|  | #    Copyright 2017 AT&T Corporation. | 
|  | #    All Rights Reserved. | 
|  | # | 
|  | #    Licensed under the Apache License, Version 2.0 (the "License"); you may | 
|  | #    not use this file except in compliance with the License. You may obtain | 
|  | #    a copy of the License at | 
|  | # | 
|  | #         http://www.apache.org/licenses/LICENSE-2.0 | 
|  | # | 
|  | #    Unless required by applicable law or agreed to in writing, software | 
|  | #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | 
|  | #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | 
|  | #    License for the specific language governing permissions and limitations | 
|  | #    under the License. | 
|  |  | 
|  | from oslo_config import cfg | 
|  |  | 
|  |  | 
|  | patrole_group = cfg.OptGroup(name='patrole', title='Patrole Testing Options') | 
|  |  | 
|  |  | 
|  | PatroleGroup = [ | 
|  | cfg.StrOpt('rbac_test_role', | 
|  | default='admin', | 
|  | deprecated_group='rbac', | 
|  | help="""The current RBAC role against which to run Patrole | 
|  | tests."""), | 
|  | cfg.BoolOpt('enable_rbac', | 
|  | default=True, | 
|  | deprecated_group='rbac', | 
|  | help="Enables RBAC tests."), | 
|  | cfg.BoolOpt('strict_policy_check', | 
|  | default=False, | 
|  | deprecated_group='rbac', | 
|  | help="""If true, throws RbacParsingException for policies which | 
|  | don't exist or are not included in the service's policy file. If false, throws | 
|  | skipException."""), | 
|  | # TODO(rb560u): There needs to be support for reading these JSON files from | 
|  | # other hosts. It may be possible to leverage the v3 identity policy API. | 
|  | cfg.ListOpt('custom_policy_files', | 
|  | default=['/etc/%s/policy.json'], | 
|  | deprecated_group='rbac', | 
|  | help="""List of the paths to search for policy files. Each | 
|  | policy path assumes that the service name is included in the path once. Also | 
|  | assumes Patrole is on the same host as the policy files. The paths should be | 
|  | ordered by precedence, with high-priority paths before low-priority paths. The | 
|  | first path that is found to contain the service's policy file will be used. | 
|  | """), | 
|  | cfg.StrOpt('cinder_policy_file', | 
|  | default='/etc/cinder/policy.json', | 
|  | help="""Location of the Cinder policy file. Assumed to be on | 
|  | the same host as Patrole.""", | 
|  | deprecated_group='rbac', | 
|  | deprecated_for_removal=True, | 
|  | deprecated_reason="It is better to use `custom_policy_files` " | 
|  | "which supports any OpenStack service."), | 
|  | cfg.StrOpt('glance_policy_file', | 
|  | default='/etc/glance/policy.json', | 
|  | help="""Location of the Glance policy file. Assumed to be on | 
|  | the same host as Patrole.""", | 
|  | deprecated_group='rbac', | 
|  | deprecated_for_removal=True, | 
|  | deprecated_reason="It is better to use `custom_policy_files` " | 
|  | "which supports any OpenStack service."), | 
|  | cfg.StrOpt('keystone_policy_file', | 
|  | default='/etc/keystone/policy.json', | 
|  | help="""Location of the custom Keystone policy file. Assumed to | 
|  | be on the same host as Patrole.""", | 
|  | deprecated_group='rbac', | 
|  | deprecated_for_removal=True, | 
|  | deprecated_reason="It is better to use `custom_policy_files` " | 
|  | "which supports any OpenStack service."), | 
|  | cfg.StrOpt('neutron_policy_file', | 
|  | default='/etc/neutron/policy.json', | 
|  | help="""Location of the Neutron policy file. Assumed to be on | 
|  | the same host as Patrole.""", | 
|  | deprecated_group='rbac', | 
|  | deprecated_for_removal=True, | 
|  | deprecated_reason="It is better to use `custom_policy_files` " | 
|  | "which supports any OpenStack service."), | 
|  | cfg.StrOpt('nova_policy_file', | 
|  | default='/etc/nova/policy.json', | 
|  | help="""Location of the custom Nova policy file. Assumed to be | 
|  | on the same host as Patrole.""", | 
|  | deprecated_group='rbac', | 
|  | deprecated_for_removal=True, | 
|  | deprecated_reason="It is better to use `custom_policy_files` " | 
|  | "which supports any OpenStack service."), | 
|  | cfg.BoolOpt('test_custom_requirements', | 
|  | default=False, | 
|  | deprecated_group='rbac', | 
|  | help=""" | 
|  | This option determines whether Patrole should run against a | 
|  | `custom_requirements_file` which defines RBAC requirements. The | 
|  | purpose of setting this flag to True is to verify that RBAC policy | 
|  | is in accordance to requirements. The idea is that the | 
|  | `custom_requirements_file` perfectly defines what the RBAC requirements are. | 
|  |  | 
|  | Here are the possible outcomes when running the Patrole tests against | 
|  | a `custom_requirements_file`: | 
|  |  | 
|  | YAML definition: allowed | 
|  | test run: allowed | 
|  | test result: pass | 
|  |  | 
|  | YAML definition: allowed | 
|  | test run: not allowed | 
|  | test result: fail (under-permission) | 
|  |  | 
|  | YAML definition: not allowed | 
|  | test run: allowed | 
|  | test result: fail (over-permission) | 
|  | """), | 
|  | cfg.StrOpt('custom_requirements_file', | 
|  | deprecated_group='rbac', | 
|  | help=""" | 
|  | File path of the yaml file that defines your RBAC requirements. This | 
|  | file must be located on the same host that Patrole runs on. The yaml | 
|  | file should be written as follows: | 
|  |  | 
|  | ``` | 
|  | <service>: | 
|  | <api_action>: | 
|  | - <allowed_role> | 
|  | - <allowed_role> | 
|  | - <allowed_role> | 
|  | <api_action>: | 
|  | - <allowed_role> | 
|  | - <allowed_role> | 
|  | <service> | 
|  | <api_action>: | 
|  | - <allowed_role> | 
|  | ``` | 
|  | Where: | 
|  | service = the service that is being tested (cinder, nova, etc) | 
|  | api_action = the policy action that is being tested. Examples: | 
|  | - volume:create | 
|  | - os_compute_api:servers:start | 
|  | - add_image | 
|  | allowed_role = the Keystone role that is allowed to perform the API | 
|  | """) | 
|  | ] | 
|  |  | 
|  |  | 
|  | rbac_group = cfg.OptGroup(name='rbac', | 
|  | title='RBAC testing options', | 
|  | help="This group is deprecated and will be removed " | 
|  | "in the next release. Use the [patrole] group " | 
|  | "instead.") | 
|  |  | 
|  | patrole_log_group = cfg.OptGroup( | 
|  | name='patrole_log', title='Patrole Logging Options') | 
|  |  | 
|  | PatroleLogGroup = [ | 
|  | cfg.BoolOpt('enable_reporting', | 
|  | default=False, | 
|  | help="Enables reporting on RBAC expected and actual test " | 
|  | "results for each Patrole test"), | 
|  | cfg.StrOpt('report_log_name', | 
|  | default='patrole.log', | 
|  | help="Name of file where output from 'enable_reporting' is " | 
|  | "logged. Note that this file is recreated on each " | 
|  | "invocation of patrole"), | 
|  | cfg.StrOpt('report_log_path', | 
|  | default='.', | 
|  | help="Path (relative or absolute) where the output from " | 
|  | "'enable_reporting' is logged. This is combined with" | 
|  | "report_log_name to generate the full path."), | 
|  | ] | 
|  |  | 
|  |  | 
|  | def list_opts(): | 
|  | """Return a list of oslo.config options available. | 
|  |  | 
|  | The purpose of this is to allow tools like the Oslo sample config file | 
|  | generator to discover the options exposed to users. | 
|  | """ | 
|  | opt_list = [ | 
|  | (patrole_group, PatroleGroup), | 
|  | (patrole_log_group, PatroleLogGroup), | 
|  | (rbac_group, PatroleGroup) | 
|  | ] | 
|  |  | 
|  | return opt_list |