| Felipe Monteiro | 098a8cd | 2017-09-20 21:31:27 +0100 | [diff] [blame] | 1 | [DEFAULT] |
| 2 | |
| 3 | |
| 4 | [patrole] |
| 5 | |
| 6 | # |
| 7 | # From patrole.config |
| 8 | # |
| 9 | |
| 10 | # The current RBAC role against which to run Patrole |
| 11 | # tests. (string value) |
| 12 | #rbac_test_role = admin |
| 13 | |
| 14 | # Enables RBAC tests. (boolean value) |
| 15 | #enable_rbac = true |
| 16 | |
| Felipe Monteiro | 098a8cd | 2017-09-20 21:31:27 +0100 | [diff] [blame] | 17 | # List of the paths to search for policy files. Each |
| 18 | # policy path assumes that the service name is included in the path |
| 19 | # once. Also |
| 20 | # assumes Patrole is on the same host as the policy files. The paths |
| 21 | # should be |
| 22 | # ordered by precedence, with high-priority paths before low-priority |
| 23 | # paths. The |
| 24 | # first path that is found to contain the service's policy file will |
| 25 | # be used. |
| 26 | # (list value) |
| 27 | #custom_policy_files = /etc/%s/policy.json |
| 28 | |
| Felipe Monteiro | 098a8cd | 2017-09-20 21:31:27 +0100 | [diff] [blame] | 29 | # |
| 30 | # This option determines whether Patrole should run against a |
| 31 | # `custom_requirements_file` which defines RBAC requirements. The |
| 32 | # purpose of setting this flag to True is to verify that RBAC policy |
| 33 | # is in accordance to requirements. The idea is that the |
| 34 | # `custom_requirements_file` perfectly defines what the RBAC |
| 35 | # requirements are. |
| 36 | # |
| 37 | # Here are the possible outcomes when running the Patrole tests |
| 38 | # against |
| 39 | # a `custom_requirements_file`: |
| 40 | # |
| 41 | # YAML definition: allowed |
| 42 | # test run: allowed |
| 43 | # test result: pass |
| 44 | # |
| 45 | # YAML definition: allowed |
| 46 | # test run: not allowed |
| 47 | # test result: fail (under-permission) |
| 48 | # |
| 49 | # YAML definition: not allowed |
| 50 | # test run: allowed |
| 51 | # test result: fail (over-permission) |
| 52 | # (boolean value) |
| 53 | #test_custom_requirements = false |
| 54 | |
| 55 | # |
| 56 | # File path of the yaml file that defines your RBAC requirements. This |
| 57 | # file must be located on the same host that Patrole runs on. The yaml |
| 58 | # file should be written as follows: |
| 59 | # |
| 60 | # ``` |
| 61 | # <service>: |
| 62 | # <api_action>: |
| 63 | # - <allowed_role> |
| 64 | # - <allowed_role> |
| 65 | # - <allowed_role> |
| 66 | # <api_action>: |
| 67 | # - <allowed_role> |
| 68 | # - <allowed_role> |
| 69 | # <service> |
| 70 | # <api_action>: |
| 71 | # - <allowed_role> |
| 72 | # ``` |
| 73 | # Where: |
| 74 | # service = the service that is being tested (cinder, nova, etc) |
| 75 | # api_action = the policy action that is being tested. Examples: |
| 76 | # - volume:create |
| 77 | # - os_compute_api:servers:start |
| 78 | # - add_image |
| 79 | # allowed_role = the Keystone role that is allowed to perform the API |
| 80 | # (string value) |
| 81 | #custom_requirements_file = <None> |
| 82 | |
| 83 | |
| 84 | [patrole_log] |
| 85 | |
| 86 | # |
| 87 | # From patrole.config |
| 88 | # |
| 89 | |
| 90 | # Enables reporting on RBAC expected and actual test results for each |
| 91 | # Patrole test (boolean value) |
| 92 | #enable_reporting = false |
| 93 | |
| 94 | # Name of file where output from 'enable_reporting' is logged. Note |
| 95 | # that this file is recreated on each invocation of patrole (string |
| 96 | # value) |
| 97 | #report_log_name = patrole.log |
| 98 | |
| 99 | # Path (relative or absolute) where the output from 'enable_reporting' |
| 100 | # is logged. This is combined withreport_log_name to generate the full |
| 101 | # path. (string value) |
| 102 | #report_log_path = . |
| Felipe Monteiro | 739041f | 2018-03-25 00:24:03 -0400 | [diff] [blame] | 103 | |
| 104 | |
| 105 | [policy-feature-enabled] |
| 106 | |
| 107 | # |
| 108 | # From patrole.config |
| 109 | # |
| 110 | |
| 111 | # Is the Neutron policy |
| 112 | # "create_port:fixed_ips:ip_address" available in the cloud? This |
| 113 | # policy was |
| 114 | # changed in a backwards-incompatible way. (boolean value) |
| 115 | #create_port_fixed_ips_ip_address_policy = true |
| 116 | |
| 117 | # Is the Neutron policy |
| 118 | # "update_port:fixed_ips:ip_address" available in the cloud? This |
| 119 | # policy was |
| 120 | # changed in a backwards-incompatible way. (boolean value) |
| 121 | #update_port_fixed_ips_ip_address_policy = true |
| 122 | |
| 123 | # Is the Cinder policy |
| 124 | # "limits_extension:used_limits" available in the cloud? This policy |
| 125 | # was |
| 126 | # changed in a backwards-incompatible way. (boolean value) |
| 127 | #limits_extension_used_limits_policy = true |
| 128 | |
| 129 | # Is the Cinder policy |
| 130 | # "volume_extension:volume_actions:attach" available in the cloud? |
| 131 | # This policy |
| 132 | # was changed in a backwards-incompatible way. (boolean value) |
| 133 | #volume_extension_volume_actions_attach_policy = true |
| 134 | |
| 135 | # Is the Cinder policy |
| 136 | # "volume_extension:volume_actions:reserve" available in the cloud? |
| 137 | # This policy |
| 138 | # was changed in a backwards-incompatible way. (boolean value) |
| 139 | #volume_extension_volume_actions_reserve_policy = true |
| 140 | |
| 141 | # Is the Cinder policy |
| 142 | # "volume_extension:volume_actions:unreserve" available in the cloud? |
| 143 | # This policy |
| 144 | # was changed in a backwards-incompatible way. (boolean value) |
| 145 | #volume_extension_volume_actions_unreserve_policy = true |