Fixes converter not working for certain edge cases.
Currently, the converter framework is not robust enough to handle
all policy cases. For example, is_admin context breaks.
This patch makes the converter more robust. The converter was changed
to use oslo_policy's shell tool for figuring out which roles are
permitted for a given rule. The shell tool can be found here:
https://github.com/openstack/oslo.policy/blob/master/oslo_policy/shell.py
Because the shell tool is intended to be used as a CLI tool, it was
adapted from oslo policy to better work within Patrole.
implements blueprint: oslo-policy-converter
Change-Id: Ia0fe9113e2be44e609b0edbb4c6facd1425f28b5
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index e11ae4c..7f9d4d2 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -13,7 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
-from oslo_log import log as logging
+import logging
+
from tempest import config
from tempest.lib import exceptions
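Review bot: The import swap at the top of this hunk, from `from oslo_log import log as logging` to the standard-library `import logging`, is not mentioned in the commit message, which only describes the converter rework. Either say in the commit message why this module stops using oslo_log, or move the change into its own patch so the converter change can be reviewed and reverted on its own. The name `logging` stays the same, so the `LOG = logging.getLogger(__name__)` line further down now silently binds to a different logger implementation. That is worth a short note for anyone who relies on this module's log output.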
@@ -24,10 +25,11 @@
LOG = logging.getLogger(__name__)
-def action(component, service, rule):
+def action(service, rule):
def decorator(func):
def wrapper(*args, **kwargs):
- authority = rbac_auth.RbacAuthority(component, service)
+ authority = rbac_auth.RbacAuthority(
+ args[0].auth_provider.credentials.tenant_id, service)
allowed = authority.get_permission(rule, CONF.rbac.rbac_test_role)
try:
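Review bot: The new `args[0].auth_provider.credentials.tenant_id` lookup in `wrapper` assumes the decorated callable is always invoked with a first positional argument that has an `auth_provider` attribute, and it is evaluated before the `try:` that follows. A call with no positional arguments raises IndexError, and an object without `auth_provider` raises AttributeError, neither of which tells the test author what went wrong. Consider checking for the attribute and raising a clear error that names the requirement, and add a docstring to `action` stating that it may only decorate test methods whose `self` provides `auth_provider`. The signature also changes from `action(component, service, rule)` to `action(service, rule)`, so any caller that still passes three positional arguments will fail with a TypeError. Confirm that every caller is updated in this patch.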