This patch set doesn't really add new documentation but instead moves documentation regarding RBAC testing guidelines and examples out of framework/rbac_utils.rst and moves it into a separate test_writing_guide.rst file located in the "Developers' Guide" section. This is because this information is directly relevant to developers and should be included somewhere obvious where they can find it. Including important testing examples and guidelines in the framework documentation isn't too helpful. Change-Id: I6e975cbf1b86d356e9f5d623f81fbf293efcc42c
1.4 KiB
RBAC Utils Module
Overview
Patrole manipulates the os_primary
Tempest
credentials, which are the primary set of Tempest credentials. It is
necessary to use the same credentials across the entire test setup/test
execution/test teardown workflow because otherwise 400-level errors will
be thrown by OpenStack services.
This is because many services check the request context's project
scope -- and in very rare cases, user scope. However, each set of
Tempest credentials (via dynamic
credentials) is allocated its own distinct project. For example, the
os_admin
and os_primary
credentials each have
a distinct project, meaning that it is not always possible for the
os_primary
credentials to access resources created by the
os_admin
credentials.
The only foolproof solution is to manipulate the role for the same set of credentials, rather than using distinct credentials for setup/teardown and test execution, respectively. This is especially true when considering custom policy rule definitions, which can be arbitrarily complex.
Implementation
patrole_tempest_plugin.rbac_utils