blob: dff43f2536b79513fff5379c3eb162f8b446cc47 [file] [log] [blame]
Felipe Monteiro8a5f69a2017-07-14 20:12:33 +01001.. _patrole-usage:
Felipe Monteiro7bc35dc2017-04-19 21:11:46 +01002
DavidPurcell663aedf2017-01-03 10:01:14 -05003========
4Usage
5========
6
Felipe Monteiro79423362017-06-01 21:53:03 +01007RBAC (API) Tests
8================
DavidPurcell663aedf2017-01-03 10:01:14 -05009
Felipe Monteiro79423362017-06-01 21:53:03 +010010If Patrole is installed correctly, then the RBAC tests can be executed
11from inside the tempest root directory as follows::
DavidPurcell663aedf2017-01-03 10:01:14 -050012
Felipe Monteiro79423362017-06-01 21:53:03 +010013 $ tox -eall-plugin -- patrole_tempest_plugin.tests.api
Felipe Monteiro7bc35dc2017-04-19 21:11:46 +010014
Felipe Monteiro79423362017-06-01 21:53:03 +010015To execute patrole tests for a specific module, run::
Felipe Monteiro7bc35dc2017-04-19 21:11:46 +010016
Felipe Monteiro79423362017-06-01 21:53:03 +010017 $ tox -eall-plugin -- patrole_tempest_plugin.tests.api.compute
18
19.. note::
20
21 It is possible to run Patrole via ``tox -eall`` in order to run Patrole
22 isolated from other plugins. This can be accomplished by including the
23 installation of services that currently use policy in code -- for example,
24 Nova and Keystone. For example::
25
26 $ tox -evenv-tempest -- pip install /opt/stack/patrole /opt/stack/keystone /opt/stack/nova
27 $ tox -eall -- patrole_tempest_plugin.tests.api
28..
Felipe Monteiro7bc35dc2017-04-19 21:11:46 +010029
30To change the role that the patrole tests are being run as, edit
31``rbac_test_role`` in the ``rbac`` section of tempest.conf: ::
32
Felipe Monteirof6eb8622017-08-06 06:08:02 +010033 [patrole]
Felipe Monteiro7bc35dc2017-04-19 21:11:46 +010034 rbac_test_role = Member
35 ...
36
37.. note::
38
39 The ``rbac_test_role`` is service-specific. Member, for example,
40 is an arbitrary role, but by convention is used to designate the default
41 non-admin role in the system. Most patrole tests should be run with
42 **admin** and **Member** roles. However, some services, like Heat, take
43 advantage of a role called **heat_stack_user**, as it appears frequently
44 in Heat's policy.json.
45
46For more information about the Member role,
47please see: `<https://ask.openstack.org/en/question/4759/member-vs-_member_/>`__.
Felipe Monteiro79423362017-06-01 21:53:03 +010048
49Unit Tests
50==========
51
52Patrole includes unit tests for its RBAC framework. They can be run by
53executing::
54
55 $ tox -e py27
56
57or::
58
59 $ tox -e py35
60
61against the Python 3.5 interpreter.