Merge "Add more users/roles to secret/container RBAC tests"

Jenkins 2015-05-27 15:49:23 +00:00 committed by Gerrit Code Review
commit 83fe7aceeb
6 changed files with 80 additions and 1 deletions
bin
contrib/devstack/lib
etc/barbican
functionaltests
api/v1/functional
common

@ -135,6 +135,19 @@ if [[ "$ENABLED_SERVICES" =~ "barbican" ]]; then
--user="$USER_ID" \
--role="$ROLE_ADMIN_ID" \
--tenant-id="$PROJECT_B_ID"
#
# Setup RBAC Creator of Project B
#
USER_ID=$(get_id keystone user-create \
--name="project_b_creator" \
--pass="$USER_PASSWORD" \
--email="creator_b@example.net")
keystone user-role-add \
--user="$USER_ID" \
--role="$ROLE_CREATOR_ID" \
--tenant-id="$PROJECT_B_ID"
#
# Setup RBAC Observer of Project B
#
@ -146,6 +159,18 @@ if [[ "$ENABLED_SERVICES" =~ "barbican" ]]; then
--user="$USER_ID" \
--role="$ROLE_OBSERVER_ID" \
--tenant-id="$PROJECT_B_ID"
#
# Setup RBAC Auditor of Project B
#
USER_ID=$(get_id keystone user-create \
--name="project_b_auditor" \
--pass="$USER_PASSWORD" \
--email="auditor_b@example.net")
keystone user-role-add \
--user="$USER_ID" \
--role="$ROLE_AUDIT_ID" \
--tenant-id="$PROJECT_B_ID"
#
# Setup Admin Endpoint
#
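Review bot: In the new project_b_creator block, `USER_ID` from `get_id keystone user-create` goes straight into `keystone user-role-add` with no check that it is non-empty. `get_id` is not visible here, but if user creation fails (for example on a re-run where the account already exists), the role assignment presumably runs with an empty `--user`. The RBAC tests would then exercise an account that does not hold the role they assume. A guard such as `[[ -n "$USER_ID" ]] || { echo "project_b_creator was not created" >&2; exit 1; }` after each `user-create` would make that failure loud. The same applies to the project_b_auditor block in this file and to both new blocks in `create_barbican_accounts` in the next file section, where `return 1` fits better than `exit 1`.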

@ -280,6 +280,17 @@ function create_barbican_accounts {
--role="$ROLE_ADMIN_ID" \
--tenant-id="$PROJECT_B_ID"
#
# Setup RBAC Creator of Project B
#
USER_ID=$(get_id keystone user-create \
--name="project_b_creator" \
--pass="$PASSWORD" \
--email="creator_b@example.net")
keystone user-role-add \
--user="$USER_ID" \
--role="$ROLE_CREATOR_ID" \
--tenant-id="$PROJECT_B_ID"
#
# Setup RBAC Observer of Project B
#
USER_ID=$(get_id keystone user-create \
@ -291,6 +302,17 @@ function create_barbican_accounts {
--role="$ROLE_OBSERVER_ID" \
--tenant-id="$PROJECT_B_ID"
#
# Setup RBAC auditor of Project B
#
USER_ID=$(get_id keystone user-create \
--name="project_b_auditor" \
--pass="$PASSWORD" \
--email="auditor_b@example.net")
keystone user-role-add \
--user="$USER_ID" \
--role="$ROLE_AUDIT_ID" \
--tenant-id="$PROJECT_B_ID"
#
# Setup Admin Endpoint
#
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@ -14,6 +14,8 @@ domain_name=Default
# Replace these values that represent additional users for RBAC testing
project_a=project_a
project_b=project_b
# users for project_a
admin_a=project_a_admin
admin_a_password=barbican
creator_a=project_a_creator
@ -22,10 +24,16 @@ observer_a=project_a_observer
observer_a_password=barbican
auditor_a=project_a_auditor
auditor_a_password=barbican
# users for project_b
admin_b=project_b_admin
admin_b_password=barbican
creator_b=project_b_creator
creator_b_password=barbican
observer_b=project_b_observer
observer_b_password=barbican
auditor_b=project_b_auditor
auditor_b_password=barbican
[keymanager]
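Review bot: The new `creator_b_password`, `observer_b_password` and `auditor_b_password` entries hard-code `barbican`, while the setup scripts in this commit create the same accounts with `$USER_PASSWORD` and `$PASSWORD`, whose values are not visible on this page. If those differ, the project_b clients will fail authentication before any RBAC decision is exercised. Every account, project admins included, also shares one well-known password. A comment under `# users for project_b` would cover both, for example `# passwords must match the ones used when the accounts were created; for disposable test clouds only`.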

@ -26,8 +26,11 @@ admin_a = CONF.rbac_users.admin_a
creator_a = CONF.rbac_users.creator_a
observer_a = CONF.rbac_users.observer_a
auditor_a = CONF.rbac_users.auditor_a
admin_b = CONF.rbac_users.admin_b
creator_b = CONF.rbac_users.creator_b
observer_b = CONF.rbac_users.observer_b
auditor_b = CONF.rbac_users.auditor_b
test_data_rbac_read_secret = {
@ -36,7 +39,9 @@ test_data_rbac_read_secret = {
'with_observer_a': {'user': observer_a, 'expected_return': 200},
'with_auditor_a': {'user': auditor_a, 'expected_return': 403},
'with_admin_b': {'user': admin_b, 'expected_return': 403},
'with_creator_b': {'user': creator_b, 'expected_return': 403},
'with_observer_b': {'user': observer_b, 'expected_return': 403},
'with_auditor_b': {'user': auditor_b, 'expected_return': 403},
}
@ -46,7 +51,9 @@ test_data_rbac_read_container = {
'with_observer_a': {'user': observer_a, 'expected_return': 200},
'with_auditor_a': {'user': auditor_a, 'expected_return': 200},
'with_admin_b': {'user': admin_b, 'expected_return': 403},
'with_creator_b': {'user': creator_b, 'expected_return': 403},
'with_observer_b': {'user': observer_b, 'expected_return': 403},
'with_auditor_b': {'user': auditor_b, 'expected_return': 403},
}
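Review bot: The new `with_creator_b`, `with_observer_b` and `with_auditor_b` rows in both dicts do not say why every project_b role, including `admin_b`, is expected to get 403. Presumably these rows assert cross-project isolation against a resource owned by project_a, which is the security property a reader should be able to see at a glance. I would add a comment above the `_b` rows in each dict, for example `# project_b users hold no role in the owning project: every read must be denied`. Both dicts begin outside these hunks, so I cannot tell whether the other operations (create, delete) get the same project_b coverage.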

@ -76,12 +76,24 @@ class BarbicanClient(object):
username=CONF.rbac_users.admin_b,
password=CONF.rbac_users.admin_b_password,
project_name=CONF.rbac_users.project_b)
self._auth[CONF.rbac_users.creator_b] = auth.FunctionalTestAuth(
endpoint=CONF.identity.uri,
version=CONF.identity.version,
username=CONF.rbac_users.creator_b,
password=CONF.rbac_users.creator_b_password,
project_name=CONF.rbac_users.project_b)
self._auth[CONF.rbac_users.observer_b] = auth.FunctionalTestAuth(
endpoint=CONF.identity.uri,
version=CONF.identity.version,
username=CONF.rbac_users.observer_b,
password=CONF.rbac_users.observer_b_password,
project_name=CONF.rbac_users.project_b)
self._auth[CONF.rbac_users.auditor_b] = auth.FunctionalTestAuth(
endpoint=CONF.identity.uri,
version=CONF.identity.version,
username=CONF.rbac_users.auditor_b,
password=CONF.rbac_users.auditor_b_password,
project_name=CONF.rbac_users.project_b)
def _attempt_to_stringify_content(self, content, content_tag):
if content is None:
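Review bot: The three new `self._auth[...] = auth.FunctionalTestAuth(...)` assignments are copies that differ only in the role name, and the map is keyed by the configured username. If two `rbac_users` options are ever set to the same name, the later entry silently replaces the earlier one and the tests run under a different identity than the row label says. A loop over the role names removes the duplication and gives one place for a duplicate-key check. The enclosing method starts above the hunk, so the project_a and `admin_b` entries are left as they are.

```python
# … unchanged: admin_b entry above …
for role in ('creator_b', 'observer_b', 'auditor_b'):
    username = getattr(CONF.rbac_users, role)
    if username in self._auth:
        raise ValueError('duplicate RBAC test user: %s' % username)
    self._auth[username] = auth.FunctionalTestAuth(
        endpoint=CONF.identity.uri,
        version=CONF.identity.version,
        username=username,
        password=getattr(CONF.rbac_users, role + '_password'),
        project_name=CONF.rbac_users.project_b)
```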

@ -50,8 +50,13 @@ def setup_config(config_file=''):
cfg.StrOpt('auditor_a_password', default='barbican'),
cfg.StrOpt('admin_b', default='project_b_admin'),
cfg.StrOpt('admin_b_password', default='barbican'),
cfg.StrOpt('creator_b', default='project_b_creator'),
cfg.StrOpt('creator_b_password', default='barbican'),
cfg.StrOpt('observer_b', default='project_b_observer'),
cfg.StrOpt('observer_b_password', default='barbican')]
cfg.StrOpt('observer_b_password', default='barbican'),
cfg.StrOpt('auditor_b', default='project_b_auditor'),
cfg.StrOpt('auditor_b_password', default='barbican'),
]
TEST_CONF.register_group(rbac_users_group)
TEST_CONF.register_opts(rbac_users_options, group=rbac_users_group)
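Review bot: The new `creator_b_password` and `auditor_b_password` options (and the re-added `observer_b_password`) are plain `cfg.StrOpt` entries, so oslo.config will print their values wherever option values are logged. Marking them secret masks the value in that output: `cfg.StrOpt('auditor_b_password', default='barbican', secret=True),`, and likewise for the other `*_password` options. The shared default of `barbican` is fine for a functional-test cloud, but a short comment saying these defaults are test-only would help. The options list starts above the hunk, so the project_a password options presumably need the same treatment.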