Switch to enabled version of identity clients
Patrole always uses (e.g.) v3 roles client to retrieve
list of roles which is bad if the v3 identity service is not enabled.
Cases like the following:
self.roles_client = test_obj.os_admin.roles_v3_client
Should be changed to:
self.roles_client = test_obj.os_admin.roles_v3_client \
if CONF.identity_feature_enabled.api_v3 \
else test_obj.os_admin.roles_client
This commit switches between the correct identity client
depending on the identity version that is enabled in tempest.conf.
The v3 client is prioritized as identity v3 is current.
This commit also corrects/improves upon some documentation errata.
Change-Id: I9a12196f11473ac4e045ae90c4321219beab7ca6
Closes-Bug: #1702980
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 9fd8aee..9d7a807 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -76,6 +76,15 @@
rbac_role_id = None
def switch_role(self, test_obj, toggle_rbac_role=False):
+ """Switch the role used by `os_primary` Tempest credentials.
+
+ Switch the role used by `os_primary` credentials to:
+ * admin if `toggle_rbac_role` is False
+ * `CONF.rbac.rbac_test_role` if `toggle_rbac_role` is True
+
+ :param test_obj: test object of type tempest.lib.base.BaseTestCase
+ :param toggle_rbac_role: role to switch `os_primary` Tempest creds to
+ """
self.user_id = test_obj.os_primary.credentials.user_id
self.project_id = test_obj.os_primary.credentials.tenant_id
self.token = test_obj.os_primary.auth_provider.get_token()
@@ -92,20 +101,16 @@
else:
self._add_role_to_user(self.admin_role_id)
except Exception as exp:
- LOG.error(exp)
+ LOG.exception(exp)
raise
finally:
- # NOTE(felipemonteiro): These two comments below are copied from
- # tempest.api.identity.v2/v3.test_users.
- #
- # Reset auth again to verify the password restore does work.
- # Clear auth restores the original credentials and deletes
- # cached auth data.
test_obj.os_primary.auth_provider.clear_auth()
- # Fernet tokens are not subsecond aware and Keystone should only be
- # precise to the second. Sleep to ensure we are passing the second
- # boundary before attempting to authenticate. If token is of type
- # uuid, then do not sleep.
+ # Fernet tokens are not subsecond aware so sleep to ensure we are
+ # passing the second boundary before attempting to authenticate.
+ #
+ # FIXME(felipemonteiro): Rather than skipping sleep if the token
+ # is not uuid, this should instead be skipped if the token is not
+ # Fernet.
if not uuid_utils.is_uuid_like(self.token):
time.sleep(1)
test_obj.os_primary.auth_provider.set_auth()
@@ -140,6 +145,9 @@
* `switch_role` is not called with a boolean value
* `switch_role` is never called in a test file, except in tearDown
* `switch_role` is called with the same boolean value twice
+
+ If a `skipException` is thrown then this is a legitimate reason why
+ `switch_role` is not called.
"""
if not isinstance(toggle_rbac_role, bool):
raise rbac_exceptions.RbacResourceSetupFailed(