| DavidPurcell | b25f93d | 2017-01-27 12:46:27 -0500 | [diff] [blame] | 1 | #    Copyright 2017 AT&T Corporation. | 
| DavidPurcell | 663aedf | 2017-01-03 10:01:14 -0500 | [diff] [blame] | 2 | #    All Rights Reserved. | 
|  | 3 | # | 
|  | 4 | #    Licensed under the Apache License, Version 2.0 (the "License"); you may | 
|  | 5 | #    not use this file except in compliance with the License. You may obtain | 
|  | 6 | #    a copy of the License at | 
|  | 7 | # | 
|  | 8 | #         http://www.apache.org/licenses/LICENSE-2.0 | 
|  | 9 | # | 
|  | 10 | #    Unless required by applicable law or agreed to in writing, software | 
|  | 11 | #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | 
|  | 12 | #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | 
|  | 13 | #    License for the specific language governing permissions and limitations | 
|  | 14 | #    under the License. | 
|  | 15 |  | 
|  | 16 | from oslo_config import cfg | 
|  | 17 |  | 
| DavidPurcell | 029d8c3 | 2017-01-06 15:27:41 -0500 | [diff] [blame] | 18 |  | 
# Option group under which every Patrole setting in this module is registered.
# Each option also names the older ``[rbac]`` group as its ``deprecated_group``,
# so a value left in a stale ``[rbac]`` section is still picked up; that legacy
# group is declared separately further down this module.
patrole_group = cfg.OptGroup(
    name='patrole',
    title='Patrole Testing Options',
)
|  | 20 |  | 
|  | 21 |  | 
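# All options Patrole registers under the ``[patrole]`` group.  Keep the list
# order: it is presumably the order in which oslo.config emits the options in
# the generated sample configuration.  Every option also declares
# ``deprecated_group='rbac'`` so that values still sitting in an old ``[rbac]``
# section are honoured; deployments that have migrated should delete that
# section rather than rely on the fallback.
PatroleGroup = [
    # NOTE(review): ``admin`` is the role most policies already permit, so a run
    # with the default mostly exercises the "allowed" path.  Over-permission --
    # the outcome a security reviewer cares about -- is far more likely to
    # surface when this is pointed at a low-privilege role.
    cfg.StrOpt('rbac_test_role',
               default='admin',
               deprecated_group='rbac',
               help="""The current RBAC role against which to run Patrole
tests."""),
    cfg.BoolOpt('enable_rbac',
                default=True,
                deprecated_group='rbac',
                help="Enables RBAC tests."),
    # With the default of False, a policy action that is misspelled in a test
    # or missing from the service's policy file produces a *skip*, not a
    # failure (see the help text), so an RBAC test can silently stop checking
    # anything.  Runs meant to gate RBAC regressions should set this to True.
    cfg.BoolOpt('strict_policy_check',
                default=False,
                deprecated_group='rbac',
                help="""If true, throws RbacParsingException for policies which
don't exist or are not included in the service's policy file. If false, throws
skipException."""),
    # TODO(rb560u): There needs to be support for reading these JSON files from
    # other hosts. It may be possible to leverage the v3 identity policy API.
    #
    # The single ``%s`` is replaced with the service name (the help text states
    # the name appears in each path exactly once).  NOTE(review): the files
    # found here are presumably what Patrole uses to decide whether the test
    # role *should* be allowed; if they are not the files the service actually
    # enforces (different host -- see the TODO -- or a stale copy), the tests
    # pass against the wrong baseline and give false assurance.
    cfg.ListOpt('custom_policy_files',
                default=['/etc/%s/policy.json'],
                deprecated_group='rbac',
                help="""List of the paths to search for policy files. Each
policy path assumes that the service name is included in the path once. Also
assumes Patrole is on the same host as the policy files. The paths should be
ordered by precedence, with high-priority paths before low-priority paths. The
first path that is found to contain the service's policy file will be used.
"""),
    # Per-service policy paths, all superseded by ``custom_policy_files`` and
    # kept only for backwards compatibility until their removal.
    cfg.StrOpt('cinder_policy_file',
               default='/etc/cinder/policy.json',
               help="""Location of the Cinder policy file. Assumed to be on
the same host as Patrole.""",
               deprecated_group='rbac',
               deprecated_for_removal=True,
               deprecated_reason="It is better to use `custom_policy_files` "
                                 "which supports any OpenStack service."),
    cfg.StrOpt('glance_policy_file',
               default='/etc/glance/policy.json',
               help="""Location of the Glance policy file. Assumed to be on
the same host as Patrole.""",
               deprecated_group='rbac',
               deprecated_for_removal=True,
               deprecated_reason="It is better to use `custom_policy_files` "
                                 "which supports any OpenStack service."),
    cfg.StrOpt('keystone_policy_file',
               default='/etc/keystone/policy.json',
               help="""Location of the custom Keystone policy file. Assumed to
be on the same host as Patrole.""",
               deprecated_group='rbac',
               deprecated_for_removal=True,
               deprecated_reason="It is better to use `custom_policy_files` "
                                 "which supports any OpenStack service."),
    cfg.StrOpt('neutron_policy_file',
               default='/etc/neutron/policy.json',
               help="""Location of the Neutron policy file. Assumed to be on
the same host as Patrole.""",
               deprecated_group='rbac',
               deprecated_for_removal=True,
               deprecated_reason="It is better to use `custom_policy_files` "
                                 "which supports any OpenStack service."),
    cfg.StrOpt('nova_policy_file',
               default='/etc/nova/policy.json',
               help="""Location of the custom Nova policy file. Assumed to be
on the same host as Patrole.""",
               deprecated_group='rbac',
               deprecated_for_removal=True,
               deprecated_reason="It is better to use `custom_policy_files` "
                                 "which supports any OpenStack service."),
    # When True, the expected outcome comes from ``custom_requirements_file``
    # instead of the service policy files, and both directions of drift are
    # reported: a role denied something it should have (under-permission) and
    # a role granted something it should not (over-permission).
    cfg.BoolOpt('test_custom_requirements',
                default=False,
                deprecated_group='rbac',
                help="""
This option determines whether Patrole should run against a
`custom_requirements_file` which defines RBAC requirements. The
purpose of setting this flag to True is to verify that RBAC policy
is in accordance to requirements. The idea is that the
`custom_requirements_file` perfectly defines what the RBAC requirements are.

Here are the possible outcomes when running the Patrole tests against
a `custom_requirements_file`:

YAML definition: allowed
test run: allowed
test result: pass

YAML definition: allowed
test run: not allowed
test result: fail (under-permission)

YAML definition: not allowed
test run: allowed
test result: fail (over-permission)
"""),
    # No default: the operator must supply the file.  The second ``<service>``
    # in the example below was missing its colon, which made the snippet
    # invalid YAML when copied verbatim.  NOTE(review): the loader for this
    # file lives elsewhere -- confirm it parses with ``yaml.safe_load``, since a
    # full YAML loader on an operator-supplied file can instantiate arbitrary
    # Python objects.
    cfg.StrOpt('custom_requirements_file',
               deprecated_group='rbac',
               help="""
File path of the yaml file that defines your RBAC requirements. This
file must be located on the same host that Patrole runs on. The yaml
file should be written as follows:

```
<service>:
  <api_action>:
    - <allowed_role>
    - <allowed_role>
    - <allowed_role>
  <api_action>:
    - <allowed_role>
    - <allowed_role>
<service>:
  <api_action>:
    - <allowed_role>
```
Where:
service = the service that is being tested (cinder, nova, etc)
api_action = the policy action that is being tested. Examples:
             - volume:create
             - os_compute_api:servers:start
             - add_image
allowed_role = the Keystone role that is allowed to perform the API
""")
]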
| Felipe Monteiro | f6eb862 | 2017-08-06 06:08:02 +0100 | [diff] [blame] | 143 |  | 
|  | 144 |  | 
# Legacy option group.  Every option in ``PatroleGroup`` names this group as
# its ``deprecated_group``, so values left in an old ``[rbac]`` section are
# still read (presumably with oslo.config's usual deprecation warning).  The
# group is declared only so that such a section is recognised rather than
# rejected.  NOTE(review): when migrating, move the keys and delete this
# section instead of keeping both -- if a key is set in both groups, which
# value wins is decided by oslo.config's precedence rules, not by this file.
_RBAC_GROUP_HELP = (
    "This group is deprecated and will be removed "
    "in the next release. Use the [patrole] group "
    "instead."
)

rbac_group = cfg.OptGroup(name='rbac', title='RBAC testing options',
                          help=_RBAC_GROUP_HELP)