openstack/patrole
Code Issues Proposed changes
Files
6da06edd6242f4029db2d427224b64337ea2217d
patrole/doc/source/field_guide/index.rst
Felipe Monteiro 443d39c5a1 docs: Add Patrole RBAC field guide 
This documentation update adds a README.rst to
patrole_tempest_plugin/tests/api which explains the RBAC field
guide. It is modeled after Tempest's API field guide [0][1]. The
README.rst is then referenced in a new field_guide section
under doc/source/field_guide.

[0] 28b252f7f6/tempest/api
[1] https://docs.openstack.org/tempest/latest/field_guide/api.html#api-field-guide

Change-Id: I877ce4a1f681bd483c7f71b02fd7bb2b4d3b3e2a
2018-05-22 21:43:37 +00:00

2.1 KiB
Raw Blame History

Patrole Field Guide Overview

Testing Scope

Patrole testing scope is strictly confined to Role-Based Access Control (RBAC). In OpenStack, oslo.policy is the RBAC library used by all major services. Thus, Patrole is concerned with validating that public API endpoints are correctly using oslo.policy for authorization.

In other words, all tests in Patrole are RBAC tests.

rbac_field_guide

RBAC tests are Tempest-like API tests plus Patrole's rbac-validation. All Patrole tests are RBAC validation tests for the OpenStack API.

Stable Tests

In the discussion below, "correct" means that a test is consistent with a service's API-to-policy mapping and "stable" means that a test should require minimal maintenance for the supported releases.

Present

During the Queens release, a governance spec was pushed to support policy in code, which documents the mapping between APIs and each of their policies.

This documentation is an important prerequisite for ensuring that Patrole tests for a given service are correct. This mapping can be referenced to confirm that Patrole's assumed mapping for a test is correct. For example, Nova has implemented policy in code which can be used to verify that Patrole's Nova RBAC tests use the same mapping.

If a given service does not have policy in code, this implies that it is more likely that the RBAC tests for that service are inconsistent with the intended policy mapping. Until that service implements policy in code, it is difficult for Patrole maintainers to verify that tests for that service are correct.

Future

Once all services that Patrole tests have implemented policy in code --and once Patrole has updated all its tests in accordance with the policy in code documentation -- then Patrole tests can guaranteed to be stable.

This stability will be denoted with a 1.0 version release.