Switching rbac role can be achieved by admin credential manager rather explicitly passing admin client from caller

Registered by Mh Raies

##########################
Current Framework Implementation:

During RBAC testing,

In rbac_utils.py file, for switching role we are using "admin_client" (which is coming as part of "caller") for role deletion and role assignment.

For this purpose, in rbac_base.py file (or in testcase file)we need to define "admin_client".
Again for admin_client we need "admin" credentials defined in rbac_base also.

i.e. credentials = ['primary', 'admin']

In the rbac base we are writing"credentials = ['primary', 'admin']", which in turn will create 2 tenants -
1. "primary" tenant (Which is inturn "admin" because in tmpest.conf we are passing tempest_roles="admin" which will be added to primary also)
2. "admin" tenant

##########################
Problem with above Implementation :

1. In rbac_utils.py file, to delete all roles and assign role we again need to pass admin_client though caller which is also not a good idea. Because it mandates declaration of "admin" credentials in rbac_base.

2. During RBAC testing In tempest.conf "tempest_roles" is always hard coded to "admin", this becomes a precondition.

3. As "tempest_roles = admin", created "primary" tenant also becomes admin. In "credentials = ['primary', 'admin']" after primary which become admin because of tempest_roles=admin, we are again using "admin" tenant.
When both ('primary' and 'admin') has admin roles then using both of them is not an wise idea.

######
Solution:
1. For above problem 1 -
        instead of passing "admin_client" in caller to rbac_utils, how about using admin credential manager from tempest ?

2. For above problem#2 and problem#3
       After implementation of solution#1, we need not to hard code tempest_roles to admin by using following things -

            a. Implement solution#1
            b. In rbac_base file (or in test case file ) use only admin credentials and drop primary credentials completely
             i.e. credentials = ['admin'] . Although we can use alt credentials
             c. As during test case writing we are using cls.os and cls.os_adm where (In tempest) cls.os comes from "primary" and cls.os_adm comes from "admin" credentials.
                  In our tests, we are using cls.os and cls.os_adm a number of times for client creation and other many more thing.
                  When we are dropping "primary" completely, cls.os will be gone.
                  Also in existing framework, cls.os and cls.os_adm, both are admin because of tempest_roles=admin.
                  With the idea why not we should keep single admin, after dropping "primary" we have to assign "cls.os = cls.os_adm" in setup_credentials
                 So, In rbac_base file, we have to write following lines -

               @classmethod
              def setup_credentials(cls):
                  super(<BaseClass>, cls).setup_credentials()
                  cls.os = cls.os_adm

#Solution Proposed
Following patches tries to fulfill above things -
    https://review.openstack.org/#/c/433741/

Blueprint information

Status:
Complete
Approver:
Samantha Blanco
Priority:
Undefined
Drafter:
Mh Raies
Direction:
Needs approval
Assignee:
Mh Raies
Definition:
Approved
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Mh Raies
Completed by
Mh Raies

Whiteboard

I think that linking to some sources would make the original blueprint more understandable and more robust.

1) Regarding tempest_roles, refer to:

Specifically: Test Credentials in https://docs.openstack.org/developer/tempest/configuration.html?highlight=admin

"It is worth pointing out that depending on your cloud configuration you might need to assign a role to each of the users created by Tempest's dynamic credentials. This can be set using the tempest_roles option. It takes in a list of role names each of which will be assigned to each of the users created by dynamic credentials. This option will not have any effect when Tempest is not configured to use dynamic credentials."

So, what Mohd was saying is correct: when tempest_roles = admin, for each user in credentials = ['admin', 'primary'], the admin role is assigned, meaning the 'primary' user also gets the admin role.

Gerrit topic: https://review.openstack.org/#q,topic:bug/1664600,n,z

Addressed by: https://review.openstack.org/433741
    Required modification in Framework

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.