v0.1.0 Release Notes



This release marks the first release for Patrole, tagged as 0.1.0.

New Features

  • Add additional compute hypervisor RBAC tests, so that the previously missing hypervisor endpoints are covered. Tests for the following endpoints were written:

    • show_hypervisor

    • list_servers_on_hypervisor

    • show_hypervisor_statistics

    • show_hypervisor_uptime

    • search_hypervisor

  • Added an RBAC test for force-deleting a backup, which enforces the Cinder policy action: “volume_extension:backup_admin_actions:force_delete”.

  • Adds a test for Glance’s add_metadef_resource_type_association policy.

  • Add RBAC tests for the Cinder os-quota-class-sets API, which cover the policy action “volume_extension:quota_classes”.

  • Refactored framework to remove unused “path” argument. Added config options to allow the path to the policy.json files for Nova, Keystone, Cinder, Neutron, and Glance to be configured without needing to manually change code.

  • Adds RBAC tests for the domain configuration Keystone v3 extension API.

  • Adds RBAC tests for the encryption types client.

  • Adds RBAC tests for the project-related endpoints belonging to the OS-EP-FILTER Keystone v3 extension API.

  • Add RBAC test for listing hypervisors with details.

  • Merges rbac_auth with rbac_rule_validation, because rbac_auth decentralized logic from rbac_rule_validation without providing any authentication-related utility. This change facilitates code maintenance and code readability.

  • Adds RBAC tests for the Nova os-volumes API, which is deprecated from microversion 2.36 onward.

  • Added RBAC test for the volume services API, which covers the following policy action: “volume_extension:services:index”.

  • Added a test for the volume summary API.

  • Added tests for the following volumes client functions: set bootable, reserve, unreserve, and update metadata.

Bug Fixes

  • Corrected the policy action in the rbac_rule_validation decorator for the test test_snapshot_force_delete from “volume_extension:volume_admin_actions:force_delete” to “volume_extension:snapshot_admin_actions:force_delete”.

  • Removed rule kwarg from rbac_rule_validation decorator for identity v2 admin tests, because the identity v2 admin API does not do policy enforcement, and instead checks whether the request object has context_is_admin.

Other Notes

  • Patrole currently supports RBAC testing for Cinder, Glance, Nova, Neutron and Keystone.

    The release under current development as of this tag is Pike, meaning that every Patrole commit is also tested against the master branch during the Pike cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Pike (or future release) cloud. In addition, backward compatibility with previous releases is not guaranteed.

  • Updated the class names for identity v2 tests to include the “Admin” substring, to convey the fact that these tests are only intended to test the v2 admin API, not the v2 API.

  • Renamed the update metadata item and delete metadata item tests to accurately reflect what actions are being performed.