From 47db4235c37cbbe38d207899058ea9a5a71916c6 Mon Sep 17 00:00:00 2001
From: Ansuman Bebarta
Date: Fri, 13 Dec 2019 18:52:36 +0530
Subject: [PATCH] Make change to support rbac testing
- Change client manager to create different clients for hitting ranger apis from rbac tests
- Change base client to use appropriate credential which role has been changed by patrole
- Add basic rbac test for customer
Change-Id: I9338bf3a31e3ca6e2b2e30859084d1561a70633c
---
 ranger_tempest_plugin/clients.py | 25 +++++++
 ranger_tempest_plugin/services/base_client.py | 46 ++++++++++---
 ranger_tempest_plugin/tests/rbac/__init__.py | 0
 .../tests/rbac/test_customers.py | 68 +++++++++++++++++++
 requirements.txt | 1 +
 5 files changed, 129 insertions(+), 11 deletions(-)
 create mode 100644 ranger_tempest_plugin/tests/rbac/__init__.py
 create mode 100644 ranger_tempest_plugin/tests/rbac/test_customers.py
diff --git a/ranger_tempest_plugin/clients.py b/ranger_tempest_plugin/clients.py
index 8fe7fb1..dcbb78d 100755
--- a/ranger_tempest_plugin/clients.py
+++ b/ranger_tempest_plugin/clients.py
@@ -49,3 +49,28 @@ class OrmClientManager(clients.Manager):
 CONF.identity.catalog_type,
 CONF.identity.region,
 CONF.ranger.ranger_ims_base_url)
+
+ self.cms_rbac_client = CmsClient(
+ base_client.RangerAuthProvider(credentials),
+ CONF.identity.catalog_type,
+ CONF.identity.region,
+ CONF.ranger.ranger_cms_base_url,
+ rbac=True)
+ self.fms_rbac_client = FmsClient(
+ base_client.RangerAuthProvider(credentials),
+ CONF.identity.catalog_type,
+ CONF.identity.region,
+ CONF.ranger.ranger_fms_base_url,
+ rbac=True)
+ self.rms_rbac_client = RmsClient(
+ base_client.RangerAuthProvider(credentials),
+ CONF.identity.catalog_type,
+ CONF.identity.region,
+ CONF.ranger.ranger_rms_base_url,
+ rbac=True)
+ self.ims_rbac_client = ImsClient(
+ base_client.RangerAuthProvider(credentials),
+ CONF.identity.catalog_type,
+ CONF.identity.region,
+ CONF.ranger.ranger_ims_base_url,
+ rbac=True)
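Review bot: The four `*_rbac_client` attributes added in `ranger_tempest_plugin/clients.py` repeat the existing client construction with only `rbac=True` added, and nothing in the hunk says which identity they authenticate as. A comment above the block, e.g. `# RBAC clients: authenticate with this manager's credentials (role switched by Patrole) instead of the CONF.auth admin account`, would make the difference explicit for anyone picking a client in a test. `rbac=True` only works if `CmsClient`, `FmsClient`, `RmsClient` and `ImsClient` forward extra keyword arguments to `RangerClientBase.__init__`; their constructors are not in this diff, so that is worth confirming. The enclosing method starts outside the hunk.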
diff --git a/ranger_tempest_plugin/services/base_client.py b/ranger_tempest_plugin/services/base_client.py
index 4607e1c..56c61fb 100755
--- a/ranger_tempest_plugin/services/base_client.py
+++ b/ranger_tempest_plugin/services/base_client.py
@@ -39,17 +39,19 @@ class RangerClientBase(rest_client.RestClient):
 timeout = 10
+ def __init__(self, *args, **kwargs):
+ # Get the rbac value and also remove it from kwargs before
+ # sending to parent
+ self.rbac = kwargs.pop('rbac', False)
+ super().__init__(*args, **kwargs)
+
 def get_keystone_ep(self):
 """Get the Keystone EP from tempest conf."""
 identity_url = CONF.identity.uri_v3 or ""
 identity_url = identity_url.strip('/v3')
 return identity_url
- def get_token(self, timeout, host):
- headers = {
- 'Content-Type': 'application/json',
- }
- url = '%s/v3/auth/tokens'
+ def get_data(self):
 data = '''
 {
 "auth":{
@@ -77,6 +79,27 @@ class RangerClientBase(rest_client.RestClient):
 }
 }
 }'''
+ if self.rbac:
+ # Pick the credentials from auth_provider where patrole has
+ # switched the role
+ data = data % (self.auth_provider.credentials.user_domain_name,
+ self.auth_provider.credentials.username,
+ self.auth_provider.credentials.password,
+ self.auth_provider.credentials.project_name,
+ self.auth_provider.credentials.project_domain_name)
+ else:
+ data = data % (CONF.auth.admin_domain_name,
+ CONF.auth.admin_username,
+ CONF.auth.admin_password,
+ CONF.auth.admin_project_name,
+ CONF.auth.admin_domain_name)
+ return data
+
+ def get_token(self, timeout, host):
+ headers = {
+ 'Content-Type': 'application/json',
+ }
+ url = '%s/v3/auth/tokens'
 if not CONF.ranger.auth_enabled:
 return None
@@ -89,11 +112,7 @@ class RangerClientBase(rest_client.RestClient):
 region))
 url = url % (keystone_ep)
- data = data % (CONF.auth.admin_domain_name,
- CONF.auth.admin_username,
- CONF.auth.admin_password,
- CONF.auth.admin_project_name,
- CONF.auth.admin_domain_name)
+ data = self.get_data()
 try:
 resp = requests.post(url,
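Review bot: `rbac` reaches the new `RangerClientBase.__init__` only through `**kwargs`, so the option never appears in the signature and has no documentation beyond the inline comment. The body already uses the Python 3 form `super().__init__`, so a keyword-only parameter can state it directly: `def __init__(self, *args, rbac=False, **kwargs):` followed by `self.rbac = rbac`. A one-line docstring such as `"""rbac: when True, authenticate with auth_provider credentials instead of the CONF.auth admin account."""` would then replace the comment.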
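Review bot: `get_data` fills the JSON template with `%`-formatting, so a username or password containing `"` or `\` yields a malformed or structurally different token request; the new rbac branch extends this to `self.auth_provider.credentials`, whose values depend on the accounts the test run uses. Building the body as a dict and ending with `return json.dumps(body)` removes the escaping problem for both branches. The template between `"auth":{` and the closing braces lies outside the hunks, so the dict shape has to be taken from the file. The same `if self.rbac:` selection is repeated in `get_headers` (the `@@ -110,10 +129,15 @@` hunk); one helper returning the active identity would keep the token and the `X-RANGER-Requester` value from drifting apart.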
@@ -110,10 +129,15 @@ class RangerClientBase(rest_client.RestClient):
 raise ConnectionError(ex.message)
 def get_headers(self, accept_type=None, send_type=None):
+ if self.rbac:
+ requester = self.auth_provider.credentials.username
+ else:
+ requester = CONF.auth.admin_username
+
 headers = {'X-Auth-Region': CONF.identity.region,
 'X-Auth-Token': self.get_token(self.timeout, self.rms_url),
 'X-RANGER-Tracking-Id': 'test',
- 'X-RANGER-Requester': CONF.auth.admin_username,
+ 'X-RANGER-Requester': requester,
 'X-RANGER-Client': 'cli',
 'Content-Type': 'application/json'
 }
diff --git a/ranger_tempest_plugin/tests/rbac/__init__.py b/ranger_tempest_plugin/tests/rbac/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/ranger_tempest_plugin/tests/rbac/test_customers.py b/ranger_tempest_plugin/tests/rbac/test_customers.py
new file mode 100644
index 0000000..fd1796d
--- /dev/null
+++ b/ranger_tempest_plugin/tests/rbac/test_customers.py
@@ -0,0 +1,68 @@
+# Copyright (c) 2019 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# pylint: disable=too-many-ancestors
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin import rbac_utils
+
+from ranger_tempest_plugin.tests.api import test_customers
+
+from tempest import config
+from tempest.lib import decorators
+
+
+CONF = config.CONF
+
+
+class TestCustomer(rbac_utils.RbacUtilsMixin, test_customers.TestTempestCms):
+
+ @classmethod
+ def setup_clients(cls):
+ super(TestCustomer, cls).setup_clients()
+ cls.client = cls.os_primary.cms_rbac_client
+
+ @rbac_rule_validation.action(service="ranger",
+ rules=['customers:get_one'],
+ expected_error_codes=[403])
+ @decorators.idempotent_id('c28cca7b-99ab-4d8d-bef9-f1fe1a1e86cc')
+ def test_get_customer(self):
+ with self.override_role():
+ self.client.get_customer(self.setup_customer_id)
+
+ @rbac_rule_validation.action(service="ranger",
+ rules=['customers:get_all'],
+ expected_error_codes=[403])
+ @decorators.idempotent_id('5f1e6d5b-f7b8-4e19-a30e-95afa3902827')
+ def test_list_customer(self):
+ with self.override_role():
+ # List customers without any filters
+ self.client.list_customers(None)
+
+ @rbac_rule_validation.action(service='ranger',
+ rules=['customers:create'],
+ expected_error_codes=[403])
+ @decorators.idempotent_id('021ada0a-3638-4075-8220-76ff4cbfc9ce')
+ def test_create_customer(self):
+ post_body = self._get_customer_params(
+ quota=False,
+ region_users=False,
+ default_users=False
+ )
+ with self.override_role():
+ _, body = self.client.create_customer(**post_body)
+ test_customer_id = body['customer']['id']
+ self.addCleanup(self._del_cust_validate_deletion_on_dcp_and_lcp,
+ test_customer_id)
+ self._wait_for_status(test_customer_id, 'Success')
diff --git a/requirements.txt b/requirements.txt
index 784e536..303b601 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,6 +10,7 @@ oslo.log>=3.36.0 # Apache-2.0
 oslosphinx>=4.7.0 # Apache-2.0
 oslotest>=1.10.0 # Apache-2.0
 oslo.utils>=3.33.0 # Apache-2.0
+patrole>=0.7.0 # Apache-2.0
 python-subunit>=0.0.18 # Apache-2.0/BSD
 reno>=1.8.0 # Apache-2.0
 requests>=2.10.0
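Review bot: `TestCustomer` in `tests/rbac/test_customers.py` derives from `test_customers.TestTempestCms`, which by its module path looks like the existing API test class, so any `test_*` methods it defines would be collected a second time under this class, run through `cms_rbac_client` and outside `override_role()`. If that is not intended, derive from the fixture base that `TestTempestCms` itself extends, or add a comment such as `# NOTE: also re-runs the inherited API tests with cms_rbac_client` so the duplication is a visible choice. In `test_create_customer` the cleanup and `_wait_for_status` calls run after `override_role()` has exited; those helpers are inherited and not shown here, so confirm they can still delete the customer once `cls.client` is the rbac client.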