Merge "Add docstring for rbac_rule_validation is_authorized"
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 53f84ff..0753a42 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -130,6 +130,20 @@
def _is_authorized(test_obj, service, rule_name, extra_target_data):
+ """Validates whether current RBAC role has permission to do policy action.
+
+ :param test_obj: type BaseTestCase (tempest base test class)
+ :param service: the OpenStack service that enforces ``rule_name``
+ :param rule_name: the name of the policy action
+ :param extra_target_data: dictionary with unresolved string literals that
+ reference nested BaseTestCase attributes
+ :returns: True if the current RBAC role can perform the policy action else
+ False
+ :raises RbacParsingException: if ``CONF.rbac.strict_policy_check`` is
+ enabled and the ``rule_name`` does not exist in the system
+ :raises skipException: if ``CONF.rbac.strict_policy_check`` is
+ disabled and the ``rule_name`` does not exist in the system
+ """
try:
project_id = test_obj.auth_provider.credentials.project_id
user_id = test_obj.auth_provider.credentials.user_id
@@ -215,7 +229,8 @@
:param test_obj: type BaseTestCase (tempest base test class)
:param extra_target_data: dictionary with unresolved string literals that
reference nested BaseTestCase attributes
- :returns: dictionary with resolved BaseTestCase attributes
+ :returns: dictionary containing additional object data needed by
+ oslo.policy to validate generic checks
"""
attr_value = test_obj
formatted_target_data = {}