v0.2.0 Release Notes

0.2.0 Release Notes



This release marks the start of support for the Pike release in Patrole.

New Features

  • Add security groups and server security groups tests to Nova RBAC tests.

  • Add additional port-related RBAC tests to test_ports_rbac in the network module, providing coverage for the following policy actions: * create_port:device_owner * create_port:port_security_enabled * create_port:binding:profile * update_port:device_owner

  • Add additional RBAC tests for network routers API, providing coverage for the following policy actions:

    • create_router:ha

    • create_router:distributed

    • get_router:distributed

    • update_router:ha

    • update_router:distributed

  • Added tests to test_agents_rbac.py for PUT and DELETE endpoints.

  • Add RBAC test for communitizing image, providing coverage for the policy action “communitize_image”.

  • Adds tests for compute snapshot APIs.

  • Adds tests for os-console-output and os-remote-console to compute module.

  • Added RBAC network test for listing dhcp agents on a hosting network, providing coverage for the “get_dhcp-agents” policy.

  • Add new configuration option [rbac] custom_policy_files, allowing users to specify list of the paths to search for custom policy files. Each policy path assumes that the service name is included in the path once. Also assumes Patrole is on the same host as the policy files. The paths should be ordered by precedence, with high-priority paths before low-priority paths. The first path that is found to contain the service’s policy file will be used.

  • Add group-specific RBAC tests for the identity v3 extension API, OS-EP-FILTER, providing coverage for the following policy actions:

    • identity:create_endpoint_group

    • identity:list_endpoint_groups

    • identity:show_endpoint_group (get endpoint group)

    • identity:check_endpoint_group

    • identity:list_endpoint_group (get endpoint groups)

    • identity:update_endpoint_group

    • identity:delete_endpoint_group

  • Add RBAC tests for APIs that enforce “os_compute_api:os-extended-availability-zone”.

  • Added RBAC tests for volume type access and volume type extra specs APIs, providing coverage for the following policy actions:

    • “volume_extension:types_extra_specs”

    • “volume_extension:volume_type_access”

    • “volume_extension:volume_type_access:addProjectAccess”

    • “volume_extension:volume_type_access:removeProjectAccess”

  • Add test coverage for the os-flavor-manage compute API, which includes tests for the following policy actions:

    • “os_compute_api:os-flavor-manage:create”

    • “os_compute_api:os-flavor-manage:delete”

  • Add RBAC tests related to the image_size compute policy action: “os_compute_api:image-size”.

  • Adds tests for Nova’s lock_server policies: lock, unlock, and unlock_override.

  • Add additional RBAC tests to VolumesBackupsRbacTest, providing coverage for “volume_extension:backup_admin_actions:reset_status”.

  • Add Patrole DevStack plugin, allowing Patrole to be installed using DevStack by adding “enable_plugin patrole” to “local” section of local.conf.

  • Added in a new logging feature which logs the result of each Patrole test

    The format of the new log output is:

    “[Service]: %s, [Test]: %s, [Rule]: %s, [Expected]: %s, [Actual]: %s”

    where each “%s” is a string that contains:

    • [Service] - The openstack service being tested (Nova, Neutron, etc)

    • [Test] - The name of the test function being invoked (eg: test_list_aggregate_rbac)

    • [Rule] - The name of the rule the Patrole test is testing (eg: os_compute_api:os-aggregates)

    • [Expected] - The expected outcome (one of Allowed/Denied)

    • [Actual] - The actual outcome from the Patrole test (one of Allowed/Denied/Error)

    This logging feature has two config variables:

    These variables are part of a new config group patrole_log

    • enable_reporting:

      This enables or disables the enhanced rbac reporting

    • report_log_name:

      This variable specifies the name of the log file to write

    • report_log_path:

      This variable specifies the path (relative or absolute) of the log file to write

  • Add RBAC tests for os_compute_api:os-extended-status, which validate that the following attributes:

    • OS-EXT-STS:task_state

    • OS-EXT-STS:vm_state

    • OS-EXT-STS:power_state

    are present in the relevant response bodies.

  • Add RBAC tests for os-extended-volumes:volumes_attached policies, which validate that “os-extended-volumes:volumes_attached” is returned in the response body.

  • Implements RBAC tests for Tempest network agents_client, providing coverage for the following policies:

    • update_agent

    • get_agent

    • create_dhcp-network

    • delete_dhcp-network

    • get_dhcp-networks

    • create_l3-router

    • delete_l3-router

    • get_l3-routers

  • Add RBAC tests for compute quota class sets API, providing coverage for the following policy actions:

    • os_compute_api:os-quota-class-sets:show

    • os_compute_api:os-quota-class-sets:update

  • Add RBAC tests for the compute server metadata API, providing coverage for the following policy actions:

    • os_compute_api:server-metadata:index

    • os_compute_api:server-metadata:update_all

    • os_compute_api:server-metadata:create

    • os_compute_api:server-metadata:show

    • os_compute_api:server-metadata:update

    • os_compute_api:server-metadata:delete

  • Adds test for Neutron’s get_service_provider policy.

  • Add RBAC tests for network subnet endpoints, providing coverage for the following policy actions:

    • create_subnet

    • get_subnet

    • update_subnet

    • delete_subnet

  • Add RBAC test for updating the default subnetpool, providing coverage for the policy action: “update_subnetpool:is_default”.

  • Add support of running Patrole against a custom requirements YAML that defines RBAC requirements. The YAML file lists all the APIs and the roles that should have access to the APIs. The purpose of running Patrole against a requirements YAML is to verify that the RBAC policy is in accordance to deployment specific requirements. Running Patrole against a requirements YAML is completely optional and can be enabled by setting the [rbac] test_custom_requirements option to True in Tempest’s configuration file. The requirements YAML must be located on the same host that Patrole runs on.

  • Add test_oauth_tokens_rbac.py with RBAC test cases related to the OS-OAUTH1 Keystone v3 extension API.

  • Added RBAC test scenarios for the token-related v3 identity API

  • Added RBAC test scenarios for the token-related admin v2 identity API.

  • Add test for updating a volume group, providing coverage for group:update policy action.

  • Add RBAC test to provide coverage for the following cinder policy: “volume_extension:volume_actions:upload_public”.

  • Add RBAC tests for the volume v3 groups and group types APIs, providing coverage for the following policy actions:

    • group:create

    • group:get

    • group:get_all

    • group:delete

    • group:group_types_manage

    • group:access_group_types_specs

Deprecation Notes

  • The [rbac] configuration group has been deprecated and will be removed in the next release. Use [patrole] group instead, which has the exact same options.

  • Deprecate the following configuration options from [rbac] group:

    • cinder_policy_file

    • glance_policy_file

    • keystone_policy_file

    • neutron_policy_file

    • nova_policy_file

    It is better to use [rbac] custom_policy_files which supports any OpenStack service.

  • Glance v1 APIs are deprecated and v2 APIs are current. Glance v1 APIs are removed from volume tests and Glance v1 RBAC tests are removed.

  • Remove assisted volume snapshot RBAC tests, because the Tempest client does not yet exist.

Bug Fixes

  • Add microversion check to test_security_groups_rbac as tests in this file will fail with a 404 after 2.36.

  • Rename test_server_security_groups to test_list_security_groups to properly reflect the test actually being run.

  • Add test.requires_ext above tests that require the binding extension.

Other Notes

  • OpenStack Releases supported after this release are Pike. The release under current development of this tag is Queens, meaning that every Patrole commit is also tested against master during the Queens cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Queens (or future release) cloud.