| Felipe Monteiro | 8a5f69a | 2017-07-14 20:12:33 +0100 | [diff] [blame] | 1 | .. _patrole-configuration: |
| 2 | |
| 3 | Patrole Configuration Guide |
| 4 | =========================== |
| 5 | |
| 6 | Patrole can be customized by updating Tempest's ``tempest.conf`` configuration |
| 7 | file. All Patrole-specific configuration options should be included under |
| Felipe Monteiro | f6eb862 | 2017-08-06 06:08:02 +0100 | [diff] [blame] | 8 | the ``patrole`` group. |
| Felipe Monteiro | 8a5f69a | 2017-07-14 20:12:33 +0100 | [diff] [blame] | 9 | |
| 10 | RBAC Test Role |
| 11 | -------------- |
| 12 | |
| 13 | The RBAC test role governs which role is used when running Patrole tests. For |
| 14 | example, setting ``rbac_test_role`` to "admin" will execute all RBAC tests |
| 15 | using admin credentials. Changing the ``rbac_test_role`` value will `override` |
| 16 | Tempest's primary credentials to use that role. |
| 17 | |
| 18 | This implies that, if ``rbac_test_role`` is "admin", regardless of the Tempest |
| 19 | credentials used by a client, the client will be calling APIs using the admin |
| 20 | role. That is, ``self.os_primary.servers_client`` will run as though it were |
| 21 | ``self.os_admin.servers_client``. |
| 22 | |
| 23 | Similarly, setting ``rbac_test_role`` to a non-admin role results in Tempest's |
| melissaml | 7cd2161 | 2018-05-23 21:00:50 +0800 | [diff] [blame] | 24 | primary credentials being overridden by the role specified by |
| Felipe Monteiro | 8a5f69a | 2017-07-14 20:12:33 +0100 | [diff] [blame] | 25 | ``rbac_test_role``. |
| 26 | |
| 27 | .. note:: |
| 28 | |
| 29 | Only the role of the primary Tempest credentials ("os_primary") is |
| 30 | modified. The ``user_id`` and ``project_id`` remain unchanged. |
| 31 | |
| 32 | Enable RBAC |
| 33 | ----------- |
| 34 | |
| 35 | Given the value of ``enable_rbac``, enables or disables Patrole tests. If |
| 36 | ``enable_rbac`` is ``False``, then Patrole tests are skipped. |
| 37 | |
| Felipe Monteiro | 8a5f69a | 2017-07-14 20:12:33 +0100 | [diff] [blame] | 38 | Custom Policy Files |
| 39 | ------------------- |
| 40 | |
| 41 | Patrole supports testing custom policy file definitions, along with default |
| 42 | policy definitions. Default policy definitions are used if custom file |
| 43 | definitions are not specified. If both are specified, the custom policy |
| 44 | definition takes precedence (that is, replaces the default definition, |
| 45 | as this is the default behavior in OpenStack). |
| 46 | |
| 47 | The ``custom_policy_files`` option allows a user to specify a comma-separated |
| 48 | list of custom policy file locations that are on the same host as Patrole. |
| 49 | Each policy file must include the name of the service that is being tested: |
| 50 | for example, if "compute" tests are executed, then Patrole will use the first |
| 51 | policy file contained in ``custom_policy_files`` that contains the "nova" |
| 52 | keyword. |
| 53 | |
| 54 | .. note:: |
| 55 | |
| 56 | Patrole currently does not support policy files located on a host different |
| 57 | than the one on which it is running. |