Deprecate strict_policy_enforce configuration option
The configuration option ``[patrole] strict_policy_check`` is deprecated and will be removed in the Rocky release cycle. The default value for ``[patrole] strict_policy_check`` has been changed to ``True`` because a Patrole test should always fail if the policy action is invalid, to avoid false positives.

Change-Id: Idb902f23b1845bdbc9ac8fb490f3e74e262c1451
parent e182300601
commit f71def828a
|
@ -20,7 +20,6 @@ function install_patrole_tempest_plugin() {
|
|||
|
||||
iniset $TEMPEST_CONFIG rbac enable_rbac True
|
||||
iniset $TEMPEST_CONFIG rbac rbac_test_role $RBAC_TEST_ROLE
|
||||
iniset $TEMPEST_CONFIG rbac strict_policy_check False
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
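Review bot: dropping the `iniset $TEMPEST_CONFIG rbac strict_policy_check False` line in install_patrole_tempest_plugin means DevStack jobs now pick up the new default of True without any visible setting, so a test that names a policy action missing from the service's policy file will raise RbacParsingException where it previously raised skipException. It is worth confirming that the gate jobs were run with this change applied and saying so in the commit message. Separately, the two remaining iniset calls still write `enable_rbac` and `rbac_test_role` under the `rbac` section, which the config hunk lists as a deprecated group; moving them to the `[patrole]` section used in the release note would be a sensible follow-up.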
@ -30,8 +30,12 @@ tests."""),
|
|||
deprecated_group='rbac',
|
||||
help="Enables RBAC tests."),
|
||||
cfg.BoolOpt('strict_policy_check',
|
||||
default=False,
|
||||
default=True,
|
||||
deprecated_group='rbac',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_reason="""This option allows for the possibility
|
||||
of false positives. As a testing framework, Patrole should fail any test that
|
||||
passes in an invalid policy.""",
|
||||
help="""If true, throws RbacParsingException for policies which
|
||||
don't exist or are not included in the service's policy file. If false, throws
|
||||
skipException."""),
|
||||
|
|
|
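Review bot: on `cfg.BoolOpt('strict_policy_check', ...)`, `deprecated_for_removal=True` is set without `deprecated_since`, and `deprecated_reason` does not say when the option goes away. The release note gives the Rocky cycle as the removal point; setting `deprecated_since` and repeating the removal target in the reason would carry that information into the generated sample configuration as well. The phrase "passes in an invalid policy" can also be read as a test that passes, so wording such as "is given an invalid policy action" would be unambiguous. The help text could also state that the strict behaviour becomes unconditional once the option is removed.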
@ -0,0 +1,10 @@
|
|||
---
|
||||
deprecations:
|
||||
- |
|
||||
The configuration option ``[patrole] strict_policy_check`` is deprecated
|
||||
and will be removed in the Rocky release cycle.
|
||||
other:
|
||||
- |
|
||||
The default value for ``[patrole] strict_policy_check`` has been changed
|
||||
to ``True`` because a Patrole test should always fail if the policy action
|
||||
is invalid, to avoid false positives.
|
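Review bot: the default change from False to True is filed under `other:`, but it changes test outcomes on upgrade (RbacParsingException where skipException was raised before), so it belongs under `upgrade:`, where people look for items that need action. The entry should also state the previous default and that setting ``strict_policy_check`` to ``False`` keeps the old behaviour until the option is removed. The commit title names `strict_policy_enforce` while this note and the option definition use `strict_policy_check`; the title should match.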