fix: admin, member, and reader gates broken

Recent changes in Keystone to move trust enforcement [0] to default
policies is currently breaking several voting gates in Patrole.
This commit updates the trusts_rbac tests to account for these changes.

Additionally, 'test_list_trusts' is updated so that it does indeed test
'identity:list_trusts'. If a 'trustor_user_id' or 'trustee_user_id' is passed
into list_trusts() then a different policy action will be enforced. A future
commit will add tests for the actions added here [1].

Added new feature flag called ``keystone_policy_enforcement_train`` under
the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts``
test backwards compatible, test the current release, and test the correct policy
action. The Keystone Trust API is enforced differently depending on passed arguments.

The new feature flag is needed so that all the voting gates pass, otherwise the
'test_list_trusts' is not backwards compatible and would not test the correct
policy action in the current release.

[0] https://review.opendev.org/#/q/topic:trust-policies+(status:open+OR+status:merged)
[1] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py

Change-Id: Ia5661e12977b26e1c16f09a074d1a805263c6c22
This commit is contained in:
Rick Bartra 2019-09-12 13:35:10 -04:00
parent fe4e5fd7b5
commit 97fffede9e
4 changed files with 64 additions and 7 deletions

View File

@ -37,6 +37,12 @@ function install_patrole_tempest_plugin {
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
# TODO(rb560u): Remove this once stable/pike becomes EOL.
# Make the 'test_list_trusts' test backwards compatible.
# The Keystone Trust API is enforced differently depending on passed
# arguments
iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
fi
if [[ ${DEVSTACK_SERIES} == 'queens' ]]; then
@ -54,12 +60,32 @@ function install_patrole_tempest_plugin {
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
# TODO(rb560u): Remove this once stable/queens becomes EOL.
# Make the 'test_list_trusts' test backwards compatible.
# The Keystone Trust API is enforced differently depending on passed
# arguments
iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
fi
if [[ ${DEVSTACK_SERIES} == 'rocky' ]]; then
# TODO(cl566n): Policies used by Patrole testing. Remove these once stable/rocky becomes EOL.
iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
# TODO(rb560u): Remove this once stable/rocky becomes EOL.
# Make the 'test_list_trusts' test backwards compatible.
# The Keystone Trust API is enforced differently depending on passed
# arguments
iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
fi
if [[ ${DEVSTACK_SERIES} == 'stein' ]]; then
# TODO(rb560u): Remove this once stable/stein becomes EOL.
# Make the 'test_list_trusts' test backwards compatible.
# The Keystone Trust API is enforced differently depending on passed
# arguments
iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
fi
iniset $TEMPEST_CONFIG patrole rbac_test_roles $RBAC_TEST_ROLES

View File

@ -184,7 +184,12 @@ were removed in Stein."""),
default=True,
help="""Are the Cinder Stein policies available in the cloud
(e.g. [create|update|get|delete]_encryption_policy)? These policies are added
in Stein.""")
in Stein."""),
cfg.BoolOpt('keystone_policy_enforcement_train',
default=True,
help="""Is the cloud running the Train release or newer? If
so, the Keystone Trust API is enforced differently depending on passed
arguments""")
]

View File

@ -94,7 +94,10 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@decorators.idempotent_id('d9a6fd06-08f6-462c-a86c-ce009adf1230')
@rbac_rule_validation.action(
service="keystone",
rules=["identity:delete_trust"])
rules=["identity:delete_trust"],
extra_target_data={
"target.trust.trustor_user_id": "os_primary.credentials.user_id"
})
def test_delete_trust(self):
trust = self.setup_test_trust(trustor_user_id=self.trustor_user_id,
trustee_user_id=self.trustee_user_id)
@ -107,14 +110,24 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
service="keystone",
rules=["identity:list_trusts"])
def test_list_trusts(self):
# Depending on the passed arguments to the list trusts API, different
# policy actions are enforced.
feature_flag = \
CONF.policy_feature_enabled.keystone_policy_enforcement_train
with self.override_role():
self.trusts_client.list_trusts(
trustor_user_id=self.trustor_user_id)
if feature_flag:
self.trusts_client.list_trusts()
else:
self.trusts_client.list_trusts(
trustor_user_id=self.trustor_user_id)
@decorators.idempotent_id('3c9ff92f-a73e-4f9b-8865-e017f38c70f5')
@rbac_rule_validation.action(
service="keystone",
rules=["identity:list_roles_for_trust"])
rules=["identity:list_roles_for_trust"],
extra_target_data={
"target.trust.trustor_user_id": "os_primary.credentials.user_id"
})
def test_list_roles_for_trust(self):
with self.override_role():
self.trusts_client.list_trust_roles(self.trust['id'])
@ -122,7 +135,10 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@decorators.idempotent_id('3bb4f97b-cecd-4c7d-ad10-b88ee6c5d573')
@rbac_rule_validation.action(
service="keystone",
rules=["identity:get_role_for_trust"])
rules=["identity:get_role_for_trust"],
extra_target_data={
"target.trust.trustor_user_id": "os_primary.credentials.user_id"
})
def test_show_trust_role(self):
with self.override_role():
self.trusts_client.show_trust_role(
@ -131,7 +147,10 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@decorators.idempotent_id('0184e0fb-641e-4b52-ab73-81c1ce6ca5c1')
@rbac_rule_validation.action(
service="keystone",
rules=["identity:get_trust"])
rules=["identity:get_trust"],
extra_target_data={
"target.trust.trustor_user_id": "os_primary.credentials.user_id"
})
def test_show_trust(self):
with self.override_role():
self.trusts_client.show_trust(self.trust['id'])

View File

@ -0,0 +1,7 @@
---
features:
- |
Added new feature flag called ``keystone_policy_enforcement_train`` under
the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts``
test backwards compatible, test the current release, and test the correct policy
action. The Keystone Trust API is enforced differently depending on passed arguments