Change "admin" literal for admin role to CONF admin_role
Currently, the Patrole framework always assumes that the admin
role is "admin". But this might not necessarily be the case.
The word "admin" is just a convention, but is nonetheless an
arbitrary designation for administration privileges.
Instead, the Patrole framework should take advantage of the
already-existing Tempest configuration option:
cfg.StrOpt('admin_role',
default='admin',
help="Role required to administrate keystone."),
This patch changes instances of 'admin' (for identifying the
admin role) with ``CONF.identity.admin_role``. This patch doesn't
make changes to 'admin' in unit tests, as that's not necessary,
but instead uses ``CONF.set_override`` to change the ``admin_role``
to "admin".
Closes-Bug: #1680294
Change-Id: Ia4431c2a16892a60fe10bb7e8495e7e384e552c1
diff --git a/patrole_tempest_plugin/rbac_policy_parser.py b/patrole_tempest_plugin/rbac_policy_parser.py
index e68921f..8256889 100644
--- a/patrole_tempest_plugin/rbac_policy_parser.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py
@@ -168,7 +168,7 @@
return self._allowed(
access=self._get_access_token(role),
apply_rule='context_is_admin')
- return role == 'admin'
+ return role == CONF.identity.admin_role
def _get_access_token(self, role):
access_token = {
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 4382259..8de3d97 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -77,7 +77,7 @@
LOG.info("As admin_only is True, only admin role should be "
"allowed to perform the API. Skipping oslo.policy "
"check for policy action {0}.".format(rule))
- allowed = CONF.rbac.rbac_test_role == 'admin'
+ allowed = CONF.rbac.rbac_test_role == CONF.identity.admin_role
else:
allowed = _is_authorized(test_obj, service, rule,
extra_target_data)
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 55a5599..4cddb8d 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -160,7 +160,7 @@
for role in available_roles['roles']:
if role['name'] == CONF.rbac.rbac_test_role:
rbac_role_id = role['id']
- if role['name'] == 'admin':
+ if role['name'] == CONF.identity.admin_role:
admin_role_id = role['id']
if not admin_role_id or not rbac_role_id:
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
index 057ce20..a2917cf 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
@@ -51,12 +51,15 @@
self.mock_test_obj.os_admin = mock.Mock(
**{'roles_v3_client.list_roles.return_value': available_roles})
- CONF.set_override('rbac_test_role', 'Member', group='rbac',
+ CONF.set_override('admin_role', 'admin', group='identity',
enforce_type=True)
CONF.set_override('auth_version', 'v3', group='identity',
enforce_type=True)
+ CONF.set_override('rbac_test_role', 'Member', group='rbac',
+ enforce_type=True)
self.addCleanup(CONF.clear_override, 'rbac_test_role', group='rbac')
+ self.addCleanup(CONF.clear_override, 'admin_role', group='identity')
self.addCleanup(CONF.clear_override, 'auth_version', group='identity')
self.addCleanup(mock.patch.stopall)