RETIRED, Tempest plugin for testing and verifying RBAC policy enforcement.
8590c0c628
Currently, for every test case class, we need to add re-switching rbac role in tearDown method. Thus for every testcase using the tearDown method becomes mandatory. This patch removes tearDown dependency for re-switching rbac-role.

Co-Authored-By: Mh Raies <mh.raies@ericsson.com>
Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com>
Implements: blueprint refactor-teardown-switch-roles
Change-Id: I3f0026533255c87b8128f2bf3a4aa488382a2523

- contrib
- doc/source
- patrole_tempest_plugin
- releasenotes
- .coveragerc
- .gitignore
- .gitreview
- .mailmap
- .testr.conf
- babel.cfg
- CONTRIBUTING.rst
- HACKING.rst
- LICENSE
- README.rst
- requirements.txt
- setup.cfg
- setup.py
- test-requirements.txt
- test-whitelist.txt
- tox.ini
patrole
Patrole is a tool for verifying that Role-Based Access Control is being enforced.
Patrole allows users to run API tests using specified RBAC roles. This allows deployments to verify that only intended roles have access to those APIs. This is critical to ensure security, especially in large deployments with custom roles.
- Free software: Apache license
- Documentation: http://docs.openstack.org/developer/patrole
- Source: http://git.openstack.org/cgit/openstack/patrole
- Bugs: http://bugs.launchpad.net/patrole
Features
Patrole offers RBAC testing for various OpenStack RBAC policies. It includes a decorator that wraps tests and verifies that, when the test calls the corresponding API endpoint, access is granted only to the correct roles.
There are several possible test flows.
- If the rbac_test_role is allowed to access the endpoint:
  - The test passes if no 403 forbidden or RbacActionFailed exception is raised.
- If the rbac_test_role is not allowed to access the endpoint:
  - If the endpoint returns a 403 forbidden exception, the test will pass.
  - If the endpoint returns something other than a 403 forbidden to indicate that the role is not allowed, the test will raise an RbacActionFailed exception.
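
The test flows above, as an added example that is not Patrole's own code: a hypothetical `rbac_action` decorator compares the outcome of each test with a policy table. The `POLICY` rules, the `RBAC_TEST_ROLE` value, the `Forbidden` class and the `fake_api` endpoint are all constructed stand-ins for the real policy files, configuration and OpenStack APIs.

```python
import functools

class Forbidden(Exception):
    """Stand-in for the client error raised on an HTTP 403 (constructed)."""

class RbacActionFailed(Exception):
    """Observed access disagrees with what the policy allows."""

RBAC_TEST_ROLE = "member"  # role under test (constructed value)
POLICY = {  # constructed policy table: rule -> roles allowed
    "volume:create": {"admin", "member"},
    "volume:force_delete": {"admin"},
}

def rbac_action(rule):
    """Hypothetical decorator applying the test flows listed above."""
    def decorator(test):
        @functools.wraps(test)
        def wrapper(*args, **kwargs):
            allowed = RBAC_TEST_ROLE in POLICY[rule]
            try:
                test(*args, **kwargs)
            except Forbidden:
                if allowed:
                    raise RbacActionFailed(f"{rule}: 403 for an allowed role")
                return True  # denied with 403, as the policy requires
            if not allowed:
                raise RbacActionFailed(f"{rule}: no 403 for a disallowed role")
            return True  # allowed role, no 403 raised
        return wrapper
    return decorator

def fake_api(rule, enforced=True):
    """Toy endpoint; raises Forbidden only when it enforces POLICY."""
    if enforced and RBAC_TEST_ROLE not in POLICY[rule]:
        raise Forbidden(rule)
    return 200

@rbac_action("volume:create")
def case_create():
    fake_api("volume:create")

@rbac_action("volume:force_delete")
def case_force_delete():
    fake_api("volume:force_delete")

@rbac_action("volume:force_delete")
def case_force_delete_unenforced():
    fake_api("volume:force_delete", enforced=False)  # endpoint skips its role check
```

The last case models an endpoint that fails to enforce its policy: the disallowed role gets through without a 403, so the decorator raises `RbacActionFailed` instead of letting the test pass.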