test(e2e): add orchestrator RBAC e2e tests #4009
Conversation
|
/ok-to-test |
|
/test e2e-ocp-helm |
|
The image is available at: /test e2e-ocp-helm |
|
/test e2e-ocp-operator-nightly |
chadcrum
changed the title
|
/test e2e-ocp-operator-nightly |
|
/retest-required |
|
The image is available at: /test e2e-ocp-helm |
|
This PR is stale because it has been open 7 days with no activity. Remove stale label or comment or this will be closed in 21 days. |
chadcrum
force-pushed
the
add-e2e-orchestrator-rbac-tests-rhdh-1-9
branch
from
aee3607 to
bc99305
Compare
|
/test e2e-ocp-helm-nightly |
ⓘ Your monthly quota for Qodo has expired. Upgrade your plan ⓘ Paying users. Check that your Qodo account is linked with this Git user account |
1 similar comment
ⓘ Your monthly quota for Qodo has expired. Upgrade your plan ⓘ Paying users. Check that your Qodo account is linked with this Git user account |
|
The image is available at: |
|
/test e2e-ocp-helm-nightly |
ⓘ Your monthly quota for Qodo has expired. Upgrade your plan ⓘ Paying users. Check that your Qodo account is linked with this Git user account |
|
The image is available at: |
|
/test e2e-ocp-helm-nightly |
ⓘ Your monthly quota for Qodo has expired. Upgrade your plan ⓘ Paying users. Check that your Qodo account is linked with this Git user account |
|
The image is available at: |
|
/test e2e-ocp-helm-nightly |
ⓘ Your monthly quota for Qodo has expired. Upgrade your plan ⓘ Paying users. Check that your Qodo account is linked with this Git user account |
|
The image is available at: |
|
/test e2e-ocp-helm-nightly |
ⓘ Your monthly quota for Qodo has expired. Upgrade your plan ⓘ Paying users. Check that your Qodo account is linked with this Git user account |
|
🚫 Image Push Skipped. The container image push was skipped because the build was skipped (either due to [skip-build] tag or no relevant changes with existing image) |
chadcrum
force-pushed
the
add-e2e-orchestrator-rbac-tests-rhdh-1-9
branch
from
51bc2cb to
de7c0bb
Compare
|
🚫 Image Push Skipped. The container image push was skipped because the build was skipped (either due to [skip-build] tag or no relevant changes with existing image) |
|
@gustavolira this is has been tested against helm and operator nightly jobs and the rbac tests succeed consistently. Ready for review / merge |
chadcrum
force-pushed
the
add-e2e-orchestrator-rbac-tests-rhdh-1-9
branch
from
de7c0bb to
f2a475f
Compare
|
The image is available at: |
|
The image is available at: |
|
/lgtm |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
Add comprehensive RBAC end-to-end tests for the Orchestrator plugin covering workflow and instance access control: ## New Test File: orchestrator-rbac.spec.ts (28 tests) ### Global Workflow Permissions (9 tests) - Read-write access: users can view and execute all workflows - Read-only access: users can view but not execute workflows - Denied access: users cannot see any workflows ### Individual Workflow Permissions (9 tests) - Workflow-specific read-write: access only to specific workflow - Workflow-specific read-only: view only specific workflow - Workflow-specific denied: hide specific workflow ### Workflow Instance Access (10 tests) - Initiator-based access: users can only see their own instances - Admin override: instanceAdminView grants access to all instances - Cross-user isolation verification ## Changes to Existing Files ### rbac.spec.ts - Re-enable RBAC API validation test (previously test.fixme) - Add filtering for dynamically created workflow roles/policies - Prevents test interference during parallel execution ### orchestrator.ts (support page) - Add waitForWorkflowVisible() helper with configurable timeout - Add timeout parameter to selectGreetingWorkflowItem() - Add timeout parameter to selectFailSwitchWorkflowItem() - Handles RBAC permission propagation delay ## Permissions Tested - orchestrator.workflow / orchestrator.workflow.<id> (read) - orchestrator.workflow.use / orchestrator.workflow.use.<id> (update) - orchestrator.instanceAdminView (read) - admin access to all instances Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add testIgnore to SHOWCASE_RBAC, SHOWCASE_RBAC_K8S, and SHOWCASE_OPERATOR_RBAC projects to prevent orchestrator-rbac.spec.ts from running on PR jobs and K8s environments where orchestrator is not deployed. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
chadcrum
force-pushed
the
add-e2e-orchestrator-rbac-tests-rhdh-1-9
branch
from
63dacb9 to
ddde1be
Compare
|
|
The image is available at: |
|
@chadcrum: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/retest |
|
This pr had lgtm from others before and was just rebased. Reapply lgtm to merge it. /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: christoph-jerolimov, gustavolira The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit 1e75c20
into
redhat-developer:main
* test(e2e): add orchestrator RBAC e2e test suite Add comprehensive RBAC end-to-end tests for the Orchestrator plugin covering workflow and instance access control: - Read-write access: users can view and execute all workflows - Read-only access: users can view but not execute workflows - Denied access: users cannot see any workflows - Workflow-specific read-write: access only to specific workflow - Workflow-specific read-only: view only specific workflow - Workflow-specific denied: hide specific workflow - Initiator-based access: users can only see their own instances - Admin override: instanceAdminView grants access to all instances - Cross-user isolation verification - Re-enable RBAC API validation test (previously test.fixme) - Add filtering for dynamically created workflow roles/policies - Prevents test interference during parallel execution - Add waitForWorkflowVisible() helper with configurable timeout - Add timeout parameter to selectGreetingWorkflowItem() - Add timeout parameter to selectFailSwitchWorkflowItem() - Handles RBAC permission propagation delay - orchestrator.workflow / orchestrator.workflow.<id> (read) - orchestrator.workflow.use / orchestrator.workflow.use.<id> (update) - orchestrator.instanceAdminView (read) - admin access to all instances Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(e2e): skip orchestrator RBAC tests when orchestrator not deployed Add testIgnore to SHOWCASE_RBAC, SHOWCASE_RBAC_K8S, and SHOWCASE_OPERATOR_RBAC projects to prevent orchestrator-rbac.spec.ts from running on PR jobs and K8s environments where orchestrator is not deployed. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
3 participants
Summary
Add comprehensive RBAC e2e tests for the Orchestrator plugin covering workflow and instance access control.
Changes
New:
orchestrator-rbac.spec.ts(28 tests)instanceAdminViewgrants access to all instancesModified:
rbac.spec.tstest.fixme)Modified:
orchestrator.ts(support page)Permissions Tested
orchestrator.workfloworchestrator.workflow.useorchestrator.workflow.<id>orchestrator.workflow.use.<id>orchestrator.instanceAdminViewTesting
Note
#4140 fixes the pre-existing flaky rbac tests, so there should be no issue re-enabling them.
Co-Authored-By: Claude Opus 4.5 noreply@anthropic.com