Enhance rbac policy parser to correctly interpret user_id policy actions.
Currently, while nova in some places uses policy actions that contain
the syntax "user_id: %(user_id)s" [0], the rbac policy parser in Patrole
cannot understand it.
This patch enhances the rbac policy parser to correctly understand
policy actions containing the above syntax.
[0] https://github.com/openstack/nova/blob/master/nova/policies/keypairs.py
Closes-Bug: #1669211
Change-Id: Ibb76d9353e680e5a9557e8d5dcb848ee7b5652f7
Needed-By: Ib2ebe58ccab8e334e073626eddb45bcb3a91a3f7
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 4b85187..36784b7 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -30,12 +30,13 @@
def wrapper(*args, **kwargs):
try:
tenant_id = args[0].auth_provider.credentials.tenant_id
+ user_id = args[0].auth_provider.credentials.user_id
except (IndexError, AttributeError) as e:
- msg = ("{0}: tenant_id not found in "
+ msg = ("{0}: tenant_id/user_id not found in "
"cls.auth_provider.credentials".format(e))
LOG.error(msg)
raise rbac_exceptions.RbacResourceSetupFailed(msg)
- authority = rbac_auth.RbacAuthority(tenant_id, service)
+ authority = rbac_auth.RbacAuthority(tenant_id, user_id, service)
allowed = authority.get_permission(rule, CONF.rbac.rbac_test_role)
try:
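Review bot: The new lookup `user_id = args[0].auth_provider.credentials.user_id` is only guarded against a missing attribute, so a credentials object whose `user_id` is present but `None` goes straight into `RbacAuthority(tenant_id, user_id, service)`. If the parser then substitutes that value into a `user_id:%(user_id)s` rule (RbacAuthority is not visible here, so this is inferred), the expected result is computed against `None`, and the test could agree with the API for the wrong reason and mask an ownership-check gap. Consider failing setup explicitly after the try block: `if user_id is None: raise rbac_exceptions.RbacResourceSetupFailed("user_id is None in cls.auth_provider.credentials")`. Inserting `user_id` as the second positional argument also silently shifts `service` for any other caller still passing two positionals, so keyword arguments would be safer if the constructor's parameters carry those names (`RbacAuthority(tenant_id=tenant_id, user_id=user_id, service=service)`). The body of `wrapper` continues outside this hunk.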