4af0345627
Add RBAC test for "backup:backup_project_attribute" which verifies that the "os-backup-project-attr:project_id" attribute appears in the response body only if policy enforcement succeeds.

This commit specifically:
* adds the test specified above
* adds a class-wide volume shared by test_show_backup and test_show_backup_project_attribute tests (i.e. moved volume creation for these tests from setUp into resource_setup)

Change-Id: I751275633a3b6f20e67894fceb826f0f97a62b46
Patrole - RBAC Integration Tempest Plugin
Patrole is a security validation tool for verifying that Role-Based Access Control is correctly configured and enforced in a system. It runs Tempest-based API tests using specified RBAC roles, thus allowing deployments to verify that only intended roles have access to those APIs.
Patrole currently offers testing for the following OpenStack services: Nova, Neutron, Glance, Cinder and Keystone.
Features
- Validation of default policy definitions located in policy.json files.
- Validation of in-code policy definitions.
- Validation of custom policy file definitions that override default policy definitions.
- Built-in positive and negative testing. Positive and negative testing are performed using the same tests and role-switching.
- Validation of custom roles as well as default OpenStack roles.
Note
Patrole does not yet support policy.yaml files, the new file format for policy files in OpenStack.
How It Works
Patrole leverages oslo.policy (OpenStack's policy enforcement engine) to determine whether a given role is allowed to perform a policy action on a given OpenStack service. The output from oslo.policy (the expected result) and the actual result from test execution are compared to each other: if both results match, the test passes; otherwise it fails.
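The comparison described above, as an added example that is not Patrole's or oslo.policy's own code: a deliberately small stand-in for the policy engine computes the expected result, and `verdict` compares it with the observed outcome for a role. The policy contents, the function names and the use of HTTP 403 as the denial signal are assumptions made for this illustration.

```python
# Added illustration; not Patrole or oslo.policy code.
# expected_allowed() is a simplified stand-in for oslo.policy that understands
# only "role:X", "rule:NAME", "or", ""/"@" (always allow) and "!" (always deny).

# Constructed sample policy in the policy.json style (values are assumptions).
POLICY = {
    "admin_api": "role:admin",
    "backup:get": "role:admin or role:member",
    "backup:backup_project_attribute": "rule:admin_api",
    "backup:delete": "!",
}


def expected_allowed(action, roles, policy=POLICY, _seen=()):
    """Expected result: does the policy grant `action` to any role in `roles`?"""
    if action in _seen:
        raise ValueError(f"cyclic rule reference: {action}")
    rule = policy[action].strip()  # KeyError for an undefined action is intended
    if rule in ("", "@"):
        return True
    if rule == "!":
        return False
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role":
            if value in roles:
                return True
        elif kind == "rule":
            if expected_allowed(value, roles, policy, _seen + (action,)):
                return True
        else:
            raise ValueError(f"unsupported check: {term!r}")
    return False


def verdict(action, role, http_status):
    """Compare the expected result with the actual result of an API call."""
    expected = expected_allowed(action, {role})
    actual = http_status != 403  # assumption: policy denial surfaces as 403
    if expected == actual:
        return "pass"
    return "fail: over-permissive" if actual else "fail: over-restrictive"


if __name__ == "__main__":
    action = "backup:backup_project_attribute"
    for role, status in [("admin", 200), ("member", 403), ("member", 200)]:
        print(role, status, verdict(action, role, status))
```

A denied role that still receives a successful response is the mismatch that matters most for access control, which is why the same test is run for both allowed and disallowed roles.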
- Documentation: https://docs.openstack.org/patrole/latest/
- Bugs: https://bugs.launchpad.net/patrole
Quickstart
Tempest is a prerequisite for running Patrole. If you do not have Tempest installed, please reference the official Tempest documentation for guidance.
Assuming Tempest is installed, the simplest way to configure Patrole is:
1. Open up the tempest.conf configuration file and include the following settings:
[rbac]
enable_rbac = True
rbac_test_role = admin
These settings tell Patrole to run RBAC tests using the "admin" role (which is the default admin role in OpenStack) to verify the default policy definitions used by OpenStack services. Specifying a different role for rbac_test_role will run Patrole tests against that role. For additional information about Patrole's configuration settings, please refer to patrole-configuration and patrole-sampleconf for a sample configuration file.
2. You are now ready to run Patrole. To do so, you can use any testr-based test runner:
$ testr run patrole_tempest_plugin.tests.api
or:
$ ostestr --regex '(?!.*\[.*\bslow\b.*\])(^patrole_tempest_plugin\.tests\.api)'
It is also possible to run Patrole using tox:
tox -eall-plugin -- patrole_tempest_plugin.tests.api
Release Versioning
Patrole Release Notes shows which changes have been released for each version.
Patrole's release versioning follows Tempest's conventions. Like Tempest, Patrole is branchless and uses versioning instead.