From e3ccb9ec220290383f7feddc13e9240f32213e1f Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Fri, 12 Feb 2021 06:56:31 -0800 Subject: [PATCH] Address some rbac review feedback in merged patches Some of the early test changes for the RBAC work have merged which is awesome, but a couple minor follow-up items should be addressed. They are so minor it doesn't really make sense to merge in with one of the patches in the chain. Change-Id: I85de4d953237f240c3c220f6a57169c633fb295f --- doc/source/contributor/rbac-testing.rst | 13 +++++++------ ironic/tests/unit/api/test_acl.py | 2 +- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/doc/source/contributor/rbac-testing.rst b/doc/source/contributor/rbac-testing.rst index dca06b36d0..d3f7e4de61 100644 --- a/doc/source/contributor/rbac-testing.rst +++ b/doc/source/contributor/rbac-testing.rst @@ -1,6 +1,6 @@ -================================== -Role Based Acces Control - Testing -================================== +=================================== +Role Based Access Control - Testing +=================================== .. todo: This entire file is being added in to provide context for reviewers so we can keep in-line comments to the necessary points @@ -8,7 +8,7 @@ Role Based Acces Control - Testing later patches, but it is also broad in nature attempting to provide context to aid in review. -The Role Based Access control testing is a minor departure from the ironic +The Role Based Access control testing is a minor departure from the Ironic standard pattern of entirely python based unit testing. In part this was done for purposes of speed and to keep the declaration of the test context. 
@@ -46,7 +46,7 @@ one of the following error codes. * 403 - Forbidden - This tells us the policy worked as expected where access was denied. * 404 - NotFound - This is typically when objects were not found. Before - ironic becomes scope aware, these are generally only in the drivers + Ironic becomes scope aware, these are generally only in the drivers API endpoint's behavior. In System scope aware Project scoped configuration, i.e. later RBAC tests, this will become the dominant response for project scoped users as responding with a 403 if they @@ -74,7 +74,8 @@ and ``lessee`` having slightly different views of the universe. Some general rules apply -* Admins can do things +* Admins can do things, at least as far as their scope or rights apply. + Remember: owner and lessee admins are closer to System scoped Admin Members. * Members can do some things, but not everything * Readers can always read, but as we get into sensitive data later on such as fields containing infrastucture internal addresses, these values diff --git a/ironic/tests/unit/api/test_acl.py b/ironic/tests/unit/api/test_acl.py index e349da4cdf..d00f67ad25 100644 --- a/ironic/tests/unit/api/test_acl.py +++ b/ironic/tests/unit/api/test_acl.py @@ -261,4 +261,4 @@ class TestRBACScoped(TestRBACModelBeforeScopes): # NOTE(TheJulia): The purpose of this class is to execute the legacy # RBAC tests with the new configuration, which forces us to # explicity mark each test as a deprecated test later on. That - # funcationality will be added in a later patch when needed, + # functionality will be added in a later patch when needed,
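Review bot: In the doc/source/contributor/rbac-testing.rst hunk at line 8, "The Role Based Access control testing" still lower-cases "control" although the title corrected in the first hunk reads "Role Based Access Control", and "python" on the following context line stays lower-case beside the newly capitalized "Ironic". Since this patch is a wording cleanup of the same paragraph, make both consistent here: "Role Based Access Control testing" and "Python based unit testing".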
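Review bot: In the rbac-testing.rst hunk at line 46, the 404 bullet's context sentence "In System scope aware Project scoped configuration, i.e. later RBAC tests, this will become the dominant response" is hard to parse as written, and it describes the behaviour reviewers will rely on when judging whether a 404 or a 403 is the expected result for a project scoped user. While the line above it is being touched, consider hyphenating the compound modifiers ("system-scope-aware, project-scoped configuration") or splitting the sentence in two.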
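Review bot: In the rbac-testing.rst hunk at line 74, the added sentence "Remember: owner and lessee admins are closer to System scoped Admin Members." is ambiguous, because "Admin Members" can be read as a single role or as two roles run together. This bullet is the rule readers will use to decide what an owner or lessee admin is expected to be allowed to do, so name the one System scoped role being compared against. The trailing context line also still carries the typo "infrastucture", which fits this cleanup and could be corrected to "infrastructure" in the same change.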
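Review bot: In the ironic/tests/unit/api/test_acl.py hunk, the NOTE(TheJulia) comment still reads "explicity mark each test" on the context line directly above the corrected "functionality" line. Change it to "explicitly" in this patch, since the only edit to this file is a spelling fix in that same comment.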