Pradeep Kumar KS Nishant Kumar N Hemanth Kumar Smruti Soumitra - - PowerPoint PPT Presentation

pradeep kumar ks nishant kumar
SMART_READER_LITE
LIVE PREVIEW

Pradeep Kumar KS Nishant Kumar N Hemanth Kumar Smruti Soumitra - - PowerPoint PPT Presentation

Dec 19, 2023 149 likes •365 views

Pradeep Kumar KS Nishant Kumar N Hemanth Kumar Smruti Soumitra Khuntia Etherpad link for https://etherpad.openstack.org/p/BerlinSummit_Workshop_Patrole ( Please pick your machine and run pre-requisites) Etherpad link for Exercises

slide-1
SLIDE 1

Pradeep Kumar KS Nishant Kumar N Hemanth Kumar Smruti Soumitra Khuntia

slide-2
SLIDE 2

2018-11-04 | Public | Page 2

› Etherpad link for

https://etherpad.openstack.org/p/BerlinSummit_Workshop_Patrole

( Please pick your machine and run pre-requisites) › Etherpad link for Exercises

› https://etherpad.openstack.org/p/BerlinSummit_Workshop_Patrole_Exercise

slide-3
SLIDE 3

2018-11-04 | Public | Page 3

› Role-Based Access Control Overview › Patrole Overview › Hands on Demo.

slide-4
SLIDE 4

2018-11-04 | Public | Page 4

› Role-Based Access Control (RBAC) is used by most OpenStack services to control user access to resources. Authorization is granted if a user has the necessary role to perform an action. – Default Policy file : policy.json – Policy in Code – Custom Policy

slide-5
SLIDE 5

2018-11-04 | Public | Page 5

› Patrole provides security validation process for Role based access Control enforcement in OpenStack cloud. A tool to validate that each of the resources can be accessed by authorized users and cannot be accessed by unauthorized users. › Patrole provides a set of integration test suits to run against live OpenStack cluster to validate correctness and integrity of cloud’s RBAC implementation and policy configuration. › Patrole leverages Tempest based API tests using specified RBAC roles.

slide-6
SLIDE 6

2018-11-04 | Public | Page 6

› Validation of default policy definitions located in policy.json files. › Validation of in-code policy definitions. › Validation of custom policy file definitions that override default policy definitions. › Built-in positive and negative testing. Positive and negative testing are performed using the same tests and role-switching. › Validation of custom roles as well as default OpenStack roles.

slide-7
SLIDE 7

2018-11-04 | Public | Page 7

Roles’ Permission Determination

  • Patrole leverages oslo.policy to determine role’s

permission to perform specific policy action

Oslo Policy

  • Determines the permission from the Policy defined by:

✓Default policy/Policy in Code ✓Custom Policy File

Comparison

  • The output from oslo.policy (the expected result) and the

actual result from test execution are compared to each

  • ther
slide-8
SLIDE 8

2018-11-04 | Public | Page 8

.

Expected Actual Test Case Impression Pass Pass Success Pass Fail Failure Under Permission Fail Pass Failure Over Permission Fail Fail Success Expected Exception Fail Fail Failure Unexpected Exception Terminology Expected Result The expected result of a given test Actual Result The actual result of a given test. Final Result A match between both expected and actual results. A mismatch in the expected result and the actual result will result in a test failure.

slide-9
SLIDE 9

2018-11-04 | Public | Page 9

slide-10
SLIDE 10

2018-11-04 | Public | Page 10

› 0a. Start OpenStack services › 0b. Copy tempest.conf from tempest folder to default location

Etherpad link: https://etherpad.openstack.org/p/BerlinSummit_Workshop_Patrole_Exercise

slide-11
SLIDE 11

2018-11-04 | Public | Page 11

› 1a. List the existing plugins and tests provided by plugins › 1b. Update patrole section of tempest conf › 1c. Execute patrole test cases › 1d. Switch the role to reader and rerun the above test cases

Etherpad link: https://etherpad.openstack.org/p/BerlinSummit_Workshop_Patrole_Exercise

slide-12
SLIDE 12

2018-11-04 | Public | Page 12

› 2a. Execute the SUCCESS scenario ( Expected: Pass, Actual: Pass) › 2b. Execute the SUCCESS scenario ( Expected: Fail, Actual: Fail)

Etherpad link: https://etherpad.openstack.org/p/BerlinSummit_Workshop_Patrole_Exercise

slide-13
SLIDE 13

2018-11-04 | Public | Page 13

› 3a. Execute the FAILURE scenario ( Expected: Fail, Actual: Pass) - OVERPERMISSION › 3b. Execute the FAILURE scenario ( Expected: Pass, Actual: Fail) - UNDERPERMISSION

Etherpad link: https://etherpad.openstack.org/p/BerlinSummit_Workshop_Patrole_Exercise

slide-14
SLIDE 14

2018-11-04 | Public | Page 14

.

service – the service being tested api_action – policy action being tested volume:create

  • s_compute_api:servers:start

allowed_role – oslo.policy role that is allowed to perform the API.

slide-15
SLIDE 15

2018-11-04 | Public | Page 15

› 4a. Execute the SUCCESS scenario with Patrole Custom Requirements › 4b. Execute the FAILURE scenario with Patrole Custom Requirements

Etherpad link: https://etherpad.openstack.org/p/BerlinSummit_Workshop_Patrole_Exercise

slide-16
SLIDE 16

2018-11-04 | Public | Page 16

› Things to consider while writing a new Patrole Testcase

– Role Overriding – Test Setup – Test Execution – Test Cleanup

slide-17
SLIDE 17

2018-11-04 | Public | Page 17

› https://docs.openstack.org/patrole/latest/index.html › https://docs.openstack.org/tempest/latest/index.html

slide-18
SLIDE 18

2018-11-04 | Public | Page 18

› Smruti Soumitra Khuntia : soumitra.khuntia@ericsson.com › Hemanth Kumar Nakkina : n.hemanth.kumar@ericsson.com › Pradeep Kumar KS : pradeepkumar.ks@ericsson.com › Nishant Kumar : nishant.e.kumar@ericsson.com

slide-19
SLIDE 19

2018-11-04 | Public | Page 19

slide-20
SLIDE 20

2018-11-04 | Public | Page 20

slide-21
SLIDE 21