commit ed95005ac3a3b237284dfddb98826bcb762205eb
author Rick Bartra <rb560u@att.com> Thu Jun 29 17:20:33 2017 -0400
committer Rick Bartra <rb560u@att.com> Fri Jul 07 11:16:31 2017 -0400
tree 687bc0eaa64d429be14d4051844a1db7b8af3f6a
parent 4781dc9067c4c21e425cd4c283e929cf99bdc4f0

Add support for testing custom RBAC requirements

Add support of running Patrole against a custom requirements YAML that
defines RBAC requirements. The YAML file lists all the APIs and the roles
that should have access to the APIs. The purpose of running Patrole against
a requirements YAML is to verify that the RBAC policy is in accordance to
deployment specific requirements. Running Patrole against a requirements
YAML is completely optional and can be enabled through the rbac section of
the tempest.conf.

Change-Id: I8ba89ab5e134b15e97ac20a7aacbfd70896e192f
Implements: blueprint support-custom-yaml
Co-Authored-By: Sangeet Gupta <sg774j@att.com>
Co-Authored-By: David Purcell <d.purcell222@gmail.com>

patrole_tempest_plugin/rbac_utils.py

diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 3bb2cbd..00bfd24 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -13,6 +13,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import abc
+import six
 import sys
 import time
 
@@ -170,3 +172,13 @@
         :returns: True if ``rbac_test_role`` is the admin role.
         """
         return CONF.rbac.rbac_test_role == CONF.identity.admin_role
+
+
+@six.add_metaclass(abc.ABCMeta)
+class RbacAuthority(object):
+    # TODO(rb560u): Add documentation explaining what this class is for
+
+    @abc.abstractmethod
+    def allowed(self, rule_name, role):
+        """Determine whether the role should be able to perform the API"""
+        return