Adding remote running capability to Patrol framework for default policy files.

Registered by Mh Raies

Tempest has a capability to get operated from remote machine.
Being a tempest plugin, Patrole must have a feature to enable operate remotely.
In multi-node deployment, If we are running Patrole from controller node or if we are running Patrole from single node deployment then it will work perfectly.
As a part of RBAC process, Patrole uses policy file parsing.
But currently parsing feature is implemented in such a way that it will always try to make a default policy file path "/etc/<service>/policy.json".

case#1: custom policy file testing (where custom policy file was located at remote machine)-

In this case, On the remote machine, we have to put custom policy files at the location /etc/<service>/policy.json

case#2: Default policy testing -

As per current framework implementation, if we are running Patrole from remote machine (not part of OpenStack deployment), then still it will seek for policy file at the patch "/etc/<service>/policy.json" in case of default policy testing.
Becuase path is being constructed each time whether explicit 'path' is passed or not.

From the file, -

class RbacPolicyConverter(object):
    """A class for parsing policy rules into lists of allowed roles.

    RBAC testing requires that each rule in a policy file be broken up into
    the roles that constitute it. This class automates that process.

    The list of roles per rule can be reverse-engineered by checking, for
    each role, whether a given rule is allowed using oslo policy.

    def __init__(self, tenant_id, service, path=None):
        """Initialization of Policy Converter.

        Parses a policy file to create a dictionary, mapping policy actions to
        roles. If a policy file does not exist, checks whether the policy file
        is registered as a namespace under oslo.policy.policies. Nova, for
        example, doesn't use a policy.json file by default; its policy is
        implemented in code and registered as 'nova' under

        If the policy file is not found in either place, raises an exception.

        Additionally, if the policy file exists in both code and as a
        policy.json (for example, by creating a custom nova policy.json file),
        the custom policy file over the default policy implementation is

        :param tenant_id: type uuid
        :param service: type string
        :param path: type string
        service = service.lower().strip()
        if path is None:
            self.path = '/etc/{0}/policy.json'.format(service)
            self.path = path

        policy_data = "{}"

        # First check whether policy file exists.
        if os.path.isfile(self.path):
            policy_data = open(self.path, 'r').read()
        # Otherwise use oslo_policy to fetch the rules for provided service.
            policy_generator = generator._get_policies_dict([service])
            if policy_generator and service in policy_generator:
                policy_data = "{\n"
                for r in policy_generator[service]:
                    policy_data = policy_data + r.__str__() + ",\n"
                policy_data = policy_data[:-2] + "\n}"
            # Otherwise raise an exception.
                raise rbac_exceptions.RbacResourceSetupFailed(
                    'Policy file for service: {0}, {1} not found.'
                    .format(service, self.path))

        self.rules = policy.Rules.load(policy_data, "default")
        self.tenant_id = tenant_id

From above we can see that during remote run we must put custom policy files on remote machine to operate Patrole from remote machine.
But for default policy testing, putting custom policy files on remote machines violates security constrains.

So, this blueprint aims to add remote running capabilities in Patrole framework.

Blueprint information

Not started
Felipe Monteiro
Mh Raies
Needs approval
Series goal:
Milestone target:

Work Items

This blueprint contains Public information 
Everyone can see this information.


No subscribers.