v0.3.0 Release Notes

0.3.0 Release Notes



This release marks the start of Queens release support in Patrole.

New Features

  • Add RBAC test for “backup:backup_project_attribute” which verifies that the “os-backup-project-attr:project_id” attribute appears in the response body once policy enforcement succeeds.

  • Implemented a new method override_role in rbac_utils module, which provides the exact same functionality as the now-deprecated switch_role method, with one difference: override_role is a contextmanager which provides better policy validation granularity. This means that immediately after the contextmanager’s code has executed, the role is switched back to the admin role automatically.

  • Add complete RBAC test coverage for the compute APIs that enforce: “os_compute_api:os-extended-server-attributes”.

  • test_flavor_rxtx_rbac now offers complete coverage for the os-flavor-rxtx policy.

  • Adds tests to see if key_name is returned in server response to test_server_misc_policy_actions_rbac.

  • Add RBAC test for creating a server backup, providing coverage for the policy action: “os_compute_api:os-create-backup”.

Upgrade Notes

  • All of the identity v2.0 API tests have been removed from Patrole because the majority of the v2.0 API has been removed from the identity project.

  • The [rbac] config group has been removed. Use the [patrole] group instead which contains the exact same options.

Deprecation Notes

  • The switch_role method in rbac_utils module has been deprecated and will be removed during the Rocky release cycle.

  • The configuration option [patrole] strict_policy_check is deprecated and will be removed in the Rocky release cycle.

  • Removed the following deprecated Patrole configuration options:

    • cinder_policy_file

    • glance_policy_file

    • keystone_policy_file

    • neutron_policy_file

    • nova_policy_file

    To specify the location of a custom policy file, use [patrole] custom_policy_files instead.

Other Notes

  • The default value for [patrole] strict_policy_check has been changed to True because a Patrole test should always fail if the policy action is invalid, to avoid false positives.

  • OpenStack Releases supported after this release are Queens and Pike. The release under current development of this tag is Rocky, meaning that every Patrole commit is also tested against master during the Rocky cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Rocky (or future release) cloud.