Support implied rules
Use the Keystone API[0] to get all role inference rules, which makes it
possible to extend the used list of roles with implied roles.
[0] https://developer.openstack.org/api-ref/identity/v3/#list-all-role-inference-rules
Change-Id: Ia57351f3b21a82f4556ec61323abd295b427fc1e
diff --git a/releasenotes/notes/implied-roles-96a307a2b9fa2a40.yaml b/releasenotes/notes/implied-roles-96a307a2b9fa2a40.yaml
new file mode 100644
index 0000000..4329101
--- /dev/null
+++ b/releasenotes/notes/implied-roles-96a307a2b9fa2a40.yaml
@@ -0,0 +1,22 @@
+---
+features:
+ - |
+ Supporting the role inference rules API gives Patrole an ability of testing
+ role chains, when one role implies the second which can also imply the
+ third:
+
+ ``admin`` implies ``member`` implies ``reader``
+
+ Now in a case of testing against an ``admin`` role (``[patole]
+ rbac_test_roles`` = ``admin``) the ``rbac_rule_validation.action`` calls
+ the ``rbac_utils.get_all_needed_roles`` function to extend the roles
+ and validates a policy rule against the full list of possible roles:
+
+ ["admin", "member", "reader"]
+
+ Here is few examples:
+ ["admin"] >> ["admin", "member", "reader"]
+ ["member"] >> ["member", "reader"]
+ ["reader"] >> ["reader"]
+ ["custom_role"] >> ["custom_role"]
+ ["custom_role", "member"] >> ["custom_role", "member", "reader"]
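Review bot: the config group is misspelled as ``[patole]`` in the sentence introducing ``rbac_test_roles``; it should be ``[patrole]``, since operators will copy the section name from the release note. In the same note, "Here is few examples:" should read "Here are a few examples:", and there is no blank line between that sentence and the four ``>>`` mapping lines, so they will not render as separate lines; end the sentence with ``::`` and add a blank line so the mappings become a literal block. It would also help to state that the expansion is transitive, since the ``["admin"] >> ["admin", "member", "reader"]`` line shows it but the prose only says roles are "extended".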