Update designate-tempest-plugin "direction change"
The RBAC goal has changed[1] and system scope is no longer going to be used. This patch updates the Designate tempest plugin to align with this change in direction by removing the system-scope expectations from the policy (RBAC) tests. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change Change-Id: I4e5c56630d5cca96278fe67232519c067356da23
This commit is contained in:
parent
759ee725b8
commit
288cdcf697
22
.zuul.yaml
22
.zuul.yaml
|
@ -24,7 +24,8 @@
|
|||
|
||||
- project:
|
||||
templates:
|
||||
- designate-devstack-jobs
|
||||
# Temporary removed to transition the scoped tokens job
|
||||
# - designate-devstack-jobs
|
||||
- check-requirements
|
||||
- publish-openstack-docs-pti
|
||||
- tempest-plugin-jobs
|
||||
|
@ -36,3 +37,22 @@
|
|||
- designate-bind9-stable-xena
|
||||
- designate-bind9-stable-wallaby
|
||||
- neutron-tempest-plugin-designate-scenario
|
||||
# Temporary expand template to remove scoped tokens job that is changing
|
||||
- designate-bind9
|
||||
- designate-bind9-centos9stream-fips:
|
||||
voting: false
|
||||
- designate-bind9-centos-9-stream:
|
||||
voting: false
|
||||
- designate-pdns4
|
||||
- designate-grenade-bind9
|
||||
- designate-grenade-pdns4
|
||||
- designate-ipv6-only-pdns4
|
||||
- designate-ipv6-only-bind9
|
||||
gate:
|
||||
fail-fast: true
|
||||
jobs:
|
||||
- designate-bind9
|
||||
- designate-pdns4
|
||||
- designate-grenade-pdns4
|
||||
- designate-ipv6-only-pdns4
|
||||
- designate-ipv6-only-bind9
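Review bot: The `# Temporary removed to transition the scoped tokens job` comment on the commented-out `designate-devstack-jobs` template and the `# Temporary expand template ...` comment before the inline job list give no reference for when the template is meant to return, so the inline copy will drift from the template silently. I'd tie both to a tracking change or bug and name the reverse step: `# TODO(<owner>): restore the designate-devstack-jobs template once the scoped-tokens job is updated (see <change/bug>) and delete the inline job list below.` If the template is re-enabled without removing the expansion, every job in it runs twice per change.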
|
||||
|
|
|
@ -58,9 +58,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
|
|||
|
||||
self.assertExpected(blacklist, body, self.excluded_keys)
|
||||
|
||||
expected_allowed = ['os_admin']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_CUD_RBAC_enforcement('BlacklistsClient', 'create_blacklist',
|
||||
expected_allowed, False)
|
||||
|
@ -100,9 +98,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
|
|||
LOG.info('Ensure the fetched response matches the created blacklist')
|
||||
self.assertExpected(blacklist, body, self.excluded_keys)
|
||||
|
||||
expected_allowed = ['os_admin']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'BlacklistsClient', 'show_blacklist', expected_allowed, False,
|
||||
|
@ -121,9 +117,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
|
|||
# A blacklist delete returns an empty body
|
||||
self.assertEqual(body.strip(), b"")
|
||||
|
||||
expected_allowed = ['os_admin']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_CUD_RBAC_enforcement(
|
||||
'BlacklistsClient', 'delete_blacklist', expected_allowed, False,
|
||||
|
@ -141,9 +135,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
|
|||
# TODO(pglass): Assert that the created blacklist is in the response
|
||||
self.assertGreater(len(body['blacklists']), 0)
|
||||
|
||||
expected_allowed = ['os_admin']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_IDs_RBAC_enforcement(
|
||||
'BlacklistsClient', 'list_blacklists',
|
||||
|
@ -168,9 +160,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
|
|||
self.assertEqual(pattern, body['pattern'])
|
||||
self.assertEqual(description, body['description'])
|
||||
|
||||
expected_allowed = ['os_admin']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_CUD_RBAC_enforcement(
|
||||
'BlacklistsClient', 'update_blacklist', expected_allowed, False,
|
||||
|
|
|
@ -102,10 +102,7 @@ class PoolAdminTest(BasePoolTest):
|
|||
# TODO(johnsom) Test reader roles once this bug is fixed.
|
||||
# https://bugs.launchpad.net/tempest/+bug/1964509
|
||||
# Test RBAC
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
# TODO(johnsom) The pools API seems inconsistent with the requirement
|
||||
# of the all-projects header.
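Review bot: The pre-existing `# TODO(johnsom) Test reader roles once this bug is fixed.` at the top of the hunk now sits directly above an `expected_allowed` that this change makes unconditional and admin-only, so the TODO no longer says what outcome a reader role should have when it is eventually tested. If readers are now expected to be denied on the pools API, as the removal of `os_system_reader` elsewhere in this change suggests, I'd update the TODO to say so, e.g. `# TODO(johnsom) Assert reader roles are denied once https://bugs.launchpad.net/tempest/+bug/1964509 is fixed.`; if the bug no longer applies after the direction change, drop it. The enclosing test method begins before and ends after this hunk.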
|
||||
|
|
|
@ -297,10 +297,7 @@ class RecordsetsTest(BaseRecordsetsTest):
|
|||
self.zone['id'], recordset_id)
|
||||
|
||||
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'RecordsetClient', 'show_recordset', expected_allowed, True,
|
||||
|
|
|
@ -73,10 +73,7 @@ class ServiceStatusAdmin(base.BaseDnsV2Test):
|
|||
"services: {}".format(services_statuses_tup))
|
||||
|
||||
# Test RBAC
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ServiceClient', 'list_statuses', expected_allowed, False)
|
||||
|
|
|
@ -122,7 +122,6 @@ class SharedZonesTest(BaseSharedZoneTest):
|
|||
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed.append('os_system_admin')
|
||||
expected_allowed.append('os_system_reader')
|
||||
expected_allowed.append('os_project_member')
|
||||
expected_allowed.append('os_project_reader')
|
||||
self.check_CUD_RBAC_enforcement(
|
||||
|
@ -175,7 +174,6 @@ class SharedZonesTest(BaseSharedZoneTest):
|
|||
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed.append('os_system_admin')
|
||||
expected_allowed.append('os_system_reader')
|
||||
expected_allowed.append('os_project_member')
|
||||
expected_allowed.append('os_project_reader')
|
||||
self.check_CUD_RBAC_enforcement(
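Review bot: Both hunks (`-122,7 +122,6` and `-175,7 +174,6`) remove exactly one line from the `if CONF.dns_feature_enabled.enforce_new_defaults:` block, and from the rendered page I cannot tell whether the surviving line is `expected_allowed.append('os_system_admin')` or `expected_allowed.append('os_system_reader')`; if it is the reader, a reader-role credential stays in the allowed list for `check_CUD_RBAC_enforcement`, i.e. a create/update/delete path. If a reader is expected to succeed there because the API answers with something other than 403 (as the note added in TransferAcceptTest says for that API), that deserves the same explanatory comment here; if not, the reader line should go as well. The enclosing test methods start before and end after these hunks.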
|
||||
|
|
|
@ -148,10 +148,7 @@ class TldAdminTest(BaseTldTest):
|
|||
self.assertExpected(tld, body, self.excluded_keys)
|
||||
|
||||
# Test RBAC
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TldClient', 'show_tld', expected_allowed, False, tld['id'])
|
||||
|
@ -191,10 +188,7 @@ class TldAdminTest(BaseTldTest):
|
|||
self.assertGreater(len(body['tlds']), 0)
|
||||
|
||||
# Test RBAC
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_IDs_RBAC_enforcement(
|
||||
'TldClient', 'list_tlds', expected_allowed, [tld['id']],
|
||||
|
|
|
@ -121,6 +121,9 @@ class TransferAcceptTest(BaseTransferAcceptTest):
|
|||
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed.append('os_system_admin')
|
||||
# Note: system_reader is allowed because this API RBAC is based
|
||||
# on the target project ID. It will return a 401 instead of
|
||||
# a 403.
|
||||
expected_allowed.append('os_system_reader')
|
||||
expected_allowed.append('os_project_member')
|
||||
expected_allowed.append('os_project_reader')
|
||||
|
@ -185,10 +188,7 @@ class TransferAcceptTest(BaseTransferAcceptTest):
|
|||
True, transfer_accept['id'])
|
||||
|
||||
# Test RBAC with x-auth-all-projects
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
|
||||
|
@ -278,20 +278,14 @@ class TransferAcceptTest(BaseTransferAcceptTest):
|
|||
|
||||
# Test RBAC - Users that are allowed to call list, but should get
|
||||
# zero zones.
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_RBAC_enforcement_count(
|
||||
'TransferAcceptClient', 'list_transfer_accept',
|
||||
expected_allowed, 0)
|
||||
|
||||
# Test that users who should see the zone, can see it.
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_IDs_RBAC_enforcement(
|
||||
'TransferAcceptClient', 'list_transfer_accept',
|
||||
|
@ -400,10 +394,7 @@ class TransferAcceptTest(BaseTransferAcceptTest):
|
|||
self.wait_zone_delete, self.alt_zone_client, zone['id'])
|
||||
|
||||
# Test RBAC with x-auth-sudo-project-id header
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
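Review bot: The added note `# Note: system_reader is allowed because this API RBAC is based on the target project ID. It will return a 401 instead of a 403.` puts a reader credential into `expected_allowed` to accommodate a status code, not because the reader should be permitted; as written the check would also pass if the API started returning 200 to `os_system_reader`. An authenticated caller that is denied by policy should get 403, and a 401 on an authenticated request looks like the service surfacing a policy decision as an authentication failure, which is worth filing against the API rather than absorbing in the test. I'd either teach the RBAC helper to treat 401 as a denial, or assert the exact status for that credential, and reword the comment as a workaround, e.g. `# TODO: system_reader gets 401 (not 403) here; listed as allowed only so the helper does not fail - fix and remove.` The enclosing test method begins before this hunk.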
|
||||
|
|
|
@ -160,20 +160,16 @@ class TransferRequestTest(BaseTransferRequestTest):
|
|||
# Test RBAC
|
||||
# Note: The create service client does not define a target project
|
||||
# ID, so everyone should be able to see it.
|
||||
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed.extend(['os_system_admin', 'os_system_reader',
|
||||
'os_project_member', 'os_project_reader'])
|
||||
expected_allowed = ['os_admin', 'os_primary', 'os_alt',
|
||||
'os_system_admin', 'os_system_reader',
|
||||
'os_project_member', 'os_project_reader']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TransferRequestClient', 'show_transfer_request', expected_allowed,
|
||||
True, transfer_request['id'])
|
||||
|
||||
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TransferRequestClient', 'show_transfer_request', expected_allowed,
|
||||
|
@ -244,11 +240,8 @@ class TransferRequestTest(BaseTransferRequestTest):
|
|||
self.assertExpected(transfer_request, body, excluded_keys)
|
||||
|
||||
# Test RBAC when a transfer target project is specified.
|
||||
expected_allowed = ['os_primary', 'os_alt']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed.extend(['os_system_admin', 'os_project_member'])
|
||||
else:
|
||||
expected_allowed.append('os_admin')
|
||||
expected_allowed = ['os_primary', 'os_alt', 'os_admin',
|
||||
'os_system_admin', 'os_project_member']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TransferRequestClient', 'show_transfer_request', expected_allowed,
|
||||
|
@ -304,8 +297,7 @@ class TransferRequestTest(BaseTransferRequestTest):
|
|||
# Test RBAC - Users that are allowed to call list, but should get
|
||||
# zero zones.
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader',
|
||||
'os_admin']
|
||||
expected_allowed = ['os_system_admin', 'os_admin']
|
||||
else:
|
||||
expected_allowed = ['os_alt']
|
||||
|
||||
|
|
|
@ -145,9 +145,7 @@ class TsigkeyAdminTest(BaseTsigkeyTest):
|
|||
self.assertGreater(len(body['tsigkeys']), 0)
|
||||
|
||||
# Test RBAC
|
||||
expected_allowed = ['os_admin']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
self.check_list_IDs_RBAC_enforcement(
|
||||
'TsigkeyClient', 'list_tsigkeys', expected_allowed,
|
||||
[tsigkey['id']])
|
||||
|
@ -409,9 +407,7 @@ class TsigkeyAdminTest(BaseTsigkeyTest):
|
|||
self.assertExpected(tsigkey, body, self.excluded_keys)
|
||||
|
||||
# Test RBAC
|
||||
expected_allowed = ['os_admin']
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TsigkeyClient', 'show_tsigkey', expected_allowed, True,
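Review bot: Dropping `os_system_reader` from the `list_tsigkeys` and `show_tsigkey` expectations makes these tests assert that reader credentials cannot read TSIG keys, which is the right direction if the responses carry the key secret, but the bare `# Test RBAC` comment does not say why readers are excluded here while the commit message only talks about system scope. I'd expand it to `# Test RBAC - TSIG key bodies presumably include the secret, so read access is admin-only; reader roles must be denied` (confirm against the client's response fields). Both hunks are inside test methods that start and end outside the hunk.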
|
||||
|
|
|
@ -172,10 +172,7 @@ class ZonesTest(BaseZonesTest):
|
|||
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
|
||||
|
||||
# Test with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZonesClient', 'show_zone', expected_allowed, False, zone['id'],
|
||||
|
@ -282,8 +279,7 @@ class ZonesTest(BaseZonesTest):
|
|||
# Test RBAC - Users that are allowed to call list, but should get
|
||||
# zero zones.
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader',
|
||||
'os_admin']
|
||||
expected_allowed = ['os_system_admin', 'os_admin']
|
||||
else:
|
||||
expected_allowed = ['os_alt']
|
||||
|
||||
|
@ -438,10 +434,7 @@ class ZonesTest(BaseZonesTest):
|
|||
True, zone['id'])
|
||||
|
||||
# Test with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZonesClient', 'show_zone_nameservers', expected_allowed,
|
||||
|
|
|
@ -129,10 +129,7 @@ class ZonesExportTest(BaseZoneExportsTest):
|
|||
zone_export['id'])
|
||||
|
||||
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
|
||||
|
@ -164,10 +161,7 @@ class ZonesExportTest(BaseZoneExportsTest):
|
|||
zone_export['id'], listed_export_ids))
|
||||
|
||||
# Test RBAC with x-auth-sudo-project-id header
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
|
||||
|
@ -229,8 +223,7 @@ class ZonesExportTest(BaseZoneExportsTest):
|
|||
# Test RBAC - Users that are allowed to call list, but should get
|
||||
# zero zones.
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader',
|
||||
'os_admin']
|
||||
expected_allowed = ['os_system_admin', 'os_admin']
|
||||
else:
|
||||
expected_allowed = ['os_alt']
|
||||
|
||||
|
|
|
@ -159,10 +159,7 @@ class ZonesImportTest(BaseZonesImportTest):
|
|||
zone_import['id'])
|
||||
|
||||
# Test with x-auth-all-projects
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
|
||||
|
@ -233,8 +230,7 @@ class ZonesImportTest(BaseZonesImportTest):
|
|||
# Test RBAC - Users that are allowed to call list, but should get
|
||||
# zero zones.
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader',
|
||||
'os_admin']
|
||||
expected_allowed = ['os_system_admin', 'os_admin']
|
||||
else:
|
||||
expected_allowed = ['os_alt']
|
||||
|
||||
|
@ -307,10 +303,7 @@ class ZonesImportTest(BaseZonesImportTest):
|
|||
zone_import, resp_body['imports'][0], self.excluded_keys)
|
||||
|
||||
# Test with x-auth-sudo-project-id header
|
||||
if CONF.dns_feature_enabled.enforce_new_defaults:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin']
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
|
||||
|
|