commit f6b69e23b95d5348a19774ed14f14b53b52b1452
author Felipe Monteiro <felipe.monteiro@att.com> Thu May 04 21:55:04 2017 +0100
committer Felipe Monteiro <felipe.monteiro@att.com> Thu May 04 20:59:29 2017 +0000
tree 33874463560c02812dbff7396aa55b1cc7d5c00d
parent ae6d0ef3c15a2f5e86250e446031005f290a73d4

Change "admin" literal for admin role to CONF admin_role

Currently, the Patrole framework always assumes that the admin
role is "admin". But this might not necessarily be the case.
The word "admin" is just a convention, but is nonetheless an
arbitrary designation for administration privileges.

Instead, the Patrole framework should take advantage of the
already-existing Tempest configuration option:

    cfg.StrOpt('admin_role',
               default='admin',
               help="Role required to administrate keystone."),

This patch changes instances of 'admin' (for identifying the
admin role) with ``CONF.identity.admin_role``. This patch doesn't
make changes to 'admin' in unit tests, as that's not necessary,
but instead uses ``CONF.set_override`` to change the ``admin_role``
to "admin".

Closes-Bug: #1680294
Change-Id: Ia4431c2a16892a60fe10bb7e8495e7e384e552c1

patrole_tempest_plugin/rbac_rule_validation.py

diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 4382259..8de3d97 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -77,7 +77,7 @@
                 LOG.info("As admin_only is True, only admin role should be "
                          "allowed to perform the API. Skipping oslo.policy "
                          "check for policy action {0}.".format(rule))
-                allowed = CONF.rbac.rbac_test_role == 'admin'
+                allowed = CONF.rbac.rbac_test_role == CONF.identity.admin_role
             else:
                 allowed = _is_authorized(test_obj, service, rule,
                                          extra_target_data)