Enforce scope in RBAC testing
Ensure that the Barbican service is configured to use scoped tokens when checking RBAC policy. Depends-On: Id399d2220118efe1033426c658d1834cbff02f94 Change-Id: Id7aa02ea4862242fa34140166d634f30af721c22
parent
ced0ebe88f
commit
e20bc47982
|
@ -63,6 +63,7 @@
|
||||||
$BARBICAN_CONF:
|
$BARBICAN_CONF:
|
||||||
oslo_policy:
|
oslo_policy:
|
||||||
enforce_new_defaults: True
|
enforce_new_defaults: True
|
||||||
|
enforce_scope: True
|
||||||
test-config:
|
test-config:
|
||||||
$TEMPEST_CONFIG:
|
$TEMPEST_CONFIG:
|
||||||
# FIXME(redrobot): Tempest errors out when you try to create a
|
# FIXME(redrobot): Tempest errors out when you try to create a
|
||||||
|
|
|
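Review bot: The Tempest-side flag that should mirror the new `enforce_scope: True` is not visible in this hunk. The `skip_checks` added to the quotas test reads `CONF.barbican_rbac_scope_verification.enforce_scope`, so if that option is left at its default while Barbican enforces scope, the project quota tests will run with project-scoped credentials and fail instead of being skipped. It may already be set further down under `$TEMPEST_CONFIG`, outside the hunk, or by the Depends-On change. If it is not, add `barbican_rbac_scope_verification:` with `enforce_scope: True` there so the service and the test plugin cannot drift apart. A short comment next to the `oslo_policy` entry saying the two flags must be changed together would help later edits.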
@ -24,7 +24,7 @@ class QuotasTest(base.BaseKeyManagerTest):
|
||||||
"""Quotas API tests."""
|
"""Quotas API tests."""
|
||||||
|
|
||||||
@decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
|
@decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
|
||||||
def test_create_get_delete_quota(self):
|
def test_get_effective_quota(self):
|
||||||
# Verify the default quota settings
|
# Verify the default quota settings
|
||||||
body = self.quota_client.get_default_project_quota()
|
body = self.quota_client.get_default_project_quota()
|
||||||
quotas = body.get('quotas')
|
quotas = body.get('quotas')
|
||||||
|
@ -34,6 +34,20 @@ class QuotasTest(base.BaseKeyManagerTest):
|
||||||
self.assertEqual(-1, quotas.get('containers'))
|
self.assertEqual(-1, quotas.get('containers'))
|
||||||
self.assertEqual(-1, quotas.get('consumers'))
|
self.assertEqual(-1, quotas.get('consumers'))
|
||||||
|
|
||||||
|
|
||||||
|
class ProjectQuotasTest(base.BaseKeyManagerTest):
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def skip_checks(cls):
|
||||||
|
super().skip_checks()
|
||||||
|
if CONF.barbican_rbac_scope_verification.enforce_scope:
|
||||||
|
# These tests can't be run with the new RBAC rules because
|
||||||
|
# the APIs they're testing require system-scoped credentials
|
||||||
|
# instead of the project-scoped credentials used here.
|
||||||
|
raise cls.skipException("enforce_scope is enabled for barbican, "
|
||||||
|
"skipping project quota tests.")
|
||||||
|
|
||||||
|
def test_manage_project_quotas(self):
|
||||||
# Confirm that there are no quotas
|
# Confirm that there are no quotas
|
||||||
body = self.quota_client.list_quotas()
|
body = self.quota_client.list_quotas()
|
||||||
self.assertEqual(0, body.get('total'), body)
|
self.assertEqual(0, body.get('total'), body)
|
||||||
|
|
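Review bot: With `enforce_scope` on, the new `ProjectQuotasTest.skip_checks` skips every project quota test, so the job this commit configures never exercises the quota management API under the policy it is meant to enforce. The comment says those APIs need system-scoped credentials. A follow-up should call `list_quotas()` with a system-scoped client, and assert that the project-scoped client is refused, so the deny path is verified rather than assumed. Separately, the new `test_manage_project_quotas` has no `@decorators.idempotent_id(...)` in the added lines, while `test_get_effective_quota` keeps the original one. Give it its own, e.g. `@decorators.idempotent_id('<new-uuid4>')` (placeholder, generate a fresh value). The body of `test_manage_project_quotas` continues outside the hunk.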