Switching rbac role can be achieved by admin credential manager rather explicitly passing admin client from caller
#######
Current Framework Implementation:
During RBAC testing,
In rbac_utils.py file, for switching role we are using "admin_client" (which is coming as part of "caller") for role deletion and role assignment.
For this purpose, in rbac_base.py file (or in testcase file)we need to define "admin_client".
Again for admin_client we need "admin" credentials defined in rbac_base also.
i.e. credentials = ['primary', 'admin']
In the rbac base we are writing"credentials = ['primary', 'admin']", which in turn will create 2 tenants -
1. "primary" tenant (Which is inturn "admin" because in tmpest.conf we are passing tempest_
2. "admin" tenant
#######
Problem with above Implementation :
1. In rbac_utils.py file, to delete all roles and assign role we again need to pass admin_client though caller which is also not a good idea. Because it mandates declaration of "admin" credentials in rbac_base.
2. During RBAC testing In tempest.conf "tempest_roles" is always hard coded to "admin", this becomes a precondition.
3. As "tempest_roles = admin", created "primary" tenant also becomes admin. In "credentials = ['primary', 'admin']" after primary which become admin because of tempest_
When both ('primary' and 'admin') has admin roles then using both of them is not an wise idea.
######
Solution:
1. For above problem 1 -
instead of passing "admin_client" in caller to rbac_utils, how about using admin credential manager from tempest ?
2. For above problem#2 and problem#3
After implementation of solution#1, we need not to hard code tempest_roles to admin by using following things -
a. Implement solution#1
b. In rbac_base file (or in test case file ) use only admin credentials and drop primary credentials completely
i.e. credentials = ['admin'] . Although we can use alt credentials
c. As during test case writing we are using cls.os and cls.os_adm where (In tempest) cls.os comes from "primary" and cls.os_adm comes from "admin" credentials.
def setup_credentia
#Solution Proposed
Following patches tries to fulfill above things -
https:/
Blueprint information
- Status:
- Complete
- Approver:
- Samantha Blanco
- Priority:
- Undefined
- Drafter:
- Mh Raies
- Direction:
- Needs approval
- Assignee:
- Mh Raies
- Definition:
- Approved
- Series goal:
- None
- Implementation:
- Implemented
- Milestone target:
- None
- Started by
- Mh Raies
- Completed by
- Mh Raies
Related branches
Related bugs
Bug #1664278: Explicit admin specific RBAC tests are not required | Fix Released |
Bug #1664600: RBAC framework need a precondition to set "tempest_roles" to "admin" role | Fix Released |
Sprints
Whiteboard
I think that linking to some sources would make the original blueprint more understandable and more robust.
1) Regarding tempest_roles, refer to:
Specifically: Test Credentials in https:/
"It is worth pointing out that depending on your cloud configuration you might need to assign a role to each of the users created by Tempest's dynamic credentials. This can be set using the tempest_roles option. It takes in a list of role names each of which will be assigned to each of the users created by dynamic credentials. This option will not have any effect when Tempest is not configured to use dynamic credentials."
So, what Mohd was saying is correct: when tempest_roles = admin, for each user in credentials = ['admin', 'primary'], the admin role is assigned, meaning the 'primary' user also gets the admin role.
Gerrit topic: https:/
Addressed by: https:/
Required modification in Framework