There are so many protection tests now, and for the moment they are so
inefficient, that running them all as part of our main unit test suite
for py27, py36, py37, and cover jobs yields a high rate of timeouts
which reduces our own development velocity and negatively impacts every
project that co-gates with keystone. This change splits the protection
tests into their own level of tests outside of the configured stestr
test_path and adds a separate tox environment and zuul job to run just
the protection tests on their own. Parallelizing these tests should help
alleviate the timeout issue while we work on making these tests more
efficient.
Change-Id: Ibb12053bd6864a153f7e3998dbd008b6eec4295b
This commit introduces some tests that explicitly show how project
users are expected to behave with the registered limits API. A
subsequent patch will clean up the now obsolete policies in the
policy.v3cloudsample.json policy file.
Related-Bug: 1805880
Change-Id: I66c1d1273dae98f32802de244eb220bf998f9070
This commit adds domain-scope to the scope_types for registered limit
policies, allowing domain users to access those API when enforce_scope
is enabled. This commit also introduces some tests that explicitly
show how domain users are expected to behave with the registered
limits API. A subsequent patch will do the same for project users.
Change-Id: I7a04e1e2fc585340c9e061c915461ab13b9abec2
Related-Bug: 1805880
This change makes the policy definitions for admin registered limit
operations consistent with the other registered limit
policies. Subsequent patches will incorporate:
- domain user test coverage
- project user test coverage
Change-Id: If0352220670fdf5c98d0820309817416466b1466
Related-Bug: 1805372
Related-Bug: 1805880
From keystone-perspective, the ``member`` and ``reader`` roles are
effectively the same, isolating writeable registered limit operations
to the ``admin`` role.
This commit adds explicit testing to make sure the ``member`` role
is allowed to perform readable and not writable registered limits
operations. Subsequent patches will incorporate:
- system admin functionality
- testing for domain users
- testing for project users
Change-Id: I6c428422f09e788faf2179d24cc01eb1ab623b64
Related-Bug: 1805372
Related-Bug: 1805880
This commit creates a set of sets that we can reuse across different
default roles and scopes to ensure everyone has access to registered
limit information. Subsequent patches will make sure we build on this
by incorporating default roles for:
- system member test coverage
- system admin functionality
- domain user test coverage
- project users test coverage
Change-Id: Ibb28ec8f85bad6df531cffc7ba2c5f879e96d297
Related-Bug: 1805372
Related-Bug: 1805880
Colleen Murphy