| Felipe Monteiro | c8ec1f6 | 2017-11-15 08:32:56 +0000 | [diff] [blame] | 1 | RBAC Testing Validation |
| 2 | ======================= |
| 3 | |
| 4 | -------- |
| 5 | Overview |
| 6 | -------- |
| 7 | |
| 8 | RBAC testing validation is broken up into 3 stages: |
| 9 | |
| 10 | #. "Expected" stage. Determine whether the test should be able to succeed |
| 11 | or fail based on the test role defined by ``[patrole] rbac_test_role``) |
| 12 | and the policy action that the test enforces. |
| 13 | #. "Actual" stage. Run the test by calling the API endpoint that enforces |
| 14 | the expected policy action using the test role. |
| 15 | #. Comparing the outputs from both stages for consistency. A "consistent" |
| 16 | result is treated as a pass and an "inconsistent" result is treated |
| 17 | as a failure. "Consistent" (or successful) cases include: |
| 18 | |
| 19 | * Expected result is ``True`` and the test passes. |
| 20 | * Expected result is ``False`` and the test fails. |
| 21 | |
| 22 | For example, a 200 from the API call and a ``True`` result from |
| 23 | ``oslo.policy`` or a 403 from the API call and a ``False`` result from |
| 24 | ``oslo.policy`` are successful results. |
| 25 | |
| 26 | "Inconsistent" (or failing) cases include: |
| 27 | |
| 28 | * Expected result is ``False`` and the test passes. This results in an |
| 29 | ``RbacOverPermission`` exception getting thrown. |
| 30 | * Expected result is ``True`` and the test fails. This results in a |
| 31 | ``Forbidden`` exception getting thrown. |
| 32 | |
| 33 | For example, a 200 from the API call and a ``False`` result from |
| 34 | ``oslo.policy`` or a 403 from the API call and a ``True`` result from |
| 35 | ``oslo.policy`` are failing results. |
| 36 | |
| 37 | ------------------------------- |
| 38 | The RBAC Rule Validation Module |
| 39 | ------------------------------- |
| 40 | |
| 41 | High-level module that provides the decorator that wraps around Tempest tests |
| 42 | and serves as the entry point for RBAC testing validation. The workflow |
| 43 | described above is ultimately carried out by the decorator. |
| 44 | |
| 45 | For more information about this module, please see :ref:`rbac-validation`. |
| 46 | |
| 47 | --------------------------- |
| 48 | The Policy Authority Module |
| 49 | --------------------------- |
| 50 | |
| 51 | Module called by :ref:`rbac-validation` to verify whether the test |
| 52 | role is allowed to execute a policy action by querying ``oslo.policy`` with |
| 53 | required test data. The result is used by :ref:`rbac-validation` as the |
| 54 | "Expected" result. |
| 55 | |
| 56 | For more information about this module, please see :ref:`policy-authority`. |
| 57 | |
| 58 | --------------------- |
| 59 | The RBAC Utils Module |
| 60 | --------------------- |
| 61 | |
| 62 | This module is responsible for handling role switching, the mechanism by which |
| 63 | Patrole is able to set up, tear down and execute APIs using the same set |
| 64 | of credentials. Every RBAC test must perform a role switch even if the role |
| 65 | that is being switched to is admin. |
| 66 | |
| 67 | For more information about this module, please see :ref:`rbac-utils`. |