This module is only called for calculating the "Expected" result if
[patrole] test_custom_requirements is False.

Using the PolicyAuthority class, policy verification is performed by:

1. Pooling together the default in-code policy rules of the service.
2. Overriding the defaults with custom policy rules located in the service's
   policy file, if the policy file exists and the custom policy definition is
   explicitly defined therein.
3. Confirming that the policy action, for example "list_users", actually
   exists. (oslo.policy otherwise claims that role "foo" is allowed to perform
   policy action "bar", for example, because it defers to the "default" policy
   rule, and oftentimes the default can be "anyone allowed".)
4. Performing a call with all necessary data to oslo.policy and returning the
   expected result back to the rbac_rule_validation decorator.

This RbacAuthority class can be used to validate the default OpenStack policy
configuration. It is recommended that this approach be used for RBAC
validation for clouds that use little to no policy customizations or
overrides.
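The verification flow described above, as an added example that is not Patrole's or oslo.policy's own code: a small Python emulation of the steps (pool in-code defaults, overlay a custom policy file, refuse unknown actions, evaluate the rule for a set of roles). It implements only a subset of oslo.policy's rule language (role:X, rule:Y, "or"/"and", "" meaning always allowed, "!" meaning always denied); the policy contents, the action names and the RbacParsingException class are constructed for the example. The require_existence switch shows why the existence check matters: with it disabled, a misspelled action name silently falls back to the "default" rule and is reported as allowed, which would mask a real policy bug in a test expectation.

```python
"""Emulation of how an expected RBAC result is derived from policy rules.

Added example, not Patrole or oslo.policy code. Supports a subset of the
oslo.policy rule language so it runs offline: role:X, rule:Y, "or"/"and"
(no parentheses), "" (anyone allowed) and "!" (nobody allowed).
"""
import json


class RbacParsingException(Exception):
    """Constructed stand-in for the exception raised on an undefined action."""


# Constructed in-code defaults, standing in for a service's policy-in-code.
IN_CODE_DEFAULTS = {
    "admin_required": "role:admin",
    "default": "",  # "anyone allowed" fallback used for unknown actions
    "identity:list_users": "rule:admin_required",
    "identity:get_user": "rule:admin_required or role:reader",
    "identity:delete_user": "rule:admin_required",
}

# Constructed custom policy file contents (what a deployer might ship).
CUSTOM_POLICY_JSON = json.dumps({
    "identity:delete_user": "role:superadmin",
    "identity:get_user": "!",
})


def pool_rules(defaults, custom_json):
    """Steps 1 and 2: start from in-code defaults, override with the file."""
    rules = dict(defaults)
    rules.update(json.loads(custom_json))
    return rules


def _eval(expr, rules, roles, depth=0):
    """Evaluate one rule expression against the caller's roles."""
    expr = expr.strip()
    if depth > 32:
        raise RbacParsingException("rule recursion too deep")
    if expr == "":
        return True
    if expr == "!":
        return False
    # "or" binds loosest, then "and"; split on the loosest operator first.
    if " or " in expr:
        return any(_eval(p, rules, roles, depth + 1) for p in expr.split(" or "))
    if " and " in expr:
        return all(_eval(p, rules, roles, depth + 1) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        if value not in rules:
            raise RbacParsingException("referenced rule %r is undefined" % value)
        return _eval(rules[value], rules, roles, depth + 1)
    raise RbacParsingException("unsupported check %r" % expr)


def allowed(rules, rule_name, roles, require_existence=True):
    """Steps 3 and 4: confirm the action exists, then evaluate it.

    require_existence=False mimics raw engine behaviour: an unknown action
    is evaluated with the "default" rule instead of being rejected.
    """
    if rule_name not in rules:
        if require_existence:
            raise RbacParsingException("policy action %r not found" % rule_name)
        return _eval(rules.get("default", "!"), rules, roles)
    return _eval(rules[rule_name], rules, roles)


def expected_results():
    """Expected outcomes for a few (action, roles) pairs, as a test would compute them."""
    rules = pool_rules(IN_CODE_DEFAULTS, CUSTOM_POLICY_JSON)
    return {
        "list_users/member": allowed(rules, "identity:list_users", ["member"]),
        "list_users/admin": allowed(rules, "identity:list_users", ["admin"]),
        "delete_user/admin": allowed(rules, "identity:delete_user", ["admin"]),
        "delete_user/superadmin": allowed(rules, "identity:delete_user", ["superadmin"]),
        "get_user/reader": allowed(rules, "identity:get_user", ["reader"]),
        # Misspelled action with the existence check off: falls to "default".
        "list_usres/member (unchecked)": allowed(
            rules, "identity:list_usres", ["member"], require_existence=False),
    }


if __name__ == "__main__":
    for key, value in expected_results().items():
        print("%-32s expected allowed=%s" % (key, value))
```

The custom file overrides both the delete_user rule (admin loses access, superadmin gains it) and get_user (denied to everyone), so the pooled rules, not the in-code defaults alone, decide the expectation. The last entry is the false positive the existence check prevents: a typo in the action name yields "allowed" because the default rule is the empty string.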
This validation approach should be used when:

* Validating the out-of-the-box policy-in-code OpenStack policy configuration.

  It is important that the default OpenStack policy configuration be
  validated before deploying OpenStack into production. Bugs exist in
  software and the earlier they can be caught and prevented (via CI/CD, for
  example), the better. Patrole continues to be used to identify default
  policy bugs across OpenStack services.

* Validating policy reliably and accurately.

  Relying on oslo.policy to compute the expected test results provides
  accurate tests, without the hassle of having to reinvent the wheel. Since
  OpenStack APIs use oslo.policy for policy enforcement, it makes sense to
  compute expected results by using the same library, ensuring test
  reliability.

* Continuously validating policy changes to OpenStack projects under
  development by gating them against Patrole CI/CD jobs run by Zuul.
PolicyAuthority

    A class that uses oslo.policy for validating RBAC.

    Checks if a given rule in a policy is allowed with the given roles.

        Parameters: the policy rule name to pass to oslo.policy, and the list
        of roles to validate for authorization.

        Raises: RbacParsingException – If the given rule is not defined in the
        service's policy.

    Dynamically discover the policy file for each service in
    cls.available_services. Pick the first candidate path found out of the
    potential paths in [patrole] custom_policy_files.

    Validate whether the service passed to __init__ exists.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.