# No options are listed under [DEFAULT] in this sample.
[DEFAULT]


[patrole]

#
# From patrole.config
#

# The current RBAC role against which to run Patrole
# tests. (string value)
#rbac_test_role = admin

# Enables RBAC tests. (boolean value)
#enable_rbac = true

# DEPRECATED: If true, throws RbacParsingException for policies which
# don't exist or are not included in the service's policy file. If
# false, throws skipException. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: This option allows for the possibility of false positives. As
# a testing framework, Patrole should fail any test that passes in an
# invalid policy.
# NOTE(review): with false, a test that names a policy missing from the
# policy file is skipped instead of failed, so a mistyped or dropped
# rule goes unreported. Keep the default unless skipped tests are
# reviewed separately.
#strict_policy_check = true

# List of the paths to search for policy files. Each policy path
# assumes that the service name is included in the path once. Also
# assumes Patrole is on the same host as the policy files. The paths
# should be ordered by precedence, with high-priority paths before
# low-priority paths. The first path that is found to contain the
# service's policy file will be used. (list value)
# NOTE(review): presumably the %s in the default is the placeholder for
# the service name - confirm. Because the first match wins, the test
# results describe that file only; check that it is the same policy
# file the deployed service actually enforces.
#custom_policy_files = /etc/%s/policy.json

#
# This option determines whether Patrole should run against a
# `custom_requirements_file` which defines RBAC requirements. The
# purpose of setting this flag to True is to verify that the RBAC
# policy is in accordance with the requirements. The idea is that the
# `custom_requirements_file` perfectly defines what the RBAC
# requirements are.
#
# Here are the possible outcomes when running the Patrole tests against
# a `custom_requirements_file`:
#
# YAML definition: allowed
# test run: allowed
# test result: pass
#
# YAML definition: allowed
# test run: not allowed
# test result: fail (under-permission)
#
# YAML definition: not allowed
# test run: allowed
# test result: fail (over-permission)
#
# NOTE(review): the fourth combination (YAML definition: not allowed,
# test run: not allowed) is not listed; presumably it passes - confirm.
# Over-permission is the outcome to triage first, since it means a role
# can perform an action the requirements do not grant it.
# (boolean value)
#test_custom_requirements = false

#
# File path of the yaml file that defines your RBAC requirements. This
# file must be located on the same host that Patrole runs on. The yaml
# file should be written as follows:
#
# ```
# <service>:
#   <api_action>:
#     - <allowed_role>
#     - <allowed_role>
#     - <allowed_role>
#   <api_action>:
#     - <allowed_role>
#     - <allowed_role>
# <service>:
#   <api_action>:
#     - <allowed_role>
# ```
# Where:
# service = the service that is being tested (cinder, nova, etc)
# api_action = the policy action that is being tested. Examples:
#   - volume:create
#   - os_compute_api:servers:start
#   - add_image
# allowed_role = the Keystone role that is allowed to perform the API
# NOTE(review): this file is what test results are judged against when
# test_custom_requirements is enabled, so a wrong entry here changes
# which tests pass; review changes to it like changes to policy.
# (string value)
#custom_requirements_file = <None>


[patrole_log]

#
# From patrole.config
#

# Enables reporting on RBAC expected and actual test results for each
# Patrole test (boolean value)
#enable_reporting = false

# Name of file where output from 'enable_reporting' is logged. Note
# that this file is recreated on each invocation of patrole (string
# value)
# NOTE(review): since the file is recreated on every run, copy it
# elsewhere after a run if the results are needed as a record.
#report_log_name = patrole.log

# Path (relative or absolute) where the output from 'enable_reporting'
# is logged. This is combined with report_log_name to generate the full
# path. (string value)
#report_log_path = .