fix: admin, member, and reader gates broken
Recent changes in Keystone to move trust enforcement [0] to default
policies are currently breaking several voting gates in Patrole.
This commit updates the trusts_rbac tests to account for these changes.
Additionally, 'test_list_trusts' is updated so that it does indeed test
'identity:list_trusts'. If a 'trustor_user_id' or 'trustee_user_id' is passed
into list_trusts() then a different policy action will be enforced. A future
commit will add tests for the actions added here [1].
Added new feature flag called ``keystone_policy_enforcement_train`` under
the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts``
test backwards compatible, test the current release, and test the correct policy
action. The Keystone Trust API is enforced differently depending on passed arguments.
The new feature flag is needed so that all the voting gates pass, otherwise the
'test_list_trusts' is not backwards compatible and would not test the correct
policy action in the current release.
[0] https://review.opendev.org/#/q/topic:trust-policies+(status:open+OR+status:merged)
[1] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py
Change-Id: Ia5661e12977b26e1c16f09a074d1a805263c6c22
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 6b95182..f60f0f4 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -37,6 +37,12 @@
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
+
+ # TODO(rb560u): Remove this once stable/pike becomes EOL.
+ # Make the 'test_list_trusts' test backwards compatible.
+ # The Keystone Trust API is enforced differently depending on passed
+ # arguments
+ iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
fi
if [[ ${DEVSTACK_SERIES} == 'queens' ]]; then
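Review bot: the comment added above the `keystone_policy_enforcement_train` line in the pike block does not say what the value False selects. "The Keystone Trust API is enforced differently depending on passed arguments" describes Keystone, not the flag, so a reader of plugin.sh cannot tell which policy action 'test_list_trusts' ends up checking on this branch. Suggest stating it directly, for example that with False the test keeps the pre-Train call to list_trusts() and expected policy action, and that the flag defaults to the Train behaviour elsewhere. The comment is also missing its closing period after "arguments".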
@@ -54,12 +60,32 @@
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
+
+ # TODO(rb560u): Remove this once stable/queens becomes EOL.
+ # Make the 'test_list_trusts' test backwards compatible.
+ # The Keystone Trust API is enforced differently depending on passed
+ # arguments
+ iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
fi
if [[ ${DEVSTACK_SERIES} == 'rocky' ]]; then
# TODO(cl566n): Policies used by Patrole testing. Remove these once stable/rocky becomes EOL.
iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
+
+ # TODO(rb560u): Remove this once stable/rocky becomes EOL.
+ # Make the 'test_list_trusts' test backwards compatible.
+ # The Keystone Trust API is enforced differently depending on passed
+ # arguments
+ iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
+ fi
+
+ if [[ ${DEVSTACK_SERIES} == 'stein' ]]; then
+ # TODO(rb560u): Remove this once stable/stein becomes EOL.
+ # Make the 'test_list_trusts' test backwards compatible.
+ # The Keystone Trust API is enforced differently depending on passed
+ # arguments
+ iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
fi
iniset $TEMPEST_CONFIG patrole rbac_test_roles $RBAC_TEST_ROLES
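Review bot: the same five-line comment plus `iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False` is pasted into the queens and rocky blocks and into a new stein block here, in addition to the pike copy in the previous hunk. Four copies of a flag that gates which RBAC policy action is tested make it easy for one branch to drift or be missed at cleanup time. Consider a single conditional placed before the final `iniset $TEMPEST_CONFIG patrole rbac_test_roles $RBAC_TEST_ROLES` line, such as `if [[ ${DEVSTACK_SERIES} =~ ^(pike|queens|rocky|stein)$ ]]; then`, with one TODO listing the series to drop as each reaches EOL. In the rocky block the new TODO(rb560u) also tracks the same EOL as the existing TODO(cl566n) just above it, so the two could be merged into one comment.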