openstack/glance
Code Issues Proposed changes

Add a nonvoting functional job with RBAC defaults

Browse Source 
This adds a new tox target called functional-py38-rbac which enables
the new secure RBAC policy defaults for all functional tests. To do
this, the functional tests needed a little bit of extra work to
actually set those, and a new non-voting job is added to run these
in CI.

Related to blueprint policy-refactor

Change-Id: Id376193521671bdb0ebc08ea8e563578bbaa541f
This commit is contained in:
Dan Smith 2021-06-30 09:28:52 -07:00
parent 21257615e7
commit 8201f5f101
3 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.zuul.yaml
View File

@ -48,6 +48,16 @@
- name: openstack/stevedore - name: openstack/stevedore
- name: openstack/taskflow - name: openstack/taskflow
- job:
name: glance-tox-functional-py38-rbac-defaults
parent: openstack-tox-functional-py38
voting: false
description: |
Glance py38 functional tests with enforce_secure_rbac=True
vars:
python_version: 3.8
tox_envlist: functional-py38-rbac
- job: - job:
name: glance-tox-functional-py38-oslo-tips name: glance-tox-functional-py38-oslo-tips
parent: glance-tox-oslo-tips-base parent: glance-tox-oslo-tips-base
@ -298,6 +308,7 @@
jobs: jobs:
- openstack-tox-functional-py36 - openstack-tox-functional-py36
- openstack-tox-functional-py38 - openstack-tox-functional-py38
- glance-tox-functional-py38-rbac-defaults
- glance-code-constants-check - glance-code-constants-check
- glance-ceph-thin-provisioning: - glance-ceph-thin-provisioning:
voting: false voting: false

10
glance/tests/functional/__init__.py
View File

@ -412,6 +412,10 @@ class ApiServer(Server):
self.image_location_quota = 2 self.image_location_quota = 2
self.disable_path = None self.disable_path = None
secure_rbac = bool(os.getenv('OS_GLANCE_TEST_RBAC_DEFAULTS'))
self.enforce_secure_rbac = secure_rbac
self.enforce_new_defaults = secure_rbac
self.needs_database = True self.needs_database = True
default_sql_connection = SQLITE_CONN_TEMPLATE % self.test_dir default_sql_connection = SQLITE_CONN_TEMPLATE % self.test_dir
self.sql_connection = os.environ.get('GLANCE_TEST_SQL_CONNECTION', self.sql_connection = os.environ.get('GLANCE_TEST_SQL_CONNECTION',
@ -456,9 +460,11 @@ image_location_quota=%(image_location_quota)s
location_strategy=%(location_strategy)s location_strategy=%(location_strategy)s
allow_additional_image_properties = True allow_additional_image_properties = True
node_staging_uri=%(node_staging_uri)s node_staging_uri=%(node_staging_uri)s
enforce_secure_rbac=%(enforce_secure_rbac)s
[oslo_policy] [oslo_policy]
policy_file = %(policy_file)s policy_file = %(policy_file)s
policy_default_rule = %(policy_default_rule)s policy_default_rule = %(policy_default_rule)s
enforce_new_defaults=%(enforce_new_defaults)s
[paste_deploy] [paste_deploy]
flavor = %(deployment_flavor)s flavor = %(deployment_flavor)s
[store_type_location_strategy] [store_type_location_strategy]
@ -1592,6 +1598,10 @@ class SynchronousAPIBase(test_utils.BaseTestCase):
config.set_config_defaults() config.set_config_defaults()
self.api = config.load_paste_app('glance-api', self.api = config.load_paste_app('glance-api',
conf_file=self.paste_config) conf_file=self.paste_config)
secure_rbac = bool(os.getenv('OS_GLANCE_TEST_RBAC_DEFAULTS'))
self.config(enforce_secure_rbac=secure_rbac)
self.config(enforce_new_defaults=secure_rbac,
group='oslo_policy')
def _headers(self, custom_headers=None): def _headers(self, custom_headers=None):
base_headers = { base_headers = {

6
tox.ini
View File

@ -58,6 +58,12 @@ commands = {[testenv:functional]commands}
setenv = {[testenv:functional]setenv} setenv = {[testenv:functional]setenv}
commands = {[testenv:functional]commands} commands = {[testenv:functional]commands}
[testenv:functional-py38-rbac]
setenv =
{[testenv:functional]setenv}
OS_GLANCE_TEST_RBAC_DEFAULTS = True
commands = {[testenv:functional]commands}
[testenv:genpolicy] [testenv:genpolicy]
basepython = python3 basepython = python3
commands = commands =