etc/patrole.conf.sample

[DEFAULT]


[patrole]

#
# From patrole.config
#

# The current RBAC role against which to run Patrole
# tests. (string value)
#rbac_test_role = admin

# Enables RBAC tests. (boolean value)
#enable_rbac = true

# List of the paths to search for policy files. Each
# policy path assumes that the service name is included in the path
# once. Also
# assumes Patrole is on the same host as the policy files. The paths
# should be
# ordered by precedence, with high-priority paths before low-priority
# paths. The
# first path that is found to contain the service's policy file will
# be used.
#  (list value)
#custom_policy_files = /etc/%s/policy.json

#
# This option determines whether Patrole should run against a
# `custom_requirements_file` which defines RBAC requirements. The
# purpose of setting this flag to True is to verify that RBAC policy
# is in accordance to requirements. The idea is that the
# `custom_requirements_file` perfectly defines what the RBAC
# requirements are.
#
# Here are the possible outcomes when running the Patrole tests
# against
# a `custom_requirements_file`:
#
# YAML definition: allowed
# test run: allowed
# test result: pass
#
# YAML definition: allowed
# test run: not allowed
# test result: fail (under-permission)
#
# YAML definition: not allowed
# test run: allowed
# test result: fail (over-permission)
#  (boolean value)
#test_custom_requirements = false

#
# File path of the yaml file that defines your RBAC requirements. This
# file must be located on the same host that Patrole runs on. The yaml
# file should be written as follows:
#
# ```
# <service>:
#   <api_action>:
#     - <allowed_role>
#     - <allowed_role>
#     - <allowed_role>
#   <api_action>:
#     - <allowed_role>
#     - <allowed_role>
# <service>
#   <api_action>:
#     - <allowed_role>
# ```
# Where:
# service = the service that is being tested (cinder, nova, etc)
# api_action = the policy action that is being tested. Examples:
#              - volume:create
#              - os_compute_api:servers:start
#              - add_image
# allowed_role = the Keystone role that is allowed to perform the API
#  (string value)
#custom_requirements_file = <None>


[patrole_log]

#
# From patrole.config
#

# Enables reporting on RBAC expected and actual test results for each
# Patrole test (boolean value)
#enable_reporting = false

# Name of file where output from 'enable_reporting' is logged. Note
# that this file is recreated on each invocation of patrole (string
# value)
#report_log_name = patrole.log

# Path (relative or absolute) where the output from 'enable_reporting'
# is logged. This is combined withreport_log_name to generate the full
# path. (string value)
#report_log_path = .


[policy-feature-enabled]

#
# From patrole.config
#

# Is the Neutron policy
# "create_port:fixed_ips:ip_address" available in the cloud? This
# policy was
# changed in a backwards-incompatible way. (boolean value)
#create_port_fixed_ips_ip_address_policy = true

# Is the Neutron policy
# "update_port:fixed_ips:ip_address" available in the cloud? This
# policy was
# changed in a backwards-incompatible way. (boolean value)
#update_port_fixed_ips_ip_address_policy = true

# Is the Cinder policy
# "limits_extension:used_limits" available in the cloud? This policy
# was
# changed in a backwards-incompatible way. (boolean value)
#limits_extension_used_limits_policy = true

# Is the Cinder policy
# "volume_extension:volume_actions:attach" available in the cloud?
# This policy
# was changed in a backwards-incompatible way. (boolean value)
#volume_extension_volume_actions_attach_policy = true

# Is the Cinder policy
# "volume_extension:volume_actions:reserve" available in the cloud?
# This policy
# was changed in a backwards-incompatible way. (boolean value)
#volume_extension_volume_actions_reserve_policy = true

# Is the Cinder policy
# "volume_extension:volume_actions:unreserve" available in the cloud?
# This policy
# was changed in a backwards-incompatible way. (boolean value)
#volume_extension_volume_actions_unreserve_policy = true