commit f6b69e23b95d5348a19774ed14f14b53b52b1452
author Felipe Monteiro <felipe.monteiro@att.com> Thu May 04 21:55:04 2017 +0100
committer Felipe Monteiro <felipe.monteiro@att.com> Thu May 04 20:59:29 2017 +0000
tree 33874463560c02812dbff7396aa55b1cc7d5c00d
parent ae6d0ef3c15a2f5e86250e446031005f290a73d4

Change "admin" literal for admin role to CONF admin_role

Currently, the Patrole framework always assumes that the admin
role is "admin". But this might not necessarily be the case.
The word "admin" is just a convention, but is nonetheless an
arbitrary designation for administration privileges.

Instead, the Patrole framework should take advantage of the
already-existing Tempest configuration option:

    cfg.StrOpt('admin_role',
               default='admin',
               help="Role required to administrate keystone."),

This patch changes instances of 'admin' (for identifying the
admin role) with ``CONF.identity.admin_role``. This patch doesn't
make changes to 'admin' in unit tests, as that's not necessary,
but instead uses ``CONF.set_override`` to change the ``admin_role``
to "admin".

Closes-Bug: #1680294
Change-Id: Ia4431c2a16892a60fe10bb7e8495e7e384e552c1

patrole_tempest_plugin/rbac_policy_parser.py

diff --git a/patrole_tempest_plugin/rbac_policy_parser.py b/patrole_tempest_plugin/rbac_policy_parser.py
index e68921f..8256889 100644
--- a/patrole_tempest_plugin/rbac_policy_parser.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py
@@ -168,7 +168,7 @@
             return self._allowed(
                 access=self._get_access_token(role),
                 apply_rule='context_is_admin')
-        return role == 'admin'
+        return role == CONF.identity.admin_role
 
     def _get_access_token(self, role):
         access_token = {