openstack/keystone-tempest-plugin
Code Issues Proposed changes

Make keystone-protection-functional job voting

Browse Source 
This patch removes "voting: false" from the
keystone-protection-functional job to make it vote in both gate and
check pipelines.

This patch also fixes a couple of issues with some RBAC tests that were
failing.

* In Keystone, the domains API checks the validity of the json body of
  the request before checking whether the entity being modified actually
  exists.  This results in 400 errors instead of 404s for non-existent
  domains when the request body is invalid.  This patch fixes the
  invalid requests.

* In the endpoints API, RBAC enforcement happens before the entity
  lookup, so the API returns 401 Forbidden for users that don't have
  access whether the endpoint actually exists or not.

Signed-off-by: Douglas Mendizábal <dmendiza@redhat.com>
Change-Id: I39a045fce807a77cd2f1062a00e2c20f01e5abf2
This commit is contained in:
Douglas Mendizabal
2026-04-24 02:02:24 -04:00
committed by Douglas Mendizábal
parent c9853f9251
commit 92947edd42
3 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.zuul.yaml
-1
View File
@@ -1,7 +1,6 @@
- job:
name: keystone-protection-functional
parent: keystone-tempest
voting: false
vars:
tempest_test_regex: 'keystone_tempest_plugin.tests.rbac'
devstack_localrc:
keystone_tempest_plugin/tests/rbac/v3/test_domain.py
+4 -2
View File
@@ -125,7 +125,8 @@ class SystemAdminTests(IdentityV3RbacDomainTests, base.BaseIdentityTest):
description=data_utils.arbitrary_string())
# user gets a 404 for nonexistent domain
self.do_request('update_domain', expected_status=exceptions.NotFound,
domain_id=data_utils.rand_uuid_hex())
domain_id=data_utils.rand_uuid_hex(),
description=data_utils.arbitrary_string())
def test_identity_delete_domain(self):
domain_id = self.admin_domains_client.create_domain(
@@ -156,7 +157,8 @@ class SystemMemberTests(SystemAdminTests, base.BaseIdentityTest):
description=data_utils.arbitrary_string())
# user gets a 404 for nonexistent domain
self.do_request('update_domain', expected_status=exceptions.NotFound,
domain_id=data_utils.rand_uuid_hex())
domain_id=data_utils.rand_uuid_hex(),
description=data_utils.arbitrary_string())
def test_identity_delete_domain(self):
domain_id = self.admin_domains_client.create_domain(
keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
+8 -6
View File
@@ -174,8 +174,9 @@ class SystemMemberTests(SystemAdminTests, base.BaseIdentityTest):
expected_status=exceptions.Forbidden,
endpoint_id=endpoint_id,
interface='internal')
# user gets a 404 for nonexistent endpoint
self.do_request('update_endpoint', expected_status=exceptions.NotFound,
# user also gets Forbidden for nonexistent endpoint
self.do_request('update_endpoint',
expected_status=exceptions.Forbidden,
endpoint_id=data_utils.rand_uuid_hex(),
interface='internal')
@@ -185,8 +186,9 @@ class SystemMemberTests(SystemAdminTests, base.BaseIdentityTest):
self.do_request('delete_endpoint',
expected_status=exceptions.Forbidden,
endpoint_id=endpoint_id)
# user gets a 404 for nonexistent endpoint
self.do_request('delete_endpoint', expected_status=exceptions.NotFound,
# user also gets Forbidden for nonexistent endpoint
self.do_request('delete_endpoint',
expected_status=exceptions.Forbidden,
endpoint_id=data_utils.rand_uuid_hex())
@@ -207,8 +209,8 @@ class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
endpoint_id=endpoint_id)
self.do_request('show_endpoint', expected_status=exceptions.Forbidden,
endpoint_id=endpoint_id)
# user gets a 404 for nonexistent endpoint
self.do_request('show_endpoint', expected_status=exceptions.NotFound,
# user also gets Forbidden for nonexistent endpoint
self.do_request('show_endpoint', expected_status=exceptions.Forbidden,
endpoint_id=data_utils.rand_uuid_hex())
def test_identity_list_endpoints(self):