Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / patrole / b58c1197e9cbedb0713ea2342e8710d9869a1362^! / . / etc / patrole.conf.sample
commitb58c1197e9cbedb0713ea2342e8710d9869a1362[log] [tgz]
authorFelipe Monteiro <felipe.monteiro@att.com>Mon Nov 20 01:50:24 2017 +0000
committerFelipe Monteiro <felipe.monteiro@att.com>Mon Nov 27 04:58:28 2017 +0000
tree065b7cb38206f89237925f1056c2d6a65ef02c15
parentfeec999bde210930fe1e8b16bbc60c093927c608 [diff] [blame]
Remove deprecrated [rbac] config group

This PS removes the deprecated [rbac] config group. It was replaced
last release cycle with the [patrole] config group, which has
the exact same options. This is because [patrole] is more user-friendly
and congruent with the project name.

Change-Id: Id1a7af0445bd50f44ddcc4277f952391968726b8

diff --git a/etc/patrole.conf.sample b/etc/patrole.conf.sample
index 370ca8d..cafdf8a 100644
--- a/etc/patrole.conf.sample
+++ b/etc/patrole.conf.sample

@@ -14,11 +14,17 @@
 # Enables RBAC tests. (boolean value)
 #enable_rbac = true
 
-# If true, throws RbacParsingException for policies which
+# DEPRECATED: If true, throws RbacParsingException for policies which
 # don't exist or are not included in the service's policy file. If
 # false, throws
 # skipException. (boolean value)
-#strict_policy_check = false
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This option allows for the possibility
+# of false positives. As a testing framework, Patrole should fail any
+# test that
+# passes in an invalid policy.
+#strict_policy_check = true
 
 # List of the paths to search for policy files. Each
 # policy path assumes that the service name is included in the path
@@ -32,46 +38,6 @@
 #  (list value)
 #custom_policy_files = /etc/%s/policy.json
 
-# DEPRECATED: Location of the Cinder policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#cinder_policy_file = /etc/cinder/policy.json
-
-# DEPRECATED: Location of the Glance policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#glance_policy_file = /etc/glance/policy.json
-
-# DEPRECATED: Location of the custom Keystone policy file. Assumed to
-# be on the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#keystone_policy_file = /etc/keystone/policy.json
-
-# DEPRECATED: Location of the Neutron policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#neutron_policy_file = /etc/neutron/policy.json
-
-# DEPRECATED: Location of the custom Nova policy file. Assumed to be
-# on the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#nova_policy_file = /etc/nova/policy.json
-
 #
 # This option determines whether Patrole should run against a
 # `custom_requirements_file` which defines RBAC requirements. The
@@ -146,131 +112,3 @@
 # is logged. This is combined withreport_log_name to generate the full
 # path. (string value)
 #report_log_path = .
-
-
-[rbac]
-# This group is deprecated and will be removed in the next release.
-# Use the [patrole] group instead.
-
-#
-# From patrole.config
-#
-
-# The current RBAC role against which to run Patrole
-# tests. (string value)
-#rbac_test_role = admin
-
-# Enables RBAC tests. (boolean value)
-#enable_rbac = true
-
-# If true, throws RbacParsingException for policies which
-# don't exist or are not included in the service's policy file. If
-# false, throws
-# skipException. (boolean value)
-#strict_policy_check = false
-
-# List of the paths to search for policy files. Each
-# policy path assumes that the service name is included in the path
-# once. Also
-# assumes Patrole is on the same host as the policy files. The paths
-# should be
-# ordered by precedence, with high-priority paths before low-priority
-# paths. The
-# first path that is found to contain the service's policy file will
-# be used.
-#  (list value)
-#custom_policy_files = /etc/%s/policy.json
-
-# DEPRECATED: Location of the Cinder policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#cinder_policy_file = /etc/cinder/policy.json
-
-# DEPRECATED: Location of the Glance policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#glance_policy_file = /etc/glance/policy.json
-
-# DEPRECATED: Location of the custom Keystone policy file. Assumed to
-# be on the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#keystone_policy_file = /etc/keystone/policy.json
-
-# DEPRECATED: Location of the Neutron policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#neutron_policy_file = /etc/neutron/policy.json
-
-# DEPRECATED: Location of the custom Nova policy file. Assumed to be
-# on the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#nova_policy_file = /etc/nova/policy.json
-
-#
-# This option determines whether Patrole should run against a
-# `custom_requirements_file` which defines RBAC requirements. The
-# purpose of setting this flag to True is to verify that RBAC policy
-# is in accordance to requirements. The idea is that the
-# `custom_requirements_file` perfectly defines what the RBAC
-# requirements are.
-#
-# Here are the possible outcomes when running the Patrole tests
-# against
-# a `custom_requirements_file`:
-#
-# YAML definition: allowed
-# test run: allowed
-# test result: pass
-#
-# YAML definition: allowed
-# test run: not allowed
-# test result: fail (under-permission)
-#
-# YAML definition: not allowed
-# test run: allowed
-# test result: fail (over-permission)
-#  (boolean value)
-#test_custom_requirements = false
-
-#
-# File path of the yaml file that defines your RBAC requirements. This
-# file must be located on the same host that Patrole runs on. The yaml
-# file should be written as follows:
-#
-# ```
-# <service>:
-#   <api_action>:
-#     - <allowed_role>
-#     - <allowed_role>
-#     - <allowed_role>
-#   <api_action>:
-#     - <allowed_role>
-#     - <allowed_role>
-# <service>
-#   <api_action>:
-#     - <allowed_role>
-# ```
-# Where:
-# service = the service that is being tested (cinder, nova, etc)
-# api_action = the policy action that is being tested. Examples:
-#              - volume:create
-#              - os_compute_api:servers:start
-#              - add_image
-# allowed_role = the Keystone role that is allowed to perform the API
-#  (string value)
-#custom_requirements_file = <None>