v0.2.0 Release Notes¶
0.2.0 Release Notes¶
0.2.0¶
Prelude¶
This release marks the start of support for the Pike release in Patrole.
New Features¶
Add security groups and server security groups tests to Nova RBAC tests.
Add additional port-related RBAC tests to
test_ports_rbacin the network module, providing coverage for the following policy actions: * create_port:device_owner * create_port:port_security_enabled * create_port:binding:profile * update_port:device_owner
Add additional RBAC tests for network routers API, providing coverage for the following policy actions:
create_router:ha
create_router:distributed
get_router:distributed
update_router:ha
update_router:distributed
Added tests to test_agents_rbac.py for PUT and DELETE endpoints.
Add RBAC test for communitizing image, providing coverage for the policy action “communitize_image”.
Adds tests for compute snapshot APIs.
Adds tests for os-console-output and os-remote-console to compute module.
Added RBAC network test for listing dhcp agents on a hosting network, providing coverage for the “get_dhcp-agents” policy.
Add new configuration option
[rbac] custom_policy_files, allowing users to specify list of the paths to search for custom policy files. Each policy path assumes that the service name is included in the path once. Also assumes Patrole is on the same host as the policy files. The paths should be ordered by precedence, with high-priority paths before low-priority paths. The first path that is found to contain the service’s policy file will be used.
Add group-specific RBAC tests for the identity v3 extension API, OS-EP-FILTER, providing coverage for the following policy actions:
identity:create_endpoint_group
identity:list_endpoint_groups
identity:show_endpoint_group (get endpoint group)
identity:check_endpoint_group
identity:list_endpoint_group (get endpoint groups)
identity:update_endpoint_group
identity:delete_endpoint_group
Add RBAC tests for APIs that enforce “os_compute_api:os-extended-availability-zone”.
Added RBAC tests for volume type access and volume type extra specs APIs, providing coverage for the following policy actions:
“volume_extension:types_extra_specs”
“volume_extension:volume_type_access”
“volume_extension:volume_type_access:addProjectAccess”
“volume_extension:volume_type_access:removeProjectAccess”
Add test coverage for the os-flavor-manage compute API, which includes tests for the following policy actions:
“os_compute_api:os-flavor-manage:create”
“os_compute_api:os-flavor-manage:delete”
Add RBAC tests related to the
image_sizecompute policy action: “os_compute_api:image-size”.
Adds tests for Nova’s lock_server policies: lock, unlock, and unlock_override.
Add additional RBAC tests to
VolumesBackupsRbacTest, providing coverage for “volume_extension:backup_admin_actions:reset_status”.
Add Patrole DevStack plugin, allowing Patrole to be installed using DevStack by adding “enable_plugin patrole” to “local” section of local.conf.
Added in a new logging feature which logs the result of each Patrole test
The format of the new log output is:
“[Service]: %s, [Test]: %s, [Rule]: %s, [Expected]: %s, [Actual]: %s”
where each “%s” is a string that contains:
[Service] - The openstack service being tested (Nova, Neutron, etc)
[Test] - The name of the test function being invoked (eg: test_list_aggregate_rbac)
[Rule] - The name of the rule the Patrole test is testing (eg: os_compute_api:os-aggregates)
[Expected] - The expected outcome (one of Allowed/Denied)
[Actual] - The actual outcome from the Patrole test (one of Allowed/Denied/Error)
This logging feature has two config variables:
These variables are part of a new config group
patrole_log- enable_reporting:
This enables or disables the enhanced rbac reporting
- report_log_name:
This variable specifies the name of the log file to write
- report_log_path:
This variable specifies the path (relative or absolute) of the log file to write
Add RBAC tests for os_compute_api:os-extended-status, which validate that the following attributes:
OS-EXT-STS:task_state
OS-EXT-STS:vm_state
OS-EXT-STS:power_state
are present in the relevant response bodies.
Add RBAC tests for os-extended-volumes:volumes_attached policies, which validate that “os-extended-volumes:volumes_attached” is returned in the response body.
Implements RBAC tests for Tempest network agents_client, providing coverage for the following policies:
update_agent
get_agent
create_dhcp-network
delete_dhcp-network
get_dhcp-networks
create_l3-router
delete_l3-router
get_l3-routers
Add RBAC tests for compute quota class sets API, providing coverage for the following policy actions:
os_compute_api:os-quota-class-sets:show
os_compute_api:os-quota-class-sets:update
Add RBAC tests for the compute server metadata API, providing coverage for the following policy actions:
os_compute_api:server-metadata:index
os_compute_api:server-metadata:update_all
os_compute_api:server-metadata:create
os_compute_api:server-metadata:show
os_compute_api:server-metadata:update
os_compute_api:server-metadata:delete
Adds test for Neutron’s get_service_provider policy.
Add RBAC tests for network subnet endpoints, providing coverage for the following policy actions:
create_subnet
get_subnet
update_subnet
delete_subnet
Add RBAC test for updating the default subnetpool, providing coverage for the policy action: “update_subnetpool:is_default”.
Add support of running Patrole against a custom requirements YAML that defines RBAC requirements. The YAML file lists all the APIs and the roles that should have access to the APIs. The purpose of running Patrole against a requirements YAML is to verify that the RBAC policy is in accordance to deployment specific requirements. Running Patrole against a requirements YAML is completely optional and can be enabled by setting the
[rbac] test_custom_requirementsoption to True in Tempest’s configuration file. The requirements YAML must be located on the same host that Patrole runs on.
Add test_oauth_tokens_rbac.py with RBAC test cases related to the OS-OAUTH1 Keystone v3 extension API.
Added RBAC test scenarios for the token-related v3 identity API
Added RBAC test scenarios for the token-related admin v2 identity API.
Add test for updating a volume group, providing coverage for group:update policy action.
Add RBAC test to provide coverage for the following cinder policy: “volume_extension:volume_actions:upload_public”.
Add RBAC tests for the volume v3 groups and group types APIs, providing coverage for the following policy actions:
group:create
group:get
group:get_all
group:delete
group:group_types_manage
group:access_group_types_specs
Deprecation Notes¶
The
[rbac]configuration group has been deprecated and will be removed in the next release. Use[patrole]group instead, which has the exact same options.
Deprecate the following configuration options from
[rbac]group:cinder_policy_file
glance_policy_file
keystone_policy_file
neutron_policy_file
nova_policy_file
It is better to use
[rbac] custom_policy_fileswhich supports any OpenStack service.
Glance v1 APIs are deprecated and v2 APIs are current. Glance v1 APIs are removed from volume tests and Glance v1 RBAC tests are removed.
Remove assisted volume snapshot RBAC tests, because the Tempest client does not yet exist.
Bug Fixes¶
Add microversion check to test_security_groups_rbac as tests in this file will fail with a 404 after 2.36.
Rename test_server_security_groups to test_list_security_groups to properly reflect the test actually being run.
Add
test.requires_extabove tests that require thebindingextension.
Other Notes¶
OpenStack Releases supported after this release are Pike. The release under current development of this tag is Queens, meaning that every Patrole commit is also tested against master during the Queens cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Queens (or future release) cloud.
