
This patch chain aims to suggest a set of default policies for user management on stx-openstack. We suggest the creation of the project_admin and project_readonly roles and provide some policies to fine-tune the access control over the OpenStack services to those roles, as described in README.md. Also, we provide a set of tests to ensure the policies and permissions are all working as expected on site for the cloud administrators. This commit includes Cinder-related tests and functions, along with common test functions used by multiple OpenStack services. Story: 2008910 Task: 42501 Signed-off-by: Heitor Matsui <heitorvieira.matsui@windriver.com> Signed-off-by: Thiago Brito <thiago.brito@windriver.com> Co-authored-by: Miriam Yumi Peixoto <miriam.yumipeixoto@windriver.com> Co-authored-by: Leonardo Zaccarias <leonardo.zaccarias@windriver.com> Co-authored-by: Rogerio Oliveira Ferraz <rogeriooliveira.ferraz@windriver.com> Change-Id: I6b43bc584e470f022fb08a8a4cf741c188dfe80d
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# All Rights Reserved.
#
from pytest import fixture
from tests.fv_rbac import debug1
from tests.fv_rbac import OpenStackNetworkingSetup
from tests.fv_rbac import OpenStackTestingSetup
def pytest_addoption(parser):
    """Register the ``--env`` command-line option with pytest.

    The option is stored as a plain string and defaults to ``"stx"``; the
    help text names ``stx`` and ``wro`` as the supported environments.

    Args:
        parser: the pytest option parser handed to this hook.
    """
    # NOTE(review): no ``choices`` restriction is passed, so the value is not
    # validated here. Other code on this page compares the value with "wro";
    # confirm whether any other spelling should be rejected instead of being
    # treated like the default environment.
    env_option = {
        "action": "store",
        "default": "stx",
        "help": "Environment to run tests against (stx or wro). Default: stx",
    }
    parser.addoption("--env", **env_option)
@fixture(scope="session")
def env(request):
    """Return the value given for the ``--env`` command-line option.

    Session-scoped, so the option is read once per test session.
    """
    selected_env = request.config.getoption("--env")
    return selected_env
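@fixture(scope='session')
def rbac_setup(request):
    """Provision the projects, users and role assignments for the RBAC tests.

    Creates ``project1`` and ``project2``, every user listed in
    ``cfg.users``, the role assignments listed below and an admin image,
    then returns the ``OpenStackTestingSetup`` instance that did the work.

    The ``project_admin`` and ``project_readonly`` roles are assumed to exist
    already; this fixture neither creates nor deletes them.

    The finalizer is registered before anything is created and undoes only
    what was actually created. A setup that fails part-way therefore does not
    leave test projects, users or role assignments (one of them ``admin`` on
    ``project2``) behind on the deployment under test.

    Args:
        request: the pytest fixture request, used to register the finalizer.

    Returns:
        The ``OpenStackTestingSetup`` instance used for the setup.
    """
    if debug1:
        print("\nSession Initialization")

    cfg = OpenStackTestingSetup()

    # (name, description) of the projects to create, in creation order.
    projects = [
        ("project1", "project1 for rbac test1"),
        ("project2", "project2 for rbac test1"),
    ]

    # (role, user, project) assignments, in the order they are granted.
    role_assignments = [
        ("project_admin", "user11", "project1"),
        ("member", "user12", "project1"),
        ("project_readonly", "user13", "project1"),
        ("admin", "user02", "project2"),
        ("project_admin", "user21", "project2"),
        ("member", "user22", "project2"),
        ("project_readonly", "user23", "project2"),
    ]

    # Bookkeeping of what has been created so far; teardown reads only these.
    created_projects = []
    created_users = []
    granted = []
    admin_images = []

    def teardown():
        """Undo whatever part of the setup completed."""
        if debug1:
            print("\nSession Teardown")

        for image in admin_images:
            cfg._delete_admin_image(image)

        for role, user, project in granted:
            cfg._revoke_role(role, user, project)

        # Only users created by this fixture are deleted.
        for user in created_users:
            cfg._delete_user(user)

        # NOTE(tbrito): Roles should NOT be removed on a live deployment
        # for role in ["project_readonly", "project_admin"]:
        #     cfg._delete_role(role)

        for project in created_projects:
            cfg._delete_project(project)

    # Registered up front: pytest runs finalizers added this way even when the
    # fixture raises later during setup.
    request.addfinalizer(teardown)

    # Create projects
    for name, description in projects:
        cfg._create_project(name, description=description)
        created_projects.append(name)

    # NOTE(tbrito): assume roles are already created
    # Create roles
    # for role in ["project_readonly", "project_admin"]:
    #     cfg._create_role(role)

    # Create users
    for user in cfg.users:
        cfg._create_user(user)
        created_users.append(user)

    # Assign Roles to Users
    for role, user, project in role_assignments:
        cfg._grant_role(role, user, project)
        granted.append((role, user, project))

    admin_images.append(cfg._create_admin_image())

    return cfg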
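@fixture(scope='session')
def network_admin_setup(request, rbac_setup, env):
    """Create the network segment ranges (and, on ``wro``, the QoS policy).

    Four VLAN segment ranges are created: two shared ones and one per test
    project. When ``env`` equals ``"wro"`` an ``admin-qos`` policy is created
    as well.

    The finalizer is registered before anything is created and removes only
    what was actually created, so a failure part-way through setup does not
    leave segment ranges or the QoS policy behind. Ranges are deleted in the
    reverse of their creation order, followed by the QoS policy.

    Args:
        request: the pytest fixture request, used to register the finalizer.
        rbac_setup: not referenced in the body; presumably requested so the
            test projects exist before the ranges are created.
        env: environment name from the ``--env`` option.

    Returns:
        The ``OpenStackNetworkingSetup`` instance used for the setup.
    """
    cfg = OpenStackNetworkingSetup(env)

    # Bookkeeping of what has been created so far; teardown reads only these.
    created_ranges = []
    created_qos = []

    def network_admin_teardown():
        """Remove whatever part of the network setup completed."""
        for range_name in reversed(created_ranges):
            cfg._delete_network_segment_range(range_name)

        for qos_name in created_qos:
            cfg._delete_qos(qos_name)

    # Registered up front: pytest runs finalizers added this way even when the
    # fixture raises later during setup.
    request.addfinalizer(network_admin_teardown)

    def create_range(range_name, **options):
        """Create one segment range and record it for teardown."""
        cfg._create_network_segment_range(range_name, **options)
        created_ranges.append(range_name)

    # Create segment ranges based on projects
    create_range(
        "group0-ext-r0",
        shared=True,
        network_type="vlan",
        physical_network="group0-data0",
        minimum=10, maximum=10
    )

    create_range(
        "group0-data0-r0",
        project_name="project1",
        shared=False,
        network_type="vlan",
        physical_network="group0-data0",
        minimum=400, maximum=499
    )

    create_range(
        "group0-data0b-r0",
        shared=True,
        network_type="vlan",
        physical_network="group0-data0",
        minimum=500, maximum=599
    )

    # NOTE(review): this call passes ``project=`` while the project1 range
    # above passes ``project_name=``. Confirm which keyword
    # _create_network_segment_range expects; if only one is honoured, one of
    # the two non-shared ranges may not be bound to its project as the RBAC
    # tests intend.
    create_range(
        "group0-data1-r0",
        project="project2",
        shared=False,
        network_type="vlan",
        physical_network="group0-data1",
        minimum=600, maximum=699
    )

    if env == "wro":
        cfg._create_qos("admin-qos", weight=16,
                        description="External Network Policy")
        created_qos.append("admin-qos")

    return cfg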