From e28b9e0c48aac07517a435b62c7cdd3153aadb96 Mon Sep 17 00:00:00 2001 From: Frode Nordahl Date: Wed, 11 Mar 2020 13:50:04 +0100 Subject: [PATCH] policyd: Use different policy for test of Keystone A side effect of migrating to bootstrapping Keystone as opposed to using the admin_token is that the charm credentials is now subject to the Keystone policy. At present the ``list_services`` policy is used as a test of the Policy Override feature, however revoking access to said call will make the charm go into an error state as it attempts to use it as part of managing the Keystone CRUD. Change the test to use the ``list_credentials`` policy for test instead. --- zaza/openstack/charm_tests/policyd/tests.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/zaza/openstack/charm_tests/policyd/tests.py b/zaza/openstack/charm_tests/policyd/tests.py index f332765..703f0af 100644 --- a/zaza/openstack/charm_tests/policyd/tests.py +++ b/zaza/openstack/charm_tests/policyd/tests.py @@ -258,7 +258,7 @@ class BasePolicydSpecialization(PolicydTest, class KeystonePolicydTest(BasePolicydSpecialization): - _rule = {'rule.yaml': "{'identity:list_services': '!'}"} + _rule = {'rule.yaml': "{'identity:list_credentials': '!'}"} def get_client_and_attempt_operation(self, keystone_session): ... etc. @@ -485,7 +485,7 @@ class BasePolicydSpecialization(PolicydTest, class KeystoneTests(BasePolicydSpecialization): """Test the policyd override using the keystone client.""" - _rule = {'rule.yaml': "{'identity:list_services': '!'}"} + _rule = {'rule.yaml': "{'identity:list_credentials': '!'}"} @classmethod def setUpClass(cls, application_name=None): @@ -506,7 +506,7 @@ class KeystoneTests(BasePolicydSpecialization): keystone_client = openstack_utils.get_keystone_session_client( self.get_keystone_session_demo_admin_user(ip)) try: - keystone_client.services.list() + keystone_client.credentials.list() except keystoneauth1.exceptions.http.Forbidden: raise PolicydOperationFailedException()