ironic/doc/source/contributor/rbac-testing.rst
Sharpz7 949387bd80 [codespell] Fixing Spelling Mistakes
This is the first in a series of commits to add support for codespell. This is continuning the process completed in ironic-python-agent.

Future Commits will add a Tox Target, CI support and potentially a git-blame-ignore-revs file if their are lots of spelling mistakes that could clutter git blame.

Change-Id: Id328ff64c352e85b58181e9d9e35973a8706ab7a
2024-02-12 19:58:56 +00:00

121 lines
6.0 KiB
ReStructuredText

===================================
Role Based Access Control - Testing
===================================
.. todo: This entire file is being added in to provide context for
reviewers so we can keep in-line comments to the necessary points
in the yaml files. It *IS* written with a forward awareness of the
later patches, but it is also broad in nature attempting to provide
context to aid in review.
The Role Based Access control testing is a minor departure from the Ironic
standard pattern of entirely python based unit testing. In part this was done
for purposes of speed and to keep the declaration of the test context.
This also lended itself to be very useful due to the nature of A/B testing
which is required to properly migrate the Ironic project from a project
scoped universe where an ``admin project`` is utilized as the authenticating
factor coupled with two custom roles, ``baremetal_admin``, and
``baremetal_observer``.
As a contributor looking back after getting a over a thousand additional tests
in place using this method, it definitely helped the speed at which these
were created, and then ported to support additional.
How these tests work
====================
These tests execute API calls through the API layer, using the appropriate
verb and header, which settings to prevent the ``keystonemiddleware`` from
intercepting and replacing the headers we're passing. Ultimately this is a
feature, and it helps quite a bit.
The second aspect of how this works is we're mocking the conductor RPC
``get_topic_for`` and ``get_random_topic_for`` methods. These calls raise
Temporary Unavailable, since trying to execute the entire interaction into
the conductor is moderately pointless because all policy enforement is
located with-in the API layer.
At the same time wiring everything up to go from API to conductor code and
back would have been a heavier lift. As such, the tests largely look for
one of the following error codes.
* 200 - Got the item from the API - This is an database driven interaction.
* 201 - Created - This is database driven interaction. These are rare.
* 204 - Accepted - This is a database driven interaction. These are rare.
* 403 - Forbidden - This tells us the policy worked as expected where
access was denied.
* 404 - NotFound - This is typically when objects were not found. Before
Ironic becomes scope aware, these are generally only in the drivers
API endpoint's behavior. In System scope aware Project scoped
configuration, i.e. later RBAC tests, this will become the dominant
response for project scoped users as responding with a 403 if they
could be an owner or lessee would provide insight into the existence
of a node.
* 503 - Service Unavailable - In the context of our tests, we expect this
when a request *has* been successfully authenticated and would have
been sent along to the conductor.
How to make changes or review these tests?
==========================================
The tests cycle through the various endpoints, and repeating patterns
are clearly visible. Typically this means a given endpoint is cycled
through with the same basic test using slightly different parameters
such as different authentication parameters. When it comes to system
scope aware tests supporting node ``owners`` and ``lessee``, these
tests will cycle a little more with slightly different attributes
as the operation is not general against a shared common node, but
different nodes.
Some tests will test body contents, or attributes. some will validate
the number of records returned. This is important later with ``owner``
and ``lessee`` having slightly different views of the universe.
Some general rules apply
* Admins can do things, at least as far as their scope or rights apply.
Remember: owner and lessee admins are closer to System scoped Admin Members.
* Members can do some things, but not everything
* Readers can always read, but as we get into sensitive data later on
such as fields containing infrastructure internal addresses, these values
will become hidden and additional tests will examine this.
* Third party, or external/other Admins will find nothing but sadness
in empty lists, 403, 404, or even 500 errors.
What is/will be tested?
=======================
The idea is to in essence test as much as possible, however as these
tests Role Based Access Control related capabilities will come in a
series of phases, styles vary a little.
The first phase is ``"legacy"``. In essence these are partially
programmatically generated and then human reviewed and values populated
with expected values.
The second phase is remarkably similar to ``legacy``. It is the safety net
where we execute the ``legacy`` tests with the updated ``oslo.policy``
configuration to help enforce scopes. These tests will intentionally begin to
fail in phase three.
The third phase is the implementation of System scope awareness for the
API. In this process, as various portions of the API are made system scope
aware. The ``legacy`` tests are marked as ``deprecated`` which signals to
the second phase test sequences that they are **expected** to fail. New
``system scoped`` tests are also implemented which are matched up by name
to the ``legacy`` tests. The major difference being some header values,
and a user with a ``member`` role in the ``system`` scope now has some
rights.
The forth phase, is implementation of ``owner`` and ``lessee`` aware
project scoping. The testing approach is similar, however it is much more of
a "shotgun" approach. We test what we know should work, and what know should
not work, but we do not have redundant testing for each role as ``admin``
users are also ``members``, and since the policy rules are designed around
thresholds of access, it just made no sense to run the same test for admin
and members, where member was the threshold. These thresholds will vary with
the proposed default policy. The forth scope also tests a third party external
admin as a negative test to ensure that we are also denying access to
resources appropriately.