| Felipe Monteiro | c8ec1f6 | 2017-11-15 08:32:56 +0000 | [diff] [blame] | 1 | .. _rbac-utils: |
| 2 | |
| 3 | The RBAC Utils Module |
| 4 | ===================== |
| 5 | |
| 6 | Overview |
| 7 | -------- |
| 8 | |
| 9 | Patrole manipulates the ``os_primary`` `Tempest credentials`_, which are the |
| 10 | primary set of Tempest credentials. It is necessary to use the same credentials |
| 11 | across the entire test setup/test execution/test teardown workflow |
| 12 | because otherwise 400-level errors will be thrown by OpenStack services. |
| 13 | |
| 14 | This is because many services check the request context's project scope -- and |
| 15 | in very rare cases, user scope. However, each set of Tempest credentials (via |
| 16 | `dynamic credentials`_) is allocated its own distinct project. For example, the |
| 17 | ``os_admin`` and ``os_primary`` credentials each have a distinct project, |
| 18 | meaning that it is not always possible for the ``os_primary`` credentials to |
| 19 | access resources created by the ``os_admin`` credentials. |
| 20 | |
| 21 | The only foolproof solution is to manipulate the role for the same set of |
| 22 | credentials, rather than using distinct credentials for setup/teardown |
| 23 | and test execution, respectively. This is especially true when considering |
| 24 | custom policy rule definitions, which can be arbitrarily complex. |
| 25 | |
| 26 | Patrole, therefore, implicitly splits up each test into 3 stages: set up, |
| 27 | test execution, and teardown. |
| 28 | |
| 29 | The role workflow is as follows: |
| 30 | |
| 31 | #. Setup: Admin role is used automatically. The primary credentials are |
| 32 | overridden with the admin role. |
| 33 | #. Test execution: ``[patrole] rbac_test_role`` is used manually via a call |
| 34 | to ``rbac_utils.switch_role(self, toggle_rbac_role=True)``. Everything that |
| 35 | is executed after this call, until the end of the test, uses the primary |
| 36 | credentials overridden with the ``rbac_test_role``. |
| 37 | #. Teardown: Admin role is used automatically. The primary credentials have |
| 38 | been overridden with the admin role. |
| 39 | |
| 40 | .. _Tempest credentials: https://docs.openstack.org/tempest/latest/library/credential_providers.html |
| 41 | .. _dynamic credentials: https://docs.openstack.org/tempest/latest/configuration.html#dynamic-credentials |
| 42 | |
| 43 | Test Setup |
| 44 | ---------- |
| 45 | |
| 46 | Automatic role switch in background. |
| 47 | |
| 48 | Resources can be set up inside the ``resource_setup`` class method that Tempest |
| 49 | provides. These resources are typically reserved for "expensive" resources |
| 50 | in terms of memory or storage requirements, like volumes and VMs. These |
| 51 | resources are **always** created via the admin role; Patrole automatically |
| 52 | handles this. |
| 53 | |
| 54 | Like Tempest, however, Patrole must also create resources inside tests |
| 55 | themselves. At the beginning of each test, the primary credentials have already |
| 56 | been overridden with the admin role. One can create whatever test-level |
| 57 | resources one needs, without having to worry about permissions. |
| 58 | |
| 59 | Test Execution |
| 60 | -------------- |
| 61 | |
| 62 | Manual role switch required. |
| 63 | |
| 64 | "Test execution" here means calling the API endpoint that enforces the policy |
| 65 | action expected by the ``rbac_rule_validation`` decorator. Test execution |
| 66 | should be performed *only after* calling |
| 67 | ``rbac_utils.switch_role(self, toggle_rbac_role=True)``. |
| 68 | |
| 69 | Immediately after that call, the API endpoint that enforces the policy should |
| 70 | be called. |
| 71 | |
| 72 | Example:: |
| 73 | |
| 74 | # Always apply the RBAC decorator to the test. |
| 75 | @rbac_rule_validation.action( |
| 76 | service="nova", |
| 77 | rule="os_compute_api:os-aggregates:show") |
| 78 | def test_show_aggregate_rbac(self): |
| 79 | # Do test setup before the switch_role call. |
| 80 | aggregate_id = self._create_aggregate() |
| 81 | # Call the switch_role method so that the primary credentials have |
| 82 | # the test role needed for test execution. |
| 83 | self.rbac_utils.switch_role(self, toggle_rbac_role=True) |
| 84 | # Call the endpoint that enforces the expected policy action, described |
| 85 | # by the "rule" kwarg in the decorator above. |
| 86 | self.aggregates_client.show_aggregate(aggregate_id) |
| 87 | |
| 88 | Test Cleanup |
| 89 | ------------ |
| 90 | |
| 91 | Automatic role switch in background. |
| 92 | |
| 93 | After the test -- no matter whether it ended successfully or in failure -- |
| 94 | the credentials are overridden with the admin role by the Patrole framework, |
| 95 | *before* ``tearDown`` or ``tearDownClass`` are called. This means that |
| 96 | resources are always cleaned up using the admin role. |
| 97 | |
| 98 | Implementation |
| 99 | -------------- |
| 100 | |
| 101 | .. automodule:: patrole_tempest_plugin.rbac_utils |
| 102 | :members: |
| 103 | :private-members: |