f16b6b3a1d
This patchset updates rbac_exceptions by bringing the concept of under-permission and over-permission together. An over-permission occurs when an unauthorized role is allowed to perform an action and an under-permission occurs when an authorized role is not allowed to perform an action. Both of these are important failure scenarios. Current Patrole has an RbacOverPermission Exception but uses a "Forbidden" as a pseudonym for the under-permission version but this is not ideal for the following reasons: * Patrole can expect a 404 Not Found due to Neutron policy enforcement [0] * The naming is inconsistent with RbacOverPermission * It should have a Patrole wrapper exception (NotFound is used directly from Tempest) So, this patchset: * renames RbacOverPermission to RbacOverPermissionException * replaces Forbidden exception with RbacUnderPermissionException * updates documentation, docstrings and unit tests In addition, this patchset introduces a new exception called RbacExpectedWrongException which is raised when the expected exception does not match the actual exception and both are instances of 403 and 404, which means that the RBAC test uses the wrong expected_error_codes. Change-Id: I681610448cbe0269f02c34ea6afaaaf29c306121 |
||
---|---|---|
.. | ||
config-generator.patrole.conf | ||
patrole.conf.sample |