CBQE-4593: For all security tests remove all permisison related to da…

…ta in cluster_admin and bucket_admin. For test cases where multiple roles were tested had to make changes to include a new set of validations. Change-Id: Ia26371894476f0b50d54db48c389cf36a60476dd Reviewed-on: http://review.couchbase.org/92175 Reviewed-by: Ritesh Agarwal <ritesh.agarwal@couchbase.com> Tested-by: Ritam Sharma <ritam@couchbase.com>
couchbase · Apr 5, 2018 · b10376f · b10376f
1 parent 6c58788
commit b10376f
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 14 deletions.
diff --git a/conf/security/py-rbac.conf b/conf/security/py-rbac.conf
@@ -20,12 +20,12 @@ security.rbacTest.rbacTest:
 
     #User with multiple roles
     test_role_permission_validate_multiple,user_id=ritam:password,user_role=admin:ro_admin,role_map=admin,GROUP=P0;INTUSER
-    test_role_permission_validate_multiple,user_id=ritam:password,user_role=cluster_admin:ro_admin,role_map=cluster_admin,GROUP=P0;INTUSER
+    test_role_permission_validate_multiple,user_id=ritam:password,user_role=cluster_admin:ro_admin,role_map=cluster_ro_admin,GROUP=P0;INTUSER
     test_role_permission_validate_multiple,user_id=ritam:password,user_role=bucket_admin[default]:cluster_admin,role_map=cluster_admin,GROUP=P0;INTUSER
-    test_role_permission_validate_multiple,user_id=ritam:password,user_role=bucket_admin[default]:views_admin[default],role_map=bucket_admin,GROUP=P0;INTUSER
+    test_role_permission_validate_multiple,user_id=ritam:password,user_role=bucket_admin[default]:views_admin[default],role_map=bucket_view_admin,GROUP=P0;INTUSER
     test_role_permission_validate_multiple,user_id=ritam:password,user_role=admin:cluster_admin,role_map=admin,GROUP=P0;INTUSER
     test_role_permission_validate_multiple,user_id=ritam:password,user_role=admin:cluster_admin:bucket_admin[default],role_map=admin,GROUP=P0;INTUSER
-    test_role_permission_validate_multiple,user_id=ritam:password,user_role=cluster_admin:bucket_admin[default]:views_admin[default]:replication_admin,role_map=cluster_admin,GROUP=P0;INTUSER
+    test_role_permission_validate_multiple,user_id=ritam:password,user_role=cluster_admin:bucket_admin[default]:views_admin[default]:replication_admin,role_map=cluster_view_admin,GROUP=P0;INTUSER
     test_role_permission_validate_multiple,user_id=ritam:password,user_role=bucket_admin[default]:views_admin[default]:replication_admin,role_map=bucket_view_replication_admin,GROUP=P0;INTUSER
     test_role_permission_validate_multiple,user_id=ritam:password,user_role=ro_admin:replication_admin,role_map=replication_admin_no_access,GROUP=P0;INTUSER
     test_role_permission_validate_multiple,user_id=ritam:password,user_role=replication_admin:views_admin[default],role_map=view_replication_admin,GROUP=P0;INTUSER

diff --git a/pytests/security/rbacRoles.py b/pytests/security/rbacRoles.py
@@ -55,14 +55,60 @@ def _cluster_admin_role_expected():
         per_set = {
             "name":"Cluster Admin expected",
             "permissionSet": {'cluster.bucket[<bucket_name>].xdcr!write': True, u'cluster.bucket[<bucket_name>].xdcr!read': True, u'cluster.bucket[<bucket_name>]!delete': True,\
-                              u'cluster.pools!read': True, u'cluster.bucket[<bucket_name>].views!write': True, u'cluster.tasks!read': True, u'cluster.nodes!write': True,\
+                              u'cluster.pools!read': True, u'cluster.bucket[<bucket_name>].views!write': False, u'cluster.tasks!read': True, u'cluster.nodes!write': True,\
                               u'cluster.server_groups!read': True, u'cluster.bucket[<bucket_name>]!create': True, u'cluster.bucket[<bucket_name>].recovery!write': True, \
-                              u'cluster.bucket[<bucket_name>].password!read': True, u'cluster.pools!write': True, u'cluster.indexes!write': True, u'cluster.indexes!read': True,\
+                              u'cluster.bucket[<bucket_name>].password!read': False, u'cluster.pools!write': True, u'cluster.indexes!write': True, u'cluster.indexes!read': True,\
                               u'cluster.nodes!read': True, u'cluster.xdcr.remote_clusters!read': True, u'cluster.bucket[<bucket_name>].settings!write': True, \
+                              u'cluster.xdcr.settings!read': True, u'cluster.samples!read': True, u'cluster.bucket[<bucket_name>]!compact': True, u'cluster.bucket[<bucket_name>].views!read': False,\
+                              u'cluster.bucket[<bucket_name>].recovery!read': True, u'cluster.bucket[<bucket_name>].settings!read': True, u'cluster.xdcr.settings!write': True,\
+                              u'cluster.bucket[<bucket_name>].xdcr!execute': True, u'cluster.settings!read': True, u'cluster.settings!write': True, u'cluster.server_groups!write': True,\
+                              u'cluster.stats!read': True, u'cluster.xdcr.remote_clusters!write': True, u'cluster.bucket[<bucket_name>].data!write': False, \
+                              u'cluster.bucket[<bucket_name>].data!read': False}
+            }
+        return per_set
+
+    @staticmethod
+    def _cluster_admin_roadmin_role_expected():
+        per_set = {
+            "name": "Cluster Admin expected",
+            "permissionSet": {'cluster.bucket[<bucket_name>].xdcr!write': True,
+                              u'cluster.bucket[<bucket_name>].xdcr!read': True,
+                              u'cluster.bucket[<bucket_name>]!delete': True, \
+                              u'cluster.pools!read': True, u'cluster.bucket[<bucket_name>].views!write': False,
+                              u'cluster.tasks!read': True, u'cluster.nodes!write': True, \
+                              u'cluster.server_groups!read': True, u'cluster.bucket[<bucket_name>]!create': True,
+                              u'cluster.bucket[<bucket_name>].recovery!write': True, \
+                              u'cluster.bucket[<bucket_name>].password!read': False, u'cluster.pools!write': True,
+                              u'cluster.indexes!write': True, u'cluster.indexes!read': True, \
+                              u'cluster.nodes!read': True, u'cluster.xdcr.remote_clusters!read': True,
+                              u'cluster.bucket[<bucket_name>].settings!write': True, \
+                              u'cluster.xdcr.settings!read': True, u'cluster.samples!read': True,
+                              u'cluster.bucket[<bucket_name>]!compact': True,
+                              u'cluster.bucket[<bucket_name>].views!read': True, \
+                              u'cluster.bucket[<bucket_name>].recovery!read': True,
+                              u'cluster.bucket[<bucket_name>].settings!read': True,
+                              u'cluster.xdcr.settings!write': True, \
+                              u'cluster.bucket[<bucket_name>].xdcr!execute': True, u'cluster.settings!read': True,
+                              u'cluster.settings!write': True, u'cluster.server_groups!write': True, \
+                              u'cluster.stats!read': True, u'cluster.xdcr.remote_clusters!write': True,
+                              u'cluster.bucket[<bucket_name>].data!write': False, \
+                              u'cluster.bucket[<bucket_name>].data!read': False}
+        }
+        return per_set
+
+    @staticmethod
+    def _cluster_view_admin_role_expected():
+        per_set = {
+            "name":"Cluster Admin expected",
+            "permissionSet": {'cluster.bucket[<bucket_name>].xdcr!write': True, u'cluster.bucket[<bucket_name>].xdcr!read': True, u'cluster.bucket[<bucket_name>]!delete': True,\
+                              u'cluster.pools!read': True, u'cluster.bucket[<bucket_name>].views!write': True, u'cluster.tasks!read': True, u'cluster.nodes!write': True,\
+                              u'cluster.server_groups!read': True, u'cluster.bucket[<bucket_name>]!create': True, u'cluster.bucket[<bucket_name>].recovery!write': True, \
+                              u'cluster.bucket[<bucket_name>].password!read': False, u'cluster.pools!write': True, u'cluster.indexes!write': True, u'cluster.indexes!read': True,\
+                              u'cluster.nodes!read': False, u'cluster.xdcr.remote_clusters!read': True, u'cluster.bucket[<bucket_name>].settings!write': True, \
                               u'cluster.xdcr.settings!read': True, u'cluster.samples!read': True, u'cluster.bucket[<bucket_name>]!compact': True, u'cluster.bucket[<bucket_name>].views!read': True,\
                               u'cluster.bucket[<bucket_name>].recovery!read': True, u'cluster.bucket[<bucket_name>].settings!read': True, u'cluster.xdcr.settings!write': True,\
                               u'cluster.bucket[<bucket_name>].xdcr!execute': True, u'cluster.settings!read': True, u'cluster.settings!write': True, u'cluster.server_groups!write': True,\
-                              u'cluster.stats!read': True, u'cluster.xdcr.remote_clusters!write': True, u'cluster.bucket[<bucket_name>].data!write': True, \
+                              u'cluster.stats!read': True, u'cluster.xdcr.remote_clusters!write': True, u'cluster.bucket[<bucket_name>].data!write': False, \
                               u'cluster.bucket[<bucket_name>].data!read': True}
             }
         return per_set
@@ -101,10 +147,10 @@ def _bucket_admin_role_master():
     def _bucket_admin_role_expected_incorrect_bucket():
         per_set = {
             "name":"Bucket Admin expected result for incorrect bucket",
-            "permissionSet": {'cluster.bucket[<bucket_name>].recovery!read': True, 'cluster.bucket[<bucket_name>].password!read': True, 'cluster.bucket[<bucket_name>].data!read': True,\
+            "permissionSet": {'cluster.bucket[<bucket_name>].recovery!read': True, 'cluster.bucket[<bucket_name>].password!read': False, 'cluster.bucket[<bucket_name>].data!read': False,\
                               'cluster.pools!read': True, 'cluster.bucket[<bucket_name>]!delete': False, 'cluster.bucket[<bucket_name>].xdcr!execute': False, 'cluster.tasks!read': True,\
                               'cluster.server_groups!read': True, 'cluster.bucket[<bucket_name>].recovery!write': False, 'cluster.indexes!read': True, 'cluster.nodes!read': True,\
-                              'cluster.xdcr.remote_clusters!read': False, 'cluster.xdcr.settings!read': False, 'cluster.samples!read': True, 'cluster.bucket[<bucket_name>].views!read': True,\
+                              'cluster.xdcr.remote_clusters!read': False, 'cluster.xdcr.settings!read': False, 'cluster.samples!read': True, 'cluster.bucket[<bucket_name>].views!read': False,\
                               'cluster.bucket[<bucket_name>].data!write': False, u'cluster.bucket[<bucket_name>]!compact': False, 'cluster.bucket[<bucket_name>]!create': False, 'cluster.settings!read': True,\
                               'cluster.stats!read': True, 'cluster.bucket[<bucket_name>].settings!read': True, 'cluster.bucket[<bucket_name>].views!write': False}
         }
@@ -114,15 +160,35 @@ def _bucket_admin_role_expected_incorrect_bucket():
     def _bucket_admin_role_expected_correct_bucket():
         per_set = {
             "name":"Bucket Admin expected result for correct bucket",
-            "permissionSet": {'cluster.bucket[<bucket_name>].recovery!read': True, 'cluster.bucket[<bucket_name>].password!read': True, 'cluster.bucket[<bucket_name>].data!read': True,\
+            "permissionSet": {'cluster.bucket[<bucket_name>].recovery!read': True, 'cluster.bucket[<bucket_name>].password!read': False, 'cluster.bucket[<bucket_name>].data!read': False,\
                               'cluster.pools!read': True, 'cluster.bucket[<bucket_name>]!delete': True, 'cluster.bucket[<bucket_name>].xdcr!execute': True, 'cluster.tasks!read': True,\
                               'cluster.server_groups!read': True, 'cluster.bucket[<bucket_name>].recovery!write': True, 'cluster.indexes!read': True, 'cluster.nodes!read': True,\
-                              'cluster.xdcr.remote_clusters!read': False, 'cluster.xdcr.settings!read': False, 'cluster.samples!read': True, 'cluster.bucket[<bucket_name>].views!read': True,\
-                              'cluster.bucket[<bucket_name>].data!write': True, u'cluster.bucket[<bucket_name>]!compact': True, 'cluster.settings!read': True,\
-                              'cluster.stats!read': True, 'cluster.bucket[<bucket_name>].settings!read': True, 'cluster.bucket[<bucket_name>].views!write': True}
+                              'cluster.xdcr.remote_clusters!read': False, 'cluster.xdcr.settings!read': False, 'cluster.samples!read': True, 'cluster.bucket[<bucket_name>].views!read': False,\
+                              'cluster.bucket[<bucket_name>].data!write': False, u'cluster.bucket[<bucket_name>]!compact': True, 'cluster.settings!read': True,\
+                              'cluster.stats!read': True, 'cluster.bucket[<bucket_name>].settings!read': True, 'cluster.bucket[<bucket_name>].views!write': False}
         }
         return  per_set
 
+    @staticmethod
+    def _bucket_view_admin_role_expected_correct_bucket():
+        per_set = {
+            "name": "Bucket Admin expected result for correct bucket",
+            "permissionSet": {'cluster.bucket[<bucket_name>].recovery!read': True,
+                              'cluster.bucket[<bucket_name>].password!read': False,
+                              'cluster.bucket[<bucket_name>].data!read': True, \
+                              'cluster.pools!read': True, 'cluster.bucket[<bucket_name>]!delete': True,
+                              'cluster.bucket[<bucket_name>].xdcr!execute': True, 'cluster.tasks!read': True, \
+                              'cluster.server_groups!read': True, 'cluster.bucket[<bucket_name>].recovery!write': True,
+                              'cluster.indexes!read': True, 'cluster.nodes!read': True, \
+                              'cluster.xdcr.remote_clusters!read': False, 'cluster.xdcr.settings!read': False,
+                              'cluster.samples!read': True, 'cluster.bucket[<bucket_name>].views!read': True, \
+                              'cluster.bucket[<bucket_name>].data!write': False,
+                              u'cluster.bucket[<bucket_name>]!compact': True, 'cluster.settings!read': True, \
+                              'cluster.stats!read': True, 'cluster.bucket[<bucket_name>].settings!read': True,
+                              'cluster.bucket[<bucket_name>].views!write': True}
+        }
+        return per_set
+
     @staticmethod
     def _bucket_admin_role_not_allowed_perm_master():
         per_set = {
@@ -369,11 +435,11 @@ def _bucket_admin_view_replication_admin_role_master():
     def _bucket_admin_view_replication_admin_role_master_expected():
         per_set = {
             "name":"Bucket Admin expected result for correct bucket",
-            "permissionSet": {'cluster.bucket[<bucket_name>].recovery!read': True, 'cluster.bucket[<bucket_name>].password!read': True, 'cluster.bucket[<bucket_name>].data!read': True,\
+            "permissionSet": {'cluster.bucket[<bucket_name>].recovery!read': True, 'cluster.bucket[<bucket_name>].password!read': False, 'cluster.bucket[<bucket_name>].data!read': True,\
                               'cluster.pools!read': True, 'cluster.bucket[<bucket_name>]!delete': True, 'cluster.bucket[<bucket_name>].xdcr!execute': True, 'cluster.tasks!read': True,\
                               'cluster.server_groups!read': True, 'cluster.bucket[<bucket_name>].recovery!write': True, 'cluster.indexes!read': True, 'cluster.nodes!read': True,\
                               'cluster.xdcr.remote_clusters!read': True, 'cluster.xdcr.settings!read': True, 'cluster.samples!read': True, 'cluster.bucket[<bucket_name>].views!read': True,\
-                              'cluster.bucket[<bucket_name>].data!write': True, u'cluster.bucket[<bucket_name>]!compact': True, 'cluster.bucket[<bucket_name>]!create': True, 'cluster.settings!read': True,\
+                              'cluster.bucket[<bucket_name>].data!write': False, u'cluster.bucket[<bucket_name>]!compact': True, 'cluster.bucket[<bucket_name>]!create': True, 'cluster.settings!read': True,\
                               'cluster.stats!read': True, 'cluster.bucket[<bucket_name>].settings!read': True, 'cluster.bucket[<bucket_name>].views!write': True}
         }
         return  per_set
@@ -396,11 +462,24 @@ def _return_permission_set(role=None):
             return_role_master = rbacRoles._cluster_admin_role_master()
             return_role_expected = rbacRoles._cluster_admin_role_expected()
 
+        if 'cluster_ro_admin' in role:
+            return_role_master = rbacRoles._cluster_admin_role_master()
+            return_role_expected = rbacRoles._cluster_admin_roadmin_role_expected()
+
+        if 'cluster_view_admin' in role:
+            print "Into cluster view admin"
+            return_role_master = rbacRoles._cluster_admin_role_master()
+            return_role_expected = rbacRoles._cluster_view_admin_role_expected()
+
         if 'bucket_admin' in role:
             return_role_master = rbacRoles._bucket_admin_role_master()
             return_role_expected = rbacRoles._bucket_admin_role_expected_correct_bucket()
             return_role_expected_negative = rbacRoles._bucket_admin_role_expected_incorrect_bucket()
 
+        if 'bucket_view_admin' in role:
+            return_role_master = rbacRoles._bucket_admin_role_master()
+            return_role_expected = rbacRoles._bucket_view_admin_role_expected_correct_bucket()
+
         if 'view_admin' in role:
             return_role_master = rbacRoles._view_admin_role_master()
             return_role_expected = rbacRoles._view_admin_role_expected()