Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / patrole / f16b6b3a1df654cfc98256ab1dd92ad4e719c369^! / . / doc / source / framework / overview.rst
commitf16b6b3a1df654cfc98256ab1dd92ad4e719c369[log] [tgz]
authorFelipe Monteiro <felipe.monteiro@att.com>Thu Jun 28 19:32:59 2018 -0400
committerFelipe Monteiro <felipe.monteiro@att.com>Fri Jun 29 04:51:33 2018 +0000
treed757fcb089c63b21c7fffd8db1f8fc94c6f6e942
parent556094d276d79b7f320e5557aee93d7f029a1363 [diff] [blame]
Update overpermission/underpermission rbac exceptions

This patchset updates rbac_exceptions by bringing the concept
of under-permission and over-permission together. An over-permission
occurs when an unauthorized role is allowed to perform an action
and an under-permission occurs when an authorized role is not
allowed to perform an action. Both of these are important failure
scenarios.

Current Patrole has an RbacOverPermission Exception but uses
a "Forbidden" as a pseudonym for the under-permission version
but this is not ideal for the following reasons:

* Patrole can expect a 404 Not Found due to Neutron policy enforcement [0]
* The naming is inconsistent with RbacOverPermission
* It should have a Patrole wrapper exception (NotFound is used directly
  from Tempest)

So, this patchset:

* renames RbacOverPermission to RbacOverPermissionException
* replaces Forbidden exception with RbacUnderPermissionException
* updates documentation, docstrings and unit tests

In addition, this patchset introduces a new exception called
RbacExpectedWrongException which is raised when the expected
exception does not match the actual exception and both are instances
of 403 and 404, which means that the RBAC test uses the wrong
expected_error_codes.

Change-Id: I681610448cbe0269f02c34ea6afaaaf29c306121

diff --git a/doc/source/framework/overview.rst b/doc/source/framework/overview.rst
index d862770..4902f7b 100644
--- a/doc/source/framework/overview.rst
+++ b/doc/source/framework/overview.rst

@@ -26,9 +26,11 @@
    "Inconsistent" (or failing) cases include:
 
    * Expected result is ``False`` and the test passes. This results in an
-     ``RbacOverPermission`` exception getting thrown.
+     :class:`~rbac_exceptions.RbacOverPermissionException` exception
+     getting thrown.
    * Expected result is ``True`` and the test fails. This results in a
-     ``Forbidden`` exception getting thrown.
+     :class:`~rbac_exceptions.RbacOverPermissionException` exception
+     getting thrown.
 
    For example, a 200 from the API call and a ``False`` result from
    ``oslo.policy`` or a 403 from the API call and a ``True`` result from