
||||
|
@ -43,7 +40,6 @@ skipException."""),
|
|||
# other hosts. It may be possible to leverage the v3 identity policy API.
|
||||
cfg.ListOpt('custom_policy_files',
|
||||
default=['/etc/%s/policy.json'],
|
||||
deprecated_group='rbac',
|
||||
help="""List of the paths to search for policy files. Each
|
||||
policy path assumes that the service name is included in the path once. Also
|
||||
assumes Patrole is on the same host as the policy files. The paths should be
|
||||
|
@ -52,7 +48,6 @@ first path that is found to contain the service's policy file will be used.
|
|||
"""),
|
||||
cfg.BoolOpt('test_custom_requirements',
|
||||
default=False,
|
||||
deprecated_group='rbac',
|
||||
help="""
|
||||
This option determines whether Patrole should run against a
|
||||
`custom_requirements_file` which defines RBAC requirements. The
|
||||
|
@ -76,7 +71,6 @@ test run: allowed
|
|||
test result: fail (over-permission)
|
||||
"""),
|
||||
cfg.StrOpt('custom_requirements_file',
|
||||
deprecated_group='rbac',
|
||||
help="""
|
||||
File path of the yaml file that defines your RBAC requirements. This
|
||||
file must be located on the same host that Patrole runs on. The yaml
|
||||
|
@ -106,12 +100,6 @@ allowed_role = the Keystone role that is allowed to perform the API
|
|||
]
|
||||
|
||||
|
||||
rbac_group = cfg.OptGroup(name='rbac',
|
||||
title='RBAC testing options',
|
||||
help="This group is deprecated and will be removed "
|
||||
"in the next release. Use the [patrole] group "
|
||||
"instead.")
|
||||
|
||||
patrole_log_group = cfg.OptGroup(
|
||||
name='patrole_log', title='Patrole Logging Options')
|
||||
|
||||
|
@ -141,8 +129,7 @@ def list_opts():
|
|||
"""
|
||||
opt_list = [
|
||||
(patrole_group, PatroleGroup),
|
||||
(patrole_log_group, PatroleLogGroup),
|
||||
(rbac_group, PatroleGroup)
|
||||
(patrole_log_group, PatroleLogGroup)
|
||||
]
|
||||
|
||||
return opt_list
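Review bot: Dropping `deprecated_group='rbac'` from every option in `PatroleGroup` and deleting `rbac_group` means values still set under `[rbac]` in an existing tempest.conf are no longer mapped onto `[patrole]`. oslo.config does not reject unregistered sections, so those values are presumably ignored without an error, and the defaults visible in this section (`rbac_test_role` = `admin`, `enable_rbac` = `True`) apply instead. For an RBAC test suite that would mean a run can exercise the admin role rather than the role the operator configured, and the results would not show the difference. I would say so in the upgrade note, e.g. `Options left under [rbac] are ignored without warning; rbac_test_role then falls back to admin.`, and consider logging a warning at plugin load when the parsed config still contains an `[rbac]` section. The same concern applies to the `register_opts` section, which stops registering `rbac_group`.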
|
||||
|
|
|
@ -62,12 +62,6 @@ class PatroleTempestPlugin(plugins.TempestPlugin):
|
|||
RBACLOG.addHandler(rbac_report_handler)
|
||||
|
||||
def register_opts(self, conf):
|
||||
# TODO(fmontei): Remove ``rbac_group`` in a future release as it is
|
||||
# currently deprecated.
|
||||
config.register_opt_group(
|
||||
conf,
|
||||
project_config.rbac_group,
|
||||
project_config.PatroleGroup)
|
||||
config.register_opt_group(
|
||||
conf,
|
||||
project_config.patrole_group,
|
||||
|
|
|
@ -107,7 +107,7 @@ class RbacUtils(object):
|
|||
# passing the second boundary before attempting to authenticate.
|
||||
# Only sleep if a token revocation occurred as a result of role
|
||||
# switching. This will optimize test runtime in the case where
|
||||
# ``[identity] admin_role`` == ``[rbac] rbac_test_role``.
|
||||
# ``[identity] admin_role`` == ``[patrole] rbac_test_role``.
|
||||
if not role_already_present:
|
||||
time.sleep(1)
|
||||
test_obj.os_primary.auth_provider.set_auth()
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
# Copyright 2017 AT&T Corporation.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
"""
|
||||
Tests for `patrole` module.
|
||||
"""
|
||||
|
||||
from tempest import config
|
||||
|
||||
from patrole_tempest_plugin.tests.unit import base
|
||||
|
||||
CONF = config.CONF
|
||||
|
||||
|
||||
class TestPatrole(base.TestCase):
|
||||
|
||||
def test_rbac_group_backwards_compatability(self):
|
||||
"""Validate that the deprecated group [rbac] is available and has the
|
||||
same options and option values as [patrole] group, which is current.
|
||||
"""
|
||||
self.assertTrue(hasattr(CONF, 'patrole'))
|
||||
self.assertTrue(hasattr(CONF, 'rbac'))
|
||||
# Validate that both groups are identical.
|
||||
self.assertEqual(CONF.patrole.items(), CONF.rbac.items())
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
The ``[rbac]`` config group has been removed. Use the ``[patrole]`` group
|
||||
instead which contains the exact same options.
|