Please note: All times listed below are in Central Time Zone
OpenStack provides a robust Role-based access control(RBAC) framework that governs the authorization within OpenStack. These RBAC policies, if incorrectly configured on production environment could restrict valid users to perform certain actions or provide over-permissions to certain tasks which could prove catastrophic.
Patrole is an OpenStack project that solves this problem by automating the policy verification process and ensuring that the RBAC policies are correctly enforced. It runs Tempest-based API tests using specified RBAC roles, thus allowing deployments to verify that only intended roles have access to those APIs.
Validation of in-code policy definitions
Validation of custom policy definitions (or) roles that overrides default policy definitions (or) roles.
This workshop will provide the audience;
- An Overview on Patrole
- How it works?
- Playaround with various configurations & complex scenarios to run RBAC tests
Attendees will get to learn the following
- Overview on Patrole and it's design principles
- How patrole works
- Various configurations with Patrole
- How to enable Patrole and run RBAC test
- Write a sample testcase with Patrole for Glance
- Walk through some of the complex scenarios with Nova where we would need to toggle roles for nested API invocation.