fix: admin, member, and reader gates broken
Recent changes in Keystone to move trust enforcement [0] to default policies is currently breaking several voting gates in Patrole. This commit updates the trusts_rbac tests to account for these changes. Additionally, 'test_list_trusts' is updated so that it does indeed test 'identity:list_trusts'. If a 'trustor_user_id' or 'trustee_user_id' is passed into list_trusts() then a different policy action will be enforced. A future commit will add tests for the actions added here [1]. Added new feature flag called ``keystone_policy_enforcement_train`` under the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts`` test backwards compatible, test the current release, and test the correct policy action. The Keystone Trust API is enforced differently depending on passed arguments. The new feature flag is needed so that all the voting gates pass, otherwise the 'test_list_trusts' is not backwards compatible and would not test the correct policy action in the current release. [0] https://review.opendev.org/#/q/topic:trust-policies+(status:open+OR+status:merged) [1] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py Change-Id: Ia5661e12977b26e1c16f09a074d1a805263c6c22
This commit is contained in:
parent
fe4e5fd7b5
commit
97fffede9e
|
@ -37,6 +37,12 @@ function install_patrole_tempest_plugin {
|
|||
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
|
||||
|
||||
# TODO(rb560u): Remove this once stable/pike becomes EOL.
|
||||
# Make the 'test_list_trusts' test backwards compatible.
|
||||
# The Keystone Trust API is enforced differently depending on passed
|
||||
# arguments
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
|
||||
fi
|
||||
|
||||
if [[ ${DEVSTACK_SERIES} == 'queens' ]]; then
|
||||
|
@ -54,12 +60,32 @@ function install_patrole_tempest_plugin {
|
|||
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
|
||||
|
||||
# TODO(rb560u): Remove this once stable/queens becomes EOL.
|
||||
# Make the 'test_list_trusts' test backwards compatible.
|
||||
# The Keystone Trust API is enforced differently depending on passed
|
||||
# arguments
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
|
||||
fi
|
||||
|
||||
if [[ ${DEVSTACK_SERIES} == 'rocky' ]]; then
|
||||
# TODO(cl566n): Policies used by Patrole testing. Remove these once stable/rocky becomes EOL.
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
|
||||
|
||||
# TODO(rb560u): Remove this once stable/rocky becomes EOL.
|
||||
# Make the 'test_list_trusts' test backwards compatible.
|
||||
# The Keystone Trust API is enforced differently depending on passed
|
||||
# arguments
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
|
||||
fi
|
||||
|
||||
if [[ ${DEVSTACK_SERIES} == 'stein' ]]; then
|
||||
# TODO(rb560u): Remove this once stable/stein becomes EOL.
|
||||
# Make the 'test_list_trusts' test backwards compatible.
|
||||
# The Keystone Trust API is enforced differently depending on passed
|
||||
# arguments
|
||||
iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
|
||||
fi
|
||||
|
||||
iniset $TEMPEST_CONFIG patrole rbac_test_roles $RBAC_TEST_ROLES
|
||||
|
|
|
@ -184,7 +184,12 @@ were removed in Stein."""),
|
|||
default=True,
|
||||
help="""Are the Cinder Stein policies available in the cloud
|
||||
(e.g. [create|update|get|delete]_encryption_policy)? These policies are added
|
||||
in Stein.""")
|
||||
in Stein."""),
|
||||
cfg.BoolOpt('keystone_policy_enforcement_train',
|
||||
default=True,
|
||||
help="""Is the cloud running the Train release or newer? If
|
||||
so, the Keystone Trust API is enforced differently depending on passed
|
||||
arguments""")
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -94,7 +94,10 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
|||
@decorators.idempotent_id('d9a6fd06-08f6-462c-a86c-ce009adf1230')
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rules=["identity:delete_trust"])
|
||||
rules=["identity:delete_trust"],
|
||||
extra_target_data={
|
||||
"target.trust.trustor_user_id": "os_primary.credentials.user_id"
|
||||
})
|
||||
def test_delete_trust(self):
|
||||
trust = self.setup_test_trust(trustor_user_id=self.trustor_user_id,
|
||||
trustee_user_id=self.trustee_user_id)
|
||||
|
@ -107,14 +110,24 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
|||
service="keystone",
|
||||
rules=["identity:list_trusts"])
|
||||
def test_list_trusts(self):
|
||||
# Depending on the passed arguments to the list trusts API, different
|
||||
# policy actions are enforced.
|
||||
feature_flag = \
|
||||
CONF.policy_feature_enabled.keystone_policy_enforcement_train
|
||||
with self.override_role():
|
||||
self.trusts_client.list_trusts(
|
||||
trustor_user_id=self.trustor_user_id)
|
||||
if feature_flag:
|
||||
self.trusts_client.list_trusts()
|
||||
else:
|
||||
self.trusts_client.list_trusts(
|
||||
trustor_user_id=self.trustor_user_id)
|
||||
|
||||
@decorators.idempotent_id('3c9ff92f-a73e-4f9b-8865-e017f38c70f5')
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rules=["identity:list_roles_for_trust"])
|
||||
rules=["identity:list_roles_for_trust"],
|
||||
extra_target_data={
|
||||
"target.trust.trustor_user_id": "os_primary.credentials.user_id"
|
||||
})
|
||||
def test_list_roles_for_trust(self):
|
||||
with self.override_role():
|
||||
self.trusts_client.list_trust_roles(self.trust['id'])
|
||||
|
@ -122,7 +135,10 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
|||
@decorators.idempotent_id('3bb4f97b-cecd-4c7d-ad10-b88ee6c5d573')
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rules=["identity:get_role_for_trust"])
|
||||
rules=["identity:get_role_for_trust"],
|
||||
extra_target_data={
|
||||
"target.trust.trustor_user_id": "os_primary.credentials.user_id"
|
||||
})
|
||||
def test_show_trust_role(self):
|
||||
with self.override_role():
|
||||
self.trusts_client.show_trust_role(
|
||||
|
@ -131,7 +147,10 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
|||
@decorators.idempotent_id('0184e0fb-641e-4b52-ab73-81c1ce6ca5c1')
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rules=["identity:get_trust"])
|
||||
rules=["identity:get_trust"],
|
||||
extra_target_data={
|
||||
"target.trust.trustor_user_id": "os_primary.credentials.user_id"
|
||||
})
|
||||
def test_show_trust(self):
|
||||
with self.override_role():
|
||||
self.trusts_client.show_trust(self.trust['id'])
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Added new feature flag called ``keystone_policy_enforcement_train`` under
|
||||
the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts``
|
||||
test backwards compatible, test the current release, and test the correct policy
|
||||
action. The Keystone Trust API is enforced differently depending on passed arguments
|
Loading…
Reference in New Issue