primary and alt credentials not flexible enough in non default policy.json deployment

Bug #1738076 reported by Sangeet Gupta
This bug affects 1 person
Affects: tempest
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

When you secure your API through the policy.json files, some tempest testcases will start failing with 403. We would like to propose the ability to set the roles according to the primary and alt default creds in the testcase class credential array. This will allow you to specify higher privileges on primary and lower on alt when using both the dynamic_creds and preprov_creds. The default setting would function as it does today.
The high level design would be:
1) add the following config.py settings
    tempest_primary_cred_role # Roles to be applied to dynamic_creds or searched in accounts.yaml.
    tempest_alt_cred_role # Roles to be applied to dynamic_creds or searched in accounts.yaml.
2) update DynamicCredentialProvider.get_credentials to assign roles in list according to primary and alt.
3) update PreProvisionedCredentialProvider.get_primary_creds and PreProvisionedCredentialProvider.get_alt_creds to look for the role in accounts.yaml that tempest_primary_cred_role or tempest_alt_cred_role provides.

Sangeet Gupta (sg774j)
Changed in tempest:
assignee: nobody → Sangeet Gupta (sg774j)
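
One way step 3 of the proposal above could select pre-provisioned accounts, added here as an illustration and not code from Tempest or from the reporter. The two option names come from the bug description; the sample accounts, the list-valued settings, and the names `pick_account` and `get_primary_and_alt` are assumptions. It prefers the account with the fewest roles beyond those requested, so the alt user does not silently end up on an admin account.

```python
# Added illustration of the proposed design; not Tempest code.
# Option names come from the bug description; everything else is hypothetical.

# Constructed sample standing in for parsed accounts.yaml entries.
ACCOUNTS = [
    {"username": "ci-admin", "project_name": "ci-a", "password": "x", "roles": ["admin", "member"]},
    {"username": "ci-user-1", "project_name": "ci-b", "password": "x", "roles": ["member"]},
    {"username": "ci-user-2", "project_name": "ci-c", "password": "x", "roles": ["member", "reader"]},
]

# Hypothetical values for the two proposed settings.
CONF = {
    "tempest_primary_cred_role": ["admin"],
    "tempest_alt_cred_role": ["member"],
}


class NoMatchingAccount(Exception):
    """Raised when no unused account carries the requested roles."""


def pick_account(accounts, required_roles, in_use=()):
    """Return the unused account that has every required role and the
    fewest roles beyond them, so a low-privilege request is never
    satisfied by an admin account when a narrower one exists."""
    required = set(required_roles)
    candidates = [
        a for a in accounts
        if a["username"] not in in_use and required <= set(a.get("roles", []))
    ]
    if not candidates:
        raise NoMatchingAccount(sorted(required))
    return min(candidates, key=lambda a: len(set(a["roles"]) - required))


def get_primary_and_alt(accounts, conf):
    """Select distinct primary and alt accounts from the two settings."""
    primary = pick_account(accounts, conf["tempest_primary_cred_role"])
    alt = pick_account(accounts, conf["tempest_alt_cred_role"],
                       in_use={primary["username"]})
    return primary, alt


if __name__ == "__main__":
    p, a = get_primary_and_alt(ACCOUNTS, CONF)
    print("primary:", p["username"], p["roles"])
    print("alt:    ", a["username"], a["roles"])
```
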
Matthew Treinish (treinish) wrote :

So I'm not sure I understand what the issue is here. We've taken a pretty hard stance in the past about adding a generic policy framework to tempest. Making things too adaptable actually makes it too easy to shoot yourself in the foot when verifying that your deployment works. (For example, we've had examples of people making policy too restrictive or loose, which breaks some basic interop assumptions.) Which is why we only have 2 classes of user (normal and admin) and a very basic rbac model. This is why the patrole project https://github.com/openstack/patrole exists to provide deep functional rbac validation.

I can believe we missed a valid case for cloud validation in tempest. But, right now there is a config option: CONF.auth.tempest_roles which does what you're talking about already. For dynamic creds it assigns that role to all created users. Is the ask here just to add a new config value for setting different roles on the primary and alt users? I'd be kind of reluctant to do that because the theory behind primary and alt is that they're the same class of user.

Changed in tempest:
status: New → Incomplete
Doug Schveninger (ds6901) wrote :

Currently we use preprovision creds since we are LDAP backed. We also have evaluated policy file so we have to run our test with primary and alt creds with the admin role. This causes tests to fail since the alt account can see things that the test does not expect. We are looking to change it so with dynamic and preprovision creds you can manage the roles that the primary and alt creds have independently of each other to allow more flexibility in downstream CI gates.

Doug Schveninger (ds6901) wrote :

We would like to expand the dynamic conf setting of the cred roles in 2 ways.
First, we would like to add support for primary_extra_roles and alt_extra_roles in the conf so people can do more than add extra_roles to all creds.
Second, we would like to move this feature in dynamic creds into preprovision creds.

Let me know what you think

Martin Kopec (mkopec)
Changed in tempest:
assignee: Sangeet Gupta (sg774j) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for tempest because there has been no activity for 60 days.]

Changed in tempest:
status: Incomplete → Expired