patrole_tempest_plugin.requirements_authority module

class patrole_tempest_plugin.requirements_authority.RequirementsAuthority(filepath=None, component=None)

Bases: patrole_tempest_plugin.rbac_authority.RbacAuthority

A class that uses a custom requirements file to validate RBAC.

allowed(rule_name, roles)

Checks whether the given roles are allowed to perform a given policy rule.

Parameters
  • rule_name (string) – Rule to be checked using provided requirements file specified by [patrole].custom_requirements_file. Must be a key present in this file, under the appropriate component.

  • roles (List[string]) – Roles to validate against custom requirements file.

Returns

True if role is allowed to perform rule_name, else False.

Return type

bool

Raises

RbacParsingException – If rule_name does not exist among the keyed policy names in the custom requirements file.

class patrole_tempest_plugin.requirements_authority.RequirementsParser(filepath)

Bases: object

A class that parses a custom requirements file.

class Inner(filepath)

Bases: object

static parse(component)

Parses a requirements file with the following format:

<service_foo>:
  <api_action_a>:
    - <allowed_role_1>
    - <allowed_role_2>,<allowed_role_3>
    - <allowed_role_3>
  <api_action_b>:
    - <allowed_role_2>
    - <allowed_role_4>
<service_bar>:
  <api_action_c>:
    - <allowed_role_3>

Parameters

component (str) – Name of the OpenStack service to be validated.

Returns

The dictionary that maps each policy action to the list of allowed roles, for the given component.

Return type

dict
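
The file format and the allowed() check documented above, as an added example that is not Patrole's own code: a stand-alone parser for the restricted format shown (no YAML library), assuming that a comma-separated entry lists roles that must all be held while separate entries are alternatives. The names parse_requirements, allowed and RuleNotFound, and the sample services, actions and roles, are hypothetical and constructed for illustration.

```python
# Added example: a stand-alone sketch, not Patrole's implementation.
# Constructed sample file in the documented format (names are made up).
SAMPLE = """\
compute:
  servers:create:
    - admin
    - member,project_lead
  servers:delete:
    - admin
identity:
  users:list:
    - admin
"""


class RuleNotFound(Exception):
    """Hypothetical stand-in for Patrole's RbacParsingException."""


def parse_requirements(text, component):
    """Return {policy_action: [[role, ...], ...]} for one component."""
    services, service, action = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            # Assumption: commas join roles that must all be held together.
            roles = [r.strip() for r in line[2:].split(",") if r.strip()]
            if roles:  # skip empty entries so they can never match everyone
                services[service][action].append(roles)
        elif raw[0] not in " \t":  # unindented key: a service name
            service = line.rstrip(":")
            services[service] = {}
        else:  # indented key: a policy action under the current service
            action = line.rstrip(":")
            services[service][action] = []
    return services.get(component, {})


def allowed(requirements, rule_name, roles):
    """True if the held roles satisfy any one entry listed for rule_name."""
    if rule_name not in requirements:
        # Unknown rules are an error rather than a silent allow or deny.
        raise RuleNotFound(rule_name)
    held = set(roles)
    return any(held.issuperset(entry) for entry in requirements[rule_name])
```
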

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.