Add support for testing custom RBAC requirements
Add support for running Patrole against a custom requirements YAML that
defines RBAC requirements. The YAML file lists all the APIs and the roles
that should have access to the APIs. The purpose of running Patrole against
a requirements YAML is to verify that the RBAC policy is in accordance with
deployment-specific requirements. Running Patrole against a requirements
YAML is completely optional and can be enabled through the rbac section of
the tempest.conf.
Change-Id: I8ba89ab5e134b15e97ac20a7aacbfd70896e192f
Implements: blueprint support-custom-yaml
Co-Authored-By: Sangeet Gupta <sg774j@att.com>
Co-Authored-By: David Purcell <d.purcell222@gmail.com>
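The commit message describes the requirements file as a two-level map (service, then policy action, then the roles allowed to call it) and the comparison Patrole makes against it. The script below is an added example, not Patrole's own code, of that comparison: it parses a constructed requirements file, then classifies each observed (service, action, role, allowed?) result as pass, under-permission or over-permission. To stay dependency-free it uses a small hand-written parser that accepts only the documented layout instead of a real YAML loader; `RequirementsError`, `classify`, `run_checks` and the sample file and observations are all assumptions made here. An action listed with no roles is treated as "no role may call it", and an action missing from the file raises an error rather than being silently passed; both are choices of this example, not behaviour the patch specifies.

```python
"""Classify RBAC test outcomes against a requirements file (added example).

The parser handles only the layout documented in the patch:
    service:
      api_action:
        - role
It is a stand-in for a YAML loader so the script runs without PyYAML.
"""

# Constructed sample requirements file in the documented layout.
# 'os_compute_api:servers:force_delete' deliberately lists no roles.
REQUIREMENTS_YAML = """\
nova:
  os_compute_api:servers:start:
    - admin
    - Member
  os_compute_api:servers:stop:
    - admin
  os_compute_api:servers:force_delete:
cinder:
  volume:create:
    - admin
    - Member
  volume:extend:
    - admin
"""


class RequirementsError(Exception):
    """Raised for a malformed file or an action the file does not list."""


def parse_requirements(text):
    """Parse the restricted subset into {service: {action: set(roles)}}.

    Blank lines and '#' comments are skipped; any other unexpected line is an
    error so a malformed file fails loudly instead of silently changing
    which roles are allowed.
    """
    reqs = {}
    service = action = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0 and body.endswith(":"):
            service, action = body[:-1], None
            reqs.setdefault(service, {})
        elif indent == 2 and body.endswith(":") and service is not None:
            action = body[:-1]           # keys such as 'volume:create'
            reqs[service].setdefault(action, set())
        elif indent == 4 and body.startswith("- ") and action is not None:
            reqs[service][action].add(body[2:].strip())
        else:
            raise RequirementsError("line %d: unexpected %r" % (lineno, raw))
    return reqs


def expected_allowed(reqs, service, action, role):
    """True if the requirements file grants ``role`` the given action."""
    try:
        return role in reqs[service][action]
    except KeyError:
        raise RequirementsError(
            "%s/%s is not listed in the requirements file" % (service, action))


def classify(reqs, service, action, role, actually_allowed):
    """Map (file definition, observed result) to the three documented outcomes."""
    expected = expected_allowed(reqs, service, action, role)
    if expected == actually_allowed:
        return "pass"
    if expected and not actually_allowed:
        return "fail (under-permission)"
    return "fail (over-permission)"


# Constructed observations: what a test run actually saw for a role.
OBSERVATIONS = [
    ("nova", "os_compute_api:servers:start", "Member", True),
    ("nova", "os_compute_api:servers:stop", "Member", False),
    ("nova", "os_compute_api:servers:force_delete", "admin", True),
    ("cinder", "volume:extend", "Member", True),
    ("cinder", "volume:create", "Member", False),
]


def run_checks(reqs, observations):
    """Return [(service, action, role, verdict), ...] for each observation."""
    return [(svc, act, role, classify(reqs, svc, act, role, allowed))
            for svc, act, role, allowed in observations]


if __name__ == "__main__":
    reqs = parse_requirements(REQUIREMENTS_YAML)
    for svc, act, role, verdict in run_checks(reqs, OBSERVATIONS):
        print("%-7s %-40s %-7s %s" % (svc, act, role, verdict))
```

The "over-permission" verdict on `force_delete` for admin shows why an empty role list must be distinguished from a missing action: the first is a deliberate statement that nobody may call the API, the second is a gap in the requirements that should stop the run.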
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index cb00269..1180836 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -31,6 +31,8 @@
help="If true, throws RbacParsingException for"
" policies which don't exist. If false, "
"throws skipException."),
+ # TODO(rb560u): There needs to be support for reading these JSON files from
+ # other hosts. It may be possible to leverage the v3 identity policy API
cfg.StrOpt('cinder_policy_file',
default='/etc/cinder/policy.json',
help="Location of the neutron policy file."),
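Review bot: the `cinder_policy_file` option visible in this hunk's context carries the help text "Location of the neutron policy file.", a copy-paste slip that should read "cinder"; since this patch already edits the option list, fixing it here is cheap. The new TODO about reading policy files from other hosts is the same single-host limitation that the new `custom_requirements_file` help text states ("must be located on the same host that Patrole runs on"), so it would be worth naming that option in the TODO so both are resolved together.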
@@ -45,5 +47,56 @@
help="Location of the neutron policy file."),
cfg.StrOpt('nova_policy_file',
default='/etc/nova/policy.json',
- help="Location of the nova policy file.")
+ help="Location of the nova policy file."),
+ cfg.BoolOpt('test_custom_requirements',
+ default=False,
+ help="""
+This option determines whether Patrole should run against a
+`custom_requirements_file` which defines RBAC requirements. The
+purpose of setting this flag to True is to verify that RBAC policy
+is in accordance to requirements. The idea is that the
+`custom_requirements_file` perfectly defines what the RBAC requirements are.
+
+Here are the possible outcomes when running the Patrole tests against
+a `custom_requirements_file`:
+
+YAML definition: allowed
+test run: allowed
+test result: pass
+
+YAML definition: allowed
+test run: not allowed
+test result: fail (under-permission)
+
+YAML definition: not allowed
+test run: allowed
+test result: fail (over-permission)
+"""),
+ cfg.StrOpt('custom_requirements_file',
+ help="""
+File path of the yaml file that defines your RBAC requirements. This
+file must be located on the same host that Patrole runs on. The yaml
+file should be written as follows:
+
+```
+<service>:
+ <api_action>:
+ - <allowed_role>
+ - <allowed_role>
+ - <allowed_role>
+ <api_action>:
+ - <allowed_role>
+ - <allowed_role>
+<service>
+ <api_action>:
+ - <allowed_role>
+```
+Where:
+service = the service that is being tested (cinder, nova, etc)
+api_action = the policy action that is being tested. Examples:
+ - volume:create
+ - os_compute_api:servers:start
+ - add_image
+allowed_role = the Keystone role that is allowed to perform the API
+""")
]
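Review bot: `custom_requirements_file` has no default and nothing ties it to `test_custom_requirements`; when the flag is True and the path is unset or unreadable, the run should fail at config-load time with a clear error rather than when the first test consults the file. The help text also leaves two semantics the YAML consumer needs undefined: what an `<api_action>` absent from the file means for a test (skip, or treat it as "no role allowed" and report over-permission?), and whether an action with an empty role list is legal. Two smaller documentation points: the second service in the template is written `<service>` with no trailing colon and so is not valid YAML, and "in accordance to requirements" should read "in accordance with".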