Update designate-tempest-plugin "direction change"

The RBAC goal has changed[1] and system scope is no longer going to be
used. This patch updates the Designate tempest plugin to align with this change in
direction by removing the system scope from the policy tests.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

Change-Id: I4e5c56630d5cca96278fe67232519c067356da23
Michael Johnson 2023-03-31 00:36:20 +00:00
parent 759ee725b8
commit 288cdcf697
13 changed files with 56 additions and 105 deletions


@ -24,7 +24,8 @@
- project:
templates:
- designate-devstack-jobs
# Temporary removed to transition the scoped tokens job
# - designate-devstack-jobs
- check-requirements
- publish-openstack-docs-pti
- tempest-plugin-jobs
@ -36,3 +37,22 @@
- designate-bind9-stable-xena
- designate-bind9-stable-wallaby
- neutron-tempest-plugin-designate-scenario
# Temporary expand template to remove scoped tokens job that is changing
- designate-bind9
- designate-bind9-centos9stream-fips:
voting: false
- designate-bind9-centos-9-stream:
voting: false
- designate-pdns4
- designate-grenade-bind9
- designate-grenade-pdns4
- designate-ipv6-only-pdns4
- designate-ipv6-only-bind9
gate:
fail-fast: true
jobs:
- designate-bind9
- designate-pdns4
- designate-grenade-pdns4
- designate-ipv6-only-pdns4
- designate-ipv6-only-bind9
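Review bot: The scoped-tokens job is dropped from the check pipeline with only a "Temporary" comment and nothing that says when or how the `designate-devstack-jobs` template comes back, so the loss of that RBAC coverage has no owner in this file. I would extend the comment with a pointer, e.g. `# TODO(<owner>): re-enable designate-devstack-jobs once the scoped-tokens job is updated for the RBAC direction change`, so the temporary expansion of the template is not forgotten. Note also that the first hunk's header counts (-24,7 +24,8) do not reconcile with the lines rendered here, so a line may be missing from this view.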


@ -58,9 +58,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
self.assertExpected(blacklist, body, self.excluded_keys)
expected_allowed = ['os_admin']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_CUD_RBAC_enforcement('BlacklistsClient', 'create_blacklist',
expected_allowed, False)
@ -100,9 +98,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
LOG.info('Ensure the fetched response matches the created blacklist')
self.assertExpected(blacklist, body, self.excluded_keys)
expected_allowed = ['os_admin']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'BlacklistsClient', 'show_blacklist', expected_allowed, False,
@ -121,9 +117,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
# A blacklist delete returns an empty body
self.assertEqual(body.strip(), b"")
expected_allowed = ['os_admin']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'delete_blacklist', expected_allowed, False,
@ -141,9 +135,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
# TODO(pglass): Assert that the created blacklist is in the response
self.assertGreater(len(body['blacklists']), 0)
expected_allowed = ['os_admin']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'BlacklistsClient', 'list_blacklists',
@ -168,9 +160,7 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
self.assertEqual(pattern, body['pattern'])
self.assertEqual(description, body['description'])
expected_allowed = ['os_admin']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'update_blacklist', expected_allowed, False,
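Review bot: Dropping `os_system_reader` from the show_blacklist and list_blacklists expectations silently flips that credential from positively to negatively tested, and nothing in the hunk says the 403 is now intended. If check_list_show_RBAC_enforcement asserts that unlisted credentials are denied (the helper is not in this hunk), add a one-line comment above the first `expected_allowed = ['os_admin', 'os_system_admin']`, e.g. `# System scope is no longer supported: a system-scoped reader must be denied; only admin may read blacklists.` A reader hitting that 403 later will otherwise not know whether it is a regression.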


@ -102,10 +102,7 @@ class PoolAdminTest(BasePoolTest):
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
# TODO(johnsom) The pools API seems inconsistent with the requirement
# of the all-projects header.


@ -297,10 +297,7 @@ class RecordsetsTest(BaseRecordsetsTest):
self.zone['id'], recordset_id)
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True,


@ -73,10 +73,7 @@ class ServiceStatusAdmin(base.BaseDnsV2Test):
"services: {}".format(services_statuses_tup))
# Test RBAC
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ServiceClient', 'list_statuses', expected_allowed, False)


@ -122,7 +122,6 @@ class SharedZonesTest(BaseSharedZoneTest):
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
@ -175,7 +174,6 @@ class SharedZonesTest(BaseSharedZoneTest):
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
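Review bot: After `os_system_reader` is removed, `os_project_reader` is still appended to `expected_allowed` for a check_CUD_RBAC_enforcement call, so the test now encodes that a project-scoped reader may perform a mutating operation on a shared zone. If that is a status-code quirk like the one the transfer-accept test documents (the API answering 401 or 404 before the policy check), state it in a comment next to the append, e.g. `# project_reader is listed because this API rejects on target project before policy, not because readers may mutate`; if it is not, the test is normalising a least-privilege gap. The enclosing test method starts outside the hunk, so I cannot see which operation is exercised.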


@ -148,10 +148,7 @@ class TldAdminTest(BaseTldTest):
self.assertExpected(tld, body, self.excluded_keys)
# Test RBAC
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TldClient', 'show_tld', expected_allowed, False, tld['id'])
@ -191,10 +188,7 @@ class TldAdminTest(BaseTldTest):
self.assertGreater(len(body['tlds']), 0)
# Test RBAC
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TldClient', 'list_tlds', expected_allowed, [tld['id']],


@ -121,6 +121,9 @@ class TransferAcceptTest(BaseTransferAcceptTest):
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
# Note: system_reader is allowed because this API RBAC is based
# on the target project ID. It will return a 401 instead of
# a 403.
expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
@ -185,10 +188,7 @@ class TransferAcceptTest(BaseTransferAcceptTest):
True, transfer_accept['id'])
# Test RBAC with x-auth-all-projects
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@ -278,20 +278,14 @@ class TransferAcceptTest(BaseTransferAcceptTest):
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_RBAC_enforcement_count(
'TransferAcceptClient', 'list_transfer_accept',
expected_allowed, 0)
# Test that users who should see the zone, can see it.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferAcceptClient', 'list_transfer_accept',
@ -400,10 +394,7 @@ class TransferAcceptTest(BaseTransferAcceptTest):
self.wait_zone_delete, self.alt_zone_client, zone['id'])
# Test RBAC with x-auth-sudo-project-id header
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
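Review bot: The new comment admits that `os_system_reader` is listed as allowed only because the API returns 401 instead of 403, which means the test is pinning a wrong status code as expected behaviour: an authenticated caller that fails a policy check should get 403, and a 401 suggests the target-project path is raising the wrong error. I would keep the workaround but mark it so it is not fossilised, e.g. `# TODO(<owner>): drop system_reader from this list once the API returns 403 here (bug reference needed)`; the bug link has to come from the author since none is given here. The method this hunk belongs to starts outside the view.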


@ -160,20 +160,16 @@ class TransferRequestTest(BaseTransferRequestTest):
# Test RBAC
# Note: The create service client does not define a target project
# ID, so everyone should be able to see it.
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_system_admin', 'os_system_reader',
'os_project_member', 'os_project_reader'])
expected_allowed = ['os_admin', 'os_primary', 'os_alt',
'os_system_admin', 'os_system_reader',
'os_project_member', 'os_project_reader']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
True, transfer_request['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
@ -244,11 +240,8 @@ class TransferRequestTest(BaseTransferRequestTest):
self.assertExpected(transfer_request, body, excluded_keys)
# Test RBAC when a transfer target project is specified.
expected_allowed = ['os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_system_admin', 'os_project_member'])
else:
expected_allowed.append('os_admin')
expected_allowed = ['os_primary', 'os_alt', 'os_admin',
'os_system_admin', 'os_project_member']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
@ -304,8 +297,7 @@ class TransferRequestTest(BaseTransferRequestTest):
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin']
expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
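Review bot: The first `expected_allowed` list in this section now includes `os_system_reader`, `os_project_member` and `os_project_reader` unconditionally, whereas before they were only expected under enforce_new_defaults; if the RBAC helper fails rather than skips when one of those credentials is not provisioned on a legacy-defaults deployment, this test will start failing there. It is also the one place in the commit where `os_system_reader` survives, and the existing comment explains only the "no target project" half of that, so I would extend it: `# No target project on this request, so every authenticated caller, including a system-scoped reader, may show it.` The helper's handling of missing credentials is outside this hunk.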


@ -145,9 +145,7 @@ class TsigkeyAdminTest(BaseTsigkeyTest):
self.assertGreater(len(body['tsigkeys']), 0)
# Test RBAC
expected_allowed = ['os_admin']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TsigkeyClient', 'list_tsigkeys', expected_allowed,
[tsigkey['id']])
@ -409,9 +407,7 @@ class TsigkeyAdminTest(BaseTsigkeyTest):
self.assertExpected(tsigkey, body, self.excluded_keys)
# Test RBAC
expected_allowed = ['os_admin']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TsigkeyClient', 'show_tsigkey', expected_allowed, True,
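Review bot: Narrowing the readers of show_tsigkey and list_tsigkeys to admin credentials is the security-relevant assertion of this section — TSIG key objects presumably carry secret material — yet the hunk has no comment saying why `os_system_reader` was dropped, which invites someone to re-widen it later. A line above the first `expected_allowed = ['os_admin', 'os_system_admin']` such as `# TSIG keys are admin-only: system scope is unsupported, so a system-scoped reader must not be able to read them.` would record the intent. Whether an unprovisioned `os_system_admin` is skipped or fails depends on the helper, which is not in this hunk.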


@ -172,10 +172,7 @@ class ZonesTest(BaseZonesTest):
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, False, zone['id'],
@ -282,8 +279,7 @@ class ZonesTest(BaseZonesTest):
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin']
expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
@ -438,10 +434,7 @@ class ZonesTest(BaseZonesTest):
True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed,


@ -129,10 +129,7 @@ class ZonesExportTest(BaseZoneExportsTest):
zone_export['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@ -164,10 +161,7 @@ class ZonesExportTest(BaseZoneExportsTest):
zone_export['id'], listed_export_ids))
# Test RBAC with x-auth-sudo-project-id header
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@ -229,8 +223,7 @@ class ZonesExportTest(BaseZoneExportsTest):
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin']
expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']


@ -159,10 +159,7 @@ class ZonesImportTest(BaseZonesImportTest):
zone_import['id'])
# Test with x-auth-all-projects
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
@ -233,8 +230,7 @@ class ZonesImportTest(BaseZonesImportTest):
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin']
expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
@ -307,10 +303,7 @@ class ZonesImportTest(BaseZonesImportTest):
zone_import, resp_body['imports'][0], self.excluded_keys)
# Test with x-auth-sudo-project-id header
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin']
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,