1[DEFAULT]
2
3
4[patrole]
5
6#
7# From patrole.config
8#
9
10# The current RBAC role against which to run Patrole
11# tests. (string value)
12#rbac_test_role = admin
13
14# Enables RBAC tests. (boolean value)
15#enable_rbac = true
16
17# If true, throws RbacParsingException for policies which
18# don't exist or are not included in the service's policy file. If
19# false, throws skipException instead, so the affected test is
20# skipped and yields no RBAC result. (boolean value)
21#strict_policy_check = false
22
23# List of the paths to search for policy files. Each policy path
24# must contain the service name exactly once, written as the `%s`
25# placeholder (for example, /etc/%s/policy.json).
26# Patrole is assumed to run on the same host as the policy files.
27# The paths should be ordered by precedence, with high-priority
28# paths before low-priority paths: the first path found to contain
29# the service's policy file is the one used, so list the file the
30# service actually enforces first, or the tests check a policy
31# that is not the one in effect.
32# (list value)
33#custom_policy_files = /etc/%s/policy.json
34
35# DEPRECATED: Location of the Cinder policy file. Assumed to be on
36# the same host as Patrole. (string value)
37# This option is deprecated for removal.
38# Its value may be silently ignored in the future.
39# Reason: It is better to use `custom_policy_files` which supports any
40# OpenStack service.
41#cinder_policy_file = /etc/cinder/policy.json
42
43# DEPRECATED: Location of the Glance policy file. Assumed to be on
44# the same host as Patrole. (string value)
45# This option is deprecated for removal.
46# Its value may be silently ignored in the future.
47# Reason: It is better to use `custom_policy_files` which supports any
48# OpenStack service.
49#glance_policy_file = /etc/glance/policy.json
50
51# DEPRECATED: Location of the custom Keystone policy file. Assumed to
52# be on the same host as Patrole. (string value)
53# This option is deprecated for removal.
54# Its value may be silently ignored in the future.
55# Reason: It is better to use `custom_policy_files` which supports any
56# OpenStack service.
57#keystone_policy_file = /etc/keystone/policy.json
58
59# DEPRECATED: Location of the Neutron policy file. Assumed to be on
60# the same host as Patrole. (string value)
61# This option is deprecated for removal.
62# Its value may be silently ignored in the future.
63# Reason: It is better to use `custom_policy_files` which supports any
64# OpenStack service.
65#neutron_policy_file = /etc/neutron/policy.json
66
67# DEPRECATED: Location of the custom Nova policy file. Assumed to be
68# on the same host as Patrole. (string value)
69# This option is deprecated for removal.
70# Its value may be silently ignored in the future.
71# Reason: It is better to use `custom_policy_files` which supports any
72# OpenStack service.
73#nova_policy_file = /etc/nova/policy.json
74
75#
76# This option determines whether Patrole should run against a
77# `custom_requirements_file` which defines RBAC requirements. The
78# purpose of setting this flag to True is to verify that RBAC policy
79# is in accordance with requirements. The idea is that the
80# `custom_requirements_file` perfectly defines what the RBAC
81# requirements are.
82#
83# Here are the possible outcomes when running the Patrole tests
84# against
85# a `custom_requirements_file`:
86#
87# YAML definition: allowed
88# test run: allowed
89# test result: pass
90#
91# YAML definition: allowed
92# test run: not allowed
93# test result: fail (under-permission)
94#
95# YAML definition: not allowed
96# test run: allowed
97# test result: fail (over-permission)
98# (boolean value)
99#test_custom_requirements = false
100
101#
102# File path of the yaml file that defines your RBAC requirements. This
103# file must be located on the same host that Patrole runs on. The yaml
104# file should be written as follows:
105#
106# ```
107# <service>:
108#   <api_action>:
109#     - <allowed_role>
110#     - <allowed_role>
111#     - <allowed_role>
112#   <api_action>:
113#     - <allowed_role>
114#     - <allowed_role>
115# <service>:
116#   <api_action>:
117#     - <allowed_role>
118# ```
119# Where:
120# service = the service that is being tested (cinder, nova, etc)
121# api_action = the policy action that is being tested. Examples:
122# - volume:create
123# - os_compute_api:servers:start
124# - add_image
125# allowed_role = the Keystone role that is allowed to perform the API
126# (string value)
127#custom_requirements_file = <None>
128
129
130[patrole_log]
131
132#
133# From patrole.config
134#
135
136# Enables reporting on RBAC expected and actual test results for each
137# Patrole test (boolean value)
138#enable_reporting = false
139
140# Name of file where output from 'enable_reporting' is logged. Note
141# that this file is recreated on each invocation of patrole (string
142# value)
143#report_log_name = patrole.log
144
145# Path (relative or absolute) where the output from 'enable_reporting'
146# is logged. This is combined with report_log_name to generate the full
147# path. (string value)
148#report_log_path = .
149
150
151[rbac]
152# This group is deprecated and will be removed in the next release.
153# Use the [patrole] group instead.
154
155#
156# From patrole.config
157#
158
159# The current RBAC role against which to run Patrole
160# tests. (string value)
161#rbac_test_role = admin
162
163# Enables RBAC tests. (boolean value)
164#enable_rbac = true
165
166# If true, throws RbacParsingException for policies which
167# don't exist or are not included in the service's policy file. If
168# false, throws skipException instead, so the affected test is
169# skipped and yields no RBAC result. (boolean value)
170#strict_policy_check = false
171
172# List of the paths to search for policy files. Each policy path
173# must contain the service name exactly once, written as the `%s`
174# placeholder (for example, /etc/%s/policy.json).
175# Patrole is assumed to run on the same host as the policy files.
176# The paths should be ordered by precedence, with high-priority
177# paths before low-priority paths: the first path found to contain
178# the service's policy file is the one used, so list the file the
179# service actually enforces first, or the tests check a policy
180# that is not the one in effect.
181# (list value)
182#custom_policy_files = /etc/%s/policy.json
183
184# DEPRECATED: Location of the Cinder policy file. Assumed to be on
185# the same host as Patrole. (string value)
186# This option is deprecated for removal.
187# Its value may be silently ignored in the future.
188# Reason: It is better to use `custom_policy_files` which supports any
189# OpenStack service.
190#cinder_policy_file = /etc/cinder/policy.json
191
192# DEPRECATED: Location of the Glance policy file. Assumed to be on
193# the same host as Patrole. (string value)
194# This option is deprecated for removal.
195# Its value may be silently ignored in the future.
196# Reason: It is better to use `custom_policy_files` which supports any
197# OpenStack service.
198#glance_policy_file = /etc/glance/policy.json
199
200# DEPRECATED: Location of the custom Keystone policy file. Assumed to
201# be on the same host as Patrole. (string value)
202# This option is deprecated for removal.
203# Its value may be silently ignored in the future.
204# Reason: It is better to use `custom_policy_files` which supports any
205# OpenStack service.
206#keystone_policy_file = /etc/keystone/policy.json
207
208# DEPRECATED: Location of the Neutron policy file. Assumed to be on
209# the same host as Patrole. (string value)
210# This option is deprecated for removal.
211# Its value may be silently ignored in the future.
212# Reason: It is better to use `custom_policy_files` which supports any
213# OpenStack service.
214#neutron_policy_file = /etc/neutron/policy.json
215
216# DEPRECATED: Location of the custom Nova policy file. Assumed to be
217# on the same host as Patrole. (string value)
218# This option is deprecated for removal.
219# Its value may be silently ignored in the future.
220# Reason: It is better to use `custom_policy_files` which supports any
221# OpenStack service.
222#nova_policy_file = /etc/nova/policy.json
223
224#
225# This option determines whether Patrole should run against a
226# `custom_requirements_file` which defines RBAC requirements. The
227# purpose of setting this flag to True is to verify that RBAC policy
228# is in accordance with requirements. The idea is that the
229# `custom_requirements_file` perfectly defines what the RBAC
230# requirements are.
231#
232# Here are the possible outcomes when running the Patrole tests
233# against
234# a `custom_requirements_file`:
235#
236# YAML definition: allowed
237# test run: allowed
238# test result: pass
239#
240# YAML definition: allowed
241# test run: not allowed
242# test result: fail (under-permission)
243#
244# YAML definition: not allowed
245# test run: allowed
246# test result: fail (over-permission)
247# (boolean value)
248#test_custom_requirements = false
249
250#
251# File path of the yaml file that defines your RBAC requirements. This
252# file must be located on the same host that Patrole runs on. The yaml
253# file should be written as follows:
254#
255# ```
256# <service>:
257#   <api_action>:
258#     - <allowed_role>
259#     - <allowed_role>
260#     - <allowed_role>
261#   <api_action>:
262#     - <allowed_role>
263#     - <allowed_role>
264# <service>:
265#   <api_action>:
266#     - <allowed_role>
267# ```
268# Where:
269# service = the service that is being tested (cinder, nova, etc)
270# api_action = the policy action that is being tested. Examples:
271# - volume:create
272# - os_compute_api:servers:start
273# - add_image
274# allowed_role = the Keystone role that is allowed to perform the API
275# (string value)
276#custom_requirements_file = <None>