.. _rbac-utils:

RBAC Utils Module
=================

Overview
--------

Patrole manipulates the ``os_primary`` `Tempest credentials`_, which are the
primary set of Tempest credentials. It is necessary to use the same credentials
across the entire test setup/test execution/test teardown workflow
because otherwise 400-level errors will be thrown by OpenStack services.

This is because many services check the request context's project scope -- and
in very rare cases, user scope. However, each set of Tempest credentials (via
`dynamic credentials`_) is allocated its own distinct project. For example, the
``os_admin`` and ``os_primary`` credentials each have a distinct project,
meaning that it is not always possible for the ``os_primary`` credentials to
access resources created by the ``os_admin`` credentials.

The only foolproof solution is to manipulate the role for the same set of
credentials, rather than using distinct credentials for setup/teardown
and test execution, respectively. This is especially true when considering
custom policy rule definitions, which can be arbitrarily complex.

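The masking effect described above, as an added example that is not Patrole or
Tempest code: a toy service checks project scope before its role policy.
``Credentials``, ``Resource``, ``service_get``, the project names and the
404/403 status choices are assumptions made for illustration.

```python
# Added illustration: every name here is hypothetical, not a Patrole/Tempest API.
from dataclasses import dataclass, field


@dataclass
class Credentials:
    """One credential set: a user bound to its own project, holding roles."""
    name: str
    project_id: str
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    project_id: str  # project of the credentials that created it


def service_get(creds, resource, required_role):
    """Toy service: project scope is checked before the role policy."""
    if creds.project_id != resource.project_id:
        return 404  # assumed status: out-of-scope resource looks absent
    if required_role not in creds.roles:
        return 403  # in scope, but the policy rejects this role
    return 200


def run_with_distinct_credentials(role_under_test, required_role):
    """Setup as os_admin, execution as os_primary: two distinct projects."""
    os_admin = Credentials("os_admin", "project-a", {"admin"})
    os_primary = Credentials("os_primary", "project-b", {role_under_test})
    resource = Resource(os_admin.project_id)  # created during setup
    return service_get(os_primary, resource, required_role)


def run_with_role_switch(role_under_test, required_role):
    """Setup and execution as os_primary; only its role changes."""
    os_primary = Credentials("os_primary", "project-b", {"admin"})
    resource = Resource(os_primary.project_id)  # created with admin role
    os_primary.roles = {role_under_test}  # switch role, keep the project
    return service_get(os_primary, resource, required_role)


if __name__ == "__main__":
    for role in ("member", "reader"):
        print(role, run_with_distinct_credentials(role, "member"),
              run_with_role_switch(role, "member"))
```

With distinct credentials both roles receive the same scope error, so the test
cannot tell an allowed role from a denied one; after the role switch the result
reflects the policy alone.
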

Implementation
--------------

:py:mod:`RBAC Utils Module <patrole_tempest_plugin.rbac_utils>`

.. _Tempest credentials: https://docs.openstack.org/tempest/latest/library/credential_providers.html
.. _dynamic credentials: https://docs.openstack.org/tempest/latest/configuration.html#dynamic-credentials