Update designate-tempest-plugin "direction change"
The RBAC goal has changed[1] and system scope is no longer going to be
used. This patch updates the Designate tempest plugin to align with this change in
direction by removing the system scope from the policy tests.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
Change-Id: I4e5c56630d5cca96278fe67232519c067356da23
diff --git a/.zuul.yaml b/.zuul.yaml
index 31a06dd..0fb6f09 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -24,7 +24,8 @@
- project:
templates:
- - designate-devstack-jobs
+# Temporary removed to transition the scoped tokens job
+# - designate-devstack-jobs
- check-requirements
- publish-openstack-docs-pti
- tempest-plugin-jobs
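Review bot: The added comment `# Temporary removed to transition the scoped tokens job` is ungrammatical and does not say what is being transitioned or when the template comes back, so whoever reverts this later has nothing to check against. I would write it as `# Temporarily removed while the scoped-token job is transitioned; restore once <JOB-NAME-PLACEHOLDER> is updated (see <TRACKING-REF-PLACEHOLDER>)` with the placeholders filled in. The same applies to `# Temporary expand template to remove scoped tokens job that is changing` in the next hunk (lines 24-42): it should name the job that was dropped from the expanded list so the expansion can be collapsed back to `designate-devstack-jobs` without diffing the template by hand.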
@@ -36,3 +37,22 @@
- designate-bind9-stable-xena
- designate-bind9-stable-wallaby
- neutron-tempest-plugin-designate-scenario
+# Temporary expand template to remove scoped tokens job that is changing
+ - designate-bind9
+ - designate-bind9-centos9stream-fips:
+ voting: false
+ - designate-bind9-centos-9-stream:
+ voting: false
+ - designate-pdns4
+ - designate-grenade-bind9
+ - designate-grenade-pdns4
+ - designate-ipv6-only-pdns4
+ - designate-ipv6-only-bind9
+ gate:
+ fail-fast: true
+ jobs:
+ - designate-bind9
+ - designate-pdns4
+ - designate-grenade-pdns4
+ - designate-ipv6-only-pdns4
+ - designate-ipv6-only-bind9
diff --git a/designate_tempest_plugin/tests/api/v2/test_blacklists.py b/designate_tempest_plugin/tests/api/v2/test_blacklists.py
index 6dced4c..0fd8509 100644
--- a/designate_tempest_plugin/tests/api/v2/test_blacklists.py
+++ b/designate_tempest_plugin/tests/api/v2/test_blacklists.py
@@ -58,9 +58,7 @@
self.assertExpected(blacklist, body, self.excluded_keys)
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_CUD_RBAC_enforcement('BlacklistsClient', 'create_blacklist',
expected_allowed, False)
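Review bot: The show and list hunks in this file (lines 55-63 and 73-81) drop `os_system_reader` from `expected_allowed`, which the old new-defaults branch explicitly permitted; if the check helpers treat unlisted credentials as must-be-denied, as their names suggest, the tests now assert that a system-scoped reader is refused `show_blacklist`/`list_blacklists` in both policy modes, a tightening of the asserted policy rather than just the removal of the scope switch. Because this same change disables the `designate-devstack-jobs` template in .zuul.yaml, nothing in the patch's CI exercises that new denial, so a short comment at each of those sites, e.g. `# System reader is no longer expected to have read access: system scope is no longer going to be used`, would at least record the intent. Separately, `['os_admin', 'os_system_admin']` is now repeated as a literal in every hunk of this file and in test_pool, test_recordset, test_service_statuses, test_tld, test_transfer_accepts, test_transfer_request, test_tsigkey, test_zones, test_zones_exports and test_zones_imports; hoisting it to one shared constant (e.g. `ADMIN_ALLOWED = ['os_admin', 'os_system_admin']` in the common base) would make the next policy change a one-line edit. The enclosing test function starts and ends outside this hunk.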
@@ -100,9 +98,7 @@
LOG.info('Ensure the fetched response matches the created blacklist')
self.assertExpected(blacklist, body, self.excluded_keys)
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'BlacklistsClient', 'show_blacklist', expected_allowed, False,
@@ -121,9 +117,7 @@
# A blacklist delete returns an empty body
self.assertEqual(body.strip(), b"")
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'delete_blacklist', expected_allowed, False,
@@ -141,9 +135,7 @@
# TODO(pglass): Assert that the created blacklist is in the response
self.assertGreater(len(body['blacklists']), 0)
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'BlacklistsClient', 'list_blacklists',
@@ -168,9 +160,7 @@
self.assertEqual(pattern, body['pattern'])
self.assertEqual(description, body['description'])
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'update_blacklist', expected_allowed, False,
diff --git a/designate_tempest_plugin/tests/api/v2/test_pool.py b/designate_tempest_plugin/tests/api/v2/test_pool.py
index 57f5234..e89b9f6 100644
--- a/designate_tempest_plugin/tests/api/v2/test_pool.py
+++ b/designate_tempest_plugin/tests/api/v2/test_pool.py
@@ -102,10 +102,7 @@
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
# TODO(johnsom) The pools API seems inconsistent with the requirement
# of the all-projects header.
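Review bot: After this hunk the only visible use of `CONF` in this test is gone, and the same holds for every hunk in test_blacklists, test_recordset, test_service_statuses, test_tld and test_tsigkey; if no other reference remains in those modules (the rest of each file is outside the hunks, so I cannot confirm), the module-level `CONF` binding becomes unused and flake8 will flag it. Worth a grep for `CONF` in each of those modules before merge, removing the import where it is now dead. The enclosing test function starts and ends outside this hunk.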
diff --git a/designate_tempest_plugin/tests/api/v2/test_recordset.py b/designate_tempest_plugin/tests/api/v2/test_recordset.py
index 1526ccf..e76bc74 100644
--- a/designate_tempest_plugin/tests/api/v2/test_recordset.py
+++ b/designate_tempest_plugin/tests/api/v2/test_recordset.py
@@ -297,10 +297,7 @@
self.zone['id'], recordset_id)
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True,
diff --git a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
index c1f634b..a4a824f 100644
--- a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
+++ b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
@@ -73,10 +73,7 @@
"services: {}".format(services_statuses_tup))
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ServiceClient', 'list_statuses', expected_allowed, False)
diff --git a/designate_tempest_plugin/tests/api/v2/test_shared_zones.py b/designate_tempest_plugin/tests/api/v2/test_shared_zones.py
index 9039400..1c54581 100644
--- a/designate_tempest_plugin/tests/api/v2/test_shared_zones.py
+++ b/designate_tempest_plugin/tests/api/v2/test_shared_zones.py
@@ -122,7 +122,6 @@
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
- expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
@@ -175,7 +174,6 @@
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
- expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
diff --git a/designate_tempest_plugin/tests/api/v2/test_tld.py b/designate_tempest_plugin/tests/api/v2/test_tld.py
index a8b03f1..58ded53 100644
--- a/designate_tempest_plugin/tests/api/v2/test_tld.py
+++ b/designate_tempest_plugin/tests/api/v2/test_tld.py
@@ -148,10 +148,7 @@
self.assertExpected(tld, body, self.excluded_keys)
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TldClient', 'show_tld', expected_allowed, False, tld['id'])
@@ -191,10 +188,7 @@
self.assertGreater(len(body['tlds']), 0)
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TldClient', 'list_tlds', expected_allowed, [tld['id']],
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
index 7cc9f11..1a588ec 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
@@ -121,6 +121,9 @@
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
+ # Note: system_reader is allowed because this API RBAC is based
+ # on the target project ID. It will return a 401 instead of
+ # a 403.
expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
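Review bot: The added comment says `os_system_reader` is allowed because the check is based on the target project ID, then says the API `will return a 401 instead of a 403`; a 401 on a valid, authenticated system-scoped token is an authentication failure rather than a policy decision, so as written the comment does not explain why the credential belongs in `expected_allowed`. If `check_CUD_RBAC_enforcement` counts anything other than a 403 as "allowed" (I cannot see the helper), say so explicitly, e.g. `# Note: the target-project check rejects a system-scoped reader with a 401, not a 403, and the RBAC helper only treats a 403 as a denial, so os_system_reader must stay in the allowed list`; if the 401 is instead an unexpected status from the service, that is a defect to track rather than encode in the test. This also diverges from test_shared_zones (lines 138-153), where `os_system_reader` was simply dropped from the same kind of list with no comment; one sentence there on why the two APIs differ would help. The enclosing test function starts and ends outside this hunk.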
@@ -185,10 +188,7 @@
True, transfer_accept['id'])
# Test RBAC with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@@ -278,20 +278,14 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_RBAC_enforcement_count(
'TransferAcceptClient', 'list_transfer_accept',
expected_allowed, 0)
# Test that users who should see the zone, can see it.
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferAcceptClient', 'list_transfer_accept',
@@ -400,10 +394,7 @@
self.wait_zone_delete, self.alt_zone_client, zone['id'])
# Test RBAC with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
index c646c2b..203eed0 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
@@ -160,20 +160,16 @@
# Test RBAC
# Note: The create service client does not define a target project
# ID, so everyone should be able to see it.
- expected_allowed = ['os_admin', 'os_primary', 'os_alt']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_system_reader',
- 'os_project_member', 'os_project_reader'])
+ expected_allowed = ['os_admin', 'os_primary', 'os_alt',
+ 'os_system_admin', 'os_system_reader',
+ 'os_project_member', 'os_project_reader']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
True, transfer_request['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
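Review bot: The list at lines 243-245 now names `os_system_reader`, `os_project_member` and `os_project_reader` unconditionally, whereas before they were only added under `enforce_new_defaults`; in a legacy-policy run those project personas may not be provisioned, so whether this passes depends on how `check_list_show_RBAC_enforcement` handles a credential name with no client on the test class (not visible here). If the helper skips missing credentials, a one-line comment saying so would stop the next reader from re-adding the guard, e.g. `# Personas not provisioned in legacy-policy runs are skipped by the RBAC helper`; if it does not, the `CONF.dns_feature_enabled.enforce_new_defaults` guard should stay for those three names. The enclosing test function starts and ends outside this hunk.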
@@ -244,11 +240,8 @@
self.assertExpected(transfer_request, body, excluded_keys)
# Test RBAC when a transfer target project is specified.
- expected_allowed = ['os_primary', 'os_alt']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
- else:
- expected_allowed.append('os_admin')
+ expected_allowed = ['os_primary', 'os_alt', 'os_admin',
+ 'os_system_admin', 'os_project_member']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
@@ -304,8 +297,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin']
+ expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
diff --git a/designate_tempest_plugin/tests/api/v2/test_tsigkey.py b/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
index 6ceeaca..aab027f 100644
--- a/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
+++ b/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
@@ -145,9 +145,7 @@
self.assertGreater(len(body['tsigkeys']), 0)
# Test RBAC
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TsigkeyClient', 'list_tsigkeys', expected_allowed,
[tsigkey['id']])
@@ -409,9 +407,7 @@
self.assertExpected(tsigkey, body, self.excluded_keys)
# Test RBAC
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TsigkeyClient', 'show_tsigkey', expected_allowed, True,
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones.py b/designate_tempest_plugin/tests/api/v2/test_zones.py
index fbf7c35..9316578 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones.py
@@ -172,10 +172,7 @@
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, False, zone['id'],
@@ -282,8 +279,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin']
+ expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
@@ -438,10 +434,7 @@
True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed,
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
index 0e6d54b..eb137b4 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
@@ -129,10 +129,7 @@
zone_export['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@@ -164,10 +161,7 @@
zone_export['id'], listed_export_ids))
# Test RBAC with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@@ -229,8 +223,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin']
+ expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
index d9ef8e9..2adba2c 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
@@ -159,10 +159,7 @@
zone_import['id'])
# Test with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
@@ -233,8 +230,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin']
+ expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
@@ -307,10 +303,7 @@
zone_import, resp_body['imports'][0], self.excluded_keys)
# Test with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,