Fixes many failing identity tests for member.
Many identity tests are failing for member role because the
framework doesn't currently take how Keystone does policy
enforcement into consideration. Currently, the framework
sets up one admin credential type which creates a user
with admin credentials. During the entire lifecycle of a Patrole
test run, the user retains its admin credentials -- but the admin
credentials are still assigned to the default domain, rather than
to the Tempest project.
It appears that most services only care about whether a user
has a specific role on a project, rather than a domain. However,
Keystone behaves differently, allowing the test user with domain
admin credentials to perform admin actions that should otherwise
be disallowed. This is problematic, because then over-permission
errors are thrown, as the test user that performs the action
as, say, Member retains the admin role on the default domain.
The solution is to create 2 credential types: admin and primary.
The admin user is responsible for adding/revoking admin role
to/from the primary user, who sets up/cleans up resources with admin
role and performs the API action under test with the rbac role only.
This patch also:
* takes care of removing cls.os = cls.os_adm simultaneously,
which is extremely deceptive and hard to debug
* removes 2 extension tests from compute admin test files
* refactors identity test files that use deprecated/incorrect
functionality
Change-Id: I08b02394276b74711900ff4b6ca286da0e76fd97
Closes-Bug: #1671704
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 69c6ccd..ae018de 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -88,8 +88,8 @@
finally:
test_obj.auth_provider.clear_auth()
- # Sleep to avoid 401 errors caused by rounding
- # In timing of fernet token creation
+ # Sleep to avoid 401 errors caused by rounding in timing of fernet
+ # token creation.
time.sleep(1)
test_obj.auth_provider.set_auth()
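Review bot: The reworded comment above `time.sleep(1)` still does not say what is being rounded or why one second is enough. Presumably fernet tokens carry no sub-second precision, so re-authenticating within the same second as the role change can yield a token that is rejected with a 401. Something like `# Fernet tokens are not sub-second aware; sleep so the new token is issued in a later second than the role change.` would make the sleep self-explanatory. The enclosing function starts outside the hunk.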
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
index 7d057c5..c1c92d9 100644
--- a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
@@ -59,10 +59,3 @@
self.client.change_password(
self.server_id,
adminPass=data_utils.rand_password())
-
- @rbac_rule_validation.action(
- service="nova", rule="os_compute_api:os-admin-password:discoverable")
- @decorators.idempotent_id('379fce8a-f1ff-11e6-bc64-92361f002671')
- def test_admin_password_discoverable(self):
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.extensions_client.show_extension('os-admin-password')
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
index 888f9a4..b2bc2b6 100644
--- a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
@@ -72,11 +72,3 @@
def test_reset_network(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.reset_network(self.server_id)
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-admin-actions:discoverable")
- @decorators.idempotent_id('e9d2991f-a05e-4116-881b-e2a82bb173cf')
- def test_admin_actions_discoverable(self):
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.extensions_client.show_extension('os-admin-actions')
diff --git a/patrole_tempest_plugin/tests/api/compute/rbac_base.py b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
index 8292a1b..4243bdd 100644
--- a/patrole_tempest_plugin/tests/api/compute/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
@@ -23,7 +23,8 @@
class BaseV2ComputeRbacTest(compute_base.BaseV2ComputeTest):
- credentials = ['admin']
+
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
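Review bot: The new `credentials = ['admin', 'primary']` line carries the core of the fix but has no comment saying which credential does what; only the commit message explains it. A short class-level comment would help, e.g. `# 'admin' grants/revokes the admin role on the 'primary' user; the API call under test runs as 'primary'.` With the `cls.os = cls.os_adm` override removed in the following hunk, `cls.os` presumably resolves to the primary credentials, which matters for the `cls.auth_provider = cls.os.auth_provider` context lines in the identity, image, network, orchestration and volume base classes. The same comment applies to each of those `credentials` hunks. The blank line added after the class statement here is also not repeated in the other base classes.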
@@ -33,11 +34,6 @@
'%s skipped as RBAC flag not enabled' % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseV2ComputeRbacTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseV2ComputeRbacTest, cls).setup_clients()
cls.admin_client = cls.os_admin.agents_client
@@ -47,7 +43,7 @@
class BaseV2ComputeAdminRbacTest(compute_base.BaseV2ComputeAdminTest):
- credentials = ['admin']
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
@@ -57,11 +53,6 @@
'%s skipped as RBAC flag not enabled' % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseV2ComputeAdminRbacTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseV2ComputeAdminRbacTest, cls).setup_clients()
cls.admin_client = cls.os_admin.agents_client
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
index 0155800..77afed5 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
@@ -25,7 +25,7 @@
class BaseIdentityV2AdminRbacTest(base.BaseIdentityV2AdminTest):
- credentials = ['admin']
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
@@ -35,11 +35,6 @@
"%s skipped as RBAC Flag not enabled" % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseIdentityV2AdminRbacTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseIdentityV2AdminRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
index aa9170a..4cd3d43 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
CONF = config.CONF
@@ -28,7 +27,7 @@
class IdentityRoleV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityRoleV2AdminRbacTest, self).tearDown()
@classmethod
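Review bot: In `tearDown`, an exception raised by `self.rbac_utils.switch_role(self, switchToRbacRole=False)` skips `super(IdentityRoleV2AdminRbacTest, self).tearDown()`, so the base class teardown never runs. Putting the call in a `try:` block with the `super(...).tearDown()` call under `finally:` keeps the base teardown running when the role switch fails. `self.rbac_utils` is not assigned in any visible hunk, so it is assumed to be provided by the base class. The class body continues outside this hunk.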
@@ -43,10 +42,10 @@
self.roles_client.delete_role, role['id'])
return role
- def _create_tenant_user_role(self):
- role = self._create_role()
+ def _create_tenant_user_and_role(self):
tenant = self._create_tenant()
user = self._create_user(tenantid=tenant['id'])
+ role = self._create_role()
return tenant, user, role
def _create_role_on_project(self, tenant, user, role):
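Review bot: `_create_tenant_user_and_role` now creates the role last, but nothing in the helper says whether that order matters. If the reordering is deliberate, a docstring should say so, e.g. `"""Create a tenant, a user in it, then a role; return (tenant, user, role)."""`. The likely effect is on cleanup order: cleanups run in reverse order of registration, so the role would now be deleted before the user and tenant. That is inferred from the `delete_role` context line, because the helpers' bodies are outside this hunk.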
@@ -67,7 +66,7 @@
RBAC test for Identity Admin 2.0 role-create
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_role()
@rbac_rule_validation.action(service="keystone",
@@ -81,7 +80,7 @@
"""
role = self._create_role()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.roles_client.delete_role(role['id'])
@rbac_rule_validation.action(service="keystone",
@@ -95,7 +94,7 @@
"""
role = self._create_role()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.roles_client.show_role(role['id'])
@rbac_rule_validation.action(service="keystone",
@@ -107,7 +106,7 @@
RBAC test for Identity Admin 2.0 role-list
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.roles_client.list_roles()
@rbac_rule_validation.action(service="keystone",
@@ -119,8 +118,8 @@
RBAC test for Identity Admin 2.0 create_user_role_on_project
"""
- tenant, user, role = self._create_tenant_user_role()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ tenant, user, role = self._create_tenant_user_and_role()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_role_on_project(tenant, user, role)
@rbac_rule_validation.action(service="keystone",
@@ -132,10 +131,10 @@
RBAC test for Identity Admin 2.0 delete_role_from_user_on_project
"""
- tenant, user, role = self._create_tenant_user_role()
+ tenant, user, role = self._create_tenant_user_and_role()
self._create_role_on_project(tenant, user, role)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.roles_client.delete_role_from_user_on_project(
tenant['id'], user['id'], role['id'])
@@ -151,6 +150,6 @@
tenant = self._create_tenant()
user = self._create_user(tenantid=tenant['id'])
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.roles_client.list_user_roles_on_project(
tenant['id'], user['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
index c7872b3..bad53b3 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
@@ -25,7 +25,7 @@
class BaseIdentityV3RbacAdminTest(base.BaseIdentityV3AdminTest):
- credentials = ['admin']
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
@@ -35,11 +35,6 @@
"%s skipped as RBAC Flag not enabled" % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseIdentityV3RbacAdminTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseIdentityV3RbacAdminTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
index 16e2dce..bbdf49d 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
@@ -33,9 +33,8 @@
def _create_group(self):
"""Creates a group for test."""
- name = data_utils.rand_name('Group')
- group = self.groups_client \
- .create_group(name=name)['group']
+ name = data_utils.rand_name('group')
+ group = self.groups_client.create_group(name=name)['group']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.groups_client.delete_group, group['id'])
diff --git a/patrole_tempest_plugin/tests/api/image/rbac_base.py b/patrole_tempest_plugin/tests/api/image/rbac_base.py
index 9072cb3..3570b81 100644
--- a/patrole_tempest_plugin/tests/api/image/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/image/rbac_base.py
@@ -21,7 +21,7 @@
class BaseV1ImageRbacTest(image_base.BaseV1ImageTest):
- credentials = ['admin']
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
@@ -31,11 +31,6 @@
"%s skipped as RBAC Flag not enabled" % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseV1ImageRbacTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseV1ImageRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
@@ -45,7 +40,7 @@
class BaseV2ImageRbacTest(image_base.BaseV2ImageTest):
- credentials = ['admin']
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
@@ -55,11 +50,6 @@
"%s skipped as RBAC Flag not enabled" % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseV2ImageRbacTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseV2ImageRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
diff --git a/patrole_tempest_plugin/tests/api/network/rbac_base.py b/patrole_tempest_plugin/tests/api/network/rbac_base.py
index 5f93d81..5beedc2 100644
--- a/patrole_tempest_plugin/tests/api/network/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/network/rbac_base.py
@@ -23,7 +23,7 @@
class BaseNetworkRbacTest(network_base.BaseNetworkTest):
- credentials = ['admin']
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
@@ -33,11 +33,6 @@
"%s skipped as RBAC Flag not enabled" % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseNetworkRbacTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseNetworkRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
diff --git a/patrole_tempest_plugin/tests/api/orchestration/rbac_base.py b/patrole_tempest_plugin/tests/api/orchestration/rbac_base.py
index 7a6ab13..e892a02 100644
--- a/patrole_tempest_plugin/tests/api/orchestration/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/orchestration/rbac_base.py
@@ -21,7 +21,7 @@
class BaseOrchestrationRbacTest(heat_base.BaseOrchestrationTest):
- credentials = ['admin']
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
@@ -31,11 +31,6 @@
"%s skipped as RBAC Flag not enabled" % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseOrchestrationRbacTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseOrchestrationRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
diff --git a/patrole_tempest_plugin/tests/api/volume/rbac_base.py b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
index 1cb128e..6d1ad16 100644
--- a/patrole_tempest_plugin/tests/api/volume/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
@@ -21,7 +21,7 @@
class BaseVolumeRbacTest(vol_base.BaseVolumeTest):
- credentials = ['admin']
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
@@ -31,11 +31,6 @@
"%s skipped as RBAC Flag not enabled" % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseVolumeRbacTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseVolumeRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
@@ -45,7 +40,7 @@
class BaseVolumeAdminRbacTest(vol_base.BaseVolumeAdminTest):
- credentials = ['admin']
+ credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
@@ -55,11 +50,6 @@
"%s skipped as RBAC Flag not enabled" % cls.__name__)
@classmethod
- def setup_credentials(cls):
- super(BaseVolumeAdminRbacTest, cls).setup_credentials()
- cls.os = cls.os_adm
-
- @classmethod
def setup_clients(cls):
super(BaseVolumeAdminRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider