Remove deprecated switch_role method

This is to remove the deprecated switch_role method from
rbac_utils module as it has been replaced by override_role
which is a superior way to manipulate the underlying role used
for querying API endpoints in Tempest.

Change-Id: Ibaffcd8cd0b62ad792b0ef5f9be4d33ec31e8c7a

HACKING.rst

@@ -39,25 +39,17 @@ The following are Patrole's specific Commandments:
 - [P103] ``self.client`` must not be used as a client alias; this allows for
          code that is more maintainable and easier to read
 
-Role Switching
---------------
+Role Overriding
+---------------
 
-Correct role switching is vital to correct RBAC testing within Patrole. If a
-test does not call ``rbac_utils.switch_role`` with ``toggle_rbac_role=True``
-within the RBAC test, then the test is *not* a valid RBAC test: The API
-endpoint under test will be performed with admin credentials, which is always
-wrong unless ``CONF.patrole.rbac_test_role`` is admin.
+Correct role overriding is vital to correct RBAC testing within Patrole. If a
+test does not call ``rbac_utils.override_role`` within the RBAC test, followed
+by the API endpoint that enforces the expected policy action, then the test is
+**not** a valid Patrole test: The API endpoint under test will be performed
+with admin role, which is always wrong unless ``CONF.patrole.rbac_test_role``
+is also admin.
 
-.. note::
+.. todo::
 
-    Switching back to the admin role for setup and clean up is automatically
-    performed. Toggling ``switch_role`` with ``toggle_rbac_role=False`` within
-    the context of a test should *never* be performed and doing so will likely
-    result in an error being thrown.
-..
-
-Patrole does not have a hacking check for role switching, but does use a
-built-in mechanism for verifying that role switching is being correctly
-executed across tests. If a test does not call ``switch_role`` with
-``toggle_rbac_role=True``, then an ``RbacResourceSetupFailed`` exception
-will be raised.
+    Patrole does not have a hacking check for role overriding, but one may be
+    added in the future.

patrole_tempest_plugin/rbac_rule_validation.py

@@ -105,9 +105,9 @@ def action(service, rule='', expected_error_code=403, extra_target_data=None):
         @rbac_rule_validation.action(
             service="nova", rule="os_compute_api:os-agents")
         def test_list_agents_rbac(self):
-            # The call to `switch_role` is mandatory.
-            self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-            self.agents_client.list_agents()
+            # The call to `override_role` is mandatory.
+            with self.rbac_utils.override_role(self):
+                self.agents_client.list_agents()
     """
 
     if extra_target_data is None:

patrole_tempest_plugin/rbac_utils.py

@@ -15,7 +15,6 @@
 
 import abc
 from contextlib import contextmanager
-import debtcollector.removals
 import six
 import time
 
@@ -107,20 +106,6 @@ class RbacUtils(object):
             # up.
             self._override_role(test_obj, False)
 
-    @debtcollector.removals.remove(removal_version='Rocky')
-    def switch_role(self, test_obj, toggle_rbac_role):
-        """Switch the role used by `os_primary` Tempest credentials.
-
-        Switch the role used by `os_primary` credentials to:
-
-        * admin if `toggle_rbac_role` is False
-        * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
-
-        :param test_obj: instance of :py:class:`tempest.test.BaseTestCase`
-        :param toggle_rbac_role: role to switch `os_primary` Tempest creds to
-        """
-        self._override_role(test_obj, toggle_rbac_role)
-
     def _override_role(self, test_obj, toggle_rbac_role=False):
         """Private helper for overriding ``os_primary`` Tempest credentials.
 

releasenotes/notes/remove-deprecated-switch-role-148c9a5c6796857f.yaml

@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The ``switch_role`` method in ``rbac_utils`` module has been removed
+    because it is a clunky way of manipulating Tempest roles to achieve
+    RBAC testing. Use ``override_role`` instead.