Felipe Monteiro098a8cd2017-09-20 21:31:27 +01001[DEFAULT]
2
3
4[patrole]
5
6#
7# From patrole.config
8#
9
10# The current RBAC role against which to run Patrole
11# tests. (string value)
12#rbac_test_role = admin
13
14# Enables RBAC tests. (boolean value)
15#enable_rbac = true
16
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010017# List of the paths to search for policy files. Each
18# policy path assumes that the service name is included in the path
19# once (the ``%s`` placeholder in the default below). It is also
20# assumed that Patrole is on the same host as the policy files. The paths
21# should be
22# ordered by precedence, with high-priority paths before low-priority
23# paths. The
24# first path that is found to contain the service's policy file will
25# be used.
26# (list value)
27#custom_policy_files = /etc/%s/policy.json
28
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010029#
30# This option determines whether Patrole should run against a
Felipe Monteiro97117b02018-05-23 16:31:23 -070031# ``custom_requirements_file`` which defines RBAC requirements. The
Felipe Monteiro66d54a92018-05-31 20:08:35 +010032# purpose of setting this flag to ``True`` is to verify that RBAC
33# policy
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010034# is in accordance with requirements. The idea is that the
Felipe Monteiro66d54a92018-05-31 20:08:35 +010035# ``custom_requirements_file`` precisely defines what the RBAC
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010036# requirements are.
37#
38# Here are the possible outcomes when running the Patrole tests
39# against
Felipe Monteiro97117b02018-05-23 16:31:23 -070040# a ``custom_requirements_file``:
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010041#
42# YAML definition: allowed
43# test run: allowed
44# test result: pass
45#
46# YAML definition: allowed
47# test run: not allowed
Felipe Monteirof16b6b32018-06-28 19:32:59 -040048# test result: fail (under-permission)
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010049#
50# YAML definition: not allowed
51# test run: allowed
52# test result: fail (over-permission)
53# (boolean value)
54#test_custom_requirements = false
55
56#
Felipe Monteiro97117b02018-05-23 16:31:23 -070057# File path of the YAML file that defines your RBAC requirements. This
58# file must be located on the same host that Patrole runs on. The YAML
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010059# file should be written as follows:
60#
Felipe Monteiro66d54a92018-05-31 20:08:35 +010061# .. code-block:: yaml
62#
63#     <service_foo>:
64#       <api_action_a>:
65#         - <allowed_role_1>
66#         - <allowed_role_2>
67#         - <allowed_role_3>
68#       <api_action_b>:
69#         - <allowed_role_2>
70#         - <allowed_role_4>
71#     <service_bar>:
72#       <api_action_c>:
73#         - <allowed_role_3>
Felipe Monteiro97117b02018-05-23 16:31:23 -070074#
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010075# Where:
Felipe Monteiro97117b02018-05-23 16:31:23 -070076#
Felipe Monteiro66d54a92018-05-31 20:08:35 +010077# service = the service that is being tested (Cinder, Nova, etc.).
78#
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010079# api_action = the policy action that is being tested. Examples:
Felipe Monteiro66d54a92018-05-31 20:08:35 +010080#
81# * volume:create
82# * os_compute_api:servers:start
83# * add_image
84#
85# allowed_role = the ``oslo.policy`` role that is allowed to perform
86# the API action.
Felipe Monteiro098a8cd2017-09-20 21:31:27 +010087# (string value)
88#custom_requirements_file = <None>
89
90
91[patrole_log]
92
93#
94# From patrole.config
95#
96
97# Enables reporting on RBAC expected and actual test results for each
98# Patrole test (boolean value)
99#enable_reporting = false
100
101# Name of file where output from 'enable_reporting' is logged. Note
102# that this file is recreated on each invocation of patrole (string
103# value)
104#report_log_name = patrole.log
105
106# Path (relative or absolute) where the output from 'enable_reporting'
107# is logged. This is combined with 'report_log_name' to generate the full
108# path. (string value)
109#report_log_path = .
Felipe Monteiro739041f2018-03-25 00:24:03 -0400110
111
112[policy-feature-enabled]
113
114#
115# From patrole.config
116#
117
118# Is the Neutron policy
119# "create_port:fixed_ips:ip_address" available in the cloud? This
120# policy was
121# changed in a backwards-incompatible way. (boolean value)
122#create_port_fixed_ips_ip_address_policy = true
123
124# Is the Neutron policy
125# "update_port:fixed_ips:ip_address" available in the cloud? This
126# policy was
127# changed in a backwards-incompatible way. (boolean value)
128#update_port_fixed_ips_ip_address_policy = true
129
130# Is the Cinder policy
131# "limits_extension:used_limits" available in the cloud? This policy
132# was
133# changed in a backwards-incompatible way. (boolean value)
134#limits_extension_used_limits_policy = true
135
136# Is the Cinder policy
137# "volume_extension:volume_actions:attach" available in the cloud?
138# This policy
139# was changed in a backwards-incompatible way. (boolean value)
140#volume_extension_volume_actions_attach_policy = true
141
142# Is the Cinder policy
143# "volume_extension:volume_actions:reserve" available in the cloud?
144# This policy
145# was changed in a backwards-incompatible way. (boolean value)
146#volume_extension_volume_actions_reserve_policy = true
147
148# Is the Cinder policy
149# "volume_extension:volume_actions:unreserve" available in the cloud?
150# This policy
151# was changed in a backwards-incompatible way. (boolean value)
152#volume_extension_volume_actions_unreserve_policy = true