Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / octavia-tempest-plugin / fb04e6ea97b1f457cb0b44f4086f2ba4f67c23af^! / . / octavia_tempest_plugin / tests
commitfb04e6ea97b1f457cb0b44f4086f2ba4f67c23af[log] [tgz]
authorGregory Thiemonge <gthiemon@redhat.com>Fri Feb 03 13:53:10 2023 +0100
committerGregory Thiemonge <gthiemon@redhat.com>Tue Feb 28 07:39:53 2023 -0500
tree8fb55d4352d885ac8252590c1ed920d9a72f6b74
parent9e9f526d656b0bc33173de21df2a6d7e3662b68b [diff]
Fix legacy admin in RBAC tests

The legacy admin continues to work as it is with the sRBAC [0]
if os_system_admin is allowed, os_admin should be allowed.

[0] https://governance.openstack.org/tc/goals/selected/\
    consistent-and-secure-rbac.html\#legacy-admin-continues-to-work-as-it-is

Depends-On: https://review.opendev.org/c/openstack/octavia/+/875620

Change-Id: I10d497a4b4e3a3b21cb24dba73d5074a71a3d381

diff --git a/octavia_tempest_plugin/tests/RBAC_tests.py b/octavia_tempest_plugin/tests/RBAC_tests.py
index d31d506..8dae024 100644
--- a/octavia_tempest_plugin/tests/RBAC_tests.py
+++ b/octavia_tempest_plugin/tests/RBAC_tests.py

@@ -155,15 +155,14 @@
         """
 
         allowed_list = copy.deepcopy(expected_allowed)
-        # os_admin is a special case as it is valid with the old defaults,
-        # but will not be with the new defaults and/or token scoping.
-        # The old keystone role "admin" becomes project scoped "admin"
-        # instead of being a global admin.
-        # To keep the tests simple, handle that edge case here.
-        # TODO(johnsom) Once token scope is default, remove this.
-        if ('os_system_admin' in expected_allowed and
-                not CONF.load_balancer.enforce_new_defaults and
-                not CONF.enforce_scope.octavia):
+        # The legacy admin behavior changed during the sRBAC development,
+        # os_admin is still a valid admin [0]
+        # [0] https://governance.openstack.org/tc/goals/selected/
+        #       consistent-and-secure-rbac.html
+        #       #legacy-admin-continues-to-work-as-it-is
+        # TODO(gthiemonge) we may have to revisit it in the future if the
+        # legacy admin scope changes.
+        if 'os_system_admin' in expected_allowed:
             allowed_list.append('os_admin')
 
         # #### Test that disallowed credentials cannot access the API.
@@ -244,15 +243,14 @@
         """
 
         allowed_list = copy.deepcopy(expected_allowed)
-        # os_admin is a special case as it is valid with the old defaults,
-        # but will not be with the new defaults and/or token scoping.
-        # The old keystone role "admin" becomes project scoped "admin"
-        # instead of being a global admin.
-        # To keep the tests simple, handle that edge case here.
-        # TODO(johnsom) Once token scope is default, remove this.
-        if ('os_system_admin' in expected_allowed and
-                not CONF.load_balancer.enforce_new_defaults and
-                not CONF.enforce_scope.octavia):
+        # The legacy admin behavior changed during the sRBAC development,
+        # os_admin is still a valid admin [0]
+        # [0] https://governance.openstack.org/tc/goals/selected/
+        #       consistent-and-secure-rbac.html
+        #       #legacy-admin-continues-to-work-as-it-is
+        # TODO(gthiemonge) we may have to revisit it in the future if the
+        # legacy admin scope changes.
+        if 'os_system_admin' in expected_allowed:
             allowed_list.append('os_admin')
 
         # #### Test that disallowed credentials cannot access the API.
@@ -371,15 +369,14 @@
         """
 
         allowed_list = copy.deepcopy(expected_allowed)
-        # os_admin is a special case as it is valid with the old defaults,
-        # but will not be with the new defaults and/or token scoping.
-        # The old keystone role "admin" becomes project scoped "admin"
-        # instead of being a global admin.
-        # To keep the tests simple, handle that edge case here.
-        # TODO(johnsom) Once token scope is default, remove this.
-        if ('os_system_admin' in expected_allowed and
-                not CONF.load_balancer.enforce_new_defaults and
-                not CONF.enforce_scope.octavia):
+        # The legacy admin behavior changed during the sRBAC development,
+        # os_admin is still a valid admin [0]
+        # [0] https://governance.openstack.org/tc/goals/selected/
+        #       consistent-and-secure-rbac.html
+        #       #legacy-admin-continues-to-work-as-it-is
+        # TODO(gthiemonge) we may have to revisit it in the future if the
+        # legacy admin scope changes.
+        if 'os_system_admin' in expected_allowed:
             allowed_list.append('os_admin')
 
         for cred in allowed_list:
@@ -439,15 +436,14 @@
         """
 
         allowed_list = copy.deepcopy(expected_allowed)
-        # os_admin is a special case as it is valid with the old defaults,
-        # but will not be with the new defaults and/or token scoping.
-        # The old keystone role "admin" becomes project scoped "admin"
-        # instead of being a global admin.
-        # To keep the tests simple, handle that edge case here.
-        # TODO(johnsom) Once token scope is default, remove this.
-        if ('os_system_admin' in expected_allowed and
-                not CONF.load_balancer.enforce_new_defaults and
-                not CONF.enforce_scope.octavia):
+        # The legacy admin behavior changed during the sRBAC development,
+        # os_admin is still a valid admin [0]
+        # [0] https://governance.openstack.org/tc/goals/selected/
+        #       consistent-and-secure-rbac.html
+        #       #legacy-admin-continues-to-work-as-it-is
+        # TODO(gthiemonge) we may have to revisit it in the future if the
+        # legacy admin scope changes.
+        if 'os_system_admin' in expected_allowed:
             allowed_list.append('os_admin')
 
         for cred in allowed_list: