Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / patrole / e4782c0e4bbac1a5e5fe119bf02d5f7995d80cf2^1..e4782c0e4bbac1a5e5fe119bf02d5f7995d80cf2 / .
commite4782c0e4bbac1a5e5fe119bf02d5f7995d80cf2[log] [tgz]
authorJenkins <jenkins@review.openstack.org>Tue May 09 16:08:06 2017 +0000
committerGerrit Code Review <review@openstack.org>Tue May 09 16:08:06 2017 +0000
tree5e3a0c2d17657a3f3c82b3facff8ca70c9b9dd52
parentf1bd2b06abbb8c19ddf939f79b8dc1dcdbd7e71e [diff]
parentf6b69e23b95d5348a19774ed14f14b53b52b1452 [diff]
Merge "Change "admin" literal for admin role to CONF admin_role"
diff --git a/patrole_tempest_plugin/rbac_policy_parser.py b/patrole_tempest_plugin/rbac_policy_parser.py
index e68921f..8256889 100644
--- a/patrole_tempest_plugin/rbac_policy_parser.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py

@@ -168,7 +168,7 @@
             return self._allowed(
                 access=self._get_access_token(role),
                 apply_rule='context_is_admin')
-        return role == 'admin'
+        return role == CONF.identity.admin_role
 
     def _get_access_token(self, role):
         access_token = {

diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 4382259..8de3d97 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py

@@ -77,7 +77,7 @@
                 LOG.info("As admin_only is True, only admin role should be "
                          "allowed to perform the API. Skipping oslo.policy "
                          "check for policy action {0}.".format(rule))
-                allowed = CONF.rbac.rbac_test_role == 'admin'
+                allowed = CONF.rbac.rbac_test_role == CONF.identity.admin_role
             else:
                 allowed = _is_authorized(test_obj, service, rule,
                                          extra_target_data)

diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 55a5599..4cddb8d 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py

@@ -160,7 +160,7 @@
         for role in available_roles['roles']:
             if role['name'] == CONF.rbac.rbac_test_role:
                 rbac_role_id = role['id']
-            if role['name'] == 'admin':
+            if role['name'] == CONF.identity.admin_role:
                 admin_role_id = role['id']
 
         if not admin_role_id or not rbac_role_id:

diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
index 057ce20..a2917cf 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py

@@ -51,12 +51,15 @@
         self.mock_test_obj.os_admin = mock.Mock(
             **{'roles_v3_client.list_roles.return_value': available_roles})
 
-        CONF.set_override('rbac_test_role', 'Member', group='rbac',
+        CONF.set_override('admin_role', 'admin', group='identity',
                           enforce_type=True)
         CONF.set_override('auth_version', 'v3', group='identity',
                           enforce_type=True)
+        CONF.set_override('rbac_test_role', 'Member', group='rbac',
+                          enforce_type=True)
 
         self.addCleanup(CONF.clear_override, 'rbac_test_role', group='rbac')
+        self.addCleanup(CONF.clear_override, 'admin_role', group='identity')
         self.addCleanup(CONF.clear_override, 'auth_version', group='identity')
         self.addCleanup(mock.patch.stopall)