Use only keystone roles in keystone RBAC tests

- don't use the load-balancer_* roles, they may not exist (and they don't
  do anything) in this configuration
- create a temporary user with a temporary non-member role

Change-Id: I9fc26307f64a2eccbbaf2d979e44fa668328565f
Gregory Thiemonge 2024-05-16 02:57:08 -04:00
parent 1f42112bd0
commit cba3b22f63
2 changed files with 84 additions and 8 deletions


@ -25,7 +25,9 @@ from cryptography.hazmat.primitives import serialization
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log as logging from oslo_log import log as logging
from oslo_utils import uuidutils from oslo_utils import uuidutils
from tempest import clients
from tempest import config from tempest import config
from tempest.lib import auth
from tempest.lib.common.utils import data_utils from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils.linux import remote_client from tempest.lib.common.utils.linux import remote_client
from tempest.lib import exceptions from tempest.lib import exceptions
@ -60,13 +62,12 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin,
elif CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: elif CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
credentials = [ credentials = [
'admin', 'primary', 'admin', 'primary',
['lb_admin', CONF.load_balancer.admin_role, 'admin'], ['lb_admin', 'admin'],
['lb_observer', CONF.load_balancer.observer_role, 'reader'], ['lb_observer', 'reader'],
['lb_global_observer', CONF.load_balancer.global_observer_role, ['lb_global_observer', 'reader'],
'reader'], ['lb_member', 'member'],
['lb_member', CONF.load_balancer.member_role, 'member'], ['lb_member2', 'member']]
['lb_member2', CONF.load_balancer.member_role, 'member'], # Note: an additional non-member user is added in setup_credentials
['lb_member_not_default_member', CONF.load_balancer.member_role]]
else: else:
credentials = [ credentials = [
'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role], 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
@ -133,6 +134,38 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin,
'public_network_id must be defined.') 'public_network_id must be defined.')
raise cls.skipException(msg) raise cls.skipException(msg)
@classmethod
def _setup_new_user_role_client(cls, project_id, role_name):
user = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password()
}
user_id = cls.os_admin.users_v3_client.create_user(
**user)['user']['id']
cls._created_users.append(user_id)
roles = cls.os_admin.roles_v3_client.list_roles(
name=role_name)['roles']
if len(roles) == 0:
role = {
'name': role_name
}
role_id = cls.os_admin.roles_v3_client.create_role(
**role)['role']['id']
cls._created_roles.append(role_id)
else:
role_id = roles[0]['id']
cls.os_admin.roles_v3_client.create_user_role_on_project(
project_id, user_id, role_id
)
creds = auth.KeystoneV3Credentials(
user_id=user_id,
password=user['password'],
project_id=project_id
)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
return clients.Manager(credentials=creds)
@classmethod @classmethod
def setup_credentials(cls): def setup_credentials(cls):
"""Setup test credentials and network resources.""" """Setup test credentials and network resources."""
@ -140,12 +173,36 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin,
cls.set_network_resources() cls.set_network_resources()
super(LoadBalancerBaseTest, cls).setup_credentials() super(LoadBalancerBaseTest, cls).setup_credentials()
cls._created_projects = []
cls._created_users = []
cls._created_roles = []
non_dyn_users = []
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
# Create a non-member user for keystone_default_roles
# When using dynamic credentials, tempest cannot create a user
# without a role, it always adds at least the "member" role.
# We manually create the user with a temporary role
project_id = cls.os_admin.projects_client.create_project(
data_utils.rand_name()
)['project']['id']
cls._created_projects.append(project_id)
cls.os_not_member = cls._setup_new_user_role_client(
project_id,
data_utils.rand_name('role'))
cls.allocated_creds.append('os_not_member')
non_dyn_users.append('not_member')
# Tests shall not mess with the list of allocated credentials
cls.allocated_credentials = tuple(cls.allocated_creds)
if not CONF.load_balancer.log_user_roles: if not CONF.load_balancer.log_user_roles:
return return
# Log the user roles for this test run # Log the user roles for this test run
role_name_cache = {} role_name_cache = {}
for cred in cls.credentials: for cred in cls.credentials + non_dyn_users:
user_roles = [] user_roles = []
if isinstance(cred, list): if isinstance(cred, list):
user_name = cred[0] user_name = cred[0]
@ -168,6 +225,16 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin,
user_roles.append([role_name, role['scope']]) user_roles.append([role_name, role['scope']])
LOG.info("User %s has roles: %s", user_name, user_roles) LOG.info("User %s has roles: %s", user_name, user_roles)
@classmethod
def clear_credentials(cls):
for user_id in cls._created_users:
cls.os_admin.users_v3_client.delete_user(user_id)
for project_id in cls._created_projects:
cls.os_admin.projects_client.delete_project(project_id)
for role_id in cls._created_roles:
cls.os_admin.roles_v3_client.delete_role(role_id)
super().clear_credentials()
@classmethod @classmethod
def setup_clients(cls): def setup_clients(cls):
"""Setup client aliases.""" """Setup client aliases."""
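Review bot: `clear_credentials` in the last hunk reads `cls._created_users`, `cls._created_projects` and `cls._created_roles`, but `setup_credentials` only initializes those lists after `super(LoadBalancerBaseTest, cls).setup_credentials()` has returned, so if tempest's teardown path invokes `clear_credentials` after a failed `setup_credentials` (which it appears to do), the cleanup itself raises AttributeError and masks the original error. A failure of any single `delete_*` call also abandons the remaining deletes and skips `super().clear_credentials()`, leaving the temporary user, project and role, plus the dynamic credentials, behind. Moving the three list initializations above the `super(...).setup_credentials()` call, or reading them with `getattr(cls, '_created_users', [])`, fixes the first point; a `try`/`finally` around the deletes so the parent cleanup always runs addresses the second, as sketched below. The enclosing class continues outside the hunk.
```python
    @classmethod
    def clear_credentials(cls):
        """Delete the temporary user, project and role created for the
        non-member credentials, then release the dynamic credentials."""
        try:
            # getattr: these lists do not exist if setup_credentials failed
            # before initializing them.
            for user_id in getattr(cls, '_created_users', []):
                cls.os_admin.users_v3_client.delete_user(user_id)
            for project_id in getattr(cls, '_created_projects', []):
                cls.os_admin.projects_client.delete_project(project_id)
            for role_id in getattr(cls, '_created_roles', []):
                cls.os_admin.roles_v3_client.delete_role(role_id)
        finally:
            # The parent cleanup must run even if one of the deletes failed.
            super().clear_credentials()
```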


@ -0,0 +1,9 @@
---
other:
- |
When using the ``keystone_default_roles`` RBAC tests, the
``load-balancer_*`` roles are no longer used by tempest, it relies only on
the keystone ``admin``, ``member``, ``reader`` roles. The
``[load_balancer].member_role``, ``[load_balancer].admin_role``,
``[load_balancer].observer_role`` and
``[load_balancer].global_observer_role`` settings are ignored.