Multi role RBAC validation
This patchset replaces ``CONF.patrole.rbac_test_role`` with
``CONF.patrole.rbac_test_roles``, where instead of single role
we can specify list of roles to be assigned to test user.
Change-Id: Ia68bcbdbb523dfe7c4abd6107fb4c426a566ae9d
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index f6aaf04..05716fe 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -7,34 +7,28 @@
file. All Patrole-specific configuration options should be included under
the ``patrole`` group.
-RBAC Test Role
---------------
+RBAC Test Roles
+---------------
-The RBAC test role governs which role is used when running Patrole tests. For
-example, setting ``rbac_test_role`` to "admin" will execute all RBAC tests
-using admin credentials. Changing the ``rbac_test_role`` value will `override`
-Tempest's primary credentials to use that role.
+The RBAC test roles govern the list of roles to be used when running Patrole
+tests. For example, setting ``rbac_test_roles`` to "admin" will execute all
+RBAC tests using admin credentials. Changing the ``rbac_test_roles`` value
+will `override` Tempest's primary credentials to use that role.
-This implies that, if ``rbac_test_role`` is "admin", regardless of the Tempest
+This implies that, if ``rbac_test_roles`` is "admin", regardless of the Tempest
credentials used by a client, the client will be calling APIs using the admin
role. That is, ``self.os_primary.servers_client`` will run as though it were
``self.os_admin.servers_client``.
-Similarly, setting ``rbac_test_role`` to a non-admin role results in Tempest's
-primary credentials being overridden by the role specified by
-``rbac_test_role``.
+Similarly, setting ``rbac_test_roles`` with various roles, results in
+Tempest's primary credentials being overridden by the roles specified by
+``rbac_test_roles``.
.. note::
- Only the role of the primary Tempest credentials ("os_primary") is
+ Only the roles of the primary Tempest credentials ("os_primary") are
modified. The ``user_id`` and ``project_id`` remain unchanged.
-Enable RBAC
------------
-
-Given the value of ``enable_rbac``, enables or disables Patrole tests. If
-``enable_rbac`` is ``False``, then Patrole tests are skipped.
-
Custom Policy Files
-------------------
diff --git a/doc/source/framework/overview.rst b/doc/source/framework/overview.rst
index 8e04082..6f72eec 100644
--- a/doc/source/framework/overview.rst
+++ b/doc/source/framework/overview.rst
@@ -10,10 +10,10 @@
RBAC testing validation is broken up into 3 stages:
#. "Expected" stage. Determine whether the test should be able to succeed
- or fail based on the test role defined by ``[patrole] rbac_test_role``)
+ or fail based on the test roles defined by ``[patrole] rbac_test_roles``)
and the policy action that the test enforces.
#. "Actual" stage. Run the test by calling the API endpoint that enforces
- the expected policy action using the test role.
+ the expected policy action using the test roles.
#. Comparing the outputs from both stages for consistency. A "consistent"
result is treated as a pass and an "inconsistent" result is treated
as a failure. "Consistent" (or successful) cases include:
@@ -63,7 +63,7 @@
---------------------------
Module called by :ref:`rbac-validation` to verify whether the test
-role is allowed to execute a policy action by querying ``oslo.policy`` with
+roles are allowed to execute a policy action by querying ``oslo.policy`` with
required test data. The result is used by :ref:`rbac-validation` as the
"Expected" result.
diff --git a/doc/source/test_writing_guide.rst b/doc/source/test_writing_guide.rst
index 1291201..4e0f0be 100644
--- a/doc/source/test_writing_guide.rst
+++ b/doc/source/test_writing_guide.rst
@@ -23,8 +23,8 @@
Role overriding is the way Patrole is able to create resources and delete
resources -- including those that require admin credentials -- while still
being able to exercise the same set of Tempest credentials to perform the API
-action that authorizes the policy under test, by manipulating the role of
-the Tempest credentials.
+action that authorizes the policy under test, by manipulating roles of the
+Tempest credentials.
Patrole implicitly splits up each test into 3 stages: set up, test execution,
and teardown.
@@ -33,10 +33,10 @@
#. Setup: Admin role is used automatically. The primary credentials are
overridden with the admin role.
-#. Test execution: ``[patrole] rbac_test_role`` is used manually via the
+#. Test execution: ``[patrole] rbac_test_roles`` is used manually via the
call to ``with rbac_utils.override_role(self)``. Everything that
is executed within this contextmanager uses the primary
- credentials overridden with the ``[patrole] rbac_test_role``.
+ credentials overridden with the ``[patrole] rbac_test_roles``.
#. Teardown: Admin role is used automatically. The primary credentials have
been overridden with the admin role.