Add rbac_utils is_admin helper method
This patch adds a helper method to rbac_utils.RbacUtils called
``is_admin`` which returns True if the current RBAC test role
is equal to the admin role defined in tempest.conf (i.e.
CONF.rbac.rbac_test_role == CONF.identity.admin_role). This
makes it easier to check this equivalence in a test by simply
running:
if self.rbac_utils.is_admin:
do something
Change-Id: I0efb005f90ac77449453f6b68a010ec64e7a03f7
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index c63ef90..ba04a30 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -81,7 +81,7 @@
LOG.info("As admin_only is True, only admin role should be "
"allowed to perform the API. Skipping oslo.policy "
"check for policy action {0}.".format(rule))
- allowed = CONF.rbac.rbac_test_role == CONF.identity.admin_role
+ allowed = test_obj.rbac_utils.is_admin
else:
allowed = _is_authorized(test_obj, service, rule,
extra_target_data)
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index fe2d99f..3bb2cbd 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -162,3 +162,11 @@
self.admin_role_id = admin_role_id
self.rbac_role_id = rbac_role_id
+
+ @property
+ def is_admin(self):
+ """Verifies whether the current test role equals the admin role.
+
+ :returns: True if ``rbac_test_role`` is the admin role.
+ """
+ return CONF.rbac.rbac_test_role == CONF.identity.admin_role
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
index 9a4363d..784045a 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -112,8 +112,7 @@
admin-scoped tenants, raise ``RbacActionFailed`` exception otherwise.
"""
tenants_client = self.os_admin.tenants_client if \
- CONF.identity.admin_role == CONF.rbac.rbac_test_role else \
- self.os_primary.tenants_client
+ self.rbac_utils.is_admin else self.os_primary.tenants_client
admin_tenant_id = self.os_admin.auth_provider.credentials.project_id
non_admin_tenant_id = self.auth_provider.credentials.project_id