[Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests
Milan Kubík
mkubik at redhat.com
Thu Sep 10 16:41:30 UTC 2015
On 09/10/2015 06:36 PM, Alexander Bokovoy wrote:
> On Thu, 10 Sep 2015, Milan Kubík wrote:
>> Hi list,
>>
>> before my PTO, I was trying to write a functional test for CA ACLs
>> with the tracker along all other acceptance/functional tests.
>>
>> I wasn't successful, the approach doesn't seem to work for CA ACLs as
>> they have specific requirements for kerberos credentials
>> that none of my attempts were able to meet. I have tried several
>> approaches and the memo I got out of this is that currently, there
>> seems to be no way to conveniently run a test that changes the
>> user identity during the functional test (xmlrpc tests).
>>
>> I haven't had much time to write an integration test that should
>> solve these problems with changing identity.
>>
>> The approaches I have tried include, in no particular order:
>>
>> * switch the default ccache to the identity desired, before calls
>> made on an API object
>> - in case of FILE ccache, moving it back and forth
>> - in case of kernel keyring, using kswitch
>>
>> * instantiating another API instance in the process running the test,
>> while the other ccache is active
>> - the API object internals seem to prevent this as there is still
>> a lot of shared state between the API instances
>>
>> * running the command supposed to have a different identity as a
>> subprocess after switching the identity
>> - this attempt seemed to have inherited the opened connection to
>> the backend from the parent python process,
>> creating a conflict during the client bootstrap
>>
>> * injecting the KRB5CCNAME environment variable with second identity
>> into the python process
>> - the API instance doesn't seem to be affected by this value half
>> of the times.
>> - randomly, the new credentials are used, breaking all the things.
>>
>> Unable to change the user during the test, the code I wrote for this
>> wasn't doing what I intended it to do
>> because the admin user used in the tests overrides all CA ACLs.
> One way to do it is to use keyctl to create subsessions for different
> authenticated users and switch between subsessions for the separate
> calls.
>
> See keyctl manual page and 'keyctl session <name>' part.
Thanks, I'll take a look at this next week.
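The "subprocess after switching the identity" approach from the thread above, written out as an added example; this is illustration code, not code from the FreeIPA project or from either author. It keeps one FILE: credential cache per identity and starts the child with a minimal environment and `close_fds=True`, so nothing of the parent process (its own KRB5CCNAME, or any descriptor such as an open backend connection) is handed down. Whether that is enough to avoid the bootstrap conflict Milan describes is an assumption; the identity names and ccache paths are constructed. The keyring variant builds the `keyctl session <name> <prog>` wrapper Alexander points to, with a `KEYRING:session:<name>` ccache, and is not executed here since it needs `keyctl` and a KDC.

```python
"""Run a command under a specific Kerberos identity without touching the
calling process's own credential cache.

Added illustration only (not FreeIPA code).  Identity names, ccache paths and
the keytab argument are constructed examples; acquire() and keyring_argv()
need a real KDC / keyctl and are not exercised by the test.
"""
import os
import subprocess
import tempfile


class IdentityRunner:
    """Maps identity names to their own FILE: credential caches and runs
    commands with only that cache visible."""

    def __init__(self, ccache_dir=None):
        self.ccache_dir = ccache_dir or tempfile.mkdtemp(prefix="ccache-")
        self._caches = {}

    def ccache_for(self, identity):
        """FILE: ccache name for identity; the mapping is created once."""
        if identity not in self._caches:
            path = os.path.join(self.ccache_dir, "krb5cc_%s" % identity)
            self._caches[identity] = "FILE:%s" % path
        return self._caches[identity]

    def env_for(self, identity):
        """Minimal environment: the parent's KRB5CCNAME never leaks in."""
        return {
            "KRB5CCNAME": self.ccache_for(identity),
            "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        }

    def run(self, identity, argv):
        """Run argv under identity; returns (returncode, stdout as str)."""
        proc = subprocess.Popen(
            argv,
            env=self.env_for(identity),
            close_fds=True,  # explicit: Python 2's default kept parent fds open
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
        )
        out, _err = proc.communicate()
        return proc.returncode, out.decode()

    def acquire(self, identity, principal, keytab):
        """Populate identity's ccache from a keytab (needs a reachable KDC)."""
        return self.run(identity, ["kinit", "-k", "-t", keytab, principal])


def keyring_argv(identity, argv):
    """Wrap argv so it runs in its own session keyring (assumed wrapper for
    the 'keyctl session' approach); pair it with the matching ccache name."""
    return (["keyctl", "session", identity] + list(argv),
            "KEYRING:session:%s" % identity)


if __name__ == "__main__":
    runner = IdentityRunner()
    # Constructed check: the child sees only its own identity's cache.
    print(runner.run("alice", ["sh", "-c", "echo $KRB5CCNAME"]))
    print(keyring_argv("bob", ["ipa", "cert-request", "req.csr"]))
```

Each `run()` call is independent, so a test can issue one call as `admin` and the next as an unprivileged user without any ccache shuffling in the test process itself; the cost is that every call pays for a fresh client bootstrap in the child.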