[openstack-dev] [nova] how safe is it to change NoAuthMiddlewareBase?
Sean Dague
sean at dague.net
Mon Mar 2 15:38:15 UTC 2015
On 02/28/2015 11:51 AM, Jay Pipes wrote:
> On 02/26/2015 04:27 AM, Sean Dague wrote:
>> In trying to move the flavor manage negative tests out of Tempest and
>> into the Nova functional tree, I ran into one set of tests which are
>> permissions checking. Basically that a regular user isn't allowed to do
>> certain things.
>>
>> In (nearly) all our tests we use auth_strategy=noauth which takes you to
>> NoAuthMiddlewareBase instead of to keystone. That path makes you an
>> admin regardless of what credentials you send in -
>> https://github.com/openstack/nova/blob/master/nova/api/openstack/auth.py#L56-L59
>>
>>
>> What I'd like to do is to change this so that if you specify
>> user_id='admin' then is_admin is set true, and it's not true otherwise.
>>
>> That has a bunch of test fall out, because up until this point most of
>> the test users are things like 'fake', which would regress to non admin.
>> About 25% of the api samples tests fail in such a change, so they would
>> need to be fixed.
>
> Taking a step back... what exactly is the purpose of the API samples
> "functional tests"? If the purpose of these tests has anything to do
> with validating some policy thing, then I suppose it's worth changing
> the auth middleware to support non-adminness. But, I don't think the API
> samples test purpose has anything to do with that (I think the purpose
> of the API samples tests is fuzzy, at best, actually). So, I'd just
> leave them as-is and not change anything at all.
If we are going to do things like bring API bounds testing into tree,
I'd like to have that also include permissions enforcement. Given that
permissions enforcement is currently happening at multiple levels in
Nova, having a way to actually test that surface in tree seems like a
good thing.
-Sean
--
Sean Dague
http://dague.net
More information about the OpenStack-dev
mailing list