Add Support for Custom Requirements YAML

Registered by Rick Bartra

In an OpenStack deployment with several Keystone roles it is difficult to write policy with 100% accuracy. It is not uncommon to give the Keystone roles incorrect API permissions. Patrole can be used to verify that the policy you write (either in code or through policy.json) is in line with your requirements. To do this, Patrole would need to support a custom, deployment-specific YAML that lists all the APIs and the roles that should have access to those APIs. This YAML is completely optional for running Patrole; the user would only supply a requirements YAML if they want to check that the policy they wrote is in line with their requirements.

If the user provides a requirements YAML, Patrole would run the existing tests and cross-check their results against the requirements YAML.

Example:
Roles in Keystone: admin, _member_, viewer, random_role

requirements yaml:

Cinder:
    create_volume:
      - admin
      - _member_
Glance:
    add_image:
      - admin
      - _member_
      - random_role

Example policy.json for Glance (the trailing comma after the last entry has been dropped so the file is valid JSON):
{
     "add_image": "role:admin or role:random_role"
}

When you run test_create_image, the test runs with the role specified in tempest.conf and compares the result to the requirements YAML. Example test runs with different roles:

admin:
Test response: 200
Allowed (from yaml): yes
Result: Pass
Reason: Expected result matches actual result

_member_:
Test response: 403
Allowed (from yaml): yes
Result: Fail
Reason: Under permission - expected role _member_ to be able to perform add_image, but the actual result is that it is unable to

random_role:
Test response: 200
Allowed (from yaml): yes
Result: Pass
Reason: Expected result matches actual result

Although it is quite tedious to maintain a YAML file containing all of your RBAC requirements, it is the only way to verify that you wrote your policy correctly. This helps make sure that you do not deliver incorrect RBAC and prevents many RBAC defects in production. Uploading the YAML is completely optional and specific to your deployment, so the YAML will not be included in the Patrole repository.
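The cross-check described above, as an added example that is not Patrole's own code: it resolves the roles a requirements entry grants (including the role-alias convention suggested in the whiteboard, held under an assumed "aliases" key) and classifies a test response as Pass, under-permission or over-permission. The requirements dict, HTTP statuses and the "viewer" role are constructed sample data; loading uses PyYAML's safe_load.

```python
"""Cross-check a Patrole test outcome against a deployment requirements YAML."""
from typing import List, Mapping, Tuple

# Constructed sample mirroring the blueprint's Glance example; the "aliases"
# key is an assumed layout for the alias convention from the whiteboard.
SAMPLE_REQUIREMENTS = {
    "aliases": {"admin_member": ["admin", "_member_"]},
    "Cinder": {"create_volume": "admin_member"},
    "Glance": {"add_image": ["admin_member", "random_role"]},
}
# Constructed HTTP status each role received when test_create_image ran.
SAMPLE_RESPONSES = {"admin": 200, "_member_": 403, "random_role": 200, "viewer": 403}


def load_requirements(text: str) -> dict:
    """Parse requirements YAML with safe_load so no arbitrary objects are built."""
    import yaml  # PyYAML; imported here so the checker itself has no dependency
    return yaml.safe_load(text) or {}


def allowed_roles(reqs: Mapping, service: str, api: str) -> List[str]:
    """Expand a single alias or a list of roles/aliases into concrete roles."""
    aliases = reqs.get("aliases", {})
    entry = reqs[service][api]
    names = [entry] if isinstance(entry, str) else list(entry)
    roles: List[str] = []
    for name in names:
        roles.extend(aliases.get(name, [name]))  # unknown name is a plain role
    return roles


def check_rbac_result(reqs: Mapping, service: str, api: str,
                      role: str, status: int) -> Tuple[str, str]:
    """Return (result, reason) by comparing the test response with the YAML."""
    expected = role in allowed_roles(reqs, service, api)
    actual = status < 400  # 403 means the policy denied the call
    if expected == actual:
        return "Pass", "Expected result matches actual result"
    if expected:
        return "Fail", ("Under permission - expected role %s to be able to perform %s, "
                        "but the actual result is that it is unable to" % (role, api))
    return "Fail", ("Over permission - role %s is not allowed to perform %s in the "
                    "requirements, but the actual result is that it can" % (role, api))


if __name__ == "__main__":
    for r, status in SAMPLE_RESPONSES.items():
        print(r, status, *check_rbac_result(SAMPLE_REQUIREMENTS, "Glance", "add_image", r, status))
```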

Blueprint information

Status: Complete
Approver: Felipe Monteiro
Priority: High
Drafter: Rick Bartra
Direction: Approved
Assignee: Rick Bartra
Definition: New
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Rick Bartra
Completed by: Rick Bartra

Whiteboard

Multiple caveats about this:

1) We should use an abstract base class for separating out this logic from our current framework logic. That is, it should provide some means of separating the rbac_policy_parser from the logic that just reads the requirements YAML file. Toggling between the implementations should be driven by a CONF setting.
2) Aliasing should be used in the requirements.yaml file instead. For example:

admin_viewer: <list the exact roles>
Cinder:
   add_image: admin_viewer

3) Reading in the YAML should be done safely.
4) We don't want to support/maintain the requirements.yaml file upstream (for many obvious reasons: security being chief).
5) We need unit testing and eventually functional testing for this. Unit testing will be required for this spec. Functional testing can come later.

Gerrit topic: https://review.openstack.org/#q,topic:bp/support-custom-yaml,n,z

Addressed by: https://review.openstack.org/477014
    WIP: Add support for testing custom RBAC requirements
