Commit Graph

6 Commits

Author SHA1 Message Date
Colleen Murphy 5e35efd55f Split protection unit tests into its own job
There are so many protection tests now, and for the moment they are so
inefficient, that running them all as part of our main unit test suite
for py27, py36, py37, and cover jobs yields a high rate of timeouts
which reduces our own development velocity and negatively impacts every
project that co-gates with keystone. This change splits the protection
tests into their own level of tests outside of the configured stestr
test_path and adds a separate tox environment and zuul job to run just
the protection tests on their own. Parallelizing these tests should help
alleviate the timeout issue while we work on making these tests more
efficient.

Change-Id: Ibb12053bd6864a153f7e3998dbd008b6eec4295b
2019-09-16 10:56:42 -07:00
Lance Bragstad 512f0b4f7b Add tests for project users interacting with roles
This commit introduces test coverage that explicitly shows how
project users are expected to behave with global role resources. A
subsequent patch will clean up the now obsolete policies in the
policy.v3cloudsample.json policy file.

Change-Id: Id0dc3022ab294e73aeaa87e130bea4809f8c982b
Partial-Bug: 1806713
2019-02-27 21:56:15 +00:00
Lance Bragstad 31eecfb2a4 Add tests for domain users interacting with roles
This commit adds explicit tests that show how domain users
are expected to behave with global roles. A subsequent patch
will do the same for project users.

Note that these changes are slightly different from the
policy.v3cloudsample.json role policies. In policy.v3cloudsample.json,
domain users were allowed to get and list global roles. So were
project users. This behavior is changing because global roles are
considered global resources of the deployment, and they should be
managed by system users. Domain users should be able to add and remove
domain-specific roles, which will come in a subsequent series of
patches. This approach is being taken because it is a safer default
for a system-level resource (roles) and still allows the same
functionality for domain users through domain-specific roles.

Change-Id: Ia1a7adf4431042ecea1b41e3c589c55112183ab5
Partial-Bug: 1806713
Partial-Bug: 1805400
2019-02-27 21:56:15 +00:00
Lance Bragstad 2ca4836a95 Update role policies for system admin
This change makes the policy definitions for admin role operations
consistent with other role policies. Subsequent patches will
incorporate:

 - domain user test coverage
 - project user test coverage

Change-Id: I35a2af10d47e000ee6257ce16c52c7e49a62b033
Related-Bug: 1806713
Closes-Bug: 1805402
2019-01-08 20:48:28 +00:00
Lance Bragstad dd9d06c637 Add role tests for system member role
From keystone's perspective, the ``member`` and ``reader`` roles are
effectively the same, isolating writable role operations to the
``admin`` role.

This commit adds explicit testing to make sure the ``member`` role is
allowed to perform readable and not writable role operations.
Subsequent patches will incorporate:

 - system admin functionality
 - domain user test coverage
 - project user test coverage

Change-Id: I2bc3b65b6ef16adaa95e6299ac205b26797f7185
Related-Bug: 1805402
Related-Bug: 1806713
2018-12-07 17:01:57 +00:00
Lance Bragstad 567f305b41 Update role policies for system reader
The role policies were not taking the default roles work we did last
release into account. This commit changes the default policies to rely
on the ``reader`` role for getting and listing roles. Subsequent
patches will incorporate:

 - system member test coverage
 - system admin functionality
 - domain user test coverage
 - project user test coverage

Change-Id: I3e373c437ff0ffddba10bde59fd7f18f8be6498c
Related-Bug: 1805402
Related-Bug: 1806713
2018-12-04 15:45:42 +00:00