Remove deprecated switch_role method
This is to remove the deprecated switch_role method from rbac_utils module as it has been replaced by override_role which is a superior way to manipulate the underlying role used for querying API endpoints in Tempest. Change-Id: Ibaffcd8cd0b62ad792b0ef5f9be4d33ec31e8c7a
This commit is contained in:
parent
2e6c54854e
commit
1c8620af7a
30
HACKING.rst
30
HACKING.rst
|
@ -39,25 +39,17 @@ The following are Patrole's specific Commandments:
|
|||
- [P103] ``self.client`` must not be used as a client alias; this allows for
|
||||
code that is more maintainable and easier to read
|
||||
|
||||
Role Switching
|
||||
--------------
|
||||
Role Overriding
|
||||
---------------
|
||||
|
||||
Correct role switching is vital to correct RBAC testing within Patrole. If a
|
||||
test does not call ``rbac_utils.switch_role`` with ``toggle_rbac_role=True``
|
||||
within the RBAC test, then the test is *not* a valid RBAC test: The API
|
||||
endpoint under test will be performed with admin credentials, which is always
|
||||
wrong unless ``CONF.patrole.rbac_test_role`` is admin.
|
||||
Correct role overriding is vital to correct RBAC testing within Patrole. If a
|
||||
test does not call ``rbac_utils.override_role`` within the RBAC test, followed
|
||||
by the API endpoint that enforces the expected policy action, then the test is
|
||||
**not** a valid Patrole test: The API endpoint under test will be performed
|
||||
with admin role, which is always wrong unless ``CONF.patrole.rbac_test_role``
|
||||
is also admin.
|
||||
|
||||
.. note::
|
||||
.. todo::
|
||||
|
||||
Switching back to the admin role for setup and clean up is automatically
|
||||
performed. Toggling ``switch_role`` with ``toggle_rbac_role=False`` within
|
||||
the context of a test should *never* be performed and doing so will likely
|
||||
result in an error being thrown.
|
||||
..
|
||||
|
||||
Patrole does not have a hacking check for role switching, but does use a
|
||||
built-in mechanism for verifying that role switching is being correctly
|
||||
executed across tests. If a test does not call ``switch_role`` with
|
||||
``toggle_rbac_role=True``, then an ``RbacResourceSetupFailed`` exception
|
||||
will be raised.
|
||||
Patrole does not have a hacking check for role overriding, but one may be
|
||||
added in the future.
|
||||
|
|
|
@ -105,9 +105,9 @@ def action(service, rule='', expected_error_code=403, extra_target_data=None):
|
|||
@rbac_rule_validation.action(
|
||||
service="nova", rule="os_compute_api:os-agents")
|
||||
def test_list_agents_rbac(self):
|
||||
# The call to `switch_role` is mandatory.
|
||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||
self.agents_client.list_agents()
|
||||
# The call to `override_role` is mandatory.
|
||||
with self.rbac_utils.override_role(self):
|
||||
self.agents_client.list_agents()
|
||||
"""
|
||||
|
||||
if extra_target_data is None:
|
||||
|
|
|
@ -15,7 +15,6 @@
|
|||
|
||||
import abc
|
||||
from contextlib import contextmanager
|
||||
import debtcollector.removals
|
||||
import six
|
||||
import time
|
||||
|
||||
|
@ -107,20 +106,6 @@ class RbacUtils(object):
|
|||
# up.
|
||||
self._override_role(test_obj, False)
|
||||
|
||||
@debtcollector.removals.remove(removal_version='Rocky')
|
||||
def switch_role(self, test_obj, toggle_rbac_role):
|
||||
"""Switch the role used by `os_primary` Tempest credentials.
|
||||
|
||||
Switch the role used by `os_primary` credentials to:
|
||||
|
||||
* admin if `toggle_rbac_role` is False
|
||||
* `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
|
||||
|
||||
:param test_obj: instance of :py:class:`tempest.test.BaseTestCase`
|
||||
:param toggle_rbac_role: role to switch `os_primary` Tempest creds to
|
||||
"""
|
||||
self._override_role(test_obj, toggle_rbac_role)
|
||||
|
||||
def _override_role(self, test_obj, toggle_rbac_role=False):
|
||||
"""Private helper for overriding ``os_primary`` Tempest credentials.
|
||||
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
The ``switch_role`` method in ``rbac_utils`` module has been removed
|
||||
because it is a clunky way of manipulating Tempest roles to achieve
|
||||
RBAC testing. Use ``override_role`` instead.
|
Loading…
Reference in New Issue