Merge "Add project_reader in new RBAC tests"

Zuul 2023-02-24 09:00:30 +00:00 committed by Gerrit Code Review
commit 759ee725b8
6 changed files with 41 additions and 49 deletions


@ -233,10 +233,11 @@ class RecordsetsTest(BaseRecordsetsTest):
self.assertGreater(len(body), 0) self.assertGreater(len(body), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC # Test RBAC
expected_allowed = ['os_primary'] expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_reader',
'os_project_member'])
self.check_list_show_RBAC_enforcement( self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'list_recordset', expected_allowed, True, 'RecordsetClient', 'list_recordset', expected_allowed, True,
@ -244,6 +245,9 @@ class RecordsetsTest(BaseRecordsetsTest):
# Test that users who should see the zone, can see it. # Test that users who should see the zone, can see it.
expected_allowed = ['os_primary'] expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_reader',
'os_project_member'])
self.check_list_IDs_RBAC_enforcement( self.check_list_IDs_RBAC_enforcement(
'RecordsetClient', 'list_recordset', 'RecordsetClient', 'list_recordset',
@ -282,10 +286,11 @@ class RecordsetsTest(BaseRecordsetsTest):
LOG.info('Ensure the fetched response matches the expected one') LOG.info('Ensure the fetched response matches the expected one')
self.assertExpected(body, record, self.excluded_keys) self.assertExpected(body, record, self.excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC # Test RBAC
expected_allowed = ['os_primary'] expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement( self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True, 'RecordsetClient', 'show_recordset', expected_allowed, True,
@ -321,7 +326,7 @@ class RecordsetsTest(BaseRecordsetsTest):
# Test RBAC # Test RBAC
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'delete_recordset', expected_allowed, True, 'RecordsetClient', 'delete_recordset', expected_allowed, True,
@ -374,7 +379,7 @@ class RecordsetsTest(BaseRecordsetsTest):
# Test RBAC # Test RBAC
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, True, 'RecordsetClient', 'update_recordset', expected_allowed, True,
@ -383,7 +388,7 @@ class RecordsetsTest(BaseRecordsetsTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header # Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, False, 'RecordsetClient', 'update_recordset', expected_allowed, False,
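Review bot: In the hunk at `@ -383,7 +388,7` (update_recordset with the x-auth-all-projects and x-auth-sudo-project-id headers), `os_project_member` is added to the personas expected to succeed, and nothing in the test says why a project-scoped member should pass a call that carries cross-project override headers. The headers actually sent and the meaning of the `False` argument are outside the hunk, so it is not visible whether this asserts that the headers are harmless for that persona or that they are honoured. If the reason is that the sudo target is the member's own project, a comment above the extend such as `# os_project_member: sudo target is its own project, so the call still succeeds` would record the intent. The same applies to the header variants of delete_zone, update_zone, delete_zone_export and delete_zone_import in the later file sections.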


@ -174,10 +174,11 @@ class TransferAcceptTest(BaseTransferAcceptTest):
'created transfer_accept') 'created transfer_accept')
self.assertExpected(transfer_accept, body, self.excluded_keys) self.assertExpected(transfer_accept, body, self.excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC # Test RBAC
expected_allowed = ['os_primary'] expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement( self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed, 'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@ -275,8 +276,6 @@ class TransferAcceptTest(BaseTransferAcceptTest):
self.assertEqual('COMPLETE', transfer_accept['status']) self.assertEqual('COMPLETE', transfer_accept['status'])
transfer_request_ids.append(transfer_accept['id']) transfer_request_ids.append(transfer_accept['id'])
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get # Test RBAC - Users that are allowed to call list, but should get
# zero zones. # zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:


@ -157,8 +157,6 @@ class TransferRequestTest(BaseTransferRequestTest):
'created transfer_request') 'created transfer_request')
self.assertExpected(transfer_request, body, self.excluded_keys) self.assertExpected(transfer_request, body, self.excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC # Test RBAC
# Note: The create service client does not define a target project # Note: The create service client does not define a target project
# ID, so everyone should be able to see it. # ID, so everyone should be able to see it.
@ -245,12 +243,10 @@ class TransferRequestTest(BaseTransferRequestTest):
"project_id"] "project_id"]
self.assertExpected(transfer_request, body, excluded_keys) self.assertExpected(transfer_request, body, excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC when a transfer target project is specified. # Test RBAC when a transfer target project is specified.
expected_allowed = ['os_primary', 'os_alt'] expected_allowed = ['os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
else: else:
expected_allowed.append('os_admin') expected_allowed.append('os_admin')
@ -305,14 +301,11 @@ class TransferRequestTest(BaseTransferRequestTest):
self.assertGreater(len(body['transfer_requests']), 0) self.assertGreater(len(body['transfer_requests']), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get # Test RBAC - Users that are allowed to call list, but should get
# zero zones. # zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader', expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin', 'os_project_member', 'os_admin']
'os_project_reader']
else: else:
expected_allowed = ['os_alt'] expected_allowed = ['os_alt']
@ -461,7 +454,7 @@ class TransferRequestTest(BaseTransferRequestTest):
# Test RBAC # Test RBAC
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'TransferRequestClient', 'update_transfer_request', 'TransferRequestClient', 'update_transfer_request',
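Review bot: In the list hunk at `@ -305,14 +301,11`, `os_project_member` and `os_project_reader` are dropped from the personas expected to get an empty result under `enforce_new_defaults`, and the visible lines add no positive check for them in its place. The hunk ends before the call that consumes `expected_allowed`, and how the helper treats personas left out of the list is not visible here, so a follow-up may exist outside it. If there is none, the two project personas lose coverage for this list call; the recordset section keeps it by extending `expected_allowed` with `['os_project_reader', 'os_project_member']` before `check_list_IDs_RBAC_enforcement`, and the same pattern would fit here. The equivalent list hunks in the zones, zone export and zone import sections have the same shape.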


@ -162,10 +162,11 @@ class ZonesTest(BaseZonesTest):
LOG.info('Ensure the fetched response matches the created zone') LOG.info('Ensure the fetched response matches the created zone')
self.assertExpected(zone, body, self.excluded_keys) self.assertExpected(zone, body, self.excluded_keys)
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test with no extra header overrides (all_projects, sudo-project-id) # Test with no extra header overrides (all_projects, sudo-project-id)
expected_allowed = ['os_primary'] expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement( self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, True, zone['id']) 'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
@ -196,7 +197,7 @@ class ZonesTest(BaseZonesTest):
# Test RBAC # Test RBAC
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone', self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, True, zone['id']) expected_allowed, True, zone['id'])
@ -204,7 +205,7 @@ class ZonesTest(BaseZonesTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header # Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone', self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, False, zone['id'], expected_allowed, False, zone['id'],
@ -278,14 +279,11 @@ class ZonesTest(BaseZonesTest):
# present in the response. # present in the response.
self.assertGreater(len(body['zones']), 0) self.assertGreater(len(body['zones']), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get # Test RBAC - Users that are allowed to call list, but should get
# zero zones. # zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader', expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin', 'os_project_member', 'os_admin']
'os_project_reader']
else: else:
expected_allowed = ['os_alt'] expected_allowed = ['os_alt']
@ -336,7 +334,7 @@ class ZonesTest(BaseZonesTest):
# Test RBAC # Test RBAC
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, True, 'ZonesClient', 'update_zone', expected_allowed, True,
@ -345,7 +343,7 @@ class ZonesTest(BaseZonesTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header # Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, False, 'ZonesClient', 'update_zone', expected_allowed, False,
@ -429,10 +427,11 @@ class ZonesTest(BaseZonesTest):
pool_nameservers, zone_nameservers, pool_nameservers, zone_nameservers,
'Failed - Pool and Zone nameservers should be the same') 'Failed - Pool and Zone nameservers should be the same')
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC # Test RBAC
expected_allowed = ['os_primary'] expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement( self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed, 'ZonesClient', 'show_zone_nameservers', expected_allowed,
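Review bot: The literal `expected_allowed.extend(['os_system_admin', 'os_project_member'])` is now repeated in four hunks of this file (delete_zone twice, update_zone twice), alongside two three-line blocks that extend with `['os_project_member', 'os_project_reader']` for the show calls. A pair of class-level tuples, for example `NEW_DEFAULTS_CUD = ('os_system_admin', 'os_project_member')` and `NEW_DEFAULTS_READ = ('os_project_member', 'os_project_reader')`, would keep the persona sets in one place, so a later policy change cannot update some tests and miss others. The recordset section also lists the read pair in both orders, which a shared constant would settle.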


@ -118,10 +118,11 @@ class ZonesExportTest(BaseZoneExportsTest):
LOG.info('Ensure the fetched response matches the zone export') LOG.info('Ensure the fetched response matches the zone export')
self.assertExpected(zone_export, body, self.excluded_keys) self.assertExpected(zone_export, body, self.excluded_keys)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC # Test RBAC
expected_allowed = ['os_primary'] expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement( self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True, 'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@ -188,7 +189,7 @@ class ZonesExportTest(BaseZoneExportsTest):
# Test RBAC # Test RBAC
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, True, 'ZoneExportsClient', 'delete_zone_export', expected_allowed, True,
@ -197,7 +198,7 @@ class ZonesExportTest(BaseZoneExportsTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header # Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, False, 'ZoneExportsClient', 'delete_zone_export', expected_allowed, False,
@ -225,14 +226,11 @@ class ZonesExportTest(BaseZoneExportsTest):
self.assertGreater(len(body['exports']), 0) self.assertGreater(len(body['exports']), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get # Test RBAC - Users that are allowed to call list, but should get
# zero zones. # zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader', expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin', 'os_project_member', 'os_admin']
'os_project_reader']
else: else:
expected_allowed = ['os_alt'] expected_allowed = ['os_alt']


@ -148,10 +148,11 @@ class ZonesImportTest(BaseZonesImportTest):
LOG.info('Ensure the fetched response matches the expected one') LOG.info('Ensure the fetched response matches the expected one')
self.assertExpected(zone_import, body, self.excluded_keys) self.assertExpected(zone_import, body, self.excluded_keys)
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test with no extra header overrides (all_projects, sudo-project-id) # Test with no extra header overrides (all_projects, sudo-project-id)
expected_allowed = ['os_primary'] expected_allowed = ['os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.extend(['os_project_member',
'os_project_reader'])
self.check_list_show_RBAC_enforcement( self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, True, 'ZoneImportsClient', 'show_zone_import', expected_allowed, True,
@ -185,7 +186,7 @@ class ZonesImportTest(BaseZonesImportTest):
# Test RBAC # Test RBAC
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, True, 'ZoneImportsClient', 'delete_zone_import', expected_allowed, True,
@ -194,7 +195,7 @@ class ZonesImportTest(BaseZonesImportTest):
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header # Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary'] expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin') expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement( self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, False, 'ZoneImportsClient', 'delete_zone_import', expected_allowed, False,
@ -229,14 +230,11 @@ class ZonesImportTest(BaseZonesImportTest):
self.assertGreater(len(body['imports']), 0) self.assertGreater(len(body['imports']), 0)
# TODO(johnsom) Test reader role once this bug is fixed:
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get # Test RBAC - Users that are allowed to call list, but should get
# zero zones. # zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults: if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader', expected_allowed = ['os_system_admin', 'os_system_reader',
'os_admin', 'os_project_member', 'os_admin']
'os_project_reader']
else: else:
expected_allowed = ['os_alt'] expected_allowed = ['os_alt']