Refactoring RbacUtils part 3 - documentation

Change the documnentation according to new RbacUtilsMixin

Story: 2002604
Task: 22223

Change-Id: I30ab8ea002f9312a5b50e2f2c511ed321a679c00
This commit is contained in:
Sergey Vilgelm 2019-02-03 10:35:01 -06:00
parent d3d77ef10c
commit 78e7f57fdb
No known key found for this signature in database
GPG Key ID: 08D0E2FF778887E6
5 changed files with 12 additions and 12 deletions

View File

@ -64,7 +64,7 @@ Role Overriding
---------------
Correct role overriding is vital to correct RBAC testing within Patrole. If a
test does not call ``rbac_utils.override_role`` within the RBAC test, followed
test does not call ``self.override_role()`` within the RBAC test, followed
by the API endpoint that enforces the expected policy action, then the test is
**not** a valid Patrole test: The API endpoint under test will be performed
with admin role, which is always wrong unless ``CONF.patrole.rbac_test_role``

View File

@ -80,7 +80,7 @@ Test duplication means:
* testing the same policy in more than one test
For the first bullet, try to avoid calling the same API inside the
``self.rbac_utils.override_role`` call.
``self.override_role()`` call.
.. note::

View File

@ -66,7 +66,7 @@ Below is an example of multi-policy validation for a carefully chosen Nova API:
self.os_admin.servers_client.lock_server(self.server['id'])
self.addCleanup(self.servers_client.unlock_server, self.server['id'])
with self.rbac_utils.override_role(self):
with self.override_role():
self.servers_client.unlock_server(self.server['id'])
While the ``expected_error_codes`` parameter is omitted in the example above,
@ -96,7 +96,7 @@ attribute that is added only following successful policy authorization.
# Verify specific fields of a port
fields = ['binding:vif_type']
with self.rbac_utils.override_role(self):
with self.override_role():
retrieved_port = self.ports_client.show_port(
self.port['id'], fields=fields)['port']
@ -131,7 +131,7 @@ A basic Neutron example that only expects 403's to be raised:
RBAC test for the neutron create_network:router:external policy
"""
with self.rbac_utils.override_role(self):
with self.override_role():
self._create_network(router_external=True)
Note that above the following expected error codes/rules relationship is
@ -158,7 +158,7 @@ subsequent policy authorization failure:
RBAC test for the neutron update_network:shared policy
"""
with self.rbac_utils.override_role(self):
with self.override_role():
self._update_network(shared_network=True)
self.addCleanup(self._update_network, shared_network=False)

View File

@ -34,7 +34,7 @@ The role workflow is as follows:
#. Setup: Admin role is used automatically. The primary credentials are
overridden with the admin role.
#. Test execution: ``[patrole] rbac_test_roles`` is used manually via the
call to ``with rbac_utils.override_role(self)``. Everything that
call to ``with self.override_role()``. Everything that
is executed within this contextmanager uses the primary
credentials overridden with the ``[patrole] rbac_test_roles``.
#. Teardown: Admin role is used automatically. The primary credentials have
@ -68,7 +68,7 @@ Manual role override required.
"Test execution" here means calling the API endpoint that enforces the policy
action expected by the ``rbac_rule_validation`` decorator. Test execution
should be performed *only after* calling
``with rbac_utils.override_role(self)``.
``with self.override_role()``.
Immediately after that call, the API endpoint that enforces the policy should
be called.
@ -89,7 +89,7 @@ Example::
aggregate_id = self._create_aggregate()
# Call the ``override_role`` method so that the primary credentials
# have the test role needed for test execution.
with self.rbac_utils.override_role(self):
with self.override_role():
self.aggregates_client.show_aggregate(aggregate_id)
When using a waiter, do the wait outside the contextmanager. "Waiting" always
@ -113,7 +113,7 @@ Example using waiter::
self.addCleanup(self.servers_client.change_password, self.server['id'],
adminPass=original_password)
with self.rbac_utils.override_role(self):
with self.override_role():
self.servers_client.change_password(
self.server['id'], adminPass=data_utils.rand_password())
# Call the waiter outside the ``override_role`` contextmanager, so that
@ -145,7 +145,7 @@ Incorrect::
# Never call a helper function inside the contextmanager that calls a
# bunch of APIs. Only call the API that enforces the policy action
# contained in the decorator above.
with self.rbac_utils.override_role(self):
with self.override_role():
self._complex_setup_method()
To fix this test, see the "Example using waiter" section above. It is

View File

@ -461,7 +461,7 @@ def _check_for_expected_mismatch_exception(expected_exception,
def _validate_override_role_called(test_obj, actual_exception):
"""Validates that :func:`rbac_utils.RbacUtils.override_role` is called
"""Validates that :func:`rbac_utils.RbacUtilsMixin.override_role` is called
during each Patrole test.
Useful for validating that the expected exception isn't raised too early