patrole_tempest_plugin.rbac_utils module

class patrole_tempest_plugin.rbac_utils.RbacUtilsMixin(*args, **kwargs)[source]

Bases: object

Utility mixin responsible for switching os_primary role.

Should be used as a mixin class alongside an instance of tempest.test.BaseTestCase to perform Patrole class setup for a base RBAC class. Child classes should not use this mixin.


class BaseRbacTest(rbac_utils.RbacUtilsMixin, base.BaseV2ComputeTest):

    def setup_clients(cls):
        super(BaseRbacTest, cls).setup_clients()

        cls.hosts_client = cls.os_primary.hosts_client

This class is responsible for overriding the value of the primary Tempest credential’s role (i.e. os_primary role). By doing so, it is possible to seamlessly swap between admin credentials, needed for setup and clean up, and primary credentials, needed to perform the API call which does policy enforcement. The primary credentials always cycle between roles defined by CONF.identity.admin_role and CONF.patrole.rbac_test_roles.

admin_roles_client = None
credentials = ['primary', 'admin']

Extending given roles with roles from mapping


[“admin”] >> [“admin”, “member”, “reader”] [“member”] >> [“member”, “reader”] [“reader”] >> [“reader”] [“custom_role”] >> [“custom_role”]


roles – list of roles


extended list of roles

classmethod get_auth_providers()[source]

Returns list of auth_providers used within test.

Tests may redefine this method to include their own or third party client auth_providers.


Override the role used by os_primary Tempest credentials.

Temporarily change the role used by os_primary credentials to:

  • [patrole] rbac_test_roles before test execution

  • [identity] admin_role after test execution

Automatically switches to admin role after test execution.




This function can alter user roles for pre-provisioned credentials. Work is underway to safely clean up after this function.


def test_foo(self):
    # Allocate test-level resources here.
    with self.override_role():
        # The role for `os_primary` has now been overridden. Within
        # this block, call the API endpoint that enforces the
        # expected policy specified by "rule" in the decorator.
    # The role is switched back to admin automatically. Note that
    # if the API call above threw an exception, any code below this
    # point in the test is not executed.
override_role_and_validate_list(admin_resources=None, admin_resource_id=None)[source]

Call override_role and validate RBAC for a list API action.

List actions usually do soft authorization: partial or empty response bodies are returned instead of exceptions. This helper validates that unauthorized roles only return a subset of the available resources. Should only be used for validating list API actions.

  • test_obj – Instance of tempest.test.BaseTestCase.

  • admin_resources (list) – The list of resources received before calling the override_role_and_validate_list function.

  • admin_resource_id (UUID) – An ID of a resource created before calling the override_role_and_validate_list function.


py:class:_ValidateListContext object.


# the resource created by admin
admin_resource_id = (
with self.override_role_and_validate_list(
        admin_resource_id=admin_resource_id) as ctx:
    # the list of resources available for member role
    ctx.resources = self.ntp_client.list_dscp_marking_rules(
classmethod restore_roles()[source]
classmethod setup_clients()[source]

Verifies whether the current test role equals the admin role.


True if rbac_test_roles contain the admin role.