Make change to support rbac testing

- Change client manager to create different clients for
  hitting ranger apis from rbac tests
- Change base client to use appropriate credential which
  role has been changed by patrole
- Add basic rbac test for customer

Change-Id: I9338bf3a31e3ca6e2b2e30859084d1561a70633c

ranger_tempest_plugin/clients.py

@@ -49,3 +49,28 @@ class OrmClientManager(clients.Manager):
             CONF.identity.catalog_type,
             CONF.identity.region,
             CONF.ranger.ranger_ims_base_url)
+
+        self.cms_rbac_client = CmsClient(
+            base_client.RangerAuthProvider(credentials),
+            CONF.identity.catalog_type,
+            CONF.identity.region,
+            CONF.ranger.ranger_cms_base_url,
+            rbac=True)
+        self.fms_rbac_client = FmsClient(
+            base_client.RangerAuthProvider(credentials),
+            CONF.identity.catalog_type,
+            CONF.identity.region,
+            CONF.ranger.ranger_fms_base_url,
+            rbac=True)
+        self.rms_rbac_client = RmsClient(
+            base_client.RangerAuthProvider(credentials),
+            CONF.identity.catalog_type,
+            CONF.identity.region,
+            CONF.ranger.ranger_rms_base_url,
+            rbac=True)
+        self.ims_rbac_client = ImsClient(
+            base_client.RangerAuthProvider(credentials),
+            CONF.identity.catalog_type,
+            CONF.identity.region,
+            CONF.ranger.ranger_ims_base_url,
+            rbac=True)

ranger_tempest_plugin/services/base_client.py

@@ -39,17 +39,19 @@ class RangerClientBase(rest_client.RestClient):
 
     timeout = 10
 
+    def __init__(self, *args, **kwargs):
+        # Get the rbac value and also remove it from kwargs before
+        # sending to parent
+        self.rbac = kwargs.pop('rbac', False)
+        super().__init__(*args, **kwargs)
+
     def get_keystone_ep(self):
         """Get the Keystone EP from tempest conf."""
         identity_url = CONF.identity.uri_v3 or ""
         identity_url = identity_url.strip('/v3')
         return identity_url
 
-    def get_token(self, timeout, host):
+    def get_data(self):
-        headers = {
-            'Content-Type': 'application/json',
-        }
-        url = '%s/v3/auth/tokens'
         data = '''
 {
    "auth":{
@@ -77,6 +79,27 @@ class RangerClientBase(rest_client.RestClient):
       }
    }
 }'''
+        if self.rbac:
+            # Pick the credentials from auth_provider where patrole has
+            # switched the role
+            data = data % (self.auth_provider.credentials.user_domain_name,
+                           self.auth_provider.credentials.username,
+                           self.auth_provider.credentials.password,
+                           self.auth_provider.credentials.project_name,
+                           self.auth_provider.credentials.project_domain_name)
+        else:
+            data = data % (CONF.auth.admin_domain_name,
+                           CONF.auth.admin_username,
+                           CONF.auth.admin_password,
+                           CONF.auth.admin_project_name,
+                           CONF.auth.admin_domain_name)
+        return data
+
+    def get_token(self, timeout, host):
+        headers = {
+            'Content-Type': 'application/json',
+        }
+        url = '%s/v3/auth/tokens'
         if not CONF.ranger.auth_enabled:
             return None
 
@@ -89,11 +112,7 @@ class RangerClientBase(rest_client.RestClient):
                                                                    region))
 
         url = url % (keystone_ep)
-        data = data % (CONF.auth.admin_domain_name,
+        data = self.get_data()
-                       CONF.auth.admin_username,
-                       CONF.auth.admin_password,
-                       CONF.auth.admin_project_name,
-                       CONF.auth.admin_domain_name)
 
         try:
             resp = requests.post(url,
@@ -110,10 +129,15 @@ class RangerClientBase(rest_client.RestClient):
             raise ConnectionError(ex.message)
 
     def get_headers(self, accept_type=None, send_type=None):
+        if self.rbac:
+            requester = self.auth_provider.credentials.username
+        else:
+            requester = CONF.auth.admin_username
+
         headers = {'X-Auth-Region': CONF.identity.region,
                    'X-Auth-Token': self.get_token(self.timeout, self.rms_url),
                    'X-RANGER-Tracking-Id': 'test',
-                   'X-RANGER-Requester': CONF.auth.admin_username,
+                   'X-RANGER-Requester': requester,
                    'X-RANGER-Client': 'cli',
                    'Content-Type': 'application/json'
                    }

ranger_tempest_plugin/tests/rbac/test_customers.py

@@ -0,0 +1,68 @@
+# Copyright (c) 2019 AT&T Intellectual Property. All other rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+# pylint: disable=too-many-ancestors
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin import rbac_utils
+
+from ranger_tempest_plugin.tests.api import test_customers
+
+from tempest import config
+from tempest.lib import decorators
+
+
+CONF = config.CONF
+
+
+class TestCustomer(rbac_utils.RbacUtilsMixin, test_customers.TestTempestCms):
+
+    @classmethod
+    def setup_clients(cls):
+        super(TestCustomer, cls).setup_clients()
+        cls.client = cls.os_primary.cms_rbac_client
+
+    @rbac_rule_validation.action(service="ranger",
+                                 rules=['customers:get_one'],
+                                 expected_error_codes=[403])
+    @decorators.idempotent_id('c28cca7b-99ab-4d8d-bef9-f1fe1a1e86cc')
+    def test_get_customer(self):
+        with self.override_role():
+            self.client.get_customer(self.setup_customer_id)
+
+    @rbac_rule_validation.action(service="ranger",
+                                 rules=['customers:get_all'],
+                                 expected_error_codes=[403])
+    @decorators.idempotent_id('5f1e6d5b-f7b8-4e19-a30e-95afa3902827')
+    def test_list_customer(self):
+        with self.override_role():
+            # List customers without any filters
+            self.client.list_customers(None)
+
+    @rbac_rule_validation.action(service='ranger',
+                                 rules=['customers:create'],
+                                 expected_error_codes=[403])
+    @decorators.idempotent_id('021ada0a-3638-4075-8220-76ff4cbfc9ce')
+    def test_create_customer(self):
+        post_body = self._get_customer_params(
+            quota=False,
+            region_users=False,
+            default_users=False
+        )
+        with self.override_role():
+            _, body = self.client.create_customer(**post_body)
+            test_customer_id = body['customer']['id']
+            self.addCleanup(self._del_cust_validate_deletion_on_dcp_and_lcp,
+                            test_customer_id)
+        self._wait_for_status(test_customer_id, 'Success')

requirements.txt

@@ -10,6 +10,7 @@ oslo.log>=3.36.0 # Apache-2.0
 oslosphinx>=4.7.0 # Apache-2.0
 oslotest>=1.10.0 # Apache-2.0
 oslo.utils>=3.33.0 # Apache-2.0
+patrole>=0.7.0 # Apache-2.0
 python-subunit>=0.0.18 # Apache-2.0/BSD
 reno>=1.8.0 # Apache-2.0
 requests>=2.10.0