)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"013b9903fe3d4357fe1bc239ab5a6a15f02f3f32","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"f76901be_7c02dbd4","updated":"2022-12-26 18:13:06.000000000","message":"swift does not use oslo policy RBAC, it\u0027s a different framework there. ","commit_id":"6a4d404699af893ff6e72277a4d0596cb3008988"},{"author":{"_account_id":6968,"name":"Christian Schwede","email":"cschwede@nvidia.com","username":"cschwede"},"change_message_id":"4edcbf9c9215324cfdb55cb3e53bbac92df844a5","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"abcd1cb3_def01544","in_reply_to":"0305ada7_77187ac9","updated":"2023-05-04 17:01:49.000000000","message":"Thanks Ghanshyam for your detailed response! \n\nYes, you\u0027re right that Swift is not using oslo_policy and there is a different ACL system in place. However, there are additional roles to define different levels of access, namely system_reader and project_reader. These are only available if Keystone is used as the auth backend: \n\nhttps://github.com/openstack/swift/blob/master/etc/proxy-server.conf-sample#L518-L529\n\nTesting these roles is already covered by unit tests in Swift itself:\n\nhttps://github.com/openstack/swift/blob/master/test/unit/common/middleware/test_keystoneauth.py#L1513-L1603\n\nThere are no functional tests in Swift itself to test these roles. One reason for this is the fact that these roles are only available if Keystone is used as the auth backend, and by default Swift functional tests are running against the tempauth middleware in Swift and don\u0027t require Keystone for testing.\n\nIt would be great to have integration tests with Keystone and system_reader/project_reader roles set up to ensure Swift API is behaving as expected end-to-end. 
This is the reason why Tempest looks like the right place for these kinds of tests to me.\n\nPlease let us know what you think.","commit_id":"6a4d404699af893ff6e72277a4d0596cb3008988"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"40dd088bad2a1ddf290ba55d888d43f8cfd826b1","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b4164d3e_63605927","in_reply_to":"abcd1cb3_def01544","updated":"2023-05-05 00:37:49.000000000","message":"I think swift functional test has keystone middleware enabled in functional tests\n\n- https://github.com/openstack/swift/blob/f99a6e5762896c7789d168bc49d8cdcb47903264/test/functional/test_access_control.py\n\nand this is the job that enables keystone and runs the functional tests\n\u0027swift-dsvm-functional\u0027\n- https://github.com/openstack/swift/blob/f99a6e5762896c7789d168bc49d8cdcb47903264/.zuul.yaml#L279\n\nIn addition, if you would like to test more roles, like project reader access or not, then you can extend the existing test (create new if needed in same file) to assert for those roles\n\n- https://github.com/openstack/tempest/blob/8f9c77b368285a732f59594abbe3cadd5f7f52f6/tempest/api/object_storage/test_container_acl.py","commit_id":"6a4d404699af893ff6e72277a4d0596cb3008988"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"32bbc0b04da8ce4d927eac8bb9542bf34af0276d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"0305ada7_77187ac9","in_reply_to":"f76901be_7c02dbd4","updated":"2023-03-30 22:25:10.000000000","message":"Let me elaborate more. Swift does not use the oslo_policy mechanism to control/enforce the API access control, unlike other OpenStack services. 
They have a different way to control the access on containers, objects or accounts via header; details of those are in \n\n- https://docs.openstack.org/swift/latest/overview_acl.html\n- https://github.com/openstack/swift/blob/629516cbe7eb583c18f429aa04d912c2df24b1a5/swift/common/middleware/acl.py\n\nHaving a different framework for the ACL does not mean we cannot test them. But seeing the Tempest scope, it is an integration test suite, not the RBAC positive or negative testing place. Like any other service, we should test swift API, scenario tests with their default access permission, and any other testing, for example, negative tests, RBAC with the positive and negative tests should be testable as a unit or functional test in the swift side. As we do for Nova, I have written ~1000 unit tests, and they covered all the things we wanted to test as part of RBAC, along with Tempest integration tests testing the default policy (https://github.com/openstack/nova/tree/29de62bf3b3bf5eda8986bc94babf1c94d67bd4e/nova/tests/unit/policies)\n\nI am not against creating the Tempest plugin for swift, but that will be unnecessary and extra deliverables to maintain where the swift team already lacks maintainers. 
It will be good to start with the unit or functional tests, and then we can see if any test coverage is left and need tempest-like test.","commit_id":"6a4d404699af893ff6e72277a4d0596cb3008988"}],"tempest/config.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"32bbc0b04da8ce4d927eac8bb9542bf34af0276d","unresolved":true,"context_lines":[{"line_number":1275,"context_line":"                     \u0027enforce_scope options are enabled in cinder conf.\u0027),"},{"line_number":1276,"context_line":"    cfg.BoolOpt(\u0027swift\u0027,"},{"line_number":1277,"context_line":"                default\u003dFalse,"},{"line_number":1278,"context_line":"                help\u003d\u0027Does the object storage service API policies enforce \u0027"},{"line_number":1279,"context_line":"                     \u0027scope and new defaults? This configuration value should \u0027"},{"line_number":1280,"context_line":"                     \u0027be enabled when swift.conf: [oslo_policy]. \u0027"},{"line_number":1281,"context_line":"                     \u0027enforce_new_defaults and swift.conf: [oslo_policy]. \u0027"},{"line_number":1282,"context_line":"                     \u0027enforce_scope options are enabled in swift conf.\u0027),"},{"line_number":1283,"context_line":"    cfg.BoolOpt(\u0027keystone\u0027,"},{"line_number":1284,"context_line":"                default\u003dFalse,"},{"line_number":1285,"context_line":"                help\u003d\u0027Does the Identity service API policies enforce scope \u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"6b21f6dd_cbb6b4a4","line":1282,"range":{"start_line":1278,"start_character":0,"end_line":1282,"end_character":73},"updated":"2023-03-30 22:25:10.000000000","message":"I do not think any of these config have any impact on swift API access control. 
Swift ACLs are controlled by the header like X-Account-Access-Control for account acl. As I mentioned earlier, swift does not use the oslo_policy mechanism to control/enforce the API access control.\n\nhttps://github.com/openstack/swift/blob/629516cbe7eb583c18f429aa04d912c2df24b1a5/swift/common/middleware/acl.py","commit_id":"6a4d404699af893ff6e72277a4d0596cb3008988"},{"author":{"_account_id":6968,"name":"Christian Schwede","email":"cschwede@nvidia.com","username":"cschwede"},"change_message_id":"4edcbf9c9215324cfdb55cb3e53bbac92df844a5","unresolved":true,"context_lines":[{"line_number":1275,"context_line":"                     \u0027enforce_scope options are enabled in cinder conf.\u0027),"},{"line_number":1276,"context_line":"    cfg.BoolOpt(\u0027swift\u0027,"},{"line_number":1277,"context_line":"                default\u003dFalse,"},{"line_number":1278,"context_line":"                help\u003d\u0027Does the object storage service API policies enforce \u0027"},{"line_number":1279,"context_line":"                     \u0027scope and new defaults? This configuration value should \u0027"},{"line_number":1280,"context_line":"                     \u0027be enabled when swift.conf: [oslo_policy]. \u0027"},{"line_number":1281,"context_line":"                     \u0027enforce_new_defaults and swift.conf: [oslo_policy]. 
\u0027"},{"line_number":1282,"context_line":"                     \u0027enforce_scope options are enabled in swift conf.\u0027),"},{"line_number":1283,"context_line":"    cfg.BoolOpt(\u0027keystone\u0027,"},{"line_number":1284,"context_line":"                default\u003dFalse,"},{"line_number":1285,"context_line":"                help\u003d\u0027Does the Identity service API policies enforce scope \u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"fe4bfa4f_0ea73338","line":1282,"range":{"start_line":1278,"start_character":0,"end_line":1282,"end_character":73},"in_reply_to":"6b21f6dd_cbb6b4a4","updated":"2023-05-04 17:01:49.000000000","message":"Ack","commit_id":"6a4d404699af893ff6e72277a4d0596cb3008988"}]}
