Deprecate strict_policy_enforce configuration option
The configuration option ``[patrole] strict_policy_check``
is deprecated and will be removed in the Rocky release cycle.
The default value for ``[patrole] strict_policy_check`` has
been changed to ``True`` because a Patrole test should always
fail if the policy action is invalid, to avoid false positives.
Change-Id: Idb902f23b1845bdbc9ac8fb490f3e74e262c1451
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 1066136..1f666f2 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -20,7 +20,6 @@
iniset $TEMPEST_CONFIG rbac enable_rbac True
iniset $TEMPEST_CONFIG rbac rbac_test_role $RBAC_TEST_ROLE
- iniset $TEMPEST_CONFIG rbac strict_policy_check False
fi
}
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index d309d60..7966247 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -30,8 +30,12 @@
deprecated_group='rbac',
help="Enables RBAC tests."),
cfg.BoolOpt('strict_policy_check',
- default=False,
+ default=True,
deprecated_group='rbac',
+ deprecated_for_removal=True,
+ deprecated_reason="""This option allows for the possibility
+of false positives. As a testing framework, Patrole should fail any test that
+passes in an invalid policy.""",
help="""If true, throws RbacParsingException for policies which
don't exist or are not included in the service's policy file. If false, throws
skipException."""),
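Review bot: The `help` text for `strict_policy_check` still presents `False` as an equally valid setting, although the new `deprecated_reason` says that setting allows false positives. Because `deprecated_group='rbac'` is kept, an existing `[rbac] strict_policy_check = False` line will continue to turn an invalid policy action into a skip, so the help should say what that hides, for example `If false, throws skipException, which can mask a missing or misspelled policy action behind a skipped test.` The option also sets `deprecated_for_removal=True` without `deprecated_since`, so generated config documentation will not show when the deprecation started. Consider adding `deprecated_since='<RELEASE>'` (placeholder, as the page names only Rocky as the removal cycle). The option list this entry belongs to starts and ends outside the hunk.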
diff --git a/releasenotes/notes/deprecate-strict-policy-enforce-option-e15d2be4e753608e.yaml b/releasenotes/notes/deprecate-strict-policy-enforce-option-e15d2be4e753608e.yaml
new file mode 100644
index 0000000..4f56dd8
--- /dev/null
+++ b/releasenotes/notes/deprecate-strict-policy-enforce-option-e15d2be4e753608e.yaml
@@ -0,0 +1,10 @@
+---
+deprecations:
+ - |
+ The configuration option ``[patrole] strict_policy_check`` is deprecated
+ and will be removed in the Rocky release cycle.
+other:
+ - |
+ The default value for ``[patrole] strict_policy_check`` has been changed
+ to ``True`` because a Patrole test should always fail if the policy action
+ is invalid, to avoid false positives.