[Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests

Milan Kubík mkubik at redhat.com
Thu Sep 10 16:41:30 UTC 2015


On 09/10/2015 06:36 PM, Alexander Bokovoy wrote:
> On Thu, 10 Sep 2015, Milan Kubík wrote:
>> Hi list,
>>
>> before my PTO, I was trying to write a functional test for CA ACLs 
>> with the tracker along all other acceptance/functional tests.
>>
>> I wasn't successful, the approach doesn't seem to work for CA ACLs as 
>> they have specific requirements for kerberos credentials
>> that none of my attempts were able to meet. I have tried several 
>> approaches and the memo I got out of this is that currently, there
>> seems to be no way to conveniently run a test that changes the 
>> user identity during the functional test (xmlrpc tests).
>>
>> I haven't had much time to write an integration test that should 
>> solve these problems with changing identity.
>>
>> The approaches I have tried include, in no particular order:
>>
>> * switch the default ccache to the identity desired, before calls 
>> made on an API object
>>    - in case of FILE ccache, moving it back and forth
>>    - in case of kernel keyring, using kswitch
>>
>> * instantiating another API instance in the process running the test, 
>> while the other ccache is active
>>    - the API object internals seem to prevent this as there is still 
>> a lot of shared state between the API instances
>>
>> * running the command supposed to have different identity as a 
>> subprocess after switching the identity
>>    - this attempt seemed to have inherited the opened connection to 
>> the backend from the parent python process,
>>      creating a conflict during the client bootstrap
>>
>> * injecting the KRB5CCNAME environment variable with second identity 
>> into the python process
>>    - the API instance doesn't seem to be affected by this value half 
>> of the time.
>>    - randomly, the new credentials are used, breaking all the things.
>>
>> Unable to change the user during the test, the code I wrote for this 
>> wasn't doing what I intended it to do
>> because the admin user used in the tests overrides all CA ACLs.
> One way to do it is to use keyctl to create subsessions for different
> authenticated users and switch between subsessions for the separate
> calls.
>
> See keyctl manual page and 'keyctl session <name>' part.
Thanks, I'll take a look at this next week.
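
Added example (not part of the original thread, and not FreeIPA test code): one way to keep Kerberos identities apart in a test is to give each identity its own KRB5CCNAME in a fresh child process instead of changing the test runner's environment. The helper names `identity_env` and `run_as`, the principals and the child command are constructed for illustration; no KDC is contacted and no ticket is obtained.

```python
import os
import subprocess
import sys
import tempfile

# Constructed child: reports which ccache it was handed. In a real test this
# would be the client command, run after kinit into that ccache.
CHILD = "import os; print(os.environ.get('KRB5CCNAME', ''))"


def identity_env(principal, ccache_dir):
    """Copy the parent environment and point KRB5CCNAME at a per-principal file."""
    safe = principal.replace("/", "_").replace("@", "_at_")
    env = dict(os.environ)  # a copy, so the parent's os.environ is never mutated
    env["KRB5CCNAME"] = "FILE:" + os.path.join(ccache_dir, "krb5cc_" + safe)
    return env


def run_as(principal, ccache_dir, argv):
    """Run argv in a fresh process bound to the principal's ccache."""
    proc = subprocess.run(
        argv,
        env=identity_env(principal, ccache_dir),
        close_fds=True,  # do not hand the parent's open sockets to the child
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        universal_newlines=True,
        check=True,
    )
    return proc.stdout.strip()


def demo():
    """Return the ccache each constructed identity sees, and whether the
    parent's own KRB5CCNAME was left untouched."""
    before = os.environ.get("KRB5CCNAME")
    # mkdtemp creates the directory with mode 0700, so only the test user
    # can read the credential caches placed in it.
    with tempfile.TemporaryDirectory() as ccache_dir:
        seen = {p: run_as(p, ccache_dir, [sys.executable, "-c", CHILD])
                for p in ("admin@EXAMPLE.TEST", "testuser1@EXAMPLE.TEST")}
    return seen, before == os.environ.get("KRB5CCNAME")


if __name__ == "__main__":
    print(demo())
```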



