)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"539781a22a0fe9a6af94e7d10d895c54cd06c9f7","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Refactor RBAC tests"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This patch adds a secure_rbac option to tempest.conf to enable RBAC"},{"line_number":10,"context_line":"tests when the deployment has Secure RBAC turned on, but enforce_scope"},{"line_number":11,"context_line":"is turned off i.e. when the deployment is done using TripleO and the"},{"line_number":12,"context_line":"enable-secure-rbac.yaml environment."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Co-Authored-By: Dave Wilde \u003cdwilde@redhat.com\u003e"},{"line_number":15,"context_line":"Depends-On: I1218e017f599f710c423db7fb8daa3f9da8391f0"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"417d6e28_989251d0","line":12,"range":{"start_line":9,"start_character":0,"end_line":12,"end_character":36},"updated":"2023-06-28 20:14:31.000000000","message":"this is very specific to test the tripleo deployed env with custom policy or it can be any env deployed with custom policy.\n\nTempest and any tempest plugins tests are written with the default policy rules so they will not work with incompatible custome policy. 
For example:\n- If an API \u0027A\u0027 has a default policy with the \u0027member\u0027 role\n- The custom (overridden) policy is changed from the \u0027member\u0027 to the \u0027admin\u0027 role\n- The Tempest/keystone-tempest-plugin test for API \u0027A\u0027 is written to access it via the \u0027member\u0027 role, and it passes on the default policy.\n- Now, with the custom policy, which requires the \u0027admin\u0027 role to access API \u0027A\u0027, the tempest/keystone-tempest-plugin test will fail.\n\nMaking tempest and tempest plugin tests work with custom policy is not in the design, and if we want them to pass with any custom policy it would 1. require a redesign of the complete framework and tests 2. change the scope of tempest and its plugins, which is to test functionality, not customized RBAC.\n\nThere was another project called \u0027Patrole\u0027 to test such customized policies, but after many years of effort it did not attract many maintainers and in the end I had to retire that project\n- https://github.com/openstack-archive/patrole/tree/0.16.0\n- https://review.opendev.org/c/openstack/patrole/+/880012","commit_id":"1e438452052a5f5cea81fe172f4365feb94449ad"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":34637,"name":"Milana Levy","email":"millevy@redhat.com","username":"millevy"},"change_message_id":"b4a6cecbc0626aa032eed38cbde6465b92d4b39e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"9ec4ae47_5da64b2c","updated":"2023-06-19 08:17:41.000000000","message":"As I understood, we need both secure_rbac and enforce_scope. One is for RBAC policies, the other scope-aware policies. 
+1 from my side.","commit_id":"528be18648970b9cb90a3c0b5d5b48a42285666b"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"e0baced234c02356d7034605a226c60840a4ba32","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"3289fb76_6134d5d0","updated":"2023-06-21 13:32:27.000000000","message":"Still needs work, but it\u0027s headed in the right direction.","commit_id":"528be18648970b9cb90a3c0b5d5b48a42285666b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"539781a22a0fe9a6af94e7d10d895c54cd06c9f7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1a0c84db_c1a14374","in_reply_to":"81347360_97e0a750","updated":"2023-06-28 20:14:31.000000000","message":"ok, I got your point now. I think in that case we need to name this new config option \"custom_policy\" so that it reads clearly that this is for running the keystone-tempest-plugin when custom policies are enabled. 
\"secure_rbac\" conflicts with our default rbac and the oslo policy config options used to enable secure-rbac\n\nBut testing custom policy is not easy; I am adding the reason in a commit msg comment so that it is clear why tempest or any tempest plugin will not work with customized policy.","commit_id":"528be18648970b9cb90a3c0b5d5b48a42285666b"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"e0baced234c02356d7034605a226c60840a4ba32","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"81347360_97e0a750","in_reply_to":"9e33595a_013f6064","updated":"2023-06-21 13:32:27.000000000","message":"Maybe it\u0027s not clear from the patch comment, but this refactor is needed to be able to test deployments that are using TripleO\u0027s enable-secure-rbac.yaml environment file.\n\nWhen TripleO is used to deploy an environment in this way, all services are deployed with custom policies that are mostly identical to the default SRBAC policies, however, one big difference is that it does not enable scope checking (because it does not support system scoping).\n\nYou can review the custom policies for this TripleO-specific RBAC environment here: https://opendev.org/openstack/tripleo-heat-templates/src/branch/master/environments/enable-secure-rbac.yaml","commit_id":"528be18648970b9cb90a3c0b5d5b48a42285666b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1c79e529ce0082c8ebb6bcc844eadb83854ffb11","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"9e33595a_013f6064","in_reply_to":"9ec4ae47_5da64b2c","updated":"2023-06-19 21:37:29.000000000","message":"why we need both? 
in upstream testing we enable the new defaults as well as scope based on enforce_scope flag only in devstack.","commit_id":"528be18648970b9cb90a3c0b5d5b48a42285666b"}],"keystone_tempest_plugin/config.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"db5c3266770f58dc7e20c0d7c91e32fd850da4c7","unresolved":true,"context_lines":[{"line_number":25,"context_line":"                help\u003d\u0027Whether to test federated scenarios against an external \u0027"},{"line_number":26,"context_line":"                     \u0027identity provider. If disabled, only \u0027"},{"line_number":27,"context_line":"                     \u0027Keystone-to-Keystone tests will be enabled.\u0027),"},{"line_number":28,"context_line":"    cfg.BoolOpt(\u0027secure_rbac\u0027,"},{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\u0027Does the keystone service enforce consistent and secure \u0027"},{"line_number":31,"context_line":"                     \u0027default RBAC policies?\u0027),"},{"line_number":32,"context_line":"    cfg.BoolOpt(\u0027enforce_scope\u0027,"},{"line_number":33,"context_line":"                default\u003dFalse,"},{"line_number":34,"context_line":"                help\u003d\u0027Does the keystone service enforce scope and use \u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"c9c66042_835c5ba3","line":31,"range":{"start_line":28,"start_character":0,"end_line":31,"end_character":47},"updated":"2023-06-11 00:33:37.000000000","message":"we already have the config option registered in tempest which you can use to know if keystone new RBAC is enabled. 
That is consistent for all the services tempest tests\nhttps://github.com/openstack/tempest/blob/e9b98c6bef71caba535e7670faa1f5d9a8184025/tempest/config.py#L1283","commit_id":"528be18648970b9cb90a3c0b5d5b48a42285666b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"539781a22a0fe9a6af94e7d10d895c54cd06c9f7","unresolved":true,"context_lines":[{"line_number":25,"context_line":"                help\u003d\u0027Whether to test federated scenarios against an external \u0027"},{"line_number":26,"context_line":"                     \u0027identity provider. If disabled, only \u0027"},{"line_number":27,"context_line":"                     \u0027Keystone-to-Keystone tests will be enabled.\u0027),"},{"line_number":28,"context_line":"    cfg.BoolOpt(\u0027secure_rbac\u0027,"},{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\u0027Does the keystone service enforce consistent and secure \u0027"},{"line_number":31,"context_line":"                     \u0027default RBAC policies?\u0027),"},{"line_number":32,"context_line":"    cfg.BoolOpt(\u0027enforce_scope\u0027,"},{"line_number":33,"context_line":"                default\u003dFalse,"},{"line_number":34,"context_line":"                help\u003d\u0027Does the keystone service enforce scope and use \u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"755a3ae0_52110cbb","line":31,"range":{"start_line":28,"start_character":0,"end_line":31,"end_character":47},"in_reply_to":"c9c66042_835c5ba3","updated":"2023-06-28 20:14:31.000000000","message":"let\u0027s name it custome_policy so that it will be clear that if this config is true then we have env with custom policy. 
Also, you can change the help msg.","commit_id":"528be18648970b9cb90a3c0b5d5b48a42285666b"}],"keystone_tempest_plugin/tests/rbac/v3/base.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"db5c3266770f58dc7e20c0d7c91e32fd850da4c7","unresolved":true,"context_lines":[{"line_number":24,"context_line":"    @classmethod"},{"line_number":25,"context_line":"    def skip_checks(cls):"},{"line_number":26,"context_line":"        super(IdentityV3RbacBaseTests, cls).skip_checks()"},{"line_number":27,"context_line":"        if not CONF.identity_feature_enabled.secure_rbac:"},{"line_number":28,"context_line":"            raise cls.skipException(\"secure_rbac is not enabled for \""},{"line_number":29,"context_line":"                                    \"keystone, skipping RBAC tests\")"},{"line_number":30,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"0aa3892b_0ac1aabf","line":27,"range":{"start_line":27,"start_character":0,"end_line":27,"end_character":57},"updated":"2023-06-11 00:33:37.000000000","message":"you can use the tempest config option like below\n\nif not CONF.enforce_scope.keystone:","commit_id":"528be18648970b9cb90a3c0b5d5b48a42285666b"}]}
