RBAC Testing Validation
=======================

--------
Overview
--------

RBAC testing validation is broken up into 3 stages:

#. "Expected" stage. Determine whether the test should be able to succeed
   or fail based on the test role (defined by ``[patrole] rbac_test_role``)
   and the policy action that the test enforces.
#. "Actual" stage. Run the test by calling the API endpoint that enforces
   the expected policy action using the test role.
#. Compare the outputs from both stages for consistency. A "consistent"
   result is treated as a pass and an "inconsistent" result is treated
   as a failure. "Consistent" (or successful) cases include:

   * Expected result is ``True`` and the test passes.
   * Expected result is ``False`` and the test fails.

   For example, a 200 from the API call and a ``True`` result from
   ``oslo.policy`` or a 403 from the API call and a ``False`` result from
   ``oslo.policy`` are successful results.

   "Inconsistent" (or failing) cases include:

   * Expected result is ``False`` and the test passes. This results in an
     :class:`~rbac_exceptions.RbacOverPermissionException` exception
     getting thrown.
   * Expected result is ``True`` and the test fails. This results in an
     :class:`~rbac_exceptions.RbacOverPermissionException` exception
     getting thrown.

   For example, a 200 from the API call and a ``False`` result from
   ``oslo.policy`` or a 403 from the API call and a ``True`` result from
   ``oslo.policy`` are failing results.

-------------------------------
The RBAC Rule Validation Module
-------------------------------

High-level module that provides the decorator that wraps around Tempest tests
and serves as the entry point for RBAC testing validation. The workflow
described above is ultimately carried out by the decorator.

For more information about this module, please see :ref:`rbac-validation`.
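
The three stages from the overview, run by a decorator around a test, as an added example that is not Patrole's code. The names ``rbac_action``, ``make_test``, ``Forbidden`` and ``RbacInconsistency`` and both tables are hypothetical, and a dictionary lookup stands in for the ``oslo.policy`` query.

```python
import functools

# Constructed tables. POLICY stands in for an oslo.policy query (action -> allowed
# roles); DEPLOYED is what the simulated API enforces, and it drifts on two actions.
POLICY = {"servers:show": {"admin", "reader"}, "servers:delete": {"admin"},
          "services:disable": {"admin"}}
DEPLOYED = {"servers:show": {"admin", "reader"},
            "servers:delete": {"admin", "reader"}, "services:disable": set()}


class Forbidden(Exception):
    """Hypothetical client error for a 403 response."""


class RbacInconsistency(AssertionError):
    """Hypothetical failure: expected and actual results disagree."""


def api_call(action, role):
    """Simulated endpoint: return 200, or raise Forbidden for a 403."""
    if role not in DEPLOYED[action]:
        raise Forbidden(action)
    return 200


def rbac_action(action):
    """Hypothetical decorator that runs the three stages around a test."""
    def decorator(test):
        @functools.wraps(test)
        def wrapper(role):
            expected = role in POLICY[action]      # "Expected" stage
            try:
                test(role)                         # "Actual" stage
                passed = True
            except Forbidden:
                passed = False
            if expected != passed:                 # comparison stage
                raise RbacInconsistency(
                    f"{action} as {role}: expected={expected}, passed={passed}")
            return "consistent"
        return wrapper
    return decorator


def make_test(action):
    """Build a decorated test that calls the endpoint enforcing ``action``."""
    @rbac_action(action)
    def test(role):
        api_call(action, role)
    return test
```

A 403 for a role the policy denies counts as consistent, so ``make_test("servers:delete")("member")`` succeeds while the same test run as ``reader`` raises.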

---------------------------
The Policy Authority Module
---------------------------

Module called by :ref:`rbac-validation` to verify whether the test
role is allowed to execute a policy action by querying ``oslo.policy`` with
required test data. The result is used by :ref:`rbac-validation` as the
"Expected" result.

For more information about this module, please see :ref:`policy-authority`.

---------------------
The RBAC Utils Module
---------------------

This module is responsible for handling role switching, the mechanism by which
Patrole is able to set up, tear down and execute APIs using the same set
of credentials. Every RBAC test must perform a role switch even if the role
that is being switched to is admin.

For more information about this module, please see :ref:`rbac-utils`.