${output} SSHLibrary.Open_Connection ${TOOLS_SYSTEM_IP} timeout=20s
SSHKeywords.Flexible_Controller_Login
SSHLibrary.Put File ${CURDIR}/../../suites/aaa/keystone/start_keystone.sh
- SSHLibrary.Execute Command ./start_keystone.sh
+ ${output}= SSHLibrary.Execute Command ./start_keystone.sh
+ Log ${output}
+ ${output}= SSHLibrary.Execute Command docker ps --all
+ Log ${output}
Wait Until Keyword Succeeds 10x 15 Check Keystone Log File For String GET
SSHLibrary.Execute Command docker exec -t keystone bash -c "source openrc;openstack user create --password cscuser CSC_user;openstack user set --project admin CSC_user;openstack role add --project admin --user CSC_user admin;openstack role add --domain default --user CSC_user admin;openstack user list"
SSHLibrary.Execute Command docker exec -t keystone bash -c "source openrc;openstack user create --password cscusernoadmin CSC_user_no_admin;openstack user set --project admin CSC_user_no_admin;openstack role add --project admin --user CSC_user_no_admin user;openstack role add --domain default --user CSC_user_no_admin user"
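Review bot: the two added `Execute Command` calls capture only stdout, so a non-zero exit from `./start_keystone.sh` still passes this step and only surfaces later through the `Wait Until Keyword Succeeds 10x 15` retry. Consider passing `return_stderr=True return_rc=True` on the start call, asserting the return code is 0 and logging stderr next to stdout. It is also worth confirming that the script output now being logged does not echo credentials, since the Robot log is usually archived with the job.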
Check Keystone Log File For String
[Arguments] ${string}
[Documentation] Check provided log exists in /var/log/nginx-access.log
- ${status} SSHLibrary.Execute Command docker exec -t keystone bash -c "grep ${string} /var/log/nginx-access.log"
- Log ${status}
- BuiltIn.Should Contain ${status} ${string}
+ ${output} SSHLibrary.Execute Command docker exec -t keystone bash -c "grep ${string} /var/log/nginx-access.log"
+ Log ${output}
+ BuiltIn.Should Contain ${output} ${string}
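Review bot: in the added `grep ${string} /var/log/nginx-access.log` line the keyword argument is spliced unquoted into the `bash -c` string, so a value containing spaces or shell metacharacters changes the command instead of the search pattern. Quote it and match it as a fixed string, for example `grep -F -- '${string}' /var/log/nginx-access.log`. The assignment here also drops the `=` that the other new lines use (`${output}=`); pick one form and use it throughout.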
*** Settings ***
Documentation Test suite: Authentication Support for Keystone
...
-... This feature implements the user management for ODL NBI REST APIs integrated with OpenStack, so that the authentication functionality provided by Keystone can be used. This allows consuming ODL NBI REST APIs using the same authentication procedures as any OpenStack project, such as Nova, Neutron, etc. bringing the benefits of a centralized / unified user management framework.
+... This feature implements the user management for ODL NBI REST APIs integrated with OpenStack, so that
+... the authentication functionality provided by Keystone can be used. This allows consuming ODL NBI REST
+... APIs using the same authentication procedures as any OpenStack project, such as Nova, Neutron, etc.
+... bringing the benefits of a centralized / unified user management framework.
...
-... As a first step, It shall be possible to authenticate users against Keystone by using passwords provided by the users.
+... As a first step, It shall be possible to authenticate users against Keystone by using passwords
+... provided by the users.
Suite Setup Init Suite
Suite Teardown Cleanup Suite
-Test Timeout
Library SSHLibrary
Library Collections
Library OperatingSystem
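Review bot: the rewrapped documentation still reads "As a first step, It shall be possible" with a capitalised "It" mid-sentence; fix that while the line is being touched. Dropping the empty `Test Timeout` setting is fine, but since this suite waits on an external Keystone container, consider setting a real value instead so a hung request cannot stall the job.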
... - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" ia authorized just for "admin" roles according to shiro.ini configuration. As "sdnadmin" has "admin" role in keystone the access is authorized too
...
... - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is not specified neither in shiro.ini nor in MDSAL Dynamic Authorization so no specific role is required
- [Tags]
Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_DOMAIN} headers=${HEADERS}
${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
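Review bot: the documentation line just above the removed empty `[Tags]` says "ia authorized"; it should read "is authorized", and the same typo appears in the "CSC_user" variant of this test. Removing the empty `[Tags]` setting itself is fine.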
... - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" ia authorized just for "admin" roles according to shiro.ini configuration. As "CSC_user" has "admin" role in keystone the access is authorized too
...
... - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is not specified neither in shiro.ini nor in MDSAL Dynamic Authorization so no specific role is required
- [Tags]
Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_SDN} headers=${HEADERS}
${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
... Note:
...
... Due to authentication fails, authorization is not evaluated
- [Tags]
Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_INVALID} headers=${HEADERS}
${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
... Note:
...
... Due to authentication fails, authorization is not evaluated
- [Tags]
Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN} headers=${HEADERS}
${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
... Note:
...
... Due to authentication fails, authorization is not evaluated
- [Tags]
Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_WRONG_DOM} headers=${HEADERS}
${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
... - Create an HTTP session with ODL as "CSC_user_no_admin" user
... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized becaiuse that URL is not specified in shiro.ini and in MDSAL Dynamic Authorization access to all URLs is allowed to all user with "user" role
- [Tags]
Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth.json
Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_NO_ADMIN} headers=${HEADERS}
... - Create an HTTP session with ODL as "CSC_user_no_admin" user
... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is NOT authorized because although the URL is not specified in shiro.ini, in MDSAL Dynamic Authorization access to all URLs is allowed just for users with "admin" role and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role
- [Tags]
Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth-2.json
Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_NO_ADMIN} headers=${HEADERS}
... - Create an HTTP session with ODL as "CSC_user_no_admin" user
... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized because the URL is not specified in shiro.ini and in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "CSC_user_no_admin" does \ have \ "user" role in keystone
- [Tags] include
Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth-3.json
Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_DOMAIN} headers=${HEADERS}
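Review bot: unlike the earlier hunks, the removed line here is `[Tags] include` rather than an empty setting, so this changes test selection for any job that runs Robot with `--include include`; the same removal is made in the "Put down Keystone" test. Confirm that no job definition relies on that tag, or state in the commit message that it was a leftover.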
...
... - Put down Keystone
... - All accesses are forbidden
- [Tags] include
Cleanup Suite
Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_DOMAIN} headers=${HEADERS}
${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
${result} Run Keyword And Return Status Set Domain To False ${domain} ${HEADERS_TOKEN}
Run Keyword If ${result} == True Delete Keystone Domain ${domain} ${HEADERS_TOKEN}
Run Keyword If ${result} == True Destroy Docker Keystone
+ SSHLibrary.Close All Connections
Configure AAA In Controller
[Arguments] ${TOOLS_SYSTEM_NAME}
ClusterManagement.ClusterManagement_Setup
Wait Until Keyword Succeeds 5x 20 Stop_Single_Member 1
Start_Single_Member 1 wait_for_sync=False timeout=120
+ # TODO: the below Get Controller Modules keyword ends up giving a lot of WARN messages in the robot
+ # log as the controller is coming up and the initial requests are failing. This is just cosmetic at this point, but
+ # would be nice to clean up somehow.
Wait Until Keyword Succeeds 30x 5s Get Controller Modules
Get Controller Modules
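Review bot: `SSHLibrary.Close All Connections` is added after the `Run Keyword If ${result} == True` steps for `Delete Keystone Domain` and `Destroy Docker Keystone`, so if either of those fails the keyword aborts and the connections stay open. Move it into the keyword's `[Teardown]` so it always runs. Note also that `Cleanup Suite` is called from inside the "Put down Keystone" test as well as from `Suite Teardown`, so any later step that needs SSH will have to open a new connection first.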