[openstack-dev] [nova] how safe is it to change NoAuthMiddlewareBase?

Christopher Yeoh cbkyeoh at gmail.com
Sun Mar 15 07:23:05 UTC 2015 

On Sat, 28 Feb 2015 09:51:27 -0700
Jay Pipes <jaypipes at gmail.com> wrote:

> On 02/26/2015 04:27 AM, Sean Dague wrote:
> > In trying to move the flavor manage negative tests out of Tempest
> > and into the Nova functional tree, I ran into one set of tests
> > which are permissions checking. Basically that a regular user isn't
> > allowed to do certain things.
> >
> > In (nearly) all our tests we use auth_strategy=noauth which takes
> > you to NoAuthMiddlewareBase instead of to keystone. That path makes
> > you an admin regardless of what credentials you send in -
> > https://github.com/openstack/nova/blob/master/nova/api/openstack/auth.py#L56-L59
> >
> > What I'd like to do is to change this so that if you specify
> > user_id='admin' then is_admin is set true, and it's not true
> > otherwise.
> >
> > That has a bunch of test fall out, because up until this point most
> > of the test users are things like 'fake', which would regress to
> > non admin. About 25% of the api samples tests fail in such a
> > change, so they would need to be fixed.
> 
> Taking a step back... what exactly is the purpose of the API samples 
> "functional tests"? If the purpose of these tests has anything to do 
> with validating some policy thing, then I suppose it's worth changing 
> the auth middleware to support non-adminness. But, 

Historically I think its been a couple of reasons
- to generate api samples for documentation purposes
- to do more thorough testing of Nova that previously should have
gone into tempest (but everything is moving back now right?) but writing
tempests tests has been seen as too hard a postponed until after
the Nova change has merged and then the intent has been lost.

>I don't think the
> API samples test purpose has anything to do with that (I think the
> purpose of the API samples tests is fuzzy, at best, actually). So,
> I'd just leave them as-is and not change anything at all.

If we're moving stuff over from tempest to nova we definitely need to
keep tracking of what has been done and what we need to do.
Eg we need to find out what state we're in first. Definitely have picked
up lots of issues in the past with the functional tests that
the unitests have missed.

Chris
> 
> Best,
> -jay
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list