From f64b81ed691468d5ec86ad9aebfefcb18d0c9a84 Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Mon, 15 Mar 2021 11:52:41 -0500 Subject: [PATCH] Fix gate for handling of deprecated rules and image client oslo.policy has made the changes to not modify the rule check - https://review.opendev.org/c/openstack/oslo.policy/+/774112 Patrole code for handling the deprecated code needs to make changes to work with latest oslo policy. Also fix the image namespace clients to be admin which were recently changed in Tempest side - https://review.opendev.org/c/openstack/tempest/+/780108 Change-Id: I93d74d71a3e085ab4f08053db83354e86f3f2d14 --- patrole_tempest_plugin/policy_authority.py | 23 ++++++++++++++----- .../tests/api/image/rbac_base.py | 11 ++++++++- 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/patrole_tempest_plugin/policy_authority.py b/patrole_tempest_plugin/policy_authority.py index 0a50d612..914f2f9a 100644 --- a/patrole_tempest_plugin/policy_authority.py +++ b/patrole_tempest_plugin/policy_authority.py @@ -20,6 +20,7 @@ import os from oslo_log import log as logging from oslo_policy import policy +import pkg_resources import stevedore from tempest import config @@ -183,10 +184,19 @@ class PolicyAuthority(RbacAuthority): } ) LOG.warn(deprecated_msg) - default.check = policy.OrCheck( - [policy._parser.parse_rule(cs) for cs in - [default.check_str, - deprecated_rule.check_str]]) + oslo_policy_version = pkg_resources.parse_version( + pkg_resources.get_distribution("oslo.policy").version) + # NOTE(gmann): oslo policy 3.7.0 onwards does not allow to modify + # the Rule object check attribute. + required_version = pkg_resources.parse_version('3.7.0') + if oslo_policy_version >= required_version: + return policy.OrCheck([default.check, deprecated_rule.check]) + else: + default.check = policy.OrCheck( + [policy._parser.parse_rule(cs) for cs in + [default.check_str, + deprecated_rule.check_str]]) + return default.check def get_rules(self): rules = policy.Rules() @@ -226,9 +236,10 @@ class PolicyAuthority(RbacAuthority): # NOTE (sergey.vilgelm): # The `DocumentedRuleDefault` object has no # `deprecated_rule` attribute in Pike + check = rule.check if getattr(rule, 'deprecated_rule', False): - self._handle_deprecated_rule(rule) - rules[rule.name] = rule.check + check = self._handle_deprecated_rule(rule) + rules[rule.name] = check elif str(rule.check) != str(rules[rule.name]): msg = ("The same policy name: %s was found in the " "policies files and in the code for service " diff --git a/patrole_tempest_plugin/tests/api/image/rbac_base.py b/patrole_tempest_plugin/tests/api/image/rbac_base.py index 2f7d065c..9019bc45 100644 --- a/patrole_tempest_plugin/tests/api/image/rbac_base.py +++ b/patrole_tempest_plugin/tests/api/image/rbac_base.py @@ -18,4 +18,13 @@ from patrole_tempest_plugin import rbac_utils class BaseV2ImageRbacTest(rbac_utils.RbacUtilsMixin, image_base.BaseV2ImageTest): - pass + + @classmethod + def setup_clients(cls): + super(BaseV2ImageRbacTest, cls).setup_clients() + cls.namespaces_client = cls.os_primary.namespaces_client + cls.resource_types_client = cls.os_primary.resource_types_client + cls.namespace_properties_client =\ + cls.os_primary.namespace_properties_client + cls.namespace_objects_client = cls.os_primary.namespace_objects_client + cls.namespace_tags_client = cls.os_primary.namespace_tags_client