def test_end_user_domain_admin_access(self):
"""Verify that end-user domain admin does not have elevated privileges.
In additon to validating that the `policy.json` is written and the
service is restarted on config-changed, the test validates that our
`policy.json` is correct.
Catch regressions like LP: #1651989
"""
if (openstack_utils.get_os_release() <
openstack_utils.get_os_release('xenial_ocata')):
logging.info('skipping test < xenial_ocata')
return
with self.config_change(
{'preferred-api-version': self.default_api_version},
{'preferred-api-version': '3'},
application_name="keystone"):
for ip in self.keystone_ips:
openrc = {
'API_VERSION': 3,
'OS_USERNAME': DEMO_ADMIN_USER,
'OS_PASSWORD': DEMO_ADMIN_USER_PASSWORD,
'OS_AUTH_URL': 'http://{}:5000/v3'.format(ip),
'OS_USER_DOMAIN_NAME': DEMO_DOMAIN,
'OS_DOMAIN_NAME': DEMO_DOMAIN,
}
if self.tls_rid:
openrc['OS_CACERT'] = openstack_utils.KEYSTONE_LOCAL_CACERT
openrc['OS_AUTH_URL'] = (openrc['OS_AUTH_URL'].replace(
'http', 'https'))
logging.info('keystone IP {}'.format(ip))
keystone_session = openstack_utils.get_keystone_session(
openrc, scope='DOMAIN')
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
try:
# expect failure
keystone_client.domains.list()
except keystoneauth1.exceptions.http.Forbidden as e:
logging.debug('Retrieve domain list as end-user domain '
'admin NOT allowed...OK ({})'.format(e))
pass
else:
raise zaza_exceptions.KeystoneAuthorizationPermissive(
'Retrieve domain list as end-user domain admin '
'allowed when it should not be.')
logging.info('OK')
def test_end_user_domain_admin_access(self):
"""Verify that end-user domain admin does not have elevated privileges.
In additon to validating that the `policy.json` is written and the
service is restarted on config-changed, the test validates that our
`policy.json` is correct.
Catch regressions like LP: #1651989
"""
if (openstack_utils.get_os_release() <
openstack_utils.get_os_release('xenial_ocata')):
logging.info('skipping test < xenial_ocata')
return
with self.config_change(
{'preferred-api-version': self.default_api_version},
{'preferred-api-version': '3'},
application_name="keystone"):
for ip in self.keystone_ips:
openrc = {
'API_VERSION': 3,
'OS_USERNAME': DEMO_ADMIN_USER,
'OS_PASSWORD': DEMO_ADMIN_USER_PASSWORD,
'OS_AUTH_URL': 'http://{}:5000/v3'.format(ip),
'OS_USER_DOMAIN_NAME': DEMO_DOMAIN,
'OS_DOMAIN_NAME': DEMO_DOMAIN,
}
if self.tls_rid:
openrc['OS_CACERT'] = openstack_utils.KEYSTONE_LOCAL_CACERT
openrc['OS_AUTH_URL'] = (openrc['OS_AUTH_URL'].replace(
'http', 'https'))
logging.info('keystone IP {}'.format(ip))
keystone_session = openstack_utils.get_keystone_session(
openrc, scope='DOMAIN')
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
try:
# expect failure
keystone_client.domains.list()
except keystoneauth1.exceptions.http.Unauthorized as e:
# This is to handle LP bug 1834287. We handle this error
# separately because it's a case of the client not being
# authenticated whereas the test is about checking if the
# client is authenticated but not authorized. We catch it
# so that we can log it properly and then re-raise it to
# indicate an underlying error that this test is unable
# to handle.
#
# Note that without catching this, the test will fail
# anyway but why it failed is not immediately obvious.
# This puts the reason front and center for the sake of
# efficiency
logging.error('Client is not authenticated. Test cannot '
'continue...ERROR ({})'.format(e))
raise e
except keystoneauth1.exceptions.http.Forbidden as e:
logging.debug('Retrieve domain list as end-user domain '
'admin NOT allowed...OK ({})'.format(e))
pass
else:
raise zaza_exceptions.KeystoneAuthorizationPermissive(
'Retrieve domain list as end-user domain admin '
'allowed when it should not be.')
logging.info('OK')