Patrole testing scope is strictly confined to Role-Based Access Control
(RBAC). In OpenStack, oslo.policy
is the RBAC library used by all
major services. Thus, Patrole is concerned with validating that public API
endpoints are correctly using oslo.policy
for authorization.
In other words, all tests in Patrole are RBAC tests.
RBAC tests are Tempest-like API tests plus Patrole’s RBAC Rule Validation Module. All Patrole tests are RBAC validation tests for the OpenStack API.
In the discussion below, “correct” means that a test is consistent with a service’s API-to-policy mapping and “stable” means that a test should require minimal maintenance for the supported releases.
During the Queens release, a governance spec was pushed to support policy in code, which documents the mapping between APIs and each of their policies.
This documentation is an important prerequisite for ensuring that Patrole tests for a given service are correct. This mapping can be referenced to confirm that Patrole’s assumed mapping for a test is correct. For example, Nova has implemented policy in code which can be used to verify that Patrole’s Nova RBAC tests use the same mapping.
If a given service does not have policy in code, this implies that it is more likely that the RBAC tests for that service are inconsistent with the intended policy mapping. Until that service implements policy in code, it is difficult for Patrole maintainers to verify that tests for that service are correct.
Once all services that Patrole tests have implemented policy in code – and once Patrole has updated all its tests in accordance with the policy in code documentation – then Patrole tests can guaranteed to be stable.
This stability will be denoted with a 1.0 version release.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.