Base implementation of override_role for automatic role re-switch
This PS deprecates switch_role in rbac_utils and replaces it with
override_role. override_role realizes the same functionality as
switch_role, but uses @contextmanager so that role-switching can be
streamlined. This approach offers the following advantages:
1) Role switching is performed in 1 class only. There is no
need to call ``test_obj.switch_role(test_obj, toggle_rbac_role=False)``
from ``rbac_rule_validation``. This de-coupling between both modules
leads to cleaner, more readable code.
2) Improves test code readability.
3) Improves role switch granularity, meaning the role remains switched
within the narrowest scope possible.
4) Simplifies interface, making it easier for test-writers to use
the Patrole framework.
Rather than doing:

    # setup code here
    rand_name = data_utils.rand_name(...)
    # ...
    # more setup code here
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    # execute the test here

(Without newlines, this code is very hard to read.)

It is instead possible to now do:

    # setup code here
    rand_name = data_utils.rand_name(...)
    # ...
    # more setup code here
    with self.rbac_utils.override_role(self):
        # execute the test here
        # notice the indentation... visually it is easy to see
        # that this block here is where the role is switched
    # now we are back to admin credentials in case we still
    # need it in the test... this was not possible before w/o
    # calling ``switch_role`` yet again...
    waiters.wait_for_volume_status(self.volumes_client, ...)

This commit:
* Adds the necessary logic to rbac_utils to allow for automatic
role re-switch following test execution (i.e. override_role)
* Deprecates switch_role method in rbac_utils.
* Refactors RBAC tests in test_volumes_extend_rbac to prove
the concept introduced here.
* Removes _validate_switch_role functionality since its purpose
was to overcompensate for the old switch_role interface which
allowed users to pass in a boolean flag; now this is no longer
needed. Also removes associated unit tests.
* Updates a docstring in rbac_utils module.
Partially Implements: blueprint rbac-utils-contextmanager
Change-Id: I670fba358bf321eae0d22d18cea6d2f530f00716
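
An added example, not Patrole's own code: a minimal sketch of the context-manager pattern the commit message describes, showing that the role goes back to admin both on normal exit and when the test body raises. `FakeRoleClient`, `RbacUtilsSketch`, the role names and the no-argument `override_role()` signature are assumptions made for illustration.

```python
from contextlib import contextmanager


class FakeRoleClient:
    """Constructed stand-in for the identity API; records role changes."""

    def __init__(self):
        self.active = "admin"
        self.history = ["admin"]

    def set_role(self, role):
        self.active = role
        self.history.append(role)


class RbacUtilsSketch:
    """Hypothetical helper illustrating the pattern, not rbac_utils itself."""

    def __init__(self, client, rbac_role="member", admin_role="admin"):
        self.client = client
        self.rbac_role = rbac_role
        self.admin_role = admin_role

    @contextmanager
    def override_role(self):
        # Drop to the role under test only for the body of the `with` block.
        self.client.set_role(self.rbac_role)
        try:
            yield
        finally:
            # Runs on normal exit and when the body raises, so later
            # cleanup code never executes with the restricted role.
            self.client.set_role(self.admin_role)


def run_scenarios():
    """Return the active role seen inside and after two `with` blocks."""
    client = FakeRoleClient()
    utils = RbacUtilsSketch(client)
    seen = []
    with utils.override_role():
        seen.append(client.active)      # inside: role under test
    seen.append(client.active)          # after: admin again
    try:
        with utils.override_role():
            seen.append(client.active)
            raise PermissionError("policy denied the call (constructed)")
    except PermissionError:
        pass
    seen.append(client.active)          # admin restored despite the error
    return seen, client.history
```
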
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 927c803..82bc1a0 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -175,6 +175,8 @@
"OverPermission: Role %s was allowed to perform %s" %
(role, rule))
finally:
+ # TODO(felipemonteiro): Remove the `switch_role` call below
+ # once all the tests have migrated over to `override_role`.
test_obj.rbac_utils.switch_role(test_obj,
toggle_rbac_role=False)
if CONF.patrole_log.enable_reporting:
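Review bot: The TODO added at the top of the `finally` block names nothing that tracks the removal, so it is not tied to the migration finishing; reference blueprint rbac-utils-contextmanager in the comment. For tests already moved to `override_role`, which per the commit message re-switches the role on its own, the retained `switch_role(test_obj, toggle_rbac_role=False)` call runs a second time against a role that is already restored, and with `_validate_switch_role` removed nothing guards that repeat call. Please confirm the repeat is a harmless no-op, and that calling the now-deprecated method here does not produce deprecation noise for every decorated test, or skip the call when the role was not overridden.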