Address some rbac review feedback in merged patches

Some of the early test changes for the RBAC work have merged
which is awesome, but a couple minor follow-up items should be
addressed. They are so minor it doesn't really make sense to merge
in with one of the patches in the chain.

Change-Id: I85de4d953237f240c3c220f6a57169c633fb295f
Julia Kreger 2021-02-12 06:56:31 -08:00
parent e77d1b553a
commit e3ccb9ec22
2 changed files with 8 additions and 7 deletions


@ -1,6 +1,6 @@
================================== ===================================
Role Based Acces Control - Testing Role Based Access Control - Testing
================================== ===================================
.. todo: This entire file is being added in to provide context for .. todo: This entire file is being added in to provide context for
reviewers so we can keep in-line comments to the necessary points reviewers so we can keep in-line comments to the necessary points
@ -8,7 +8,7 @@ Role Based Acces Control - Testing
later patches, but it is also broad in nature attempting to provide later patches, but it is also broad in nature attempting to provide
context to aid in review. context to aid in review.
The Role Based Access control testing is a minor departure from the ironic The Role Based Access control testing is a minor departure from the Ironic
standard pattern of entirely python based unit testing. In part this was done standard pattern of entirely python based unit testing. In part this was done
for purposes of speed and to keep the declaration of the test context. for purposes of speed and to keep the declaration of the test context.
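Review bot: The capitalisation fix on the "The Role Based Access control testing" line stops at "Ironic". On the same line "control" is lower-case while the title in this file uses "Control", and "python" on the following context line would normally be written "Python". Both are worth correcting in this pass so the paragraph is consistent.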
@ -46,7 +46,7 @@ one of the following error codes.
* 403 - Forbidden - This tells us the policy worked as expected where * 403 - Forbidden - This tells us the policy worked as expected where
access was denied. access was denied.
* 404 - NotFound - This is typically when objects were not found. Before * 404 - NotFound - This is typically when objects were not found. Before
ironic becomes scope aware, these are generally only in the drivers Ironic becomes scope aware, these are generally only in the drivers
API endpoint's behavior. In System scope aware Project scoped API endpoint's behavior. In System scope aware Project scoped
configuration, i.e. later RBAC tests, this will become the dominant configuration, i.e. later RBAC tests, this will become the dominant
response for project scoped users as responding with a 403 if they response for project scoped users as responding with a 403 if they
@ -74,7 +74,8 @@ and ``lessee`` having slightly different views of the universe.
Some general rules apply Some general rules apply
* Admins can do things * Admins can do things, at least as far as their scope or rights apply.
Remember: owner and lessee admins are closer to System scoped Admin Members.
* Members can do some things, but not everything * Members can do some things, but not everything
* Readers can always read, but as we get into sensitive data later on * Readers can always read, but as we get into sensitive data later on
such as fields containing infrastucture internal addresses, these values such as fields containing infrastucture internal addresses, these values
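Review bot: The added "Remember: owner and lessee admins are closer to System scoped Admin Members." line is ambiguous, because "Admin Members" names two roles at once in a list that treats Admins, Members and Readers as separate. Readers will use this rule to decide which responses the tests should expect, so state the intended role explicitly (for example, whether owner and lessee admins should be treated like a System scoped Member). Please also confirm the new continuation line is indented to sit under the "* Admins" bullet in the RST source, and note that "infrastucture" in the last context line is still misspelled.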


@ -261,4 +261,4 @@ class TestRBACScoped(TestRBACModelBeforeScopes):
# NOTE(TheJulia): The purpose of this class is to execute the legacy # NOTE(TheJulia): The purpose of this class is to execute the legacy
# RBAC tests with the new configuration, which forces us to # RBAC tests with the new configuration, which forces us to
# explicity mark each test as a deprecated test later on. That # explicity mark each test as a deprecated test later on. That
# funcationality will be added in a later patch when needed, # functionality will be added in a later patch when needed,
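Review bot: "explicity" in the comment line just above the corrected one is still misspelled. Since this hunk already fixes "funcationality", change it to "explicitly" in the same edit so the NOTE block does not need another follow-up.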