| Felipe Monteiro | 443d39c | 2018-04-08 17:05:33 -0400 | [diff] [blame] | 1 | .. _rbac_field_guide: |
| 2 | |
| 3 | Patrole Field Guide to RBAC Tests |
| 4 | ================================= |
| 5 | |
| 6 | |
| 7 | What are these tests? |
| 8 | --------------------- |
| 9 | |
| 10 | Patrole's primary responsibility is to ensure that your OpenStack cloud |
| 11 | has properly configured Role-Based Access Control (RBAC). All Patrole |
| 12 | tests cases are devoted to this responsibility. Tempest API clients |
| 13 | and utility functions are leveraged to accomplish this goal, but such |
| 14 | functionality is secondary to RBAC validation. |
| 15 | |
| 16 | Like Tempest, Patrole not only tests expected positive paths for RBAC |
| 17 | validation, but also -- and more importantly -- negative paths. While |
| 18 | Patrole could be thought of as validating RBAC, it more importantly |
| 19 | verifies that your OpenStack cloud is secure from the perspective of |
| 20 | RBAC (there are many gotchas when it comes to security, not just RBAC). |
| 21 | |
| 22 | Negative paths are arguably more important than positive paths when it |
| 23 | comes to RBAC and by extension security, because it is essential that |
| 24 | your cloud be secure from unauthorized access. For example, while it is |
| 25 | important to verify that the admin role has access to admin-level |
| 26 | functionality, it is of critical importance to verify that non-admin roles |
| 27 | *do not* have access to such functionality. |
| 28 | |
| 29 | Unlike Tempest, Patrole accomplishes negative testing implicitly -- by |
| 30 | abstracting it away in the background. Patrole dynamically determines |
| 31 | whether a role should have access to an API depending on your cloud's |
| 32 | policy configuration and then confirms whether that is true or false. |
| 33 | |
| 34 | |
| 35 | Why are these tests in Patrole? |
| 36 | ------------------------------- |
| 37 | |
| 38 | These tests constitute the core mission in Patrole: to verify RBAC. These |
| 39 | tests are mainly intended to validate RBAC, but can also *unofficially* |
| 40 | be used to discover the policy-to-API mapping for an OpenStack component. |
| 41 | |
| 42 | It could be argued that some of these tests could be implemented in |
| 43 | the projects themselves, but that approach has the following shortcomings: |
| 44 | |
| 45 | * The projects do not validate RBAC from an integration testing perspective. |
| 46 | * By extension, RBAC across cross-service communication is not usually |
| 47 | validated. |
| 48 | * The projects' tests do not pass all the metadata to ``oslo.policy`` that is |
| 49 | in reality passed by the deployed server to that library to determine |
| 50 | whether a given user is authorized to perform an API action. |
| 51 | * The projects do not exhaustively do RBAC testing for all positive and |
| 52 | negative paths. |
| 53 | * Patrole is designed to work with any role via configuration settings, but |
| 54 | on the other hand the projects handpick which roles to test. |
| 55 | |
| Felipe Monteiro | f800a1c | 2018-07-09 00:23:46 -0400 | [diff] [blame] | 56 | Why not use Patrole framework on Tempest tests? |
| 57 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 58 | |
| 59 | The Patrole framework can't be applied to existing Tempest tests via |
| 60 | :ref:`rbac-validation`, because: |
| 61 | |
| 62 | * Tempest tests aren't factored the right way: They're not granular enough. |
| 63 | They call too many APIs and too many policies are enforced by each test. |
| 64 | * Tempest tests assume default policy rules: Tempest uses ``os_admin`` |
| Felipe Monteiro | 1bbf48e | 2018-07-10 18:43:47 +0100 | [diff] [blame] | 65 | `credentials`_ for admin APIs and ``os_primary`` for non-admin APIs. |
| Felipe Monteiro | f800a1c | 2018-07-09 00:23:46 -0400 | [diff] [blame] | 66 | This breaks for custom policy overrides. |
| 67 | * Tempest doesn't have tests that enforce all the policy actions, regardless. |
| 68 | Some RBAC tests require that tests be written a very precise way for the |
| 69 | server to authorize the expected policy actions. |
| 70 | |
| 71 | Why are these tests not in Tempest? |
| 72 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 73 | |
| Felipe Monteiro | 1bbf48e | 2018-07-10 18:43:47 +0100 | [diff] [blame] | 74 | Patrole should be a separate project that specializes in RBAC tests. This |
| 75 | was agreed upon during `discussion`_ that led to the approval of the RBAC |
| 76 | testing framework `spec`_, which was the genesis for Patrole. |
| Felipe Monteiro | f800a1c | 2018-07-09 00:23:46 -0400 | [diff] [blame] | 77 | |
| 78 | Philosophically speaking: |
| 79 | |
| 80 | * Tempest supports `API and scenario testing`_. RBAC testing is out of scope. |
| 81 | * The `OpenStack project structure reform`_ evolved OpenStack "to a more |
| 82 | decentralized model where [projects like QA] provide processes and tools to |
| 83 | empower projects to do the work themselves". This model resulted in the |
| 84 | creation of the `Tempest external plugin interface`_. |
| 85 | * Tempest supports `plugins`_. Why not use one for RBAC testing? |
| 86 | |
| 87 | Practically speaking: |
| 88 | |
| 89 | * The Tempest team should not be burdened with having to support Patrole, too. |
| 90 | Tempest is a big project and having to absorb RBAC testing is difficult. |
| 91 | * Tempest already has many in-tree Zuul checks/gates. If Patrole tests lived |
| 92 | in Tempest, then adding more Zuul checks/gates for Patrole would only make it |
| 93 | harder to get changes merged in Tempest. |
| 94 | |
| Felipe Monteiro | 1bbf48e | 2018-07-10 18:43:47 +0100 | [diff] [blame] | 95 | .. _credentials: https://docs.openstack.org/tempest/latest/write_tests.html#allocating-credentials |
| 96 | .. _discussion: https://review.openstack.org/#/c/382672/ |
| 97 | .. _spec: https://specs.openstack.org/openstack/qa-specs/specs/tempest/rbac-policy-testing.html |
| Felipe Monteiro | f800a1c | 2018-07-09 00:23:46 -0400 | [diff] [blame] | 98 | .. _API and scenario testing: https://docs.openstack.org/tempest/latest/overview.html#tempest-the-openstack-integration-test-suite |
| 99 | .. _OpenStack project structure reform: https://governance.openstack.org/tc/resolutions/20141202-project-structure-reform-spec.html#impact-for-horizontal-teams |
| 100 | .. _Tempest external plugin interface: https://specs.openstack.org/openstack/qa-specs/specs/tempest/implemented/tempest-external-plugin-interface.html |
| 101 | .. _plugins: https://docs.openstack.org/tempest/latest/plugin.html |
| 102 | |
| Felipe Monteiro | 443d39c | 2018-04-08 17:05:33 -0400 | [diff] [blame] | 103 | |
| 104 | Scope of these tests |
| 105 | -------------------- |
| 106 | |
| 107 | RBAC tests should always use the Tempest implementation of the |
| 108 | OpenStack API, to take advantage of Tempest's stable library. |
| 109 | |
| 110 | Each test should test a specific API endpoint and the related policy. |
| 111 | |
| 112 | Each policy should be tested in isolation of one another -- or at least |
| 113 | as close to this rule as possible -- to ensure proper validation of RBAC. |
| 114 | |
| 115 | Each test should be able to work for positive and negative paths. |
| 116 | |
| 117 | All tests should be able to be run on their own, not depending on the |
| 118 | state created by a previous test. |