Patrole

Unnecessary use of admin namespace throughout Patrole test classes

Bug #1672250 reported by Felipe Monteiro
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Patrole
Fix Released
Wishlist
Felipe Monteiro

Bug Description

In Tempest, it is meaningful to separate admin and non-admin tests into different classes and files, because Tempest must use clients with admin credentials to perform admin-only API calls, like changing an admin password. More specifically, Tempest must use the os_adm/os_admin-namespace clients (instantiated with admin credentials) to perform these tests; else 403s are thrown.

Patrole, on the other hand, doesn't need to use os_adm/os_admin-namespace clients, because of the fact that role-switching is performed to grant the os-namespace clients sufficient credentials to perform the admin action when rbac_test_role == admin. And if rbac_test_role != admin, then the Patrole test will still pass, because the if rbac_test_role != admin and a 403 is thrown, Patrole treats this as a successful negative test case.

Thus, all namespaces (files, folders and classes) that contain "admin" should be renamed, if the non-admin version does not already exist. If the admin version and non-admin version tests both exist, then the admin version should be removed.

See original description
Felipe Monteiro (fm577c)
description: updated
description: updated
Revision history for this message
Mh Raies (raiesmh08) wrote :

Thanks Felipe for filing this bug explicitly.
This is really interesting.
I had asked Samantha also long back that we should not write explicit admin tests. This is not required as a part of RBAC framework but was not entertained much about this.
That time I was planning to work on this as a part component wise code cleanup blueprint https://blueprints.launchpad.net/patrole/+spec/cleanup-as-a-result-of-framework-change/
I am adding this bug in "related bugs" field of blueprint.
Let us work on this blueprint in parallel to strengthen the Rbac framework.

Changed in patrole:
status: New → Confirmed
Felipe Monteiro (fm577c)
Changed in patrole:
importance: Undecided → Wishlist
Felipe Monteiro (fm577c)
Changed in patrole:
assignee: nobody → Felipe Monteiro (fm577c)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to patrole (master)

Fix proposed to branch: master
Review: https://review.openstack.org/454275

Changed in patrole:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/455009

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/455010

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to patrole (master)

Reviewed: https://review.openstack.org/454275
Committed: https://git.openstack.org/cgit/openstack/patrole/commit/?id=9909ac6d33f54f6a8487757d653e232ffc759dad
Submitter: Jenkins
Branch: master

commit 9909ac6d33f54f6a8487757d653e232ffc759dad
Author: Felipe Monteiro <email address hidden>
Date: Fri Apr 7 21:12:36 2017 +0100

    Remove admin namespace throughout Patrole - Nova tests

    In Tempest, it is meaningful to separate admin and non-admin
    tests into different classes and files, because Tempest
    must use clients with admin credentials to perform admin-only
    API calls, like changing an admin password. More specifically,
    Tempest must use the os_adm/os_admin-namespace clients
    (instantiated with admin credentials) to perform these tests;
    else 403s are thrown.

    Patrole, on the other hand, doesn't need to use
    os_adm/os_admin-namespace clients, because of the fact that
    role-switching is performed to grant the os-namespace
    clients sufficient credentials to perform API actions that
    require admin credentials during setting up and cleaning up
    test resources. Thus, the distinction between admin and
    non-admin is not important in Patrole, as role-switching
    means that at different points in time the clients have admin
    and non-admin credentials.

    Thus, all namespaces (files, folders and classes) that contain
    "admin" should be renamed, if the non-admin version does not
    already exist. If the admin version and non-admin version
    tests both exist, then the admin version should be removed and
    its tests merged with the non-admin version.

    Change-Id: I4bc55c7e1c8b7391fb11baf35987ace1c4080ef1
    Partial-Bug: #1672250

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/455010
Committed: https://git.openstack.org/cgit/openstack/patrole/commit/?id=706fd34fcc75bba9dc868b9566f50ffa4fa9e940
Submitter: Jenkins
Branch: master

commit 706fd34fcc75bba9dc868b9566f50ffa4fa9e940
Author: Felipe Monteiro <email address hidden>
Date: Sat Apr 8 19:31:04 2017 +0100

    Remove admin namespace throughout Patrole - Volume tests

    In Tempest, it is meaningful to separate admin and non-admin
    tests into different classes and files, because Tempest
    must use clients with admin credentials to perform admin-only
    API calls, like changing an admin password. More specifically,
    Tempest must use the os_adm/os_admin-namespace clients
    (instantiated with admin credentials) to perform these tests;
    else 403s are thrown.

    Patrole, on the other hand, doesn't need to use
    os_adm/os_admin-namespace clients, because of the fact that
    role-switching is performed to grant the os-namespace
    clients sufficient credentials to perform API actions that
    require admin credentials during setting up and cleaning up
    test resources. Thus, the distinction between admin and
    non-admin is not important in Patrole, as role-switching
    means that at different points in time the clients have admin
    and non-admin credentials.

    Thus, all namespaces (files, folders and classes) that contain
    "admin" should be renamed, if the non-admin version does not
    already exist. If the admin version and non-admin version
    tests both exist, then the admin version should be removed and
    its tests merged with the non-admin version.

    Depends-On: I8c3944e766210a31aa684e29c45e39470b738640
    Change-Id: I417fa0d29fc06b04582cdac24608b0373db6aacb
    Partial-Bug: #1672250

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/455009
Committed: https://git.openstack.org/cgit/openstack/patrole/commit/?id=6a99c56bb4e28f4c6984b8c3a9c2d3afdb544791
Submitter: Jenkins
Branch: master

commit 6a99c56bb4e28f4c6984b8c3a9c2d3afdb544791
Author: Felipe Monteiro <email address hidden>
Date: Sat Apr 8 19:13:55 2017 +0100

    Remove admin namespace throughout Patrole - Identity tests

    In Tempest, it is meaningful to separate admin and non-admin
    tests into different classes and files, because Tempest
    must use clients with admin credentials to perform admin-only
    API calls, like changing an admin password. More specifically,
    Tempest must use the os_adm/os_admin-namespace clients
    (instantiated with admin credentials) to perform these tests;
    else 403s are thrown.

    Patrole, on the other hand, doesn't need to use
    os_adm/os_admin-namespace clients, because of the fact that
    role-switching is performed to grant the os-namespace
    clients sufficient credentials to perform API actions that
    require admin credentials during setting up and cleaning up
    test resources. Thus, the distinction between admin and
    non-admin is not important in Patrole, as role-switching
    means that at different points in time the clients have admin
    and non-admin credentials.

    Thus, all namespaces (files, folders and classes) that contain
    "admin" should be renamed, if the non-admin version does not
    already exist. If the admin version and non-admin version
    tests both exist, then the admin version should be removed and
    its tests merged with the non-admin version.

    This patch, in addition, adds additional tests to test_rbac_roles:
    some identity:check_grant tests were missing. Following tests
    were added:
      1) Checking user role on domain
      2) Checking group role on project
      3) Checking group role on domain

    Change-Id: Ib82e8b8a0d6c8587fb0b1ce415e751c3ebc3c2f9
    Partial-Bug: #1672250

Felipe Monteiro (fm577c)
Changed in patrole:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.