Accommodate stable branches with scoped tokens
This patch updates the Designate tempest plugin to accommodate stable branches that still have keystone scoped tokens. The "Direction change"[1] means scoped tokens were dropped in the Bobcat (2023.2) release. However, the stable branches back to Wallaby will still have scoped tokens available as a configuration option. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change Change-Id: Ia57b5126dbc9fbe98cbcaa7ad0e11d36c21a14da
parent
1f63edcc33
commit
f4935ea128
|
@ -98,7 +98,10 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
|
|||
LOG.info('Ensure the fetched response matches the created blacklist')
|
||||
self.assertExpected(blacklist, body, self.excluded_keys)
|
||||
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'BlacklistsClient', 'show_blacklist', expected_allowed, False,
|
||||
|
@ -135,7 +138,10 @@ class BlacklistsAdminTest(BaseBlacklistsTest):
|
|||
# TODO(pglass): Assert that the created blacklist is in the response
|
||||
self.assertGreater(len(body['blacklists']), 0)
|
||||
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_IDs_RBAC_enforcement(
|
||||
'BlacklistsClient', 'list_blacklists',
|
||||
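Review bot: With scope enforcement on, the `show_blacklist` check expects `['os_system_admin', 'os_system_reader']` but the `list_blacklists` check in the second hunk expects only `['os_system_admin']`, and nothing in the hunk says why a reader may show a blacklist but not list them. The same split appears in the TldAdminTest hunks (`show_tld` vs `list_tlds`) and the TsigkeyAdminTest hunks (`show_tsigkey` vs `list_tsigkeys`). If the list helper treats every credential outside `expected_allowed` as one that must be denied (its body is not visible here), these tests would pin the reader role as forbidden on list calls, so the omission should be a documented decision. I would add above the scoped list assignment a comment such as `# os_system_reader is left out of the list check because <reason>; add it once that is resolved`, in the way the PoolAdminTest hunk records its reader-role TODO. Both test methods start and end outside the hunks.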
|
|
|
@ -102,7 +102,10 @@ class PoolAdminTest(BasePoolTest):
|
|||
# TODO(johnsom) Test reader roles once this bug is fixed.
|
||||
# https://bugs.launchpad.net/tempest/+bug/1964509
|
||||
# Test RBAC
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
# TODO(johnsom) The pools API seems inconsistent with the requirement
|
||||
# of the all-projects header.
|
||||
|
|
|
@ -297,7 +297,10 @@ class RecordsetsTest(BaseRecordsetsTest):
|
|||
self.zone['id'], recordset_id)
|
||||
|
||||
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'RecordsetClient', 'show_recordset', expected_allowed, True,
|
||||
|
|
|
@ -73,7 +73,10 @@ class ServiceStatusAdmin(base.BaseDnsV2Test):
|
|||
"services: {}".format(services_statuses_tup))
|
||||
|
||||
# Test RBAC
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ServiceClient', 'list_statuses', expected_allowed, False)
|
||||
|
|
|
@ -148,7 +148,10 @@ class TldAdminTest(BaseTldTest):
|
|||
self.assertExpected(tld, body, self.excluded_keys)
|
||||
|
||||
# Test RBAC
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TldClient', 'show_tld', expected_allowed, False, tld['id'])
|
||||
|
@ -188,7 +191,10 @@ class TldAdminTest(BaseTldTest):
|
|||
self.assertGreater(len(body['tlds']), 0)
|
||||
|
||||
# Test RBAC
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_IDs_RBAC_enforcement(
|
||||
'TldClient', 'list_tlds', expected_allowed, [tld['id']],
|
||||
|
|
|
@ -188,7 +188,10 @@ class TransferAcceptTest(BaseTransferAcceptTest):
|
|||
True, transfer_accept['id'])
|
||||
|
||||
# Test RBAC with x-auth-all-projects
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
|
||||
|
@ -278,14 +281,20 @@ class TransferAcceptTest(BaseTransferAcceptTest):
|
|||
|
||||
# Test RBAC - Users that are allowed to call list, but should get
|
||||
# zero zones.
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_RBAC_enforcement_count(
|
||||
'TransferAcceptClient', 'list_transfer_accept',
|
||||
expected_allowed, 0)
|
||||
|
||||
# Test that users who should see the zone, can see it.
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_IDs_RBAC_enforcement(
|
||||
'TransferAcceptClient', 'list_transfer_accept',
|
||||
|
@ -394,7 +403,10 @@ class TransferAcceptTest(BaseTransferAcceptTest):
|
|||
self.wait_zone_delete, self.alt_zone_client, zone['id'])
|
||||
|
||||
# Test RBAC with x-auth-sudo-project-id header
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
|
||||
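Review bot: The second hunk of this class computes `expected_allowed` twice with the identical four-line conditional, once before `check_list_RBAC_enforcement_count` and again before `check_list_IDs_RBAC_enforcement`, and the same conditional is repeated in every other hunk of this commit that expects `['os_system_admin']` under scope enforcement. Hand-copied role lists at each call site make it easy for one copy to drift, which in an RBAC test means a role quietly gaining or losing coverage. The second block could reuse the value already assigned (assuming the helper does not mutate the list), and the common case could be a single expression, `expected_allowed = (['os_system_admin'] if CONF.enforce_scope.designate else ['os_admin', 'os_system_admin'])`, or a shared helper on the base test class. A one-line comment stating why `os_admin` drops out of the list when scope is enforced would also help readers working on the stable branches.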
|
|
|
@ -169,7 +169,10 @@ class TransferRequestTest(BaseTransferRequestTest):
|
|||
True, transfer_request['id'])
|
||||
|
||||
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TransferRequestClient', 'show_transfer_request', expected_allowed,
|
||||
|
@ -240,8 +243,12 @@ class TransferRequestTest(BaseTransferRequestTest):
|
|||
self.assertExpected(transfer_request, body, excluded_keys)
|
||||
|
||||
# Test RBAC when a transfer target project is specified.
|
||||
expected_allowed = ['os_primary', 'os_alt', 'os_admin',
|
||||
'os_system_admin', 'os_project_member']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_primary', 'os_alt',
|
||||
'os_system_admin', 'os_project_member']
|
||||
else:
|
||||
expected_allowed = ['os_primary', 'os_alt', 'os_admin',
|
||||
'os_system_admin', 'os_project_member']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TransferRequestClient', 'show_transfer_request', expected_allowed,
|
||||
|
|
|
@ -145,7 +145,11 @@ class TsigkeyAdminTest(BaseTsigkeyTest):
|
|||
self.assertGreater(len(body['tsigkeys']), 0)
|
||||
|
||||
# Test RBAC
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_IDs_RBAC_enforcement(
|
||||
'TsigkeyClient', 'list_tsigkeys', expected_allowed,
|
||||
[tsigkey['id']])
|
||||
|
@ -407,7 +411,10 @@ class TsigkeyAdminTest(BaseTsigkeyTest):
|
|||
self.assertExpected(tsigkey, body, self.excluded_keys)
|
||||
|
||||
# Test RBAC
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin', 'os_system_reader']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'TsigkeyClient', 'show_tsigkey', expected_allowed, True,
|
||||
|
|
|
@ -172,7 +172,10 @@ class ZonesTest(BaseZonesTest):
|
|||
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
|
||||
|
||||
# Test with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZonesClient', 'show_zone', expected_allowed, False, zone['id'],
|
||||
|
@ -434,7 +437,10 @@ class ZonesTest(BaseZonesTest):
|
|||
True, zone['id'])
|
||||
|
||||
# Test with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZonesClient', 'show_zone_nameservers', expected_allowed,
|
||||
|
|
|
@ -129,7 +129,10 @@ class ZonesExportTest(BaseZoneExportsTest):
|
|||
zone_export['id'])
|
||||
|
||||
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
|
||||
|
@ -161,7 +164,10 @@ class ZonesExportTest(BaseZoneExportsTest):
|
|||
zone_export['id'], listed_export_ids))
|
||||
|
||||
# Test RBAC with x-auth-sudo-project-id header
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
|
||||
|
|
|
@ -159,7 +159,10 @@ class ZonesImportTest(BaseZonesImportTest):
|
|||
zone_import['id'])
|
||||
|
||||
# Test with x-auth-all-projects
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
|
||||
|
@ -303,7 +306,10 @@ class ZonesImportTest(BaseZonesImportTest):
|
|||
zone_import, resp_body['imports'][0], self.excluded_keys)
|
||||
|
||||
# Test with x-auth-sudo-project-id header
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
if CONF.enforce_scope.designate:
|
||||
expected_allowed = ['os_system_admin']
|
||||
else:
|
||||
expected_allowed = ['os_admin', 'os_system_admin']
|
||||
|
||||
self.check_list_show_RBAC_enforcement(
|
||||
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
|
||||
|
|