Add SRBAC jobs

This patch adds jobs with scope enforcement and new defaults enabled for Nova, Cinder, Glance and Neutron. Keystone still has system scope adopted in their policy. The scope enforcement will be disabled for now until Keystone's policies are updated accordingly[1] [1]https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html Depends-On: https://review.opendev.org/c/openstack/tempest/+/869440 Change-Id: I64019c4f3f25cd1bd347fb55de5e38408a335cb0
2022-12-09 12:21:45 +01:00 · 2022-12-09 12:21:45 +01:00 · 8d2ee59af3
parent 6488be3e82
commit 8d2ee59af3
1 changed files with 49 additions and 0 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -12,6 +12,8 @@
        - python-tempestconf-tempest-devstack-admin-yoga
        - python-tempestconf-tempest-devstack-demo
        - python-tempestconf-tempest-devstack-admin-plugins
+        - python-tempestconf-tempest-devstack-enforce-scope-new-defaults-admin
+        - python-tempestconf-tempest-devstack-enforce-scope-new-defaults-demo
        - python-tempestconf-tempest-packstack-admin:
            voting: false
        - python-tempestconf-tempest-packstack-demo:
@ -167,6 +169,20 @@
        /etc/openstack/accounts.yaml: logs
    irrelevant-files: *irrelevant-files

+- job:
+    name: python-tempestconf-devstack-enforce-scope-new-defaults-base
+    parent: python-tempestconf-devstack-base
+    description: Base job for python-tempestconf on a devstack environment with enforce scope and new defaults enabled
+    vars:
+      devstack_localrc:
+        # NOTE(rpopelka) We need to keep keystone scope check disabled as
+        # it still has system scope enabled in it's policies. When keystone
+        # updates it's policies, the scope check can be set to True also.
+        NOVA_ENFORCE_SCOPE: True
+        CINDER_ENFORCE_SCOPE: True
+        GLANCE_ENFORCE_SCOPE: True
+        NEUTRON_ENFORCE_SCOPE: True
+
 - job:
    name: python-tempestconf-tempest-devstack-admin-plugins
    parent: python-tempestconf-devstack-base
@ -315,3 +331,36 @@
      user: demo
      test_demo: true
      cloud_admin: packstack-admin
+
+- job:
+    name: python-tempestconf-tempest-devstack-enforce-scope-new-defaults-admin
+    parent: python-tempestconf-devstack-enforce-scope-new-defaults-base
+    description: |
+      Tempest job for python-tempestconf on a devstack environment with enforce scope and new defaults enabled as the admin user.
+    run: playbooks/python-tempestconf-tempest-devstack.yaml
+    vars:
+      user: admin
+      cloud_user: devstack-admin
+      tempest_concurrency: 2
+
+- job:
+    name: python-tempestconf-tempest-devstack-enforce-scope-new-defaults-demo
+    parent: python-tempestconf-devstack-enforce-scope-new-defaults-base
+    description: |
+      Tempest job for python-tempestconf on a devstack environment with enforce scope and new default enabled as the demo user.
+    run: playbooks/python-tempestconf-tempest-devstack.yaml
+    vars:
+      additional_tempestconf_params: "auth.tempest_roles member"
+      user: demo
+      cloud_user: devstack
+      test_demo: true
+      cloud_admin: devstack-admin
+      # concurrency is reduced in this job, because a minimal accounts
+      # file is used
+      tempest_concurrency: 1
+      # skip until https://storyboard.openstack.org/#!/story/2004209
+      # is resolved
+      tempest_exclude_regex: 'tempest.api.compute.servers'
+
+
+