Add Support for Custom Requirements YAML
In an OpenStack deployment with several Keystone roles it is difficult to write policy with 100% accuracy. It is not uncommon to give the Keystone roles incorrect API permissions. Patrole can be used to verify that the policy that you write (either in code or through policy.json) is inline with your requirements. To do this, Patrole would need to support a custom deployment specific yaml that basically list all the APIs and the roles that should have access to the APIs. This yaml is completely optional to run Patrole and the user would only upload this requirements yaml if they want to check if they wrote their policy to be in line with their requirements.
If the user provides a requirements yaml, Patrole would run the existing tests and cross check it with the requirements yaml.
Example:
Roles in Keystone: admin, _member_, viewer, random_role
requirements yaml:
Cinder:
create_volume:
- admin
- _member_
Glance:
add_image:
- admin
- _member_
- random_role
Example policy.json for Glance.
{
"add_image": "role:admin or role:random_role",
}
When you run test_create_image, the tests will run with the specified role defined in the tempest.conf and compare the result to the requirments yaml. Example test runs with different roles:
admin:
Test response: 200
Allowed (from yaml): yes
Result: Pass
Reason: Expected result matches actual result
_member_:
Test response: 403
Allowed (from yaml): yes
Result: Fail
Reason: Under permission - expected role _member_ to be able to perform add_image, but the actual result is that it is unable to
random_role:
Test response: 200
Allowed (from yaml): yes
Result: Pass
Reason: Expected result matches actual result
Although it is quite tedious to have to maintain a yaml file containing all of your requirements for RBAC, it is the only way to be able to verify that you wrote your policy correctly. This will help make sure that you do not deliver incorrect RBAC and prevent many defects against RBAC in production. The idea is that uploading the yaml is completely optional and specific to your deployment, so therefore the yaml will not be included in the Patrole repository.
Blueprint information
- Status:
- Complete
- Approver:
- Felipe Monteiro
- Priority:
- High
- Drafter:
- Rick Bartra
- Direction:
- Approved
- Assignee:
- Rick Bartra
- Definition:
- New
- Series goal:
- None
- Implementation:
-
Implemented
- Milestone target:
- None
- Started by
- Rick Bartra
- Completed by
- Rick Bartra
Related branches
Related bugs
Sprints
Whiteboard
Multiple caveats about this:
1) We should use an abstract base class for separating out this logic from our current framework logic. That is, it should provide some means of separating the rbac_policy_parser from the logic that just reads the requirements YAML file. Toggling between the implementations should be driven by a CONF setting.
2) Using aliasing in the requirements.yaml file should be used instead. For example:
admin_viewer: <list the exact roles>
Cinder:
add_image: admin_viewer
3) Reading in the YAML should be done safely.
4) We don't want to support/maintain the requirements.yaml file upstream (for many obvious reasons: security being chief).
5) We need unit testing and eventually functional testing for this. Unit testing will be required for this spec. Functional testing can come later.
Gerrit topic: https:/
Addressed by: https:/
WIP: Add support for testing custom RBAC requirements
