From 0bf8ee2ddf6cbc15c001ec9d64bd2f9f00be885b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20B=C3=BCchse?=
Date: Wed, 17 Sep 2025 20:06:26 +0200
Subject: [PATCH 1/2] Add general sanity check to OpenStack tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
closes #991
Signed-off-by: Matthias Büchse
---
 Tests/iaas/openstack_test.py | 17 ++++++++++++++++-
 Tests/iaas/scs_0116_key_manager/key_manager.py | 4 +++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/Tests/iaas/openstack_test.py b/Tests/iaas/openstack_test.py
index 57587c11e..126bcc6ed 100755
--- a/Tests/iaas/openstack_test.py
+++ b/Tests/iaas/openstack_test.py
@@ -40,7 +40,7 @@
 from scs_0115_security_groups.security_groups import \
 compute_scs_0115_default_rules
 from scs_0116_key_manager.key_manager import \
- compute_services_lookup, compute_scs_0116_presence, compute_scs_0116_permissions
+ ensure_unprivileged, compute_services_lookup, compute_scs_0116_presence, compute_scs_0116_permissions
 from scs_0117_volume_backup.volume_backup import \
 compute_scs_0117_test_backup
 from scs_0123_mandatory_services.mandatory_services import \
@@ -280,6 +280,20 @@ def harness(name, *check_fns):
 print(f"{name}: {result}")
+def run_sanity_checks(container):
+ # make sure that we can connect to the cloud and that the user doesn't have elevated privileges
+ # the former would lead to each testcase aborting with a marginally useful message;
+ # the latter would lead to scs_0116_permissions aborting, which we don't want to single out
+ try:
+ conn = container.conn
+ except openstack.exceptions.ConfigException:
+ logger.critical("Please make sure that ~/.config/openstack/clouds.yaml exists and is correct!")
+ raise
+ if "member" not in ensure_unprivileged(conn, quiet=True):
+ logger.critical("Please make sure that your OpenStack user has role member.")
+ raise RuntimeError("OpenStack user has elevated privileges.")
+
+
 def main(argv):
 # configure logging, disable verbose library logging
 logging.basicConfig(format='%(levelname)s: %(message)s', level=logging.DEBUG)
@@ -320,6 +334,7 @@ def main(argv):
 sys.exit(1)
 c = make_container(cloud)
+ run_sanity_checks(c)
 for testcase in testcases:
 testcase_name = testcase.rsplit('/', 1)[0] # see the note above
 harness(testcase_name, lambda: getattr(c, testcase.replace('-', '_').replace('/', '_')))
diff --git a/Tests/iaas/scs_0116_key_manager/key_manager.py b/Tests/iaas/scs_0116_key_manager/key_manager.py
index a8399f7bb..6f70755f9 100644
--- a/Tests/iaas/scs_0116_key_manager/key_manager.py
+++ b/Tests/iaas/scs_0116_key_manager/key_manager.py
@@ -7,7 +7,7 @@
 logger = logging.getLogger(__name__)
-def ensure_unprivileged(conn: openstack.connection.Connection) -> list:
+def ensure_unprivileged(conn: openstack.connection.Connection, quiet=False) -> list:
 """
 Retrieves role names. Raises exception if elevated privileges (admin, manager) are present.
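Review bot: In `run_sanity_checks` (openstack_test.py, hunk `@@ -280,6 +280,20 @@`) the `try` covers only `conn = container.conn` and catches only `openstack.exceptions.ConfigException`, so the "can we connect" half of the comment is enforced only for a missing or malformed clouds.yaml. The first statement in this diff that visibly queries the identity service is `ensure_unprivileged(conn, quiet=True)`, which calls `conn.session.auth.get_access(conn.session)`; if `container.conn` does not authenticate on its own (its definition is outside the diff), bad credentials or an unreachable endpoint would escape from that call as a bare traceback with no hint. The admin/manager case likewise raises from inside `ensure_unprivileged` without a `logger.critical` line, unlike the two failure paths handled here. I would guard the `ensure_unprivileged` call as well, logging a critical message before re-raising, and turn the three leading comment lines into a docstring such as `"""Abort early if the cloud is unreachable, or the user holds admin/manager or lacks member."""`.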
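Review bot: The new `quiet` parameter of `ensure_unprivileged` (key_manager.py, hunk `@@ -7,7 +7,7 @@`) is the only unannotated parameter in the signature and can be passed positionally, and the docstring below it is not updated to mention it. Suggest `def ensure_unprivileged(conn: openstack.connection.Connection, *, quiet: bool = False) -> list:`; the one caller added in this patch already passes `quiet=True` by keyword, though callers in other files are not visible here. The docstring continues past the end of the hunk and should gain a line saying that `quiet` returns right after the admin/manager check and skips the role logging.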
@@ -19,6 +19,8 @@ def ensure_unprivileged(conn: openstack.connection.Connection) -> list:
 role_names = set(conn.session.auth.get_access(conn.session).role_names)
 if role_names & {"admin", "manager"}:
 raise RuntimeError("user privileges too high: admin/manager roles detected")
+ if quiet:
+ return role_names
 if "reader" in role_names:
 logger.info("User has reader role.")
 custom_roles = sorted(role_names - {"reader", "member"})
From e786c87752f96c6ca18e4435e08041db86926a19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20B=C3=BCchse?=
Date: Thu, 18 Sep 2025 10:24:51 +0200
Subject: [PATCH 2/2] Fix error message when user is missing member role
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Matthias Büchse
---
 Tests/iaas/openstack_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Tests/iaas/openstack_test.py b/Tests/iaas/openstack_test.py
index 126bcc6ed..6874dd2e8 100755
--- a/Tests/iaas/openstack_test.py
+++ b/Tests/iaas/openstack_test.py
@@ -291,7 +291,7 @@ def run_sanity_checks(container):
 raise
 if "member" not in ensure_unprivileged(conn, quiet=True):
 logger.critical("Please make sure that your OpenStack user has role member.")
- raise RuntimeError("OpenStack user has elevated privileges.")
+ raise RuntimeError("OpenStack user is missing member role.")
 def main(argv):
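Review bot: The `quiet` branch in key_manager.py (hunk `@@ -19,6 +19,8 @@`) returns `role_names`, which is the `set` built on the first line of the hunk, while the signature is annotated `-> list`. `return sorted(role_names)` would keep the annotation true and still satisfy the `"member" not in ...` test in `run_sanity_checks`; the non-quiet return is outside the hunk, so its type cannot be compared here. Separately, the privilege gate matches only the literal names `admin` and `manager`, and the quiet return happens before `custom_roles` is computed. A user whose elevated rights come from a differently named role therefore passes the start-up check without that role being surfaced, and whether that matters depends on the deployment's policy and on what the rest of the function does with `custom_roles`. A one-line comment above `if quiet:` stating that custom roles are deliberately not reported on this path would make the intent explicit.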