Accommodate stable branches with scoped tokens
This patch updates the Designate tempest plugin to accommodate stable
branches that still have keystone scoped tokens. The "Direction
change"[1] means scoped tokens were dropped in the Bobcat (2023.2)
release. However the stable branches back to Wallaby will still have
scoped tokens available as a configuration option.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
Change-Id: Ia57b5126dbc9fbe98cbcaa7ad0e11d36c21a14da
diff --git a/designate_tempest_plugin/tests/api/v2/test_blacklists.py b/designate_tempest_plugin/tests/api/v2/test_blacklists.py
index 0fd8509..48b3028 100644
--- a/designate_tempest_plugin/tests/api/v2/test_blacklists.py
+++ b/designate_tempest_plugin/tests/api/v2/test_blacklists.py
@@ -98,7 +98,10 @@
LOG.info('Ensure the fetched response matches the created blacklist')
self.assertExpected(blacklist, body, self.excluded_keys)
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin', 'os_system_reader']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'BlacklistsClient', 'show_blacklist', expected_allowed, False,
@@ -135,7 +138,10 @@
# TODO(pglass): Assert that the created blacklist is in the response
self.assertGreater(len(body['blacklists']), 0)
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'BlacklistsClient', 'list_blacklists',
diff --git a/designate_tempest_plugin/tests/api/v2/test_pool.py b/designate_tempest_plugin/tests/api/v2/test_pool.py
index e89b9f6..27f6e9d 100644
--- a/designate_tempest_plugin/tests/api/v2/test_pool.py
+++ b/designate_tempest_plugin/tests/api/v2/test_pool.py
@@ -102,7 +102,10 @@
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
# TODO(johnsom) The pools API seems inconsistent with the requirement
# of the all-projects header.
diff --git a/designate_tempest_plugin/tests/api/v2/test_recordset.py b/designate_tempest_plugin/tests/api/v2/test_recordset.py
index e76bc74..2249a68 100644
--- a/designate_tempest_plugin/tests/api/v2/test_recordset.py
+++ b/designate_tempest_plugin/tests/api/v2/test_recordset.py
@@ -297,7 +297,10 @@
self.zone['id'], recordset_id)
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True,
diff --git a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
index a4a824f..0b63f21 100644
--- a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
+++ b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
@@ -73,7 +73,10 @@
"services: {}".format(services_statuses_tup))
# Test RBAC
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin', 'os_system_reader']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ServiceClient', 'list_statuses', expected_allowed, False)
diff --git a/designate_tempest_plugin/tests/api/v2/test_tld.py b/designate_tempest_plugin/tests/api/v2/test_tld.py
index 58ded53..a74edc1 100644
--- a/designate_tempest_plugin/tests/api/v2/test_tld.py
+++ b/designate_tempest_plugin/tests/api/v2/test_tld.py
@@ -148,7 +148,10 @@
self.assertExpected(tld, body, self.excluded_keys)
# Test RBAC
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin', 'os_system_reader']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TldClient', 'show_tld', expected_allowed, False, tld['id'])
@@ -188,7 +191,10 @@
self.assertGreater(len(body['tlds']), 0)
# Test RBAC
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TldClient', 'list_tlds', expected_allowed, [tld['id']],
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
index 1a588ec..94c661a 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
@@ -188,7 +188,10 @@
True, transfer_accept['id'])
# Test RBAC with x-auth-all-projects
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@@ -278,14 +281,20 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_RBAC_enforcement_count(
'TransferAcceptClient', 'list_transfer_accept',
expected_allowed, 0)
# Test that users who should see the zone, can see it.
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferAcceptClient', 'list_transfer_accept',
@@ -394,7 +403,10 @@
self.wait_zone_delete, self.alt_zone_client, zone['id'])
# Test RBAC with x-auth-sudo-project-id header
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
index 203eed0..20c68ed 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
@@ -169,7 +169,10 @@
True, transfer_request['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
@@ -240,8 +243,12 @@
self.assertExpected(transfer_request, body, excluded_keys)
# Test RBAC when a transfer target project is specified.
- expected_allowed = ['os_primary', 'os_alt', 'os_admin',
- 'os_system_admin', 'os_project_member']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_primary', 'os_alt',
+ 'os_system_admin', 'os_project_member']
+ else:
+ expected_allowed = ['os_primary', 'os_alt', 'os_admin',
+ 'os_system_admin', 'os_project_member']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
diff --git a/designate_tempest_plugin/tests/api/v2/test_tsigkey.py b/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
index aab027f..926797f 100644
--- a/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
+++ b/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
@@ -145,7 +145,11 @@
self.assertGreater(len(body['tsigkeys']), 0)
# Test RBAC
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
+
self.check_list_IDs_RBAC_enforcement(
'TsigkeyClient', 'list_tsigkeys', expected_allowed,
[tsigkey['id']])
@@ -407,7 +411,10 @@
self.assertExpected(tsigkey, body, self.excluded_keys)
# Test RBAC
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin', 'os_system_reader']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TsigkeyClient', 'show_tsigkey', expected_allowed, True,
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones.py b/designate_tempest_plugin/tests/api/v2/test_zones.py
index 9316578..395caa5 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones.py
@@ -172,7 +172,10 @@
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, False, zone['id'],
@@ -434,7 +437,10 @@
True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed,
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
index eb137b4..5ca5495 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
@@ -129,7 +129,10 @@
zone_export['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@@ -161,7 +164,10 @@
zone_export['id'], listed_export_ids))
# Test RBAC with x-auth-sudo-project-id header
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
index 2adba2c..025fa9a 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
@@ -159,7 +159,10 @@
zone_import['id'])
# Test with x-auth-all-projects
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
@@ -303,7 +306,10 @@
zone_import, resp_body['imports'][0], self.excluded_keys)
# Test with x-auth-sudo-project-id header
- expected_allowed = ['os_admin', 'os_system_admin']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,