Felipe Monteiro098a8cd2017-09-20 21:31:27 +01001[DEFAULT]
2
3
4[patrole]
5
6#
7# From patrole.config
8#
9
Mykola Yakovlieve0f35502018-09-26 18:26:57 -050010# DEPRECATED: The current RBAC role against which to run
11# Patrole tests. (string value)
12# This option is deprecated for removal.
13# Its value may be silently ignored in the future.
14# Reason: This option is deprecated and being
15# replaced with ``rbac_test_roles``.
16#rbac_test_role =
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010017
Mykola Yakovlieve0f35502018-09-26 18:26:57 -050018# The current RBAC roles to be assigned to the Keystone
19# group against which to run Patrole tests. (list value)
20#rbac_test_roles = admin
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010021
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010022# List of the paths to search for policy files. Each
23# policy path assumes that the service name is included in the path
24# once. Also
25# assumes Patrole is on the same host as the policy files. The paths
26# should be
27# ordered by precedence, with high-priority paths before low-priority
Mykola Yakovlieve0f35502018-09-26 18:26:57 -050028# paths. All
29# the paths that are found to contain the service's policy file will
30# be used and
31# all policy files will be merged. Allowed formats: ``json`` or
32# ``yaml``.
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010033# (list value)
34#custom_policy_files = /etc/%s/policy.json
35
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010036#
37# This option determines whether Patrole should run against a
Felipe Monteiro97117b02018-05-23 16:31:23 -070038# ``custom_requirements_file`` which defines RBAC requirements. The
Felipe Monteiro66d54a92018-05-31 20:08:35 +010039# purpose of setting this flag to ``True`` is to verify that RBAC
40# policy
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010041# is in accordance with requirements. The idea is that the
Felipe Monteiro66d54a92018-05-31 20:08:35 +010042# ``custom_requirements_file`` precisely defines what the RBAC
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010043# requirements are.
44#
45# Here are the possible outcomes when running the Patrole tests
46# against
Felipe Monteiro97117b02018-05-23 16:31:23 -070047# a ``custom_requirements_file``:
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010048#
49# YAML definition: allowed
50# test run: allowed
51# test result: pass
52#
53# YAML definition: allowed
54# test run: not allowed
Felipe Monteirof16b6b32018-06-28 19:32:59 -040055# test result: fail (under-permission)
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010056#
57# YAML definition: not allowed
58# test run: allowed
59# test result: fail (over-permission)
60# (boolean value)
61#test_custom_requirements = false
62
63#
Felipe Monteiro97117b02018-05-23 16:31:23 -070064# File path of the YAML file that defines your RBAC requirements. This
65# file must be located on the same host that Patrole runs on. The YAML
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010066# file should be written as follows:
67#
Felipe Monteiro66d54a92018-05-31 20:08:35 +010068# .. code-block:: yaml
69#
70# <service_foo>:
71# <api_action_a>:
72# - <allowed_role_1>
73# - <allowed_role_2>
74# - <allowed_role_3>
75# <api_action_b>:
76# - <allowed_role_2>
77# - <allowed_role_4>
78# <service_bar>:
79# <api_action_c>:
80# - <allowed_role_3>
Felipe Monteiro97117b02018-05-23 16:31:23 -070081#
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010082# Where:
Felipe Monteiro97117b02018-05-23 16:31:23 -070083#
Mykola Yakovlievcd2c5fd2019-01-15 13:48:15 -060084# service = the service that is being tested (cinder, nova, etc.).
Felipe Monteiro66d54a92018-05-31 20:08:35 +010085#
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010086# api_action = the policy action that is being tested. Examples:
Felipe Monteiro66d54a92018-05-31 20:08:35 +010087#
88# * volume:create
89# * os_compute_api:servers:start
90# * add_image
91#
92# allowed_role = the ``oslo.policy`` role that is allowed to perform
93# the API action.
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010094# (string value)
95#custom_requirements_file = <None>
96
97
98[patrole_log]
99
100#
101# From patrole.config
102#
103
104# Enables reporting on RBAC expected and actual test results for each
105# Patrole test (boolean value)
106#enable_reporting = false
107
108# Name of file where output from 'enable_reporting' is logged. Note
109# that this file is recreated on each invocation of patrole (string
110# value)
111#report_log_name = patrole.log
112
113# Path (relative or absolute) where the output from 'enable_reporting'
114# is logged. This is combined with report_log_name to generate the full
115# path. (string value)
116#report_log_path = .
Felipe Monteiro739041f2018-03-25 00:24:03 -0400117
118
119[policy-feature-enabled]
120
121#
122# From patrole.config
123#
124
125# Is the Neutron policy
126# "create_port:fixed_ips:ip_address" available in the cloud? This
127# policy was
128# changed in a backwards-incompatible way. (boolean value)
129#create_port_fixed_ips_ip_address_policy = true
130
131# Is the Neutron policy
132# "update_port:fixed_ips:ip_address" available in the cloud? This
133# policy was
134# changed in a backwards-incompatible way. (boolean value)
135#update_port_fixed_ips_ip_address_policy = true
136
137# Is the Cinder policy
138# "limits_extension:used_limits" available in the cloud? This policy
139# was
140# changed in a backwards-incompatible way. (boolean value)
141#limits_extension_used_limits_policy = true
142
143# Is the Cinder policy
144# "volume_extension:volume_actions:attach" available in the cloud?
145# This policy
146# was changed in a backwards-incompatible way. (boolean value)
147#volume_extension_volume_actions_attach_policy = true
148
149# Is the Cinder policy
150# "volume_extension:volume_actions:reserve" available in the cloud?
151# This policy
152# was changed in a backwards-incompatible way. (boolean value)
153#volume_extension_volume_actions_reserve_policy = true
154
155# Is the Cinder policy
156# "volume_extension:volume_actions:unreserve" available in the cloud?
157# This policy
158# was changed in a backwards-incompatible way. (boolean value)
159#volume_extension_volume_actions_unreserve_policy = true
Mykola Yakovlieve0f35502018-09-26 18:26:57 -0500160
161# Are the Nova API extension policies available in the
162# cloud (e.g. os_compute_api:os-extended-availability-zone)? These
163# policies were
164# removed in Stein because the Nova API extension concept was removed in
165# Pike. (boolean value)
166#removed_nova_policies_stein = true
167
168# Are the Cinder API extension policies available in the
169# cloud (e.g. [create|update|get|delete]_encryption_policy)? These
170# policies were
171# added in Stein. (boolean value)
172#added_cinder_policies_stein = true