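#
# Sample Patrole configuration. Every option below is shown commented
# out with its default value; uncomment a line to override it. The
# option descriptions are taken from patrole.config.
#
[DEFAULT]


[patrole]

#
# From patrole.config
#

# The current RBAC role against which to run Patrole tests.
# (string value)
#rbac_test_role = admin

# Enables RBAC tests. (boolean value)
#enable_rbac = true

# List of the paths to search for policy files. Each policy path
# assumes that the service name is included in the path once (the %s
# in the default is presumably where the service name is substituted;
# confirm against patrole.config). Also assumes Patrole is on the same
# host as the policy files. The paths should be ordered by precedence,
# with high-priority paths before low-priority paths: the first path
# that is found to contain the service's policy file will be used, so
# a stale or unintended policy file earlier in the list silently takes
# precedence over the intended one. (list value)
#custom_policy_files = /etc/%s/policy.json

#
# This option determines whether Patrole should run against a
# ``custom_requirements_file`` which defines RBAC requirements. The
# purpose of setting this flag to True is to verify that RBAC policy
# is in accordance with requirements. The idea is that the
# ``custom_requirements_file`` perfectly defines what the RBAC
# requirements are.
#
# Here are the possible outcomes when running the Patrole tests
# against a ``custom_requirements_file``:
#
# YAML definition: allowed
# test run: allowed
# test result: pass
#
# YAML definition: allowed
# test run: not allowed
# test result: fail (under-permission, e.g. Forbidden exception)
#
# YAML definition: not allowed
# test run: allowed
# test result: fail (over-permission)
#
# Both directions are reported as failures: a role that can do less
# than the requirements state, and a role that can do more.
# (boolean value)
#test_custom_requirements = false

#
# File path of the YAML file that defines your RBAC requirements. This
# file must be located on the same host that Patrole runs on. The YAML
# file should be written as follows:
#
# ```
# <service_foo>:
#   <api_action_x>:
#     - <allowed_role_a>
#     - <allowed_role_b>
#     - <allowed_role_c>
#   <api_action_y>:
#     - <allowed_role_d>
#     - <allowed_role_e>
# <service_bar>:
#   <api_action_z>:
#     - <allowed_role_b>
# ```
#
# Where:
#
# service = the service that is being tested (Cinder, Nova, etc.)
# api_action = the policy action that is being tested. Examples:
#   - volume:create
#   - os_compute_api:servers:start
#   - add_image
# allowed_role = the Keystone role that is allowed to perform the API.
#
# NOTE(review): presumably a role that is absent from an api_action's
# list counts as "not allowed" and will surface as an over-permission
# failure, so an incomplete file produces spurious failures rather
# than silently passing -- confirm before relying on this.
# (string value; no default)
#custom_requirements_file = <None>


[patrole_log]

#
# From patrole.config
#

# Enables reporting on RBAC expected and actual test results for each
# Patrole test. (boolean value)
#enable_reporting = false

# Name of file where output from 'enable_reporting' is logged. Note
# that this file is recreated on each invocation of Patrole, so the
# results of a previous run are overwritten rather than appended.
# (string value)
#report_log_name = patrole.log

# Path (relative or absolute) where the output from 'enable_reporting'
# is logged. This is combined with report_log_name to generate the
# full path. A relative path is presumably resolved against the
# working directory Patrole is invoked from; confirm before relying
# on it. (string value)
#report_log_path = .


[policy-feature-enabled]

#
# From patrole.config
#

# Each flag below answers whether the named policy is available in the
# cloud under test. Every policy listed here was changed in a
# backwards-incompatible way, so the correct answer depends on the
# release being tested.

# Is the Neutron policy "create_port:fixed_ips:ip_address" available
# in the cloud? This policy was changed in a backwards-incompatible
# way. (boolean value)
#create_port_fixed_ips_ip_address_policy = true

# Is the Neutron policy "update_port:fixed_ips:ip_address" available
# in the cloud? This policy was changed in a backwards-incompatible
# way. (boolean value)
#update_port_fixed_ips_ip_address_policy = true

# Is the Cinder policy "limits_extension:used_limits" available in the
# cloud? This policy was changed in a backwards-incompatible way.
# (boolean value)
#limits_extension_used_limits_policy = true

# Is the Cinder policy "volume_extension:volume_actions:attach"
# available in the cloud? This policy was changed in a
# backwards-incompatible way. (boolean value)
#volume_extension_volume_actions_attach_policy = true

# Is the Cinder policy "volume_extension:volume_actions:reserve"
# available in the cloud? This policy was changed in a
# backwards-incompatible way. (boolean value)
#volume_extension_volume_actions_reserve_policy = true

# Is the Cinder policy "volume_extension:volume_actions:unreserve"
# available in the cloud? This policy was changed in a
# backwards-incompatible way. (boolean value)
#volume_extension_volume_actions_unreserve_policy = true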