openstack
/
designate-tempest-plugin
Code Issues Proposed changes

Accommodate stable branches with scoped tokens 

This patch updates the Designate tempest plugin to accommodate stable
branches that still have keystone scoped tokens. The "Direction
change"[1] means scoped tokens were dropped in the Bobcat (2023.2)
release. However the stable branches back to Wallaby will still have
scoped tokens available as a configuration option.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

Change-Id: Ia57b5126dbc9fbe98cbcaa7ad0e11d36c21a14da
This commit is contained in:
Michael Johnson 2023-04-11 16:53:59 +00:00
parent 1f63edcc33
commit f4935ea128
11 changed files with 87 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
designate_tempest_plugin/tests/api/v2/test_blacklists.py
View File

@ -98,7 +98,10 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
LOG.info('Ensure the fetched response matches the created blacklist')
self.assertExpected(blacklist, body, self.excluded_keys)
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'BlacklistsClient', 'show_blacklist', expected_allowed, False,
@ -135,7 +138,10 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
# TODO(pglass): Assert that the created blacklist is in the response
self.assertGreater(len(body['blacklists']), 0)
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'BlacklistsClient', 'list_blacklists',

5
designate_tempest_plugin/tests/api/v2/test_pool.py
View File

@ -102,7 +102,10 @@ class PoolAdminTest(BasePoolTest):
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
# TODO(johnsom) The pools API seems inconsistent with the requirement
# of the all-projects header.

5
designate_tempest_plugin/tests/api/v2/test_recordset.py
View File

@ -297,7 +297,10 @@ class RecordsetsTest(BaseRecordsetsTest):
self.zone['id'], recordset_id)
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True,

5
designate_tempest_plugin/tests/api/v2/test_service_statuses.py
View File

@ -73,7 +73,10 @@ class ServiceStatusAdmin(base.BaseDnsV2Test):
"services: {}".format(services_statuses_tup))
# Test RBAC
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ServiceClient', 'list_statuses', expected_allowed, False)

10
designate_tempest_plugin/tests/api/v2/test_tld.py
View File

@ -148,7 +148,10 @@ class TldAdminTest(BaseTldTest):
self.assertExpected(tld, body, self.excluded_keys)
# Test RBAC
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TldClient', 'show_tld', expected_allowed, False, tld['id'])
@ -188,7 +191,10 @@ class TldAdminTest(BaseTldTest):
self.assertGreater(len(body['tlds']), 0)
# Test RBAC
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TldClient', 'list_tlds', expected_allowed, [tld['id']],

20
designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
View File

@ -188,7 +188,10 @@ class TransferAcceptTest(BaseTransferAcceptTest):
True, transfer_accept['id'])
# Test RBAC with x-auth-all-projects
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@ -278,14 +281,20 @@ class TransferAcceptTest(BaseTransferAcceptTest):
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_RBAC_enforcement_count(
'TransferAcceptClient', 'list_transfer_accept',
expected_allowed, 0)
# Test that users who should see the zone, can see it.
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferAcceptClient', 'list_transfer_accept',
@ -394,7 +403,10 @@ class TransferAcceptTest(BaseTransferAcceptTest):
self.wait_zone_delete, self.alt_zone_client, zone['id'])
# Test RBAC with x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,

13
designate_tempest_plugin/tests/api/v2/test_transfer_request.py
View File

@ -169,7 +169,10 @@ class TransferRequestTest(BaseTransferRequestTest):
True, transfer_request['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
@ -240,8 +243,12 @@ class TransferRequestTest(BaseTransferRequestTest):
self.assertExpected(transfer_request, body, excluded_keys)
# Test RBAC when a transfer target project is specified.
expected_allowed = ['os_primary', 'os_alt', 'os_admin',
'os_system_admin', 'os_project_member']
if CONF.enforce_scope.designate:
expected_allowed = ['os_primary', 'os_alt',
'os_system_admin', 'os_project_member']
else:
expected_allowed = ['os_primary', 'os_alt', 'os_admin',
'os_system_admin', 'os_project_member']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,

11
designate_tempest_plugin/tests/api/v2/test_tsigkey.py
View File

@ -145,7 +145,11 @@ class TsigkeyAdminTest(BaseTsigkeyTest):
self.assertGreater(len(body['tsigkeys']), 0)
# Test RBAC
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TsigkeyClient', 'list_tsigkeys', expected_allowed,
[tsigkey['id']])
@ -407,7 +411,10 @@ class TsigkeyAdminTest(BaseTsigkeyTest):
self.assertExpected(tsigkey, body, self.excluded_keys)
# Test RBAC
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TsigkeyClient', 'show_tsigkey', expected_allowed, True,

10
designate_tempest_plugin/tests/api/v2/test_zones.py
View File

@ -172,7 +172,10 @@ class ZonesTest(BaseZonesTest):
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, False, zone['id'],
@ -434,7 +437,10 @@ class ZonesTest(BaseZonesTest):
True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed,

10
designate_tempest_plugin/tests/api/v2/test_zones_exports.py
View File

@ -129,7 +129,10 @@ class ZonesExportTest(BaseZoneExportsTest):
zone_export['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@ -161,7 +164,10 @@ class ZonesExportTest(BaseZoneExportsTest):
zone_export['id'], listed_export_ids))
# Test RBAC with x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,

10
designate_tempest_plugin/tests/api/v2/test_zones_imports.py
View File

@ -159,7 +159,10 @@ class ZonesImportTest(BaseZonesImportTest):
zone_import['id'])
# Test with x-auth-all-projects
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
@ -303,7 +306,10 @@ class ZonesImportTest(BaseZonesImportTest):
zone_import, resp_body['imports'][0], self.excluded_keys)
# Test with x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_system_admin']
if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,