# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

| 16 | from oslo_config import cfg |
| 17 | |
DavidPurcell | 029d8c3 | 2017-01-06 15:27:41 -0500 | [diff] [blame] | 18 | |
# The [patrole] option group; its options live in PatroleGroup and both are
# exposed to config tooling through list_opts().
patrole_group = cfg.OptGroup(
    name='patrole',
    title='Patrole Testing Options',
)


# Options registered under the [patrole] group (see patrole_group).
PatroleGroup = [
    # Deprecated single-role form; superseded by ``rbac_test_roles`` below
    # (see deprecated_reason). Kept so existing configs still load.
    cfg.StrOpt('rbac_test_role',
               default='admin',
               deprecated_for_removal=True,
               deprecated_reason="""This option is deprecated and being
replaced with ``rbac_test_roles``.
""",
               help="""The current RBAC role against which to run
Patrole tests."""),
    # Roles the RBAC tests are run against; the default exercises only admin.
    cfg.ListOpt('rbac_test_roles',
                help="""List of the RBAC roles against which to run
Patrole tests.""",
                default=['admin']),
    # Search paths for the services' policy files. The ``%s`` in each path is
    # the slot for the service name (one occurrence per path, per the help
    # text). NOTE(review): the help text says the matching files are merged
    # and used as the policy; test verdicts are therefore only meaningful if
    # these are the same files the deployed services enforce — confirm for
    # the target deployment.
    cfg.ListOpt('custom_policy_files',
                default=['/etc/%s/policy.json'],
                help="""List of the paths to search for policy files. Each
policy path assumes that the service name is included in the path once. Also
assumes Patrole is on the same host as the policy files. The paths should be
ordered by precedence, with high-priority paths before low-priority paths. All
the paths that are found to contain the service's policy file will be used and
all policy files will be merged. Allowed ``json`` or ``yaml`` formats.
"""),
    # When True the expected outcome of each test comes from
    # ``custom_requirements_file`` (presumably instead of the merged policy
    # files). The help text's outcome table distinguishes under-permission
    # (requirement says allowed, call was denied) from over-permission
    # (requirement says not allowed, call succeeded).
    cfg.BoolOpt('test_custom_requirements',
                default=False,
                help="""
This option determines whether Patrole should run against a
``custom_requirements_file`` which defines RBAC requirements. The
purpose of setting this flag to ``True`` is to verify that RBAC policy
is in accordance to requirements. The idea is that the
``custom_requirements_file`` precisely defines what the RBAC requirements are.

Here are the possible outcomes when running the Patrole tests against
a ``custom_requirements_file``:

YAML definition: allowed
test run: allowed
test result: pass

YAML definition: allowed
test run: not allowed
test result: fail (under-permission)

YAML definition: not allowed
test run: allowed
test result: fail (over-permission)
"""),
    # Path of the YAML requirements file consulted when
    # ``test_custom_requirements`` is True (per the option above). No default:
    # the file must be supplied by the operator and be readable on the
    # Patrole host.
    # NOTE(review): the indentation of the YAML example inside this help text
    # was restored by hand from a whitespace-stripped rendering — confirm it
    # against the original file before relying on the rendered docs.
    cfg.StrOpt('custom_requirements_file',
               help="""
File path of the YAML file that defines your RBAC requirements. This
file must be located on the same host that Patrole runs on. The YAML
file should be written as follows:

.. code-block:: yaml

    <service_foo>:
      <api_action_a>:
        - <allowed_role_1>
        - <allowed_role_2>
        - <allowed_role_3>
      <api_action_b>:
        - <allowed_role_2>
        - <allowed_role_4>
    <service_bar>:
      <api_action_c>:
        - <allowed_role_3>

Where:

service = the service that is being tested (Cinder, Nova, etc.).

api_action = the policy action that is being tested. Examples:

* volume:create
* os_compute_api:servers:start
* add_image

allowed_role = the ``oslo.policy`` role that is allowed to perform the API.
"""),
    # Also evaluate the deprecated form of any rule that has one, so a rule
    # that is still honoured under its old name is not reported incorrectly.
    cfg.BoolOpt('validate_deprecated_rules', default=True,
                help="""Some of the policy rules have deprecated version,
Patrole should be able to run check against default and deprecated rules,
otherwise the result of the tests may not be correct.
""")
]


# The [patrole_log] option group; its options live in PatroleLogGroup.
patrole_log_group = cfg.OptGroup(
    name='patrole_log',
    title='Patrole Logging Options',
)


# Options registered under the [patrole_log] group: where and whether the
# per-test RBAC expected/actual report is written.
PatroleLogGroup = [
    cfg.BoolOpt(
        name='enable_reporting',
        default=False,
        help=(
            "Enables reporting on RBAC expected and actual test "
            "results for each Patrole test"
        ),
    ),
    cfg.StrOpt(
        name='report_log_name',
        default='patrole.log',
        # Per the help text the report file is recreated, not appended to,
        # on every run.
        help=(
            "Name of file where output from 'enable_reporting' is "
            "logged. Note that this file is recreated on each "
            "invocation of patrole"
        ),
    ),
    cfg.StrOpt(
        name='report_log_path',
        default='.',
        # Joined with report_log_name to form the report's full path; with the
        # '.' default the file presumably lands in the working directory.
        help=(
            "Path (relative or absolute) where the output from "
            "'enable_reporting' is logged. This is combined with "
            "report_log_name to generate the full path."
        ),
    ),
]


# The [policy-feature-enabled] option group; its flags live in
# PolicyFeatureEnabledGroup.
policy_feature_enabled = cfg.OptGroup(
    name='policy-feature-enabled',
    title='Feature Flags for New or Changed Policies',
)


def _policy_feature_flag(name, help_text):
    """Build one feature flag for the [policy-feature-enabled] group.

    Every flag in the group is a ``BoolOpt`` that defaults to ``True``; only
    the option name and its help text differ.
    """
    return cfg.BoolOpt(name, default=True, help=help_text)


# Options registered under the [policy-feature-enabled] group. Each flag tells
# the tests whether a policy that was added, removed or changed in a given
# release is present in the cloud under test.
PolicyFeatureEnabledGroup = [
    # TODO(felipemonteiro): The 6 feature flags below should be removed after
    # Pike is EOL.
    _policy_feature_flag(
        'create_port_fixed_ips_ip_address_policy',
        """Is the Neutron policy
"create_port:fixed_ips:ip_address" available in the cloud? This policy was
changed in a backwards-incompatible way."""),
    _policy_feature_flag(
        'update_port_fixed_ips_ip_address_policy',
        """Is the Neutron policy
"update_port:fixed_ips:ip_address" available in the cloud? This policy was
changed in a backwards-incompatible way."""),
    _policy_feature_flag(
        'limits_extension_used_limits_policy',
        """Is the Cinder policy
"limits_extension:used_limits" available in the cloud? This policy was
changed in a backwards-incompatible way."""),
    _policy_feature_flag(
        'volume_extension_volume_actions_attach_policy',
        """Is the Cinder policy
"volume_extension:volume_actions:attach" available in the cloud? This policy
was changed in a backwards-incompatible way."""),
    _policy_feature_flag(
        'volume_extension_volume_actions_reserve_policy',
        """Is the Cinder policy
"volume_extension:volume_actions:reserve" available in the cloud? This policy
was changed in a backwards-incompatible way."""),
    _policy_feature_flag(
        'volume_extension_volume_actions_unreserve_policy',
        """Is the Cinder policy
"volume_extension:volume_actions:unreserve" available in the cloud? This policy
was changed in a backwards-incompatible way."""),
    # *** Include feature flags for groups of policies below. ***
    # Best practice is to capture new policies, removed policies, renamed
    # policies in a group, per release.
    #
    # TODO(felipemonteiro): Remove these feature flags once Stein is EOL.
    _policy_feature_flag(
        'removed_nova_policies_stein',
        """Are the Nova API extension policies available in the
cloud (e.g. os_compute_api:os-extended-availability-zone)? These policies were
removed in Stein because Nova API extension concept was removed in Pike."""),
    _policy_feature_flag(
        'removed_keystone_policies_stein',
        """Are the obsolete Keystone policies available in the
cloud (e.g. identity:[create|update|get|delete]_credential)? These policies
were removed in Stein."""),
    _policy_feature_flag(
        'added_cinder_policies_stein',
        """Are the Cinder Stein policies available in the cloud
(e.g. [create|update|get|delete]_encryption_policy)? These policies are added
in Stein."""),
    _policy_feature_flag(
        'keystone_policy_enforcement_train',
        """Is the cloud running the Train release or newer? If
so, the Keystone Trust API is enforced differently depending on passed
arguments"""),
    _policy_feature_flag(
        'changed_nova_policies_ussuri',
        """Are the Nova API policies available in the
cloud (e.g. os_compute_api:os-services)? These policies were
changed in Ussuri."""),
]


def list_opts():
    """Return the oslo.config option groups defined by this module.

    Each entry pairs an ``OptGroup`` with the list of options that belong to
    it, so tools such as the Oslo sample config file generator can discover
    every option exposed to users.
    """
    return [
        (patrole_group, PatroleGroup),
        (patrole_log_group, PatroleLogGroup),
        (policy_feature_enabled, PolicyFeatureEnabledGroup),
    ]