Update tests for scoped tokens and default roles
This patch refactors the RBAC enforcement checks in the API tests.
It also updates those tests for Keystone scoped tokens and default roles.
Change-Id: I6fad03f5a89c213562918ca258884aac34ba7ce7
diff --git a/octavia_tempest_plugin/config.py b/octavia_tempest_plugin/config.py
index f44bf96..fb4cb36 100644
--- a/octavia_tempest_plugin/config.py
+++ b/octavia_tempest_plugin/config.py
@@ -86,6 +86,12 @@
cfg.StrOpt('admin_role',
default='load-balancer_admin',
help='The load balancing admin RBAC role.'),
+ cfg.StrOpt('observer_role',
+ default='load-balancer_observer',
+ help='The load balancing observer RBAC role.'),
+ cfg.StrOpt('global_observer_role',
+ default='load-balancer_global_observer',
+ help='The load balancing global observer RBAC role.'),
cfg.IntOpt('scp_connection_timeout',
default=5,
help='Timeout in seconds to wait for a '
@@ -97,10 +103,13 @@
default='octavia',
help='The provider driver to use for the tests.'),
cfg.StrOpt('RBAC_test_type', default=const.ADVANCED,
- choices=[const.ADVANCED, const.OWNERADMIN, const.NONE],
+ choices=[const.ADVANCED, const.KEYSTONE_DEFAULT_ROLES,
+ const.OWNERADMIN, const.NONE],
help='Type of RBAC tests to run. "advanced" runs the octavia '
'default RBAC tests. "owner_or_admin" runs the legacy '
- 'owner or admin tests. "none" disables the RBAC tests.'),
+ 'owner or admin tests. "keystone_default_roles" runs the '
+ 'tests using only the keystone default roles. "none" '
+ 'disables the RBAC tests.'),
cfg.DictOpt('enabled_provider_drivers',
help=('A comma separated list of dictionaries of the '
'enabled provider driver names and descriptions. '
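Review bot: The `RBAC_test_type` help text spells the mode names as string literals (`"keystone_default_roles"`) while `choices` uses `const.KEYSTONE_DEFAULT_ROLES`, whose value is defined outside this diff. Confirm the two agree, since an operator copying the name from the help would otherwise be rejected by the choices validation. The help also does not say which modes use the `observer_role` / `global_observer_role` options added in the first hunk, or how this mode relates to `enforce_new_defaults`. One added sentence such as `'See also enforce_new_defaults and [enforce_scope] octavia.'` would help operators pick a consistent combination.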
@@ -217,6 +226,15 @@
default='/opt/octavia-tempest-plugin/test_server.bin',
help='Filesystem path to the test web server that will be '
'installed in the web server VMs.'),
+ # RBAC related options
+ # Note: Also see the enforce_scope section (from tempest) for Octavia API
+ # scope checking setting.
+ cfg.BoolOpt('enforce_new_defaults',
+ default=False,
+ help='Does the load-balancer service API policies enforce '
+ 'the new keystone default roles? This configuration '
+ 'value should be same as octavia.conf: '
+ '[oslo_policy].enforce_new_defaults option.'),
]
lb_feature_enabled_group = cfg.OptGroup(name='loadbalancer-feature-enabled',
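Review bot: Nothing visible here ties `enforce_new_defaults` to the policy actually deployed. If it stays at the default of False while octavia.conf sets `[oslo_policy] enforce_new_defaults = True` (or the reverse), the RBAC tests would presumably assert against the wrong expected role set, and an overly permissive policy could go unnoticed. The help text should state that consequence and fix the grammar, e.g. `help='Do the load-balancer service API policies enforce the new keystone default roles? Must match octavia.conf [oslo_policy] enforce_new_defaults, otherwise the RBAC test results are not meaningful.'`. The same applies to the `octavia` option added to `EnforceScopeGroup` in the last hunk. The `# RBAC related options` comment also sits far from `admin_role` and `RBAC_test_type` earlier in the list, so it reads as if only this one option were RBAC-related.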
@@ -261,3 +279,15 @@
"the tempest instance have access to the log files "
"specified in the tempest configuration."),
]
+
+# Extending this enforce_scope group defined in tempest
+enforce_scope_group = cfg.OptGroup(name="enforce_scope",
+ title="OpenStack Services with "
+ "enforce scope")
+EnforceScopeGroup = [
+ cfg.BoolOpt('octavia',
+ default=False,
+ help='Does the load-balancer service API policies enforce '
+ 'scope? This configuration value should be same as '
+ 'octavia.conf: [oslo_policy].enforce_scope option.'),
+]
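Review bot: The registration of `enforce_scope_group` / `EnforceScopeGroup` is not part of this file, so confirm that the plugin's `register_opts` and `get_opt_lists` both include the new pair. If only the former is updated, the option works but is missing from generated sample configuration. Because the group name is shared with tempest, the comment could also make ownership explicit, e.g. `# Adds the 'octavia' key to tempest's existing [enforce_scope] group.`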