Add project_reader in new RBAC tests

Tempest is fixing the bug#1964509 (depends-on) where
project_reader user will be created under the same project
as primary, project_member, project_admin users.

The 'primary', 'project_admin', 'project_member', and 'project_reader'
creds will be created in the same project. All the alt creds will be
created under new projects, so non-alt and alt creds use different
projects; for example, the 'project_alt_member' and 'project_member'
creds will be created in different projects.

Related-Bug: #1964509

Depends-On: https://review.opendev.org/c/openstack/tempest/+/871018
Change-Id: I143e69c1e150ddf7fa1757dea7bced6bff6739a9
Ghanshyam Mann 2023-01-19 23:20:09 -06:00 committed by Michael Johnson
parent 73065cdaca
commit ed18e74a69
6 changed files with 41 additions and 49 deletions


@ -233,10 +233,11 @@ class RecordsetsTest(BaseRecordsetsTest):
self.assertGreater(len(body), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_reader',
'os_project_member'])
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'list_recordset', expected_allowed, True,
@ -244,6 +245,9 @@ class RecordsetsTest(BaseRecordsetsTest):
# Test that users who should see the zone, can see it.
expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_reader',
'os_project_member'])
self.check_list_IDs_RBAC_enforcement(
'RecordsetClient', 'list_recordset',
@ -282,10 +286,11 @@ class RecordsetsTest(BaseRecordsetsTest):
LOG.info('Ensure the fetched response matches the expected one')
self.assertExpected(body, record, self.excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True,
@ -321,7 +326,7 @@ class RecordsetsTest(BaseRecordsetsTest):
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'delete_recordset', expected_allowed, True,
@ -374,7 +379,7 @@ class RecordsetsTest(BaseRecordsetsTest):
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, True,
@ -383,7 +388,7 @@ class RecordsetsTest(BaseRecordsetsTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, False,
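Review bot: The delete_recordset and update_recordset checks now list `os_project_member` as allowed but say nothing about `os_project_reader`, which after this change shares the primary project. Whether the reader is exercised as a denied persona depends on how `check_CUD_RBAC_enforcement` enumerates credentials, and that helper is outside these hunks; if it does not include the reader, a reader that can write would go unnoticed. A comment beside each list, for example `# os_project_reader shares this project and must be rejected`, would record the intent. The same applies to the update/delete hunks in the transfer request, zone, zone export and zone import sections, and each enclosing test method starts and ends outside its hunk.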


@ -174,10 +174,11 @@ class TransferAcceptTest(BaseTransferAcceptTest):
'created transfer_accept')
self.assertExpected(transfer_accept, body, self.excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@ -275,8 +276,6 @@ class TransferAcceptTest(BaseTransferAcceptTest):
self.assertEqual('COMPLETE', transfer_accept['status'])
transfer_request_ids.append(transfer_accept['id'])
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
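Review bot: The zero-result list that follows `if CONF.dns_feature_enabled.enforce_new_defaults:` in the last hunk is not visible, and the hunk's line counts suggest only the two TODO lines were removed there. The other list tests in this commit drop `os_project_member` and `os_project_reader` from the equivalent list because those personas now share the primary project. If this list still names either of them, it would presumably assert an empty result for users who can now see the transfer accepts, so it is worth confirming against the full file. The enclosing test method continues outside the hunk.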


@ -157,8 +157,6 @@ class TransferRequestTest(BaseTransferRequestTest):
'created transfer_request')
self.assertExpected(transfer_request, body, self.excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
# Note: The create service client does not define a target project
# ID, so everyone should be able to see it.
@ -245,12 +243,10 @@ class TransferRequestTest(BaseTransferRequestTest):
"project_id"]
self.assertExpected(transfer_request, body, excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC when a transfer target project is specified.
expected_allowed = ['os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
else:
expected_allowed.append('os_admin')
@ -305,14 +301,11 @@ class TransferRequestTest(BaseTransferRequestTest):
self.assertGreater(len(body['transfer_requests']), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin', 'os_project_member',
'os_project_reader']
'os_admin']
else:
expected_allowed = ['os_alt']
@ -461,7 +454,7 @@ class TransferRequestTest(BaseTransferRequestTest):
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'TransferRequestClient', 'update_transfer_request',
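Review bot: In the list hunk the new-defaults list shrinks to `['os_system_admin', 'os_system_reader', 'os_admin']`, so within the visible lines `os_project_member` and `os_project_reader` are no longer checked on the list call at all. Since they now share the primary project they should presumably see the transfer request, and a positive check like the `check_list_IDs_RBAC_enforcement` call used for recordsets would keep the reader's read access covered. The commit message also places the alt personas in separate projects, which makes them the natural candidates for the zero-result list. The same pattern appears in the list hunks of the zone, zone export and zone import sections; the enclosing test methods continue outside the hunks, so such a check may already exist below.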


@ -160,10 +160,11 @@ class ZonesTest(BaseZonesTest):
LOG.info('Ensure the fetched response matches the created zone')
self.assertExpected(zone, body, self.excluded_keys)
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test with no extra header overrides (all_projects, sudo-project-id)
expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
@ -194,7 +195,7 @@ class ZonesTest(BaseZonesTest):
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, True, zone['id'])
@ -202,7 +203,7 @@ class ZonesTest(BaseZonesTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, False, zone['id'],
@ -233,14 +234,11 @@ class ZonesTest(BaseZonesTest):
# present in the response.
self.assertGreater(len(body['zones']), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin', 'os_project_member',
'os_project_reader']
'os_admin']
else:
expected_allowed = ['os_alt']
@ -291,7 +289,7 @@ class ZonesTest(BaseZonesTest):
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, True,
@ -300,7 +298,7 @@ class ZonesTest(BaseZonesTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, False,
@ -384,10 +382,11 @@ class ZonesTest(BaseZonesTest):
pool_nameservers, zone_nameservers,
'Failed - Pool and Zone nameservers should be the same')
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed,
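Review bot: The persona lists are repeated as literals at every call site, and the read-side pair is written `['os_project_member', 'os_project_reader']` here but `['os_project_reader', 'os_project_member']` in the first two recordset hunks. The order probably does not matter to the helpers, but hand-copied lists in RBAC tests tend to drift, and a drifted list silently changes which personas are checked. Shared module-level names would keep the sites aligned, for instance a proposed `PROJECT_READ_PERSONAS = ['os_project_member', 'os_project_reader']` with call sites using `expected_allowed.extend(PROJECT_READ_PERSONAS)`.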


@ -118,10 +118,11 @@ class ZonesExportTest(BaseZoneExportsTest):
LOG.info('Ensure the fetched response matches the zone export')
self.assertExpected(zone_export, body, self.excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@ -188,7 +189,7 @@ class ZonesExportTest(BaseZoneExportsTest):
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, True,
@ -197,7 +198,7 @@ class ZonesExportTest(BaseZoneExportsTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, False,
@ -225,14 +226,11 @@ class ZonesExportTest(BaseZoneExportsTest):
self.assertGreater(len(body['exports']), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin', 'os_project_member',
'os_project_reader']
'os_admin']
else:
expected_allowed = ['os_alt']


@ -148,10 +148,11 @@ class ZonesImportTest(BaseZonesImportTest):
LOG.info('Ensure the fetched response matches the expected one')
self.assertExpected(zone_import, body, self.excluded_keys)
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test with no extra header overrides (all_projects, sudo-project-id)
expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, True,
@ -185,7 +186,7 @@ class ZonesImportTest(BaseZonesImportTest):
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, True,
@ -194,7 +195,7 @@ class ZonesImportTest(BaseZonesImportTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, False,
@ -229,14 +230,11 @@ class ZonesImportTest(BaseZonesImportTest):
self.assertGreater(len(body['imports']), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin', 'os_project_member',
'os_project_reader']
'os_admin']
else:
expected_allowed = ['os_alt']