[openstack-dev] [nova] how safe is it to change NoAuthMiddlewareBase?

Jay Pipes jaypipes at gmail.com
Sat Feb 28 16:51:27 UTC 2015


On 02/26/2015 04:27 AM, Sean Dague wrote:
> In trying to move the flavor manage negative tests out of Tempest and
> into the Nova functional tree, I ran into one set of tests which are
> permissions checking. Basically that a regular user isn't allowed to do
> certain things.
>
> In (nearly) all our tests we use auth_strategy=noauth which takes you to
> NoAuthMiddlewareBase instead of to keystone. That path makes you an
> admin regardless of what credentials you send in -
> https://github.com/openstack/nova/blob/master/nova/api/openstack/auth.py#L56-L59
>
> What I'd like to do is to change this so that if you specify
> user_id='admin' then is_admin is set true, and it's not true otherwise.
>
> That has a bunch of test fall out, because up until this point most of
> the test users are things like 'fake', which would regress to non admin.
> About 25% of the api samples tests fail in such a change, so they would
> need to be fixed.

Taking a step back... what exactly is the purpose of the API samples 
"functional tests"? If the purpose of these tests has anything to do 
with validating some policy thing, then I suppose it's worth changing 
the auth middleware to support non-adminness. But, I don't think the API 
samples test purpose has anything to do with that (I think the purpose 
of the API samples tests is fuzzy, at best, actually). So, I'd just 
leave them as-is and not change anything at all.

Best,
-jay



More information about the OpenStack-dev mailing list