[Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests
Martin Babinsky
mbabinsk at redhat.com
Fri Sep 11 12:40:05 UTC 2015
On 09/10/2015 06:41 PM, Milan Kubík wrote:
> On 09/10/2015 06:36 PM, Alexander Bokovoy wrote:
>> On Thu, 10 Sep 2015, Milan Kubík wrote:
>>> Hi list,
>>>
>>> before my PTO, I was trying to write a functional test for CA ACLs
>>> with the tracker along all other acceptance/functional tests.
>>>
>>> I wasn't successful; the approach doesn't seem to work for CA ACLs as
>>> they have specific requirements for kerberos credentials
>>> that none of my attempts were able to meet. I have tried several
>>> approaches and the memo I got out of this is that currently there
>>> seems to be no way to conveniently run a test that changes the
>>> user identity during the functional test (xmlrpc tests).
>>>
>>> I haven't had much time to write an integration test that should
>>> solve these problems with changing identity.
>>>
>>> The approaches I have tried include, in no particular order:
>>>
>>> * switch the default ccache to the identity desired, before calls
>>> made on an API object
>>> - in case of FILE ccache, moving it back and forth
>>> - in case of kernel keyring, using kswitch
>>>
>>> * instantiating another API instance in the process running the test,
>>> while the other ccache is active
>>> - the API object internals seem to prevent this as there is still
>>> a lot of shared state between the API instances
>>>
>>> * running the command supposed to have a different identity as a
>>> subprocess after switching the identity
>>> - this attempt seemed to have inherited the opened connection to
>>> the backend from the parent python process,
>>> creating a conflict during the client bootstrap
>>>
>>> * injecting the KRB5CCNAME environment variable with second identity
>>> into the python process
>>> - the API instance doesn't seem to be affected by this value half
>>> of the time.
>>> - randomly, the new credentials are used, breaking all the things.
>>>
>>> Unable to change the user during the test, the code I wrote for this
>>> wasn't doing what I intended it to do
>>> because the admin user used in the tests overrides all CA ACLs.
>> One way to do it is to use keyctl to create subsessions for different
>> authenticated users and switch between subsessions for the separate
>> calls.
>>
>> See keyctl manual page and 'keyctl session <name>' part.
> Thanks, I'll take a look at this next week.
>
Maybe you can also try to wrap the user auth, connection and API calls
in the 'ipapython.ipautil.private_ccache' context manager like this:
"""
from ipalib import api
from ipapython.ipautil import private_ccache, kinit_password, run

api.bootstrap()
api.finalize()

tmp_ccache = 'krb5cc_jdoe'
run(['klist'])  # should list admin as default principal

with private_ccache(tmp_ccache):
    kinit_password(u'jdoe', u'jdoepasswd', tmp_ccache)
    run(['klist'])  # lists jdoe as default principal
    api.Backend.rpcclient.connect(ccache=tmp_ccache)
    api.Command.ping()
    api.Backend.rpcclient.disconnect()

run(['klist'])  # KRB5CCNAME should be reset back to admin ccache
"""
I have tested it and it seems to work. I haven't played with it very
extensively, though.
--
Martin^3 Babinsky
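A helper in the same spirit, as an added example that is not code from the thread or from FreeIPA: 'scoped_ccache' re-implements the KRB5CCNAME swap that 'private_ccache' performs (a stand-in, not ipapython's code), 'RecordingRPCClient' is a constructed stand-in for 'api.Backend.rpcclient', and the ccache paths are made up. It adds the piece the snippet above leaves out: disconnect and ccache restore both run in 'finally', so a command that fails under a CA ACL still hands the next test back the admin ccache and no stale connection.

```python
import os
from contextlib import contextmanager

@contextmanager
def scoped_ccache(path):
    """Stand-in for ipapython.ipautil.private_ccache (not the real one): point
    KRB5CCNAME at `path`, restore the old value afterwards even on exception."""
    saved = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = path
    try:
        yield path
    finally:
        if saved is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = saved

def call_as(rpcclient, ccache, command, *args, **kwargs):
    """Run one command over a connection bound to `ccache`. disconnect() is in
    `finally`, so a failing command (e.g. a CA ACL denial raised by the server)
    cannot leave the connection open for whatever the test does next."""
    with scoped_ccache(ccache):
        rpcclient.connect(ccache=ccache)
        try:
            return command(*args, **kwargs)
        finally:
            rpcclient.disconnect()

class RecordingRPCClient:
    """Constructed stand-in for api.Backend.rpcclient; logs connect()/disconnect()."""
    def __init__(self):
        self.events = []
    def connect(self, ccache=None):
        self.events.append(("connect", ccache, os.environ.get("KRB5CCNAME")))
    def disconnect(self):
        self.events.append(("disconnect",))

def demo():
    # Constructed ccache paths: admin default, and the one a kinit for jdoe would fill.
    os.environ["KRB5CCNAME"] = "FILE:/tmp/krb5cc_admin"
    client = RecordingRPCClient()
    pong = call_as(client, "FILE:/tmp/krb5cc_jdoe", lambda: "pong")
    def denied():
        raise PermissionError("constructed CA ACL denial")
    try:
        call_as(client, "FILE:/tmp/krb5cc_jdoe", denied)
    except PermissionError:
        pass
    return {"result": pong, "events": client.events, "ccache_after": os.environ.get("KRB5CCNAME")}
```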