# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

16from oslo_config import cfg
# Config section holding the core Patrole RBAC test settings; the options
# themselves are declared in ``PatroleGroup`` below.
patrole_group = cfg.OptGroup(
    name='patrole',
    title='Patrole Testing Options',
)
PatroleGroup = [
    # Deprecated single-role form of the option; ``rbac_test_roles`` below is
    # its replacement (see ``deprecated_reason``).
    cfg.StrOpt('rbac_test_role',
               default='admin',
               deprecated_for_removal=True,
               deprecated_reason="""This option is deprecated and being
replaced with ``rbac_test_roles``.
""",
               help="""The current RBAC role against which to run
Patrole tests."""),
    # Roles the suite is run as. The default is ``admin``, so a run with
    # defaults only exercises the most privileged path; testing less
    # privileged roles requires setting this explicitly.
    cfg.ListOpt('rbac_test_roles',
                help="""List of the RBAC roles against which to run
Patrole tests.""",
                default=['admin']),
    # Local filesystem paths searched for each service's policy file. The
    # ``%s`` in the default is presumably substituted with the service name
    # (the help text says the path includes the service name once); the
    # files are read from the test host, so the policy under test is whatever
    # is installed there, and all matching files are merged.
    cfg.ListOpt('custom_policy_files',
                default=['/etc/%s/policy.json'],
                help="""List of the paths to search for policy files. Each
policy path assumes that the service name is included in the path once. Also
assumes Patrole is on the same host as the policy files. The paths should be
ordered by precedence, with high-priority paths before low-priority paths. All
the paths that are found to contain the service's policy file will be used and
all policy files will be merged. Allowed ``json`` or ``yaml`` formats.
"""),
    # When True, the expected result of each test comes from
    # ``custom_requirements_file`` rather than from the deployed policy files,
    # which lets a deployment check its policy against a written requirement.
    cfg.BoolOpt('test_custom_requirements',
                default=False,
                help="""
This option determines whether Patrole should run against a
``custom_requirements_file`` which defines RBAC requirements. The
purpose of setting this flag to ``True`` is to verify that RBAC policy
is in accordance to requirements. The idea is that the
``custom_requirements_file`` precisely defines what the RBAC requirements are.

Here are the possible outcomes when running the Patrole tests against
a ``custom_requirements_file``:

YAML definition: allowed
test run: allowed
test result: pass

YAML definition: allowed
test run: not allowed
test result: fail (under-permission)

YAML definition: not allowed
test run: allowed
test result: fail (over-permission)
"""),
    # Path (on the test host) of the YAML file mapping service -> policy
    # action -> allowed roles. No default: it must be set when
    # ``test_custom_requirements`` is True. Its content defines what the
    # suite treats as correct, so it should be protected like the policy
    # files themselves.
    cfg.StrOpt('custom_requirements_file',
               help="""
File path of the YAML file that defines your RBAC requirements. This
file must be located on the same host that Patrole runs on. The YAML
file should be written as follows:

.. code-block:: yaml

    <service_foo>:
        <api_action_a>:
            - <allowed_role_1>
            - <allowed_role_2>
            - <allowed_role_3>
        <api_action_b>:
            - <allowed_role_2>
            - <allowed_role_4>
    <service_bar>:
        <api_action_c>:
            - <allowed_role_3>

Where:

service = the service that is being tested (Cinder, Nova, etc.).

api_action = the policy action that is being tested. Examples:

* volume:create
* os_compute_api:servers:start
* add_image

allowed_role = the ``oslo.policy`` role that is allowed to perform the API.
"""),
    # Also evaluate the deprecated form of a policy rule (where one exists)
    # when computing the expected result; on by default.
    cfg.BoolOpt('validate_deprecated_rules', default=True,
                help="""Some of the policy rules have deprecated version,
Patrole should be able to run check against default and deprecated rules,
otherwise the result of the tests may not be correct.
""")
]
# Config section for the optional per-test RBAC result report; the options
# are declared in ``PatroleLogGroup`` below.
patrole_log_group = cfg.OptGroup(name='patrole_log',
                                 title='Patrole Logging Options')
PatroleLogGroup = [
    # Master switch for the report; the two path options below only matter
    # when this is True.
    cfg.BoolOpt('enable_reporting',
                help=("Enables reporting on RBAC expected and actual test "
                      "results for each Patrole test"),
                default=False),
    # File name of the report. Per the help text the file is recreated on
    # every invocation, so earlier results are overwritten, not appended.
    cfg.StrOpt('report_log_name',
               help=("Name of file where output from 'enable_reporting' is "
                     "logged. Note that this file is recreated on each "
                     "invocation of patrole"),
               default='patrole.log'),
    # Directory the report is written to; joined with ``report_log_name``.
    # The default is the current working directory of the process.
    cfg.StrOpt('report_log_path',
               help=("Path (relative or absolute) where the output from "
                     "'enable_reporting' is logged. This is combined with "
                     "report_log_name to generate the full path."),
               default='.'),
]
# Config section for per-release policy feature flags; the flags are declared
# in ``PolicyFeatureEnabledGroup`` below. Note the group name uses hyphens.
_POLICY_FEATURE_TITLE = 'Feature Flags for New or Changed Policies'
policy_feature_enabled = cfg.OptGroup(name='policy-feature-enabled',
                                      title=_POLICY_FEATURE_TITLE)
PolicyFeatureEnabledGroup = [
    # Every flag defaults to True, i.e. the suite assumes the newest policy
    # behaviour unless the deployer says otherwise. Flags exist so that a
    # cloud on an older release can opt out of tests for policies that were
    # added, removed or changed incompatibly after that release.
    #
    # TODO(felipemonteiro): The 6 feature flags below should be removed after
    # Pike is EOL.
    cfg.BoolOpt('create_port_fixed_ips_ip_address_policy',
                help="""Is the Neutron policy
"create_port:fixed_ips:ip_address" available in the cloud? This policy was
changed in a backwards-incompatible way.""",
                default=True),
    cfg.BoolOpt('update_port_fixed_ips_ip_address_policy',
                help="""Is the Neutron policy
"update_port:fixed_ips:ip_address" available in the cloud? This policy was
changed in a backwards-incompatible way.""",
                default=True),
    cfg.BoolOpt('limits_extension_used_limits_policy',
                help="""Is the Cinder policy
"limits_extension:used_limits" available in the cloud? This policy was
changed in a backwards-incompatible way.""",
                default=True),
    cfg.BoolOpt('volume_extension_volume_actions_attach_policy',
                help="""Is the Cinder policy
"volume_extension:volume_actions:attach" available in the cloud? This policy
was changed in a backwards-incompatible way.""",
                default=True),
    cfg.BoolOpt('volume_extension_volume_actions_reserve_policy',
                help="""Is the Cinder policy
"volume_extension:volume_actions:reserve" available in the cloud? This policy
was changed in a backwards-incompatible way.""",
                default=True),
    cfg.BoolOpt('volume_extension_volume_actions_unreserve_policy',
                help="""Is the Cinder policy
"volume_extension:volume_actions:unreserve" available in the cloud? This policy
was changed in a backwards-incompatible way.""",
                default=True),
    # *** Include feature flags for groups of policies below. ***
    # Best practice is to capture new policies, removed policies, renamed
    # policies in a group, per release.
    #
    # TODO(felipemonteiro): Remove these feature flags once Stein is EOL.
    cfg.BoolOpt('removed_nova_policies_stein',
                help="""Are the Nova API extension policies available in the
cloud (e.g. os_compute_api:os-extended-availability-zone)? These policies were
removed in Stein because Nova API extension concept was removed in Pike.""",
                default=True),
    cfg.BoolOpt('removed_keystone_policies_stein',
                help="""Are the obsolete Keystone policies available in the
cloud (e.g. identity:[create|update|get|delete]_credential)? These policies
were removed in Stein.""",
                default=True),
    cfg.BoolOpt('added_cinder_policies_stein',
                help="""Are the Cinder Stein policies available in the cloud
(e.g. [create|update|get|delete]_encryption_policy)? These policies are added
in Stein.""",
                default=True),
    # Train-era change: Keystone trust enforcement depends on call arguments.
    cfg.BoolOpt('keystone_policy_enforcement_train',
                help="""Is the cloud running the Train release or newer? If
so, the Keystone Trust API is enforced differently depending on passed
arguments""",
                default=True),
    cfg.BoolOpt('changed_nova_policies_ussuri',
                help="""Are the Nova API policies available in the
cloud (e.g. os_compute_api:os-services)? These policies were
changed in Ussuri.""",
                default=True),
]
def list_opts():
    """Return the ``(group, options)`` pairs this module declares.

    Tools such as the oslo.config sample-config generator call this entry
    point to discover the options exposed to users; the order here is the
    order in which the groups are emitted.

    Returns:
        list[tuple]: one ``(cfg.OptGroup, list_of_opts)`` pair per group.
    """
    return [
        (patrole_group, PatroleGroup),
        (patrole_log_group, PatroleLogGroup),
        (policy_feature_enabled, PolicyFeatureEnabledGroup),
    ]