[openstack-dev] [nova] how safe is it to change NoAuthMiddlewareBase?
sean at dague.net
Mon Mar 16 12:14:55 UTC 2015
On 03/15/2015 03:23 AM, Christopher Yeoh wrote:
> On Sat, 28 Feb 2015 09:51:27 -0700
> Jay Pipes <jaypipes at gmail.com> wrote:
>> On 02/26/2015 04:27 AM, Sean Dague wrote:
>>> In trying to move the flavor manage negative tests out of Tempest
>>> and into the Nova functional tree, I ran into one set of tests
>>> which are permissions checking. Basically that a regular user isn't
>>> allowed to do certain things.
>>> In (nearly) all our tests we use auth_strategy=noauth which takes
>>> you to NoAuthMiddlewareBase instead of to keystone. That path makes
>>> you an admin regardless of what credentials you send in -
>>> What I'd like to do is to change this so that if you specify
>>> user_id='admin' then is_admin is set true, and it's not true
>>> That has a bunch of test fall out, because up until this point most
>>> of the test users are things like 'fake', which would regress to
>>> non admin. About 25% of the api samples tests fail in such a
>>> change, so they would need to be fixed.
>> Taking a step back... what exactly is the purpose of the API samples
>> "functional tests"? If the purpose of these tests has anything to do
>> with validating some policy thing, then I suppose it's worth changing
>> the auth middleware to support non-adminness. But,
> Historically I think its been a couple of reasons
> - to generate api samples for documentation purposes
> - to do more thorough testing of Nova that previously should have
> gone into tempest (but everything is moving back now right?) but writing
> tempests tests has been seen as too hard a postponed until after
> the Nova change has merged and then the intent has been lost.
>> I don't think the
>> API samples test purpose has anything to do with that (I think the
>> purpose of the API samples tests is fuzzy, at best, actually). So,
>> I'd just leave them as-is and not change anything at all.
> If we're moving stuff over from tempest to nova we definitely need to
> keep tracking of what has been done and what we need to do.
> Eg we need to find out what state we're in first. Definitely have picked
> up lots of issues in the past with the functional tests that
> the unitests have missed.
The samples have been actually quite useful in blocking some
regressions. They could be better, but they have blocked unintentional
API slides in the past. They have also been pretty useful to the docs
team for understanding our payloads.
Anyway, better samples is a different future thing to sort out. The
patch in question merged for new NoAuthMiddleWare.
More information about the OpenStack-dev