Remove admin_only kwarg from rbac_rule_validation decorator
The ``admin_only`` kwarg has been removed from the ``rbac_rule_validation``
decorator because it is no longer used by any tests. Besides that,
it should not be used because Patrole is dedicated to RBAC testing, and
an admin-only check is not RBAC because it does not use the ``oslo.policy``
library.
Change-Id: Iee4881a8756cf2f2a0a4520dd450776a4f1e873c
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index daf03e4..97d246f 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -26,7 +26,6 @@
from patrole_tempest_plugin import policy_authority
from patrole_tempest_plugin import rbac_exceptions
-from patrole_tempest_plugin import rbac_utils
from patrole_tempest_plugin import requirements_authority
CONF = config.CONF
@@ -37,8 +36,7 @@
RBACLOG = logging.getLogger('rbac_reporting')
-def action(service, rule='', admin_only=False, expected_error_code=403,
- extra_target_data=None):
+def action(service, rule='', expected_error_code=403, extra_target_data=None):
"""A decorator for verifying OpenStack policy enforcement.
A decorator which allows for positive and negative RBAC testing. Given:
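Review bot: Dropping `admin_only` from the middle of the `action` signature shifts the positional slots, so a leftover out-of-tree call such as `action('identity', 'some_rule', True)` no longer fails on an unknown argument but binds `True` to `expected_error_code`. A keyword call with `admin_only=True` raises `TypeError` at decoration time, which is the safer failure; whether the positional case is rejected depends on `_get_exception_type`, which is not visible in this hunk. In addition, `rule=''` stays as the default even though the only documented case in which `rule` was ignored has been removed; if an empty rule has no valid meaning any more, making it required with `def action(service, rule, expected_error_code=403, extra_target_data=None):` would presumably keep a test from passing without a real policy action being evaluated. The body of `action` continues outside the hunk.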
@@ -77,10 +75,6 @@
Patrole currently only supports custom JSON policy files.
- :param admin_only: Skips over ``oslo.policy`` check because the policy
- action defined by ``rule`` is not enforced by the service's policy
- enforcement engine. For example, Keystone v2 performs an admin check
- for most of its endpoints. If True, ``rule`` is effectively ignored.
:param expected_error_code: Overrides default value of 403 (Forbidden)
with endpoint-specific error code. Currently only supports 403 and 404.
Support for 404 is needed because some services, like Neutron,
@@ -131,7 +125,7 @@
'an instance of `tempest.test.BaseTestCase`.')
allowed = _is_authorized(test_obj, service, rule,
- extra_target_data, admin_only)
+ extra_target_data)
expected_exception, irregular_msg = _get_exception_type(
expected_error_code)
@@ -188,7 +182,7 @@
return decorator
-def _is_authorized(test_obj, service, rule, extra_target_data, admin_only):
+def _is_authorized(test_obj, service, rule, extra_target_data):
"""Validates whether current RBAC role has permission to do policy action.
:param test_obj: An instance or subclass of ``tempest.test.BaseTestCase``.
@@ -200,10 +194,6 @@
``tempest.test.BaseTestCase`` attributes. Used by ``oslo.policy`` for
performing matching against attributes that are sent along with the API
calls.
- :param admin_only: Skips over ``oslo.policy`` check because the policy
- action defined by ``rule`` is not enforced by the service's policy
- enforcement engine. For example, Keystone v2 performs an admin check
- for most of its endpoints. If True, ``rule`` is effectively ignored.
:returns: True if the current RBAC role can perform the policy action,
else False.
@@ -216,12 +206,6 @@
the ``rule`` does not exist in the system.
"""
- if admin_only:
- LOG.info("As admin_only is True, only admin role should be "
- "allowed to perform the API. Skipping oslo.policy "
- "check for policy action {0}.".format(rule))
- return rbac_utils.is_admin()
-
try:
project_id = test_obj.os_primary.credentials.project_id
user_id = test_obj.os_primary.credentials.user_id
diff --git a/releasenotes/notes/remove-admin-only-kwarg-919f1a4797318a33.yaml b/releasenotes/notes/remove-admin-only-kwarg-919f1a4797318a33.yaml
new file mode 100644
index 0000000..21b8eb0
--- /dev/null
+++ b/releasenotes/notes/remove-admin-only-kwarg-919f1a4797318a33.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - |
+ The ``admin_only`` kwarg has been removed from ``rbac_rule_validation``
+ decorator because it is no longer used by any tests. Besides that,
+ it should not be used because Patrole is dedicated to RBAC testing and
+ an admin-only check is not RBAC because it does not use ``oslo.policy``
+ library.