Use consistent naming for enforce_scope option

Tempest and a few other plugins such as manila-tempest-plugin registers the option to enable scope enforcement tests in the [enforce_scope] option. This renames the option so that this plugin follows that standard. Change-Id: Ibd6962947c64f04ff1948a19c4afe9f26d0b47bb
2023-11-30 22:29:10 +09:00 · 2023-11-30 22:29:10 +09:00 · 39eb56d9c7
parent 6345b34ae2
commit 39eb56d9c7
6 changed files with 28 additions and 19 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -165,8 +165,8 @@
            #  global_default: true
        test-config:
          $TEMPEST_CONFIG:
-            barbican_rbac_scope_verification:
-              enforce_scope: True
+            enforce_scope:
+              barbican: True
            # barbican_tempest:
            #  enable_multiple_secret_stores: True

--- a/barbican_tempest_plugin/config.py
+++ b/barbican_tempest_plugin/config.py
@ -101,13 +101,11 @@ ImageSignatureVerificationGroup = [
                     "certificate validation?")
 ]

-barbican_rbac_scope_verification_group = cfg.OptGroup(
-    name="barbican_rbac_scope_verification",
-    title="Barbican RBAC Verification Options")
-
-BarbicanRBACScopeVerificationGroup = [
-    cfg.BoolOpt('enforce_scope',
+EnforceScopeGroup = [
+    cfg.BoolOpt('barbican',
                default=False,
+                deprecated_group='barbican_rbac_scope_verification',
+                deprecated_name='enforce_scope',
                help="Does barbican enforce scope and user "
                     "scope-aware policies?"),
 ]
--- a/barbican_tempest_plugin/plugin.py
+++ b/barbican_tempest_plugin/plugin.py
@ -13,7 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-
+import itertools
 import os

 from tempest.test_discover import plugins
@ -32,6 +32,8 @@ class BarbicanTempestPlugin(plugins.TempestPlugin):
    def register_opts(self, conf):
        conf.register_opt(project_config.service_option,
                          group='service_available')
+        conf.register_opts(
+            project_config.EnforceScopeGroup, group='enforce_scope')

        conf.register_group(project_config.key_manager_group)
        conf.register_opts(project_config.KeyManagerOpts,
@ -47,15 +49,19 @@ class BarbicanTempestPlugin(plugins.TempestPlugin):
                           project_config.ephemeral_storage_encryption_group)
        conf.register_opts(project_config.ImageSignatureVerificationGroup,
                           project_config.image_signature_verification_group)
-        conf.register_group(
-            project_config.barbican_rbac_scope_verification_group)
-        conf.register_opts(
-            project_config.BarbicanRBACScopeVerificationGroup,
-            project_config.barbican_rbac_scope_verification_group
-        )

    def get_opt_lists(self):
-        return [('service_available', [project_config.service_option])]
+        return [
+            ('service_available', [project_config.service_option]),
+            (project_config.key_manager_group.name,
+             project_config.KeyManagerOpts),
+            (project_config.barbican_tempest_group.name,
+             project_config.barbican_tempest_group),
+            (project_config.ephemeral_storage_encryption_group.name,
+             itertools.chain(project_config.EphemeralStorageEncryptionGroup,
+                             project_config.ImageSignatureVerificationGroup)),
+            ('enforce_scope', project_config.EnforceScopeGroup)
+        ]

    def get_service_clients(self):
        v1_params = {
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@ -26,7 +26,7 @@ class QuotasTest(base.BaseKeyManagerTest):

    @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
    def test_get_effective_quota(self):
-        if CONF.barbican_rbac_scope_verification.enforce_scope:
+        if CONF.enforce_scope.barbican:
            # This test is using key-manager:service-admin legacy
            # role. User with only this role should get a Forbidden
            # error when trying to get effective quotas in SRBAC
@ -49,7 +49,7 @@ class ProjectQuotasTest(base.BaseKeyManagerTest):
    @classmethod
    def skip_checks(cls):
        super().skip_checks()
-        if CONF.barbican_rbac_scope_verification.enforce_scope:
+        if CONF.enforce_scope.barbican:
            # These tests can't be run with the new RBAC rules because
            # the APIs they're testing require system-scoped credentials
            # instead of the project-scoped credentials used here.
--- a/barbican_tempest_plugin/tests/rbac/v1/base.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/base.py
@ -63,7 +63,7 @@ class BarbicanV1RbacBase(test.BaseTestCase,
    @classmethod
    def skip_checks(cls):
        super().skip_checks()
-        if not CONF.barbican_rbac_scope_verification.enforce_scope:
+        if not CONF.enforce_scope.barbican:
            raise cls.skipException("enforce_scope is not enabled for "
                                    "barbican, skipping RBAC tests")
        api_version_utils.check_skip_with_microversion(
--- a/releasenotes/notes/consistent-enforce_scope-option-d3ddf50423e1efaa.yaml
+++ b/releasenotes/notes/consistent-enforce_scope-option-d3ddf50423e1efaa.yaml
@ -0,0 +1,5 @@
+---
+deprecations:
+  - |
+    The ``[barbican_rbac_scope_verification] enforce_scope`` option has been
+    deprecated in favor of the new ``[enforce_scope] barican`` option.