v0.3.0 Release Notes
This release marks the start of Queens release support in Patrole.
Add RBAC test for “backup:backup_project_attribute” which verifies that the “os-backup-project-attr:project_id” attribute appears in the response body once policy enforcement succeeds.
Implemented a new method, override_role, in the rbac_utils module, which provides the exact same functionality as the now-deprecated switch_role method, with one difference: override_role is a context manager, which provides better policy validation granularity. This means that immediately after the context manager's code has executed, the role is switched back to the admin role automatically.
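The role-restoring behaviour described above, as an added example that is not Patrole's own code. FakeRbacUtils, Forbidden, call, run_backup_test and the role and action names are hypothetical stand-ins constructed for illustration; the point is that only the call under test runs as the test role, and the admin role is restored even when the policy check raises.

```python
from contextlib import contextmanager


class Forbidden(Exception):
    """Raised by the fake API when the current role fails the policy check."""


class FakeRbacUtils:
    """Hypothetical role switcher; an assumption, not Patrole's rbac_utils."""

    def __init__(self, test_role):
        self.test_role = test_role
        self.current_role = "admin"
        self.history = []  # (role, action) pairs: which role ran which call

    @contextmanager
    def override_role(self):
        # Only the body of the `with` block runs as the test role.
        self.current_role = self.test_role
        try:
            yield
        finally:
            # Runs on normal exit and on exceptions alike.
            self.current_role = "admin"

    def call(self, action, allowed_roles):
        # Constructed policy check: record the caller's role, then enforce.
        self.history.append((self.current_role, action))
        if self.current_role not in allowed_roles:
            raise Forbidden(action)


def run_backup_test(rbac):
    """Setup and cleanup run as admin; only the guarded call is overridden."""
    rbac.call("create_volume", {"admin"})  # setup, needs admin
    outcome = "allowed"
    try:
        with rbac.override_role():
            rbac.call("create_backup", {"admin", "member"})  # call under test
    except Forbidden:
        outcome = "denied"
    rbac.call("delete_volume", {"admin"})  # cleanup, admin again
    return outcome, rbac.current_role
```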
Add complete RBAC test coverage for the compute APIs that enforce: “os_compute_api:os-extended-server-attributes”.
test_flavor_rxtx_rbac now offers complete coverage for the os-flavor-rxtx policy.
Adds tests to test_server_misc_policy_actions_rbac that check whether key_name is returned in the server response.
Add RBAC test for creating a server backup, providing coverage for the policy action: “os_compute_api:os-create-backup”.
All of the identity v2.0 API tests have been removed from Patrole because the majority of the v2.0 API has been removed from the identity project.
The [rbac] config group has been removed. Use the [patrole] group instead, which contains the exact same options.
The switch_role method in the rbac_utils module has been deprecated and will be removed during the Rocky release cycle.
The configuration option [patrole] strict_policy_check is deprecated and will be removed in the Rocky release cycle.
Removed the following deprecated Patrole configuration options:
To specify the location of a custom policy file, use
The default value for [patrole] strict_policy_check has been changed to True because a Patrole test should always fail if the policy action is invalid, to avoid false positives.
OpenStack Releases supported after this release are Queens and Pike. The release under current development of this tag is Rocky, meaning that every Patrole commit is also tested against master during the Rocky cycle. However, this does not necessarily mean that using Patrole as of this tag will work against a Rocky (or future release) cloud.