Merge "Use consistent naming for enforce_scope option"
diff --git a/.zuul.yaml b/.zuul.yaml
index 2f38e5d..4906ab0 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -165,8 +165,8 @@
# global_default: true
test-config:
$TEMPEST_CONFIG:
- barbican_rbac_scope_verification:
- enforce_scope: True
+ enforce_scope:
+ barbican: True
# barbican_tempest:
# enable_multiple_secret_stores: True
diff --git a/barbican_tempest_plugin/config.py b/barbican_tempest_plugin/config.py
index c358aee..ad32de6 100644
--- a/barbican_tempest_plugin/config.py
+++ b/barbican_tempest_plugin/config.py
@@ -101,13 +101,11 @@
"certificate validation?")
]
-barbican_rbac_scope_verification_group = cfg.OptGroup(
- name="barbican_rbac_scope_verification",
- title="Barbican RBAC Verification Options")
-
-BarbicanRBACScopeVerificationGroup = [
- cfg.BoolOpt('enforce_scope',
+EnforceScopeGroup = [
+ cfg.BoolOpt('barbican',
default=False,
+ deprecated_group='barbican_rbac_scope_verification',
+ deprecated_name='enforce_scope',
help="Does barbican enforce scope and user "
"scope-aware policies?"),
]
diff --git a/barbican_tempest_plugin/plugin.py b/barbican_tempest_plugin/plugin.py
index 4649e85..7459cb4 100644
--- a/barbican_tempest_plugin/plugin.py
+++ b/barbican_tempest_plugin/plugin.py
@@ -13,7 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
-
+import itertools
import os
from tempest.test_discover import plugins
@@ -32,6 +32,8 @@
def register_opts(self, conf):
conf.register_opt(project_config.service_option,
group='service_available')
+ conf.register_opts(
+ project_config.EnforceScopeGroup, group='enforce_scope')
conf.register_group(project_config.key_manager_group)
conf.register_opts(project_config.KeyManagerOpts,
@@ -47,15 +49,19 @@
project_config.ephemeral_storage_encryption_group)
conf.register_opts(project_config.ImageSignatureVerificationGroup,
project_config.image_signature_verification_group)
- conf.register_group(
- project_config.barbican_rbac_scope_verification_group)
- conf.register_opts(
- project_config.BarbicanRBACScopeVerificationGroup,
- project_config.barbican_rbac_scope_verification_group
- )
def get_opt_lists(self):
- return [('service_available', [project_config.service_option])]
+ return [
+ ('service_available', [project_config.service_option]),
+ (project_config.key_manager_group.name,
+ project_config.KeyManagerOpts),
+ (project_config.barbican_tempest_group.name,
+ project_config.barbican_tempest_group),
+ (project_config.ephemeral_storage_encryption_group.name,
+ itertools.chain(project_config.EphemeralStorageEncryptionGroup,
+ project_config.ImageSignatureVerificationGroup)),
+ ('enforce_scope', project_config.EnforceScopeGroup)
+ ]
def get_service_clients(self):
v1_params = {
diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py
index 7b26d33..8aadbd5 100644
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@@ -26,7 +26,7 @@
@decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
def test_get_effective_quota(self):
- if CONF.barbican_rbac_scope_verification.enforce_scope:
+ if CONF.enforce_scope.barbican:
# This test is using key-manager:service-admin legacy
# role. User with only this role should get a Forbidden
# error when trying to get effective quotas in SRBAC
@@ -49,7 +49,7 @@
@classmethod
def skip_checks(cls):
super().skip_checks()
- if CONF.barbican_rbac_scope_verification.enforce_scope:
+ if CONF.enforce_scope.barbican:
# These tests can't be run with the new RBAC rules because
# the APIs they're testing require system-scoped credentials
# instead of the project-scoped credentials used here.
diff --git a/barbican_tempest_plugin/tests/rbac/v1/base.py b/barbican_tempest_plugin/tests/rbac/v1/base.py
index 0e7a774..b25e211 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/base.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/base.py
@@ -63,7 +63,7 @@
@classmethod
def skip_checks(cls):
super().skip_checks()
- if not CONF.barbican_rbac_scope_verification.enforce_scope:
+ if not CONF.enforce_scope.barbican:
raise cls.skipException("enforce_scope is not enabled for "
"barbican, skipping RBAC tests")
api_version_utils.check_skip_with_microversion(
diff --git a/releasenotes/notes/consistent-enforce_scope-option-d3ddf50423e1efaa.yaml b/releasenotes/notes/consistent-enforce_scope-option-d3ddf50423e1efaa.yaml
new file mode 100644
index 0000000..903adcd
--- /dev/null
+++ b/releasenotes/notes/consistent-enforce_scope-option-d3ddf50423e1efaa.yaml
@@ -0,0 +1,5 @@
+---
+deprecations:
+ - |
+ The ``[barbican_rbac_scope_verification] enforce_scope`` option has been
+ deprecated in favor of the new ``[enforce_scope] barican`` option.