def test_view_application_configurations(user_policy: Policy,
user_sdk: ADCMClient, prepare_objects,
second_objects):
"""Test that View application configuration role is ok"""
cluster, service, component, provider, host = as_user_objects(
user_sdk, *prepare_objects)
cluster_via_admin, *_ = prepare_objects
user_second_objects = as_user_objects(user_sdk, *second_objects)
second_service_on_first_cluster = user_sdk.service(
id=cluster_via_admin.service_add(name="new_service").id)
second_component_on_first_cluster = second_service_on_first_cluster.component(
name="test_component")
objects_affected_by_policy = (
cluster,
service,
component,
second_service_on_first_cluster,
second_component_on_first_cluster,
)
is_allowed_to_view(*objects_affected_by_policy)
is_denied_to_edit(*objects_affected_by_policy)
is_denied_to_view(provider, host, *user_second_objects)
delete_policy(user_policy)
is_denied_to_view(*objects_affected_by_policy)
def test_service_administrator(user, user_sdk: ADCMClient, sdk_client_fs,
prepare_objects, second_objects):
"""Test that service administrator role grants access to single service and its components"""
cluster, service, component, *provider_objects = as_user_objects(
user_sdk, *prepare_objects)
cluster_via_admin, *_ = prepare_objects
second_service_on_first_cluster = user_sdk.service(
id=cluster_via_admin.service_add(name="new_service").id)
second_cluster, second_service, second_component, *second_provider_objects = as_user_objects(
user_sdk, *second_objects)
role = sdk_client_fs.role(name=RbacRoles.ServiceAdministrator.value)
sdk_client_fs.policy_create(name=f"Policy with role {role.name}",
role=role,
objects=[service],
user=[user],
group=[])
is_allowed_to_view(service, component)
is_allowed_to_edit(service, component)
is_denied_to_view(
cluster,
second_cluster,
second_service,
second_component,
second_service_on_first_cluster,
*provider_objects,
*second_provider_objects,
)
def check_role_with_parametrization(clients, user, cluster_bundle: Bundle, provider_bundle: Bundle):
"""Check that update of role with parametrization leads to correct permissions update"""
cluster, provider = cluster_bundle.cluster_create('clusteraster'), provider_bundle.provider_create('provideraider')
role_name = "Role with parametrization"
role = clients.admin.role_create(
name=role_name,
display_name=role_name,
child=_form_children(clients.admin, BusinessRoles.EditClusterConfigurations),
)
policy = clients.admin.policy_create(name="User policy", role=role, objects=[cluster], user=[user])
with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client:
user_cluster, user_provider = as_user_objects(user_client, cluster, provider)
is_allowed(user_cluster, BusinessRoles.EditClusterConfigurations)
is_denied(user_provider, BusinessRoles.EditProviderConfigurations)
role.update(child=_form_children(clients.admin, BusinessRoles.EditProviderConfigurations))
with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client:
user_cluster, user_provider = as_user_objects(user_client, cluster, provider)
is_denied(user_cluster, BusinessRoles.EditClusterConfigurations)
is_denied(user_provider, BusinessRoles.EditProviderConfigurations)
policy.update(object=[{'type': 'provider', 'id': provider.id}])
with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client:
user_cluster, user_provider = as_user_objects(user_client, cluster, provider)
is_denied(user_cluster, BusinessRoles.EditClusterConfigurations)
is_allowed(user_provider, BusinessRoles.EditProviderConfigurations)
policy.delete()
role.delete()
def test_access(superuser_sdk, prepare_objects, second_objects):
"""Test that superuser has the same access as Admin"""
superuser_objects = as_user_objects(superuser_sdk, *prepare_objects)
superuser_second_objects = as_user_objects(superuser_sdk, *second_objects)
check_access_to_cluster_objects(superuser_objects,
superuser_second_objects)
check_access_to_provider_objects(superuser_objects)
check_access_to_general_operations(superuser_sdk, superuser_objects)
check_access_to_actions_launch(superuser_objects)
def test_change_hostcomponent(self, clients, prepare_objects, user):
"""Test that change of HC map correctly affects access to components"""
admin_cluster, *_, admin_provider, admin_host = prepare_objects
admin_new_service = admin_cluster.service_add(name='new_service')
another_host = admin_provider.host_create(fqdn='another-host')
admin_cluster.host_add(admin_host)
admin_cluster.host_add(another_host)
_, test_service, *_, host, another_host = as_user_objects(clients.user, *prepare_objects, another_host)
def _check_host_configs(allowed_on: Collection[Host] = (), denied_on: Collection[Host] = ()):
with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client:
for obj in as_user_objects(user_client, *allowed_on):
is_allowed(obj, BusinessRoles.ViewHostConfigurations)
for obj in as_user_objects(user_client, *denied_on):
is_denied(obj, BusinessRoles.ViewHostConfigurations)
with allure.step("Check configs of hosts aren't allowed to view before Service Admin is granted to user"):
_check_host_configs([], [host, another_host])
self.grant_role(clients.admin, user, RbacRoles.ServiceAdministrator, test_service)
with allure.step("Check configs of hosts aren't allowed to view before HC map is set"):
_check_host_configs([], [host, another_host])
test_service_test_component, test_service_new_component = test_service.component(
name='test_component'
), test_service.component(name='new_component')
new_service_test_component, new_service_new_component = as_user_objects(
clients.user,
admin_new_service.component(name='test_component'),
admin_new_service.component(name='new_component'),
)
with allure.step(f'Assign component of test_service on host {host.fqdn}'):
admin_cluster.hostcomponent_set((host, test_service_test_component))
_check_host_configs([host], [another_host])
with allure.step('Assign components of new_service on two hosts'):
admin_cluster.hostcomponent_set(
(host, new_service_test_component), (another_host, new_service_new_component)
)
_check_host_configs([], [host, another_host])
with allure.step(
f'Assign components of new_service on two hosts, and component of test_service on {another_host.fqdn}'
):
admin_cluster.hostcomponent_set(
(host, new_service_test_component),
(another_host, new_service_new_component),
(another_host, test_service_new_component),
)
_check_host_configs([another_host], [host])
def test_create_provider(user_policy, user_sdk: ADCMClient, prepare_objects,
second_objects):
"""Test that Create provider role is ok"""
cluster, *_, provider, _ = as_user_objects(user_sdk, *prepare_objects)
*_, second_provider, _ = as_user_objects(user_sdk, *second_objects)
is_allowed(provider.bundle(), BR.CreateHostProvider)
is_allowed(second_provider.bundle(), BR.CreateHostProvider)
is_denied(provider, BR.CreateHost)
is_denied(user_sdk.provider_list()[-1], BR.CreateHost)
is_denied(cluster.bundle(), BR.CreateCluster)
delete_policy(user_policy)
is_denied(provider.bundle(), BR.CreateHostProvider)
def test_edit_application_configurations(user_policy: Policy,
user_sdk: ADCMClient, prepare_objects,
second_objects):
"""Test that Edit application configuration role is ok"""
cluster, service, component, provider, host = as_user_objects(
user_sdk, *prepare_objects)
user_second_objects = as_user_objects(user_sdk, *second_objects)
is_allowed_to_view(cluster, service, component)
is_allowed_to_edit(cluster, service, component)
is_denied_to_edit(*user_second_objects, user_sdk.adcm(), provider, host)
delete_policy(user_policy)
is_denied_to_edit(cluster, service, component)
is_denied_to_view(cluster, service, component)
def test_view_imports(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that View imports role is ok"""
cluster, service, *_ = as_user_objects(user_sdk, *prepare_objects)
second_cluster, second_service, *_ = as_user_objects(
user_sdk, *second_objects)
for base_object in [cluster, service]:
is_allowed(base_object, BR.ViewImports)
is_denied(base_object, BR.ManageImports, second_service)
for base_object in [second_cluster, second_service]:
is_denied(base_object, BR.ViewImports)
delete_policy(user_policy)
for base_object in [cluster, service]:
is_denied(base_object, BR.ViewImports)
def test_view_hostcomponents(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that View host-components role is ok"""
cluster, _, component, _, host = as_user_objects(user_sdk,
*prepare_objects)
cluster_via_admin, *_, host_via_admin = prepare_objects
second_cluster, *_ = as_user_objects(user_sdk, *second_objects)
cluster_via_admin.host_add(host_via_admin)
is_allowed(cluster, BR.ViewHostComponents)
is_denied(second_cluster, BR.ViewHostComponents)
is_denied(cluster, BR.EditHostComponents, (host, component))
delete_policy(user_policy)
is_denied(cluster, BR.ViewHostComponents)
def test_add_service(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that Add service role is ok"""
cluster, *_ = as_user_objects(user_sdk, *prepare_objects)
cluster_via_admin, *_ = prepare_objects
second_cluster, *_ = as_user_objects(user_sdk, *second_objects)
is_allowed(cluster, BR.AddService)
added_service = cluster.service(name="new_service")
is_denied(cluster, BR.RemoveService, added_service)
is_denied(second_cluster, BR.AddService)
cluster_via_admin.service(name="new_service").delete()
delete_policy(user_policy)
is_denied(cluster, BR.AddService)
def _test_config_change(
action_owner_object: AnyADCMObject,
objects_to_change: Tuple[AnyADCMObject, ...],
admin_client: ADCMClient,
user: User,
) -> None:
"""
Grant policy to user to run actions that change config of objects.
Then try to change config of an object via adcm_config plugin without having explicit permission to change config.
:param action_owner_object: Object on which to run action that changes config.
:param objects_to_change: Plain collection of objects (e.g. tuple) containing objects which config should be changed
by corresponding action on `action_owner_object`.
These objects should be from user SDK.
:param admin_client: Admin SDK to check config.
:param user: User instance to apply policy to.
"""
owner_object_represent = get_object_represent(action_owner_object)
action_names = [CHANGE_ACTION_NAME_TEMPLATE.format(object_type=obj.__class__.__name__) for obj in objects_to_change]
business_roles = [action_business_role(action_owner_object, action_name) for action_name in action_names]
object_role_map = tuple(zip(objects_to_change, business_roles))
with allure.step(
f'Apply policy on "{owner_object_represent}" and check config change is allowed without explicit permission'
):
policy = create_action_policy(admin_client, action_owner_object, *business_roles, user=user)
for adcm_object, business_role in object_role_map:
admin_object = as_user_objects(admin_client, adcm_object)[0]
config_field_value = admin_object.config()[CONFIG_FIELD_TO_CHANGE]
new_value = f'{config_field_value}_{adcm_object.__class__.__name__}'
with allure.step(f'Try to change {get_object_represent(admin_object)} from {owner_object_represent}'):
task = is_allowed(action_owner_object, business_role, config={ACTION_CONFIG_ARGUMENT: new_value})
assert task.wait() == 'success', 'Action should succeeded'
assert (
admin_object.config()[CONFIG_FIELD_TO_CHANGE] == new_value
), f"Config of object {get_object_represent(admin_object)} should've been changed"
with allure.step('Delete policy and check actions are denied and config stays the same'):
delete_policy(policy)
for adcm_object, business_role in object_role_map:
admin_object = as_user_objects(admin_client, adcm_object)[0]
with allure.step(f'Try to change {get_object_represent(admin_object)} from {owner_object_represent}'):
config_val_before = admin_object.config()[CONFIG_FIELD_TO_CHANGE]
is_denied(action_owner_object, business_role, config={ACTION_CONFIG_ARGUMENT: "This you seen't"})
config_val_after = admin_object.config()[CONFIG_FIELD_TO_CHANGE]
assert (
config_val_before == config_val_after
), f'Config value should stay the same for object {get_object_represent(admin_object)}'
def test_create_host(user_policy, user_sdk: ADCMClient, prepare_objects,
second_objects):
"""Test that Create host role is ok"""
cluster, *_, provider, host = as_user_objects(user_sdk, *prepare_objects)
*_, second_provider, second_host = as_user_objects(user_sdk,
*second_objects)
is_allowed(provider, BR.CreateHost)
is_denied(host, BR.RemoveHosts)
is_denied(cluster, BR.MapHosts, host)
is_denied(second_provider, BR.CreateHost)
is_denied(second_host, BR.RemoveHosts)
delete_policy(user_policy)
is_denied(provider, BR.CreateHost)
def test_map_hosts(user_policy: Policy, user_sdk: ADCMClient, prepare_objects,
second_objects):
"""Test that Map hosts role is ok"""
cluster, *_, host = as_user_objects(user_sdk, *prepare_objects)
*_, provider_via_admin, _ = prepare_objects
second_cluster, *_, second_host = as_user_objects(user_sdk,
*second_objects)
new_host = provider_via_admin.host_create(fqdn="new_host")
is_allowed(cluster, BR.MapHosts, host)
is_denied(cluster, BR.UnmapHosts, host)
is_denied(second_cluster, BR.MapHosts, second_host)
delete_policy(user_policy)
is_denied(cluster, BR.MapHosts, new_host)
def test_provider_hierarchy(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Parametrize role with provider related objects
"""
cluster, service, component, provider, host = as_user_objects(
user_sdk, *prepare_objects)
policy = create_policy(sdk_client_fs,
PROVIDER_VIEW_CONFIG_ROLES,
objects=[provider],
users=[user],
groups=[])
is_allowed(provider, BusinessRoles.ViewProviderConfigurations)
is_allowed(host, BusinessRoles.ViewHostConfigurations)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_denied(service, BusinessRoles.ViewServiceConfigurations)
is_denied(component, BusinessRoles.ViewComponentConfigurations)
delete_policy(policy)
create_policy(sdk_client_fs,
PROVIDER_VIEW_CONFIG_ROLES,
objects=[host],
users=[user],
groups=[])
is_denied(provider, BusinessRoles.ViewProviderConfigurations)
is_allowed(host, BusinessRoles.ViewHostConfigurations)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_denied(service, BusinessRoles.ViewServiceConfigurations)
is_denied(component, BusinessRoles.ViewComponentConfigurations)
def test_any_object_roles(clients, user, prepare_objects):
"""Test that ViewAnyObject... default roles works as expected with ADCM User"""
cluster, *_ = user_objects = as_user_objects(clients.user,
*prepare_objects)
@allure.step("Check user has no access to any of objects")
def check_has_no_rights():
is_denied(cluster, BR.ViewAnyObjectImport)
is_denied(cluster, BR.ViewAnyObjectHostComponents)
is_denied_to_view(*user_objects)
is_denied_to_edit(*user_objects)
check_has_no_rights()
policy = clients.admin.policy_create(
name="ADCM User for a User",
role=clients.admin.role(name=RbacRoles.ADCMUser.value),
objects=[],
user=[user],
)
is_allowed(cluster, BR.ViewAnyObjectImport)
is_allowed(cluster, BR.ViewAnyObjectHostComponents)
is_allowed_to_view(*user_objects)
is_denied_to_edit(*user_objects)
delete_policy(policy)
check_has_no_rights()
def test_host_actions(clients, actions_cluster, actions_cluster_bundle, actions_provider, user):
"""Test permissions on host actions"""
host_action_template = '{object_type} ready for host'
service_name, component_name = 'actions_service', 'single_component'
actions_service = actions_cluster.service(name=service_name)
single_component = actions_service.component(name=component_name)
second_cluster = actions_cluster_bundle.cluster_create(name='Test Second Cluster')
second_cluster.service_add(name=service_name)
with allure.step('Add hosts to clusters'):
first_host = actions_provider.host()
second_host = actions_provider.host_create(fqdn='test-new-host')
for cluster, host in ((actions_cluster, first_host), (second_cluster, second_host)):
cluster.host_add(host)
service = cluster.service(name=service_name)
component = service.component(name=component_name)
cluster.hostcomponent_set((host, component))
host, second_host = as_user_objects(clients.user, first_host, second_host)
cluster, _, _ = user_cluster_objects = as_user_objects(
clients.user, actions_cluster, actions_service, single_component
)
with allure.step('Grant permission to run host actions on cluster, service and component'):
business_roles = [
action_business_role(obj, host_action_template.format(object_type=obj.__class__.__name__))
for obj in user_cluster_objects
]
policy = create_action_policy(
clients.admin,
cluster,
*business_roles,
user=user,
)
with allure.step('Run host actions from cluster, service and component on host in and out of cluster'):
for role in business_roles:
is_allowed(host, role).wait()
is_denied(second_host, role)
with allure.step('Check policy deletion leads to denial of host action execution'):
delete_policy(policy)
for role in business_roles:
is_denied(host, role)
is_denied(second_host, role)
def test_view_infrastructure_configurations(user_policy: Policy,
user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that View infrastructure configuration role is ok"""
cluster, service, component, provider, host = as_user_objects(
user_sdk, *prepare_objects)
*_, provider_via_admin, _ = prepare_objects
user_second_objects = as_user_objects(user_sdk, *second_objects)
second_host_on_first_provider = user_sdk.host(
id=provider_via_admin.host_create(fqdn="new_host").id)
# second host on first provider will be allowed to view because of provider's permission
is_allowed_to_view(provider, host, second_host_on_first_provider)
is_denied_to_edit(provider, host, second_host_on_first_provider)
is_denied_to_view(cluster, service, component, *user_second_objects)
delete_policy(user_policy)
is_denied_to_view(provider, host)
def test_remove_cluster(user_policy, user_sdk: ADCMClient, prepare_objects,
second_objects, sdk_client_fs, user):
"""Test that Remove cluster role is ok"""
cluster, *_ = as_user_objects(user_sdk, *prepare_objects)
second_cluster, *_ = as_user_objects(user_sdk, *second_objects)
is_denied(cluster.bundle(), BR.CreateCluster)
is_allowed(cluster, BR.RemoveCluster)
is_denied(second_cluster, BR.RemoveCluster)
new_policy = create_policy(sdk_client_fs,
BR.RemoveCluster,
objects=[second_cluster],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_cluster, BR.RemoveCluster)
def test_add_remove_service_from_cluster(self, clients, prepare_objects, user):
"""Test that policies are applied/removed after service add/remove after the policy was assigned at first"""
cluster, service, *_ = as_user_objects(clients.user, *prepare_objects)
is_denied(cluster, BusinessRoles.AddService)
is_denied(service, BusinessRoles.EditServiceConfigurations)
self.grant_role(clients.admin, user, RbacRoles.ClusterAdministrator, cluster)
is_allowed(service, BusinessRoles.EditServiceConfigurations)
new_service = is_allowed(cluster, BusinessRoles.AddService)
with new_client_instance(*TEST_USER_CREDENTIALS, url=clients.admin.url) as client:
user_cluster, user_new_service = as_user_objects(client, cluster, new_service)
is_allowed(user_new_service, BusinessRoles.EditServiceConfigurations)
is_allowed(user_cluster, BusinessRoles.RemoveService, new_service)
is_allowed(service, BusinessRoles.EditServiceConfigurations)
def test_remove_hosts(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects, sdk_client_fs, user):
"""Test that Remove hosts role is ok"""
*_, host = as_user_objects(user_sdk, *prepare_objects)
*_, second_host = as_user_objects(user_sdk, *second_objects)
is_allowed(host, BR.RemoveHosts)
is_denied(second_host, BR.RemoveHosts)
with allure.step("Assert that policy is valid after object removing"):
user_policy.reread()
new_policy = create_policy(sdk_client_fs,
BR.RemoveHosts,
objects=[second_host],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_host, BR.RemoveHosts)
def check_role_wo_parametrization(clients, user, cluster_bundle, provider_bundle):
"""Check that update of role without parametrization leads to correct permissions update"""
role_name = "Role without parametrization"
role = clients.admin.role_create(
name=role_name, display_name=role_name, child=_form_children(clients.admin, BusinessRoles.CreateCluster)
)
policy = clients.admin.policy_create(name="User policy", role=role, user=[user])
with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client:
cluster_bundle, provider_bundle = as_user_objects(user_client, cluster_bundle, provider_bundle)
is_allowed(cluster_bundle, BusinessRoles.CreateCluster)
is_denied(provider_bundle, BusinessRoles.CreateHostProvider)
role.update(child=_form_children(clients.admin, BusinessRoles.CreateHostProvider))
with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client:
cluster_bundle, provider_bundle = as_user_objects(user_client, cluster_bundle, provider_bundle)
is_denied(cluster_bundle, BusinessRoles.CreateCluster)
is_allowed(provider_bundle, BusinessRoles.CreateHostProvider)
policy.delete()
role.delete()
def test_manage_imports(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that Manage imports role is ok"""
cluster, service, *_ = as_user_objects(user_sdk, *prepare_objects)
cluster_via_admin, service_via_admin, *_ = prepare_objects
second_cluster, second_service, *_ = as_user_objects(
user_sdk, *second_objects)
for base_object in [cluster, service]:
is_allowed(base_object, BR.ViewImports)
is_allowed(base_object, BR.ManageImports, second_service)
for base_object in [second_cluster, second_service]:
is_denied(base_object, BR.ViewImports)
delete_policy(user_policy)
_ = (bind.delete() for bind in cluster_via_admin.bind_list())
_ = (bind.delete() for bind in service_via_admin.bind_list())
for base_object in [cluster, service]:
is_denied(base_object, BR.ViewImports)
is_denied(base_object, BR.ManageImports, second_service)
def test_cluster_administrator(user, user_sdk: ADCMClient, sdk_client_fs,
prepare_objects, second_objects):
"""Test that cluster administrator role grants access to single cluster and related services and components"""
cluster, service, component, *provider_objects = as_user_objects(
user_sdk, *prepare_objects)
second_cluster, second_service, second_component, *second_provider_objects = as_user_objects(
user_sdk, *second_objects)
role = sdk_client_fs.role(name=RbacRoles.ClusterAdministrator.value)
sdk_client_fs.policy_create(name=f"Policy with role {role.name}",
role=role,
objects=[cluster],
user=[user],
group=[])
is_allowed_to_view(cluster, service, component)
is_allowed_to_edit(cluster, service, component)
is_denied_to_view(second_cluster, second_service, second_component,
*provider_objects, *second_provider_objects)
def test_view_adcm_settings(user_policy, user_sdk: ADCMClient,
prepare_objects):
"""Test that View ADCM Settings role is ok"""
(cluster, ) = as_user_objects(user_sdk, prepare_objects[0])
is_allowed(user_sdk.adcm(), BusinessRoles.ViewADCMSettings)
is_denied(user_sdk.adcm(), BusinessRoles.EditADCMSettings)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
delete_policy(user_policy)
is_denied(user_sdk.adcm(), BusinessRoles.ViewADCMSettings)
def test_remove_provider(user_policy, user_sdk: ADCMClient, prepare_objects,
second_objects, sdk_client_fs, user):
"""Test that Remove provider role is ok"""
*_, provider, host = as_user_objects(user_sdk, *prepare_objects)
*_, host_via_admin = prepare_objects
*_, second_provider, _ = as_user_objects(user_sdk, *second_objects)
*_, second_host_via_admin = second_objects
is_denied(host, BR.RemoveHosts)
host_via_admin.delete()
second_host_via_admin.delete()
is_allowed(provider, BR.RemoveHostProvider)
is_denied(second_provider, BR.RemoveHostProvider)
new_policy = create_policy(sdk_client_fs,
BR.RemoveHostProvider,
objects=[second_provider],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_provider, BR.RemoveHostProvider)
def check_single_action_is_allowed_on_object(
action_display_name: str,
adcm_object: AnyADCMObject,
user_sdk: ADCMClient,
business_role: Optional[BusinessRole] = None,
):
"""Check that only one action is allowed on object and the access to others is denied"""
(allowed_object,) = as_user_objects(user_sdk, adcm_object)
business_role = business_role or action_business_role(allowed_object, action_display_name)
is_allowed(allowed_object, business_role).wait()
for action_name in (a.display_name for a in adcm_object.action_list() if a.display_name != action_display_name):
is_denied(allowed_object, action_business_role(allowed_object, action_name))
def check_new_action_can_be_launched(self, clients, user,
upgraded_cluster: Cluster):
"""Check that policy can be created to run new action from cluster bundle and action actually can be launched"""
service = upgraded_cluster.service()
component = service.component()
for adcm_object in as_user_objects(clients.user, upgraded_cluster,
service, component):
business_role = action_business_role(adcm_object, NEW_ACTION)
create_action_policy(clients.admin,
adcm_object,
business_role,
user=user)
is_allowed(adcm_object, business_role).wait()
def test_service_in_cluster_hierarchy(user, prepare_objects, sdk_client_fs,
second_objects):
"""
Test that service related role can be parametrized by cluster
"""
cluster_via_admin, *_ = prepare_objects
cluster_via_admin.service_add(name="new_service")
service_role = {
"id":
sdk_client_fs.role(name=BusinessRoles.RemoveService.value.role_name).id
}
cluster_role = {
"id":
sdk_client_fs.role(name=BusinessRoles.AddService.value.role_name).id
}
common_role = sdk_client_fs.role_create("Common role",
display_name="Common role",
child=[service_role, cluster_role])
sdk_client_fs.policy_create(name="Common policy",
role=common_role,
objects=[cluster_via_admin],
user=[user],
group=[])
username, password = TEST_USER_CREDENTIALS
user_sdk = ADCMClient(url=sdk_client_fs.url,
user=username,
password=password)
cluster, service, *_ = as_user_objects(user_sdk, *prepare_objects)
second_cluster, *_ = as_user_objects(user_sdk, *second_objects)
for service in cluster.service_list():
is_allowed(cluster, BusinessRoles.RemoveService, service)
for service in second_cluster.service_list():
is_denied(second_cluster, BusinessRoles.RemoveService, service)
def test_action_on_host_available_with_cluster_parametrization(clients, actions_cluster, actions_provider, user):
"""Test that host owned action is still available"""
admin_host = actions_provider.host()
actions_cluster.host_add(admin_host)
user_cluster, user_host = as_user_objects(clients.user, actions_cluster, admin_host)
cluster_business_role, host_business_role = action_business_role(
user_cluster, DO_NOTHING_ACTION
), action_business_role(user_host, DO_NOTHING_ACTION)
policy = create_action_policy(clients.admin, user_cluster, cluster_business_role, host_business_role, user=user)
is_allowed(user_cluster, cluster_business_role).wait()
is_allowed(user_host, host_business_role).wait()
delete_policy(policy)
is_denied(user_cluster, cluster_business_role)
is_denied(user_host, host_business_role)
def test_upgrade_application_bundle(user_policy, user_sdk: ADCMClient,
prepare_objects, sdk_client_fs, user):
"""Test that Upgrade application bundle role is ok"""
cluster, *_, provider, _ = as_user_objects(user_sdk, *prepare_objects)
cluster_via_admin, *_ = prepare_objects
second_cluster = user_sdk.cluster(
id=cluster_via_admin.bundle().cluster_create(name="Second cluster").id)
is_allowed(cluster, BR.UpgradeClusterBundle)
is_denied(provider, BR.UpgradeClusterBundle)
is_denied(second_cluster, BR.UpgradeClusterBundle)
new_policy = create_policy(sdk_client_fs,
BR.UpgradeClusterBundle,
objects=[second_cluster],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_cluster, BR.UpgradeClusterBundle)
