Some protection test cases have incorrect domain id setup

Bug #1533330 reported by Lance Bragstad
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

The IdentityTestv3CloudPolicySample test class has its own setup method, similar to other test classes. The setup method for IdentityTestv3CloudPolicySample loads in sample data that can be used throughout the tests in the module.

However, the IdentityTestv3CloudPolicySample setup method creates a domain in such a way that is incompatible with how domains are created in real world deployments. Keystone doesn't allow admins to specify domain_id on request, making it so keystone always issues uuid.hex formatted id strings for domain ids. The only domain that is the exception to this rule is the default domain id, which is specified in keystone's configuration.

The IdentityTestv3CloudPolicySample tests and setup should be refactored to not use 'admin_domain' and instead rely on actual domain ids created by keystone [0].

[0] https://github.com/openstack/keystone/blob/ae87c03813fa0a1bfcd9d690817c8d45ee76fcb1/keystone/tests/unit/test_v3_protection.py#L608-L609

tags: added: low-hanging-fruit test-improvement
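
Added example, not part of the original report or of keystone's code: a check that flags domain ids in test fixture data that keystone could not have issued under the rule described above, meaning anything that is neither a uuid.hex string nor the configured default domain id. The fixture layout, the function names, the sample values and the default domain id value of "default" are assumptions made for illustration.

```python
import re
import uuid

# uuid.uuid4().hex yields 32 lowercase hexadecimal characters, no dashes.
UUID_HEX = re.compile(r"[0-9a-f]{32}")


def is_issuable_domain_id(value, default_domain_id="default"):
    """True if the id is uuid.hex formatted or is the default domain id.

    default_domain_id="default" is an assumed configuration value.
    """
    if value == default_domain_id:
        return True
    return isinstance(value, str) and UUID_HEX.fullmatch(value) is not None


def find_bad_domain_ids(fixture, default_domain_id="default", path="fixture"):
    """Walk nested dicts/lists; return (path, value) for each suspect domain_id."""
    bad = []
    if isinstance(fixture, dict):
        for key, value in fixture.items():
            where = f"{path}.{key}"
            if key == "domain_id":
                if not is_issuable_domain_id(value, default_domain_id):
                    bad.append((where, value))
            else:
                bad.extend(find_bad_domain_ids(value, default_domain_id, where))
    elif isinstance(fixture, list):
        for index, item in enumerate(fixture):
            where = f"{path}[{index}]"
            bad.extend(find_bad_domain_ids(item, default_domain_id, where))
    return bad


# Constructed sample data (hypothetical layout, not keystone's real fixtures).
SAMPLE_FIXTURE = {
    "users": [
        {"name": "cloud_admin", "domain_id": "admin_domain"},     # hand-assigned
        {"name": "domain_admin", "domain_id": uuid.uuid4().hex},  # uuid.hex form
        {"name": "operator", "domain_id": "default"},             # default domain
    ],
    "projects": [{"name": "p1", "domain_id": str(uuid.uuid4())}],  # dashed form
}

if __name__ == "__main__":
    for where, value in find_bad_domain_ids(SAMPLE_FIXTURE):
        print(f"{where}: {value!r} is neither uuid.hex nor the default domain id")
```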
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/266571

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: New → In Progress
Henry Nash (henry-nash) wrote :

So the reason it is this way, is that this creates the cloud admin capability - as referenced in the v3cloudsample. This test had to be written this way otherwise we'd need to modify the policy file on the fly.

What I think should happen is that we switch to using the new admin_project/admin_domain as the cloud admin indicator...although I'm not sure the latter is yet implemented

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/266617

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Henry Nash (henry-nash)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/266571
Reason: Going to abandon this patch in favor of the one Henry proposed - https://review.openstack.org/#/c/266617/2

Changed in keystone:
assignee: Henry Nash (henry-nash) → Lance Bragstad (lbragstad)
Changed in keystone:
importance: Undecided → Medium
milestone: none → mitaka-2
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/266617
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5c0611eccd06d04697040b12f7225168efcb10ce
Submitter: Jenkins
Branch: master

commit 5c0611eccd06d04697040b12f7225168efcb10ce
Author: Henry Nash <email address hidden>
Date: Tue Jan 12 23:58:52 2016 +0000

    Update v3policysample tests to use admin_project not special domain_id

    We now support the special admin_project that can be used to grant
    cloud-wide powers. The tests on the v3cloudsample had been half
    updated to use this new facility, but in fact were still using the
    old "patch a domain id in the policy file" approach. As well as
    not testing the new functionality, the current tests were causing
    problems elsewhere since they used a non-UUID domain_id.

    Closes-Bug: #1533330
    Change-Id: Ic116cf8715130f6ed6bd5380c1b31d5ef0ca154d

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b2

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.
