Update rbac_rule_validation for multi-policy support

Introduces foundational logic needed for multi-policy support
to the rbac_rule_validation module. Patrole now offers support for
multiple policies. The ``rules`` argument has been added to the
``rbac_rule_validation.action`` decorator, which takes a list of
policy names which Patrole will use to determine the expected test
result. This allows Patrole to more accurately determine
whether RBAC is configured correctly, since some API endpoints
enforce multiple policies.

The new ``rules`` argument is implemented for the
test_unlock_server_override test which corresponds to [0]
which enforces:

    rules=["os_compute_api:os-lock-server:unlock:unlock",
           "os_compute_api:os-lock-server:unlock:unlock_override"]

which is set for this test.

The ``rule`` argument in the ``rbac_rule_validation.action``
decorator has been deprecated in favor of ``rules``.

The following will be carried out in additional follow-up patches:

* Renaming rule to rules
* Adding multi-policy support carefully for selected APIs
  to be tracked via an etherpad
* Updating Patrole documentation with multi-policy support
  details

[0] https://github.com/openstack/nova/blob/0ab78890c155f0b6ffc7c4148b26642f47aa7070/nova/api/openstack/compute/lock_server.py#L42

Partially Implements: bp rbac-testing-multiple-policies
Change-Id: Iec651aff1c1ef6acda19bcad2f57720f1dd3f8a0
diff --git a/releasenotes/notes/multi-policy-support-4e5c8b4e9e25ad9d.yaml b/releasenotes/notes/multi-policy-support-4e5c8b4e9e25ad9d.yaml
new file mode 100644
index 0000000..3d192d9
--- /dev/null
+++ b/releasenotes/notes/multi-policy-support-4e5c8b4e9e25ad9d.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ Patrole now offers support for multiple policies. The ``rules`` argument
+ has been added to the ``rbac_rule_validation.action`` decorator, which
+ takes a list of policy names which Patrole will use to determine the
+ expected test result. This allows Patrole to more accurately determine
+ whether RBAC is configured correctly, since some API endpoints enforce
+ multiple policies.
+deprecations:
+ - |
+ The ``rule`` argument in the ``rbac_rule_validation.action`` decorator has
+ been deprecated in favor of ``rules``.
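Review bot: The features entry says the listed policy names are used "to determine the expected test result" but never states how several policies are combined into that one result, which is the detail a test author needs in order to trust a pass or fail on an endpoint that enforces more than one policy. Please add a sentence stating the combination rule (for example, whether the role must be permitted by every listed policy for the test to expect success). The deprecations entry would also be more useful if it told readers how to migrate an existing ``rule`` usage to ``rules`` and whether passing both arguments together is rejected, since the note gives no removal timeline or upgrade step.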