{ "info": { "author": "OpenStack", "author_email": "openstack-discuss@lists.openstack.org", "bugtrack_url": null, "classifiers": [ "Environment :: OpenStack", "Intended Audience :: Information Technology", "Intended Audience :: System Administrators", "License :: OSI Approved :: Apache Software License", "Operating System :: POSIX :: Linux", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7" ], "description": "Patrole - RBAC Integration Tempest Plugin\n=========================================\n\nPatrole is a set of integration tests to be run against a live OpenStack\ncluster. It has a battery of tests dedicated to validating the correctness and\nintegrity of the cloud's RBAC implementation.\n\nMore importantly, Patrole is a security validation tool for verifying that\nRole-Based Access Control is correctly configured and enforced in an OpenStack\ncloud. It runs `Tempest`_-based API tests using specified RBAC roles, thus\nallowing deployments to verify that only intended roles have access to those\nAPIs.\n\nPatrole is currently undergoing heavy development. As more projects move\ntoward policy in code, Patrole will align its testing with the appropriate\ndocumentation.\n\n* Free software: Apache license\n* Documentation: https://docs.openstack.org/patrole/latest\n* Source: https://opendev.org/openstack/patrole\n* Bugs: https://storyboard.openstack.org/#!/project/openstack/patrole\n* Release notes: https://docs.openstack.org/releasenotes/patrole/\n\nTeam and repository tags\n------------------------\n\n.. image:: https://governance.openstack.org/tc/badges/patrole.svg\n :target: https://governance.openstack.org/tc/reference/tags/index.html\n\n.. _design-principles:\n\nDesign Principles\n-----------------\n\nAs a `Tempest plugin`_, Patrole borrows some design principles from `Tempest design principles`_,\nbut not all, as its testing scope is confined to policies.\n\n* *Stability*. Patrole uses OpenStack public interfaces. Tests in Patrole\n should only touch public OpenStack APIs.\n* *Atomicity*. Patrole tests should be atomic: they should test policies in\n isolation. Unlike Tempest, a Patrole test strives to only call a single\n endpoint at a time. This is because it is important to validate each policy\n is authorized correctly and the best way to do that is to validate each\n policy alone, to avoid test contamination.\n* *Complete coverage*. Patrole should validate all policy in code defaults. For\n testing, Patrole uses the API-to-policy mapping contained in each project's\n `policy in code`_ documentation where applicable.\n\n For example, Nova's policy in code documentation is located in the\n `Nova repository`_ under ``nova/policies``. Likewise, Keystone's policy in\n code documentation is located in the `Keystone repository`_ under\n ``keystone/common/policies``. The other OpenStack services follow the same\n directory layout pattern with respect to policy in code.\n\n .. note::\n\n Realistically this is not always possible because some services have\n not yet moved to policy in code.\n\n* *Customizable*. Patrole should be able to validate custom policy overrides to\n ensure that those overrides enhance rather than undermine the cloud's RBAC\n configuration. In addition, Patrole should be able to validate any role.\n* *Self-cleaning*. Patrole should attempt to clean up after itself; whenever\n possible we should tear down resources when done.\n\n .. note::\n\n Patrole modifies roles dynamically in the background, which affects\n pre-provisioned credentials. Work is currently underway to clean up\n modifications made to pre-provisioned credentials.\n\n* *Self-testing*. Patrole should be self-testing.\n\n.. _Tempest plugin: https://docs.openstack.org/tempest/latest/plugin.html\n.. _Tempest design principles: https://docs.openstack.org/tempest/latest/overview.html#design-principles\n.. _policy in code: https://specs.openstack.org/openstack/oslo-specs/specs/newton/policy-in-code.html\n.. _Nova repository: https://opendev.org/openstack/nova/src/branch/master/nova/policies\n.. _Keystone repository: https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies\n\nFeatures\n--------\n* Validation of default policy definitions located in policy.json files.\n* Validation of in-code policy definitions.\n* Validation of custom policy file definitions that override default policy\n definitions.\n* Built-in positive and negative testing. Positive and negative testing\n are performed using the same tests and role-switching.\n* Valdation of custom roles as well as default OpenStack roles.\n\n.. note::\n\n Patrole does not yet support policy.yaml files, the new file format for\n policy files in OpenStack.\n\nHow It Works\n------------\nPatrole leverages ``oslo.policy`` (OpenStack's policy enforcement engine) to\ndetermine whether a given role is allowed to perform a policy action, given a\nspecific role and OpenStack service. The output from ``oslo.policy`` (the\nexpected result) and the actual result from test execution are compared to\neach other: if both results match, then the test passes; else it fails.\n\nTerminology\n^^^^^^^^^^^\n* Expected Result - The expected result of a given test.\n* Actual Result - The actual result of a given test.\n* Final Result - A match between both expected and actual results. A mismatch\n in the expected result and the actual result will result in a test failure.\n\n * Expected: Pass | Actual: Pass - Test Case Success\n * Expected: Pass | Actual: Fail - Test Case Under-Permission Failure\n * Expected: Fail | Actual: Pass - Test Case Over-Permission Failure\n * Expected: Fail | Actual: Fail (Expected exception) - Test Case Success\n * Expected: Fail | Actual: Fail (Unexpected exception) - Test Case Failure\n\nQuickstart\n----------\nTo run Patrole, you must first have `Tempest`_ installed and configured\nproperly. Please reference `Tempest_quickstart`_ guide to do so. Follow all\nthe steps outlined therein. Afterward, proceed with the steps below.\n\n#. You first need to install Patrole. This is done with pip after you check out\n the Patrole repo::\n\n $ git clone https://opendev.org/openstack/patrole\n $ pip install patrole/\n\n This can be done within a venv.\n\n .. note::\n\n You may also install Patrole from source code by running::\n\n pip install -e patrole/\n\n#. Next you must properly configure Patrole, which is relatively\n straightforward. For details on configuring Patrole refer to the\n `Patrole Configuration `_.\n\n#. Once the configuration is done you're now ready to run Patrole. This can\n be done using the `tempest_run`_ command. This can be done by running::\n\n $ tempest run --regex '^patrole_tempest_plugin\\.tests\\.api'\n\n There is also the option to use testr directly, or any `testr`_ based test\n runner, like `ostestr`_. For example, from the workspace dir run::\n\n $ stestr --regex '(?!.*\\[.*\\bslow\\b.*\\])(^patrole_tempest_plugin\\.tests\\.api))'\n\n will run the same set of tests as the default gate jobs.\n\n You can also run Patrole tests using `tox`_, but as Patrole needs access to\n global packages use ``--sitepackages`` argument. To do so, ``cd`` into the\n **Tempest** directory and run::\n\n $ tox -eall --sitepackages -- patrole_tempest_plugin.tests.api\n\n .. note::\n\n It is possible to run Patrole via ``tox -eall`` in order to run Patrole\n isolated from other plugins. This can be accomplished by including the\n installation of services that currently use policy in code -- for example,\n Nova and Keystone. For example::\n\n $ tox -evenv-tempest -- pip install /opt/stack/patrole /opt/stack/keystone /opt/stack/nova\n $ tox -eall -- patrole_tempest_plugin.tests.api\n\n#. Log information from tests is captured in ``tempest.log`` under the Tempest\n repository. Some Patrole debugging information is captured in that log\n related to expected test results and `Role Overriding `_.\n\n More detailed RBAC testing log output is emitted to ``patrole.log`` under\n the Patrole repository. To configure Patrole's logging, see the\n `Patrole Configuration Guide `_.\n\n.. _Tempest: https://opendev.org/openstack/tempest/\n.. _Tempest_quickstart: https://docs.openstack.org/tempest/latest/overview.html#quickstart\n.. _tempest_run: https://docs.openstack.org/tempest/latest/run.html\n.. _testr: https://testrepository.readthedocs.org/en/latest/MANUAL.html\n.. _ostestr: https://docs.openstack.org/os-testr/latest/\n.. _tox: https://tox.readthedocs.io/en/latest/\n\nRBAC Tests\n----------\n\nTo change the roles that the patrole tests are being run as, edit\n``rbac_test_roles`` in the ``patrole`` section of tempest.conf: ::\n\n [patrole]\n rbac_test_roles = member,reader\n ...\n\n.. note::\n\n The ``rbac_test_roles`` is service-specific. member, for example,\n is an arbitrary role, but by convention is used to designate the default\n non-admin role in the system. Most Patrole tests should be run with\n **admin** and **member** roles. However, other services may use entirely\n different roles or role combinations.\n\nFor more information about RBAC, reference the `rbac-overview`_\ndocumentation page.\n\nFor information regarding which projects Patrole offers RBAC testing for,\nreference the `HACKING`_ documentation page.\n\n.. _rbac-overview: https://docs.openstack.org/patrole/latest/rbac-overview.html\n.. _HACKING: https://docs.openstack.org/patrole/latest/HACKING.html#supported-openstack-components\n\nUnit Tests\n----------\n\nPatrole also has a set of unit tests which test the Patrole code itself. These\ntests can be run by specifying the test discovery path::\n\n $ stestr --test-path ./patrole_tempest_plugin/tests/unit run\n\nBy setting ``--test-path`` option to ``./patrole_tempest_plugin/tests/unit``\nit specifies that test discovery should only be run on the unit test directory.\n\nAlternatively, there are the py27 and py35 tox jobs which will run the unit\ntests with the corresponding version of Python.\n\nOne common activity is to just run a single test; you can do this with tox\nsimply by specifying to just run py27 or py35 tests against a single test::\n\n $ tox -e py27 -- -n patrole_tempest_plugin.tests.unit.test_rbac_utils.RBACUtilsTest.test_override_role_with_missing_admin_role\n\nOr all tests in the test_rbac_utils.py file::\n\n $ tox -e py27 -- -n patrole_tempest_plugin.tests.unit.test_rbac_utils\n\nYou may also use regular expressions to run any matching tests::\n\n $ tox -e py27 -- test_rbac_utils\n\nFor more information on these options and details about stestr, please see the\n`stestr documentation `_.\n\nRelease Versioning\n------------------\n`Patrole Release Notes `_\nshows which changes have been released for each version.\n\nPatrole's release versioning follows Tempest's conventions. Like Tempest,\nPatrole is branchless and uses versioning instead.\n\nStoryboard\n----------\nBugs and enhancements are tracked via Patrole's\n`Storyboard Page `_.\n\n\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://docs.openstack.org/patrole/latest/", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "patrole", "package_url": "https://pypi.org/project/patrole/", "platform": "", "project_url": "https://pypi.org/project/patrole/", "project_urls": { "Homepage": "https://docs.openstack.org/patrole/latest/" }, "release_url": "https://pypi.org/project/patrole/0.7.0/", "requires_dist": [ "pbr (!=2.1.0,>=2.0.0)", "oslo.log (>=3.36.0)", "oslo.config (>=5.2.0)", "oslo.policy (>=1.30.0)", "tempest (>=17.1.0)", "stevedore (>=1.20.0)" ], "requires_python": "", "summary": "Patrole is a tool for verifying that Role-Based Access Control is being enforced across OpenStack deployments.", "version": "0.7.0" }, "last_serial": 5916949, "releases": { "0.0.1.dev15": [], "0.1.0": [ { "comment_text": "", "digests": { "md5": "ff5ecd80335b6050101419433e4b2b4d", "sha256": "5ea835e158ca318d5c7a9d46df539ac0c212965efe256fbf2c34327625b360d6" }, "downloads": -1, "filename": "patrole-0.1.0-py2-none-any.whl", "has_sig": false, "md5_digest": "ff5ecd80335b6050101419433e4b2b4d", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 193005, "upload_time": "2017-05-30T15:59:40", "url": "https://files.pythonhosted.org/packages/d9/55/d020cfe3a9cd5b84a7b93ce55431e2b69029d5f9309fe906451185aa15cd/patrole-0.1.0-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "18b1619cbec217dc5334f532d04a4ac4", "sha256": "8becafc7fa56ea1735b42d3ab6dfa758fe2ce21b2615cf02818de2d54d69a01d" }, "downloads": -1, "filename": "patrole-0.1.0.tar.gz", "has_sig": false, "md5_digest": "18b1619cbec217dc5334f532d04a4ac4", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 96055, "upload_time": "2017-05-30T15:59:43", "url": "https://files.pythonhosted.org/packages/76/f1/0997bef171556422b9683590b5bc234862a7e5c4024f936904c92c04d080/patrole-0.1.0.tar.gz" } ], "0.2.0": [ { "comment_text": "", "digests": { "md5": "f5ac5b96706fd5ad2111f58522c86bc0", "sha256": "e45811e49b1eb6db3227e781f2dfb2d04fa8805d544b08afbe0d8c4c8f84cbc9" }, "downloads": -1, "filename": "patrole-0.2.0-py2-none-any.whl", "has_sig": false, "md5_digest": "f5ac5b96706fd5ad2111f58522c86bc0", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 209484, "upload_time": "2017-09-06T00:25:00", "url": "https://files.pythonhosted.org/packages/d2/55/9e4211f0db479564236b6604118731ffc1555b940bcbcb349059efdf57c6/patrole-0.2.0-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "d124564788d3742632aa413b60f64be5", "sha256": "c5c3d2ea615f92d45ca12b004ca0867d27ec3c42857ced03e075d656a9d2863e" }, "downloads": -1, "filename": "patrole-0.2.0.tar.gz", "has_sig": false, "md5_digest": "d124564788d3742632aa413b60f64be5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 119965, "upload_time": "2017-09-06T00:25:04", "url": "https://files.pythonhosted.org/packages/d9/2d/6bf3743bd25ac79d7c21536645c842e5ded6fe01287480c65d6dae9e3a37/patrole-0.2.0.tar.gz" } ], "0.3.0": [ { "comment_text": "", "digests": { "md5": "0bcfd3bc1059f86f0c45ecc36e9d804f", "sha256": "ac99ce2482117f8c7ac8282fc88c128010b54a8b479c05b9f896b1c658a92f95" }, "downloads": -1, "filename": "patrole-0.3.0-py2-none-any.whl", "has_sig": false, "md5_digest": "0bcfd3bc1059f86f0c45ecc36e9d804f", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 212463, "upload_time": "2018-03-13T23:05:31", "url": "https://files.pythonhosted.org/packages/ce/2d/b82413686f0efa48ad7952f93bb54ca3d8f03f1587801d4f4c42b39ff289/patrole-0.3.0-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "c341c495b0786d61144e71e128be3ffa", "sha256": "6bcccc638d33cd7ea51c1a2c16ca57e92c3406fea149ff53b3997dde8de9a541" }, "downloads": -1, "filename": "patrole-0.3.0.tar.gz", "has_sig": false, "md5_digest": "c341c495b0786d61144e71e128be3ffa", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 135736, "upload_time": "2018-03-13T23:05:36", "url": "https://files.pythonhosted.org/packages/bd/f1/f690be69148ff85172debfe54d7cc13ea436b07eaff1f0333cf779d64fb7/patrole-0.3.0.tar.gz" } ], "0.4.0": [ { "comment_text": "", "digests": { "md5": "6b98a8be757eeb88b4340ca635a2936b", "sha256": "df9a2fe4821e89646789e7eb2f53725d718cecada90bfd968e4d0c0947ab0706" }, "downloads": -1, "filename": "patrole-0.4.0-py3-none-any.whl", "has_sig": false, "md5_digest": "6b98a8be757eeb88b4340ca635a2936b", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 231606, "upload_time": "2018-08-16T13:09:41", "url": "https://files.pythonhosted.org/packages/64/96/b6528a4f5945489e5d1e5a8e655fa64e52f9c4231945d4d6e034ef0b1235/patrole-0.4.0-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "bc4d895b627fb5543efbf74f32a3d4ad", "sha256": "25d804471966e4f03a790addb5819b69aac14cf8214c3a948ecb5332c9c6b582" }, "downloads": -1, "filename": "patrole-0.4.0.tar.gz", "has_sig": false, "md5_digest": "bc4d895b627fb5543efbf74f32a3d4ad", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 167121, "upload_time": "2018-08-16T13:09:44", "url": "https://files.pythonhosted.org/packages/7c/0e/362c472c43044b0af44af3c6c65fbfa2d50cf84712d6621c0337f9c8c95b/patrole-0.4.0.tar.gz" } ], "0.5.0": [ { "comment_text": "", "digests": { "md5": "139d767b8834559fca4d4318dfac3b46", "sha256": "4603872a3f13cbdc154a873e51b4ec741d6c9a9900c6d235efa52c96a681411a" }, "downloads": -1, "filename": "patrole-0.5.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "139d767b8834559fca4d4318dfac3b46", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 269519, "upload_time": "2019-03-25T21:09:51", "url": "https://files.pythonhosted.org/packages/6c/4c/66cad03ac62367cc039c360b44566a14691279e05995012715715fa35555/patrole-0.5.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "15749b2c73fe9a6e602d790b77d89b59", "sha256": "e29cc3173b8d1974a79236d98d2cc35edbb1b549825b4a07fb125e32d8293e96" }, "downloads": -1, "filename": "patrole-0.5.0.tar.gz", "has_sig": false, "md5_digest": "15749b2c73fe9a6e602d790b77d89b59", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 202301, "upload_time": "2019-03-25T21:09:56", "url": "https://files.pythonhosted.org/packages/a8/54/d62e8d0e1c6814616f6b0336601d90006b2e666d5f5b0c777c22b796a342/patrole-0.5.0.tar.gz" } ], "0.6.0": [ { "comment_text": "", "digests": { "md5": "000c9db3ba8152baa3e968c07c820f91", "sha256": "674747939ced30754aae7ce9b77ef520533d0752690874746397f53fd1eaec1f" }, "downloads": -1, "filename": "patrole-0.6.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "000c9db3ba8152baa3e968c07c820f91", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 270124, "upload_time": "2019-07-29T15:15:18", "url": "https://files.pythonhosted.org/packages/ec/af/1762653c876cbb3126b20974e1648f743e1e9ceb22e8a9eb5ea6d5eb7bd6/patrole-0.6.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "cc71065df0fbff559e878d056ef0d616", "sha256": "e003a1c719800d36943a940ff51bfb6870999c34daf77829bc3c0a8c83688a22" }, "downloads": -1, "filename": "patrole-0.6.0.tar.gz", "has_sig": false, "md5_digest": "cc71065df0fbff559e878d056ef0d616", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 203330, "upload_time": "2019-07-29T15:15:22", "url": "https://files.pythonhosted.org/packages/a2/27/c0ac512378a106778de2e0ae664889a0ed9a52592efc7994410f4245848e/patrole-0.6.0.tar.gz" } ], "0.7.0": [ { "comment_text": "", "digests": { "md5": "c7370dc634b8efb6300c1a2ca4b33be2", "sha256": "9f50111371ed2cae536e542ee5f9a17daa2fd97c6674bea565c389c8ce29c69d" }, "downloads": -1, "filename": "patrole-0.7.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "c7370dc634b8efb6300c1a2ca4b33be2", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 270605, "upload_time": "2019-10-02T09:41:36", "url": "https://files.pythonhosted.org/packages/c2/c3/0df96563d774d9a14a84fce127ea6b8ce6a93a35e310269f5cfcafc2ccd1/patrole-0.7.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "5290aa3d026e11fa8a69dff7e11288db", "sha256": "fd6511dcf7bf418d5dddfa1782f8adabcaa080fb8d9ee7a1b26f687d39d9b309" }, "downloads": -1, "filename": "patrole-0.7.0.tar.gz", "has_sig": false, "md5_digest": "5290aa3d026e11fa8a69dff7e11288db", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 201991, "upload_time": "2019-10-02T09:41:40", "url": "https://files.pythonhosted.org/packages/37/a4/7164a2dbaf21473ac5e68af9775a34513b3fcbf389921329de347ef69e92/patrole-0.7.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "c7370dc634b8efb6300c1a2ca4b33be2", "sha256": "9f50111371ed2cae536e542ee5f9a17daa2fd97c6674bea565c389c8ce29c69d" }, "downloads": -1, "filename": "patrole-0.7.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "c7370dc634b8efb6300c1a2ca4b33be2", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 270605, "upload_time": "2019-10-02T09:41:36", "url": "https://files.pythonhosted.org/packages/c2/c3/0df96563d774d9a14a84fce127ea6b8ce6a93a35e310269f5cfcafc2ccd1/patrole-0.7.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "5290aa3d026e11fa8a69dff7e11288db", "sha256": "fd6511dcf7bf418d5dddfa1782f8adabcaa080fb8d9ee7a1b26f687d39d9b309" }, "downloads": -1, "filename": "patrole-0.7.0.tar.gz", "has_sig": false, "md5_digest": "5290aa3d026e11fa8a69dff7e11288db", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 201991, "upload_time": "2019-10-02T09:41:40", "url": "https://files.pythonhosted.org/packages/37/a4/7164a2dbaf21473ac5e68af9775a34513b3fcbf389921329de347ef69e92/patrole-0.7.0.tar.gz" } ] }