Add SRBAC jobs
This patch adds jobs with scope enforcement and new defaults enabled for Nova, Cinder, Glance and Neutron. Keystone still has system scope adopted in its policies, so Keystone's scope enforcement stays disabled for now until those policies are updated accordingly [1]. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html Depends-On: https://review.opendev.org/c/openstack/tempest/+/869440 Change-Id: I64019c4f3f25cd1bd347fb55de5e38408a335cb0
parent
6488be3e82
commit
8d2ee59af3
49
.zuul.yaml
49
.zuul.yaml
|
@ -12,6 +12,8 @@
|
|||
- python-tempestconf-tempest-devstack-admin-yoga
|
||||
- python-tempestconf-tempest-devstack-demo
|
||||
- python-tempestconf-tempest-devstack-admin-plugins
|
||||
- python-tempestconf-tempest-devstack-enforce-scope-new-defaults-admin
|
||||
- python-tempestconf-tempest-devstack-enforce-scope-new-defaults-demo
|
||||
- python-tempestconf-tempest-packstack-admin:
|
||||
voting: false
|
||||
- python-tempestconf-tempest-packstack-demo:
|
||||
|
@ -167,6 +169,20 @@
|
|||
/etc/openstack/accounts.yaml: logs
|
||||
irrelevant-files: *irrelevant-files
|
||||
|
||||
- job:
|
||||
name: python-tempestconf-devstack-enforce-scope-new-defaults-base
|
||||
parent: python-tempestconf-devstack-base
|
||||
description: Base job for python-tempestconf on a devstack environment with enforce scope and new defaults enabled
|
||||
vars:
|
||||
devstack_localrc:
|
||||
# NOTE(rpopelka) We need to keep keystone scope check disabled as
|
||||
# it still has system scope enabled in it's policies. When keystone
|
||||
# updates it's policies, the scope check can be set to True also.
|
||||
NOVA_ENFORCE_SCOPE: True
|
||||
CINDER_ENFORCE_SCOPE: True
|
||||
GLANCE_ENFORCE_SCOPE: True
|
||||
NEUTRON_ENFORCE_SCOPE: True
|
||||
|
||||
- job:
|
||||
name: python-tempestconf-tempest-devstack-admin-plugins
|
||||
parent: python-tempestconf-devstack-base
|
||||
|
@ -315,3 +331,36 @@
|
|||
user: demo
|
||||
test_demo: true
|
||||
cloud_admin: packstack-admin
|
||||
|
||||
- job:
|
||||
name: python-tempestconf-tempest-devstack-enforce-scope-new-defaults-admin
|
||||
parent: python-tempestconf-devstack-enforce-scope-new-defaults-base
|
||||
description: |
|
||||
Tempest job for python-tempestconf on a devstack environment with enforce scope and new defaults enabled as the admin user.
|
||||
run: playbooks/python-tempestconf-tempest-devstack.yaml
|
||||
vars:
|
||||
user: admin
|
||||
cloud_user: devstack-admin
|
||||
tempest_concurrency: 2
|
||||
|
||||
- job:
|
||||
name: python-tempestconf-tempest-devstack-enforce-scope-new-defaults-demo
|
||||
parent: python-tempestconf-devstack-enforce-scope-new-defaults-base
|
||||
description: |
|
||||
Tempest job for python-tempestconf on a devstack environment with enforce scope and new default enabled as the demo user.
|
||||
run: playbooks/python-tempestconf-tempest-devstack.yaml
|
||||
vars:
|
||||
additional_tempestconf_params: "auth.tempest_roles member"
|
||||
user: demo
|
||||
cloud_user: devstack
|
||||
test_demo: true
|
||||
cloud_admin: devstack-admin
|
||||
# concurrency is reduced in this job, because a minimal accounts
|
||||
# file is used
|
||||
tempest_concurrency: 1
|
||||
# skip until https://storyboard.openstack.org/#!/story/2004209
|
||||
# is resolved
|
||||
tempest_exclude_regex: 'tempest.api.compute.servers'
|
||||
|
||||
|
||||
|
||||
|
|
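Review bot: In `python-tempestconf-devstack-enforce-scope-new-defaults-base` the NOTE says Keystone's scope check must stay disabled, but `devstack_localrc` sets only the Nova, Cinder, Glance and Neutron flags and leaves Keystone to whatever devstack defaults to. Pinning it directly under the NOTE with `KEYSTONE_ENFORCE_SCOPE: False` would keep the job's RBAC configuration stable if that default changes, and would give the comment a line to refer to. The demo variant also carries `tempest_exclude_regex: 'tempest.api.compute.servers'`, so the member-role job appears not to run the compute server tests under the new defaults. If that is intended, a sentence in the job description saying so would stop readers from assuming Nova's member persona is covered there. In the NOTE, `it's` should read `its` in both places.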