Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add negative test for dashboard RBAC on Model Registry #2039

Merged
merged 4 commits into from
Nov 20, 2024
Merged

Add negative test for dashboard RBAC on Model Registry #2039

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
cb9c288
Add negative test for dashboard RBAC on Model Registry
lugi0 Nov 15, 2024
2353e98
Merge branch 'master' into feature/mr-dashboard-rbac-negative-test
lugi0 Nov 18, 2024
0d90e87
Merge branch 'master' into feature/mr-dashboard-rbac-negative-test
lugi0 Nov 18, 2024
9e31263
Merge branch 'master' into feature/mr-dashboard-rbac-negative-test
lugi0 Nov 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 15 additions & 12 deletions ods_ci/tests/Resources/Page/ModelRegistry/ModelRegistry.resource
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -282,6 +282,7 @@

Open Model Registry Dashboard Page
[Documentation] Opens the Model Registry page from the dashboard nav bar
[Arguments] ${allowed_user}=${TRUE}
${mr_present}= Run Keyword And Return Status SeleniumLibrary.Page Should Contain Model Registry
WHILE ${mr_present}!=${TRUE} limit=120s
SeleniumLibrary.Reload Page
Expand All @@ -294,15 +295,22 @@
Wait For RHODS Dashboard To Load wait_for_cards=${FALSE} expected_page=Model Registry
SeleniumLibrary.Wait Until Page Contains Select a model registry to view and manage your registered models.
Maybe Wait For Dashboard Loading Spinner Page
${loaded}= Run Keyword And Return Status
... SeleniumLibrary.Page Should Not Contain Request access to model registries
WHILE ${loaded}!=${TRUE} limit=12 # Retries for 2 minutes - wait for user group to reconcile
SeleniumLibrary.Reload Page
SeleniumLibrary.Wait Until Page Contains Model Registry
SeleniumLibrary.Wait Until Page Contains Select a model registry to view and manage your registered models.
# This works assuming there's a single MR instance and the user is either allowed or not allowed to see it
# TODO: Improve logic to handle multiple registries
IF ${allowed_user}
${loaded}= Run Keyword And Return Status
... SeleniumLibrary.Page Should Not Contain Request access to model registries
Sleep 10s
WHILE ${loaded}!=${TRUE} limit=12 # Retries for 2 minutes - wait for user group to reconcile
Dismissed Show dismissed Hide dismissed
SeleniumLibrary.Reload Page
SeleniumLibrary.Wait Until Page Contains Model Registry
SeleniumLibrary.Wait Until Page Contains
... Select a model registry to view and manage your registered models.
${loaded}= Run Keyword And Return Status
... SeleniumLibrary.Page Should Not Contain Request access to model registries
Sleep 10s
END
ELSE
SeleniumLibrary.Page Should Contain Request access to model registries
END
Maybe Wait For Dashboard Loading Spinner Page

Expand Down Expand Up @@ -344,11 +352,6 @@
Workbench Should Be Listed workbench_title=${WORKBENCH_TITLE}
Open Data Science Project Details Page project_title=${PRJ_TITLE}
${workbenches}= Create List ${WORKBENCH_TITLE}
Create S3 Data Connection project_title=${PRJ_TITLE} dc_name=${DC_S3_NAME}
... aws_access_key=${S3.AWS_ACCESS_KEY_ID} aws_secret_access=${S3.AWS_SECRET_ACCESS_KEY}
... aws_bucket_name=${AWS_BUCKET} connected_workbench=${workbenches}
Data Connection Should Be Listed name=${DC_S3_NAME} type=${DC_S3_TYPE} connected_workbench=${workbenches}
Open Data Science Project Details Page project_title=${prj_title} tab_id=workbenches
Wait Until Workbench Is Started workbench_title=${WORKBENCH_TITLE} timeout=120s
Sleep 15s reason=Workbench might not be ready right away, wait for a few seconds before opening it
${handle}= Launch And Access Workbench workbench_title=${WORKBENCH_TITLE}
Expand Down
16 changes: 11 additions & 5 deletions ods_ci/tests/Tests/1300__model_registry/1301_model_registry_model_serving.robot
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,11 +47,6 @@ Verify Model Registry Integration With Secured-DB
Workbench Should Be Listed workbench_title=${WORKBENCH_TITLE}
Open Data Science Project Details Page project_title=${PRJ_TITLE}
${workbenches}= Create List ${WORKBENCH_TITLE}
Create S3 Data Connection project_title=${PRJ_TITLE} dc_name=${DC_S3_NAME}
... aws_access_key=${S3.AWS_ACCESS_KEY_ID} aws_secret_access=${S3.AWS_SECRET_ACCESS_KEY}
... aws_bucket_name=${AWS_BUCKET} connected_workbench=${workbenches}
Data Connection Should Be Listed name=${DC_S3_NAME} type=${DC_S3_TYPE} connected_workbench=${workbenches}
Open Data Science Project Details Page project_title=${prj_title} tab_id=workbenches
Wait Until Workbench Is Started workbench_title=${WORKBENCH_TITLE} timeout=120s
${handle}= Launch And Access Workbench workbench_title=${WORKBENCH_TITLE}
... username=${TEST_USER.USERNAME} password=${TEST_USER.PASSWORD}
Expand All @@ -76,3 +71,14 @@ Verify Model Registry Integration With Secured-DB
Maybe Wait For Dashboard Loading Spinner Page
SeleniumLibrary.Page Should Contain Element xpath:${MR_VERSION_TABLE_XPATH}/tbody/tr/td[@data-label="Version name"]//a[.="${MR_REGISTERED_MODEL_VERSION}"]
SeleniumLibrary.Page Should Contain Element xpath:${MR_VERSION_TABLE_XPATH}/tbody/tr/td[@data-label="Author" and .="${MR_REGISTERED_MODEL_AUTHOR}"]
SeleniumLibrary.Close All Browsers

Verify Unallowed User Cannot See Model Registry From The Dashboard
[Documentation] Negative path test for dashboard RBAC on the Model Registry. User not part of the group that is
... allowed to use a Model Registry instace should not be able to see it from the dashboard.
[Tags] Smoke MRMS1301 ModelRegistry
Depends On Test Verify Model Registry Integration With Secured-DB
Launch Dashboard ${TEST_USER_3.USERNAME} ${TEST_USER_3.PASSWORD} ${TEST_USER_3.AUTH_TYPE}
... ${ODH_DASHBOARD_URL} ${BROWSER.NAME} ${BROWSER.OPTIONS}
Open Model Registry Dashboard Page allowed_user=${FALSE}
SeleniumLibrary.Page Should Contain Request access to model registries
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't this already checked here https://github.com/red-hat-data-services/ods-ci/pull/2039/files#diff-d120a1bd56f9d1fb5afc47239d24ae89b2ae6da94f25d270134f304a412bea40R313

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is, but I wanted to surface it as an explicit step in this TC just for clarity when going through the logs

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm okay, although the step will not run in case of unallowed user cos it would fail in the previous keyword.

Maybe an alternative approach would be to split the permission check from the keyword to open the Registry UI page.

Example

Open Model Registry Dashboard Page
User Should Not Be Allowed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes more sense to have it defined this way because if the user is allowed we need to refresh the page in case the permissions have not been reconciled yet, and so the keyword will still need to be passed some variable to define if the user is allowed or not.
Once you have that information in the keyword what makes the most sense IMHO is to have that logic defined in the keyword

Loading