MAAS

Merge ~blake-rouse/maas:pools-modified-tracking into maas:master

Proposed by Blake Rouse on 2018-10-03

Status:	Merged
Approved by:	Blake Rouse on 2018-10-04
Approved revision:	b4b742a4529f03fbd2fd87a452cdd1d583222a6b
Merge reported by:	MAAS Lander
Merged at revision:	not available
Proposed branch:	~blake-rouse/maas:pools-modified-tracking
Merge into:	maas:master
Diff against target:	661 lines (+558/-0) 9 files modified src/maasserver/migrations/builtin/maasserver/0179_rbacsync.py (+30/-0) src/maasserver/models/__init__.py (+2/-0) src/maasserver/models/rbacsync.py (+95/-0) src/maasserver/models/tests/test_rbacsync.py (+42/-0) src/maasserver/triggers/system.py (+152/-0) src/maasserver/triggers/testing.py (+45/-0) src/maasserver/triggers/tests/test_init.py (+6/-0) src/maasserver/triggers/tests/test_system.py (+5/-0) src/maasserver/triggers/tests/test_system_listener.py (+181/-0)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
MAAS Lander		Needs Fixing on 2018-10-04
Alberto Donato (community)	2018-10-03	Approve on 2018-10-04
Review via email: mp+356106@code.launchpad.net

Commit message

Add tracking of when resource pools are created/updated/deleted. Send a notification when this occurs.

Description of the change

In a following branch the regiond will listen for the sys_rpool notification to sync the resource pools to the RBAC micro-service.

Revision history for this message

Alberto Donato (ack) wrote on 2018-10-04:

The mechanism implemented here seems quite generic.
Maybe we could add a "resource_type" field so that a single table would track all type of resources that need sync.

Manager methods would then filter on that type (and the pg notification would also carry the type).

This way we don't need a different table and notification handler for each resource we cover with rbac.

review: Needs Information

Revision history for this message

Blake Rouse (blake-rouse) on 2018-10-04:

Revision history for this message

Blake Rouse (blake-rouse) wrote on 2018-10-04:

I was actually thinking the same thing that I didn't make it generic enough. Because I also need to get notifications when the settings change.

I have re-done the branch to make it generic just for syncing with RBAC in general. We can easily add on to it as we add more resources to RBAC.

Revision history for this message

Alberto Donato (ack) wrote on 2018-10-04:

+1, just minor comments inline

review: Approve

Revision history for this message

MAAS Lander (maas-lander) wrote on 2018-10-04:

UNIT TESTS
-b pools-modified-tracking lp:~blake-rouse/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: FAILED
LOG: http://maas-ci-jenkins.internal:8080/job/maas/job/branch-tester/4065/console
COMMIT: 1b10f2bc36346903128f4891f04f16aefe040a89

review: Needs Fixing

Revision history for this message

MAAS Lander (maas-lander) wrote on 2018-10-04:

LANDING
-b pools-modified-tracking lp:~blake-rouse/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: FAILED BUILD
LOG: http://maas-ci-jenkins.internal:8080/job/maas/job/branch-tester/4066/consoleText

Revision history for this message

MAAS Lander (maas-lander) wrote on 2018-10-04:

UNIT TESTS
-b pools-modified-tracking lp:~blake-rouse/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: FAILED
LOG: http://maas-ci-jenkins.internal:8080/job/maas/job/branch-tester/4072/console
COMMIT: aad64793fd2ef8f99aa345f42c1ff53a463b10ee

review: Needs Fixing

~blake-rouse/maas:pools-modified-tracking updated on 2018-10-04

b4b742a... by Blake Rouse on 2018-10-04: Fix tests.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Blake Rouse

MAAS Committers

Matvej Jurbin

Shane Holloman

 diff --git a/src/maasserver/migrations/builtin/maasserver/0179_rbacsync.py b/src/maasserver/migrations/builtin/maasserver/0179_rbacsync.py
 new file mode 100644
 index 0000000..3422aed
 --- /dev/null
 +++ b/src/maasserver/migrations/builtin/maasserver/0179_rbacsync.py
@@ -0,0 +1,30 @@
++# -*- coding: utf-8 -*-
++# Generated by Django 1.11.11 on 2018-10-04 14:25
++from __future__ import unicode_literals
++
++from django.db import (
++    migrations,
++    models,
++)
++
++
++class Migration(migrations.Migration):
++
++    dependencies = [
++        ('maasserver', '0178_break_apart_linked_bmcs'),
++    ]
++
++    operations = [
++        migrations.CreateModel(
++            name='RBACSync',
++            fields=[
++                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
++                ('action', models.CharField(blank=True, choices=[('full', 'full'), ('add', 'add'), ('update', 'update'), ('remove', 'remove')], default='full', editable=False, help_text='Action that should occur on the RBAC service.', max_length=6)),
++                ('resource_type', models.CharField(blank=True, editable=False, help_text='Resource type that as been added/updated/removed.', max_length=255)),
++                ('resource_id', models.IntegerField(blank=True, editable=False, help_text='Resource ID that has been added/updated/removed.', null=True)),
++                ('resource_name', models.CharField(blank=True, editable=False, help_text='Resource name that has been added/updated/removed.', max_length=255)),
++                ('created', models.DateTimeField(auto_now_add=True)),
++                ('source', models.CharField(blank=True, editable=False, help_text='A brief explanation what changed.', max_length=255)),
++            ],
++        ),
++    ]
 diff --git a/src/maasserver/models/__init__.py b/src/maasserver/models/__init__.py
 index 9177321..fc75e92 100644
 --- a/src/maasserver/models/__init__.py
 +++ b/src/maasserver/models/__init__.py
@@ -60,6 +60,7 @@ __all__ = [
      'PodStoragePool',
      'RackController',
      'RAID',
++    'RBACSync',
      'RDNS',
      'RegionController',
      'RegionControllerProcess',
@@ -167,6 +168,7 @@ from maasserver.models.partitiontable import PartitionTable
  from maasserver.models.physicalblockdevice import PhysicalBlockDevice
  from maasserver.models.podhints import PodHints
  from maasserver.models.podstoragepool import PodStoragePool
++from maasserver.models.rbacsync import RBACSync
  from maasserver.models.rdns import RDNS
  from maasserver.models.regioncontrollerprocess import RegionControllerProcess
  from maasserver.models.regioncontrollerprocessendpoint import (
 diff --git a/src/maasserver/models/rbacsync.py b/src/maasserver/models/rbacsync.py
 new file mode 100644
 index 0000000..40905db
 --- /dev/null
 +++ b/src/maasserver/models/rbacsync.py
@@ -0,0 +1,95 @@
++# Copyright 2018 Canonical Ltd.  This software is licensed under the
++# GNU Affero General Public License version 3 (see the file LICENSE).
++
++"""RBACSync objects."""
++
++__all__ = [
++    "RBACSync",
++]
++
++from django.db.models import (
++    Manager,
++    Model,
++)
++from django.db.models.fields import (
++    CharField,
++    DateTimeField,
++    IntegerField,
++)
++from maasserver import DefaultMeta
++
++
++class RBAC_ACTION:
++    #: Perform a full sync.
++    FULL = 'full'
++    #: Add a new resource.
++    ADD = 'add'
++    #: Update a resource.
++    UPDATE = 'update'
++    #: Remove a resource.
++    REMOVE = 'remove'
++
++
++RBAC_ACTION_CHOICES = [
++    (RBAC_ACTION.FULL, 'full'),
++    (RBAC_ACTION.ADD, 'add'),
++    (RBAC_ACTION.UPDATE, 'update'),
++    (RBAC_ACTION.REMOVE, 'remove'),
++]
++
++
++class RBACSyncManager(Manager):
++    """Manager for `RBACSync` records."""
++
++    def changes(self):
++        """Returns the changes that have occurred."""
++        return list(self.order_by('id'))
++
++    def clear(self):
++        """Deletes all `RBACSync`."""
++        self.all().delete()
++
++
++class RBACSync(Model):
++    """A row in this table denotes a change that requires information RBAC
++    micro-service to be updated.
++
++    Typically this will be populated by a trigger within the database. A
++    listeners in regiond will be notified and consult the un-synced records
++    in this table. This way we can consistently publish RBAC information to the
++    RBAC service in an HA environment.
++    """
++
++    class Meta(DefaultMeta):
++        """Default meta."""
++
++    objects = RBACSyncManager()
++
++    action = CharField(
++        editable=False, max_length=6, null=False, blank=True,
++        choices=RBAC_ACTION_CHOICES, default=RBAC_ACTION.FULL,
++        help_text="Action that should occur on the RBAC service.")
++
++    # An '' string is used when action is 'full'.
++    resource_type = CharField(
++        editable=False, max_length=255, null=False, blank=True,
++        help_text="Resource type that as been added/updated/removed.")
++
++    # A `None` is used when action is 'full'.
++    resource_id = IntegerField(
++        editable=False, null=True, blank=True,
++        help_text="Resource ID that has been added/updated/removed.")
++
++    # A '' string is used when action is 'full'.
++    resource_name = CharField(
++        editable=False, max_length=255, null=False, blank=True,
++        help_text="Resource name that has been added/updated/removed.")
++
++    # This field is informational.
++    created = DateTimeField(
++        editable=False, null=False, auto_now=False, auto_now_add=True)
++
++    # This field is informational.
++    source = CharField(
++        editable=False, max_length=255, null=False, blank=True,
++        help_text="A brief explanation what changed.")
 diff --git a/src/maasserver/models/tests/test_rbacsync.py b/src/maasserver/models/tests/test_rbacsync.py
 new file mode 100644
 index 0000000..8d1f670
 --- /dev/null
 +++ b/src/maasserver/models/tests/test_rbacsync.py
@@ -0,0 +1,42 @@
++# Copyright 2018 Canonical Ltd.  This software is licensed under the
++# GNU Affero General Public License version 3 (see the file LICENSE).
++
++"""Tests for RBACSync models."""
++
++__all__ = []
++
++from maasserver.models.rbacsync import RBACSync
++from maasserver.testing.testcase import MAASServerTestCase
++from testtools.matchers import (
++    Equals,
++    HasLength,
++)
++
++
++class TestRBACSync(MAASServerTestCase):
++    """Test `RBACSync`."""
++
++    def setUp(self):
++        super(TestRBACSync, self).setUp()
++        # These tests expect the RBACSync table to be empty.
++        RBACSync.objects.all().delete()
++
++    def test_changes(self):
++        synced = [
++            RBACSync.objects.create()
++            for _ in range(3)
++        ]
++        self.assertThat(
++            RBACSync.objects.changes(), Equals(synced))
++
++    def test_clear_does_nothing_when_nothing(self):
++        self.assertThat(RBACSync.objects.all(), HasLength(0))
++        RBACSync.objects.clear()
++        self.assertThat(RBACSync.objects.all(), HasLength(0))
++
++    def test_clear_removes_all(self):
++        for _ in range(3):
++            RBACSync.objects.create()
++        self.assertThat(RBACSync.objects.all(), HasLength(3))
++        RBACSync.objects.clear()
++        self.assertThat(RBACSync.objects.all(), HasLength(0))
 diff --git a/src/maasserver/triggers/system.py b/src/maasserver/triggers/system.py
 index ef0f07e..f73d11e 100644
 --- a/src/maasserver/triggers/system.py
 +++ b/src/maasserver/triggers/system.py
@@ -1654,6 +1654,130 @@ PEER_PROXY_CONFIG_UPDATE = dedent("""\
      """)
++# Triggered when RBAC need to be synced. In essense this means on
++# insert into maasserver_rbacsync.
++RBAC_SYNC = dedent("""\
++    CREATE OR REPLACE FUNCTION sys_rbac_sync()
++    RETURNS trigger AS $$
++    BEGIN
++      PERFORM pg_notify('sys_rbac', '');
++      RETURN NEW;
++    END;
++    $$ LANGUAGE plpgsql;
++    """)
++
++
++# Procedure to mark RBAC as needing a sync.
++RBAC_SYNC_UPDATE = dedent("""\
++    CREATE OR REPLACE FUNCTION sys_rbac_sync_update(
++      reason text,
++      action text DEFAULT 'full',
++      resource_type text DEFAULT '',
++      resource_id int DEFAULT NULL,
++      resource_name text DEFAULT '')
++    RETURNS void as $$
++    BEGIN
++      INSERT INTO maasserver_rbacsync
++        (created, source, action, resource_type, resource_id, resource_name)
++      VALUES (
++        now(), substring(reason FOR 255),
++        action, resource_type, resource_id, resource_name);
++    END;
++    $$ LANGUAGE plpgsql;
++    """)
++
++
++# Triggered when a new resource pool is added. Notifies that RBAC needs
++# to be synced.
++RBAC_RPOOL_INSERT = dedent("""\
++    CREATE OR REPLACE FUNCTION sys_rbac_rpool_insert()
++    RETURNS trigger as $$
++    BEGIN
++      PERFORM sys_rbac_sync_update(
++        'added resource pool ' || NEW.name,
++        'add', 'resource-pool', NEW.id, NEW.name);
++      RETURN NEW;
++    END;
++    $$ LANGUAGE plpgsql;
++    """)
++
++
++# Triggered when a resource pool is updated. Notifies that RBAC needs
++# to be synced. Only watches name.
++RBAC_RPOOL_UPDATE = dedent("""\
++    CREATE OR REPLACE FUNCTION sys_rbac_rpool_update()
++    RETURNS trigger as $$
++    DECLARE
++      changes text[];
++    BEGIN
++      IF OLD.name != NEW.name THEN
++        PERFORM sys_rbac_sync_update(
++          'renamed resource pool ' || OLD.name || ' to ' || NEW.name,
++          'update', 'resource-pool', OLD.id, NEW.name);
++      END IF;
++      RETURN NEW;
++    END;
++    $$ LANGUAGE plpgsql;
++    """)
++
++
++# Triggered when a resource pool is deleted. Notifies that RBAC needs
++# to be synced.
++RBAC_RPOOL_DELETE = dedent("""\
++    CREATE OR REPLACE FUNCTION sys_rbac_rpool_delete()
++    RETURNS trigger as $$
++    BEGIN
++      PERFORM sys_rbac_sync_update(
++        'removed resource pool ' || OLD.name,
++        'remove', 'resource-pool', OLD.id, OLD.name);
++      RETURN OLD;
++    END;
++    $$ LANGUAGE plpgsql;
++    """)
++
++
++# Triggered when the Candid/RBAC settings are inserted. Notifies that RBAC
++# needs to be synced.
++RBAC_CONFIG_INSERT = dedent("""\
++    CREATE OR REPLACE FUNCTION sys_rbac_config_insert()
++    RETURNS trigger as $$
++    BEGIN
++      IF (NEW.name = 'external_auth_url' OR
++          NEW.name = 'external_auth_user' OR
++          NEW.name = 'external_auth_key' OR
++          NEW.name = 'rbac_url') THEN
++        PERFORM sys_rbac_sync_update(
++          'configuration ' || NEW.name || ' set to ' ||
++          COALESCE(NEW.value, 'NULL'));
++      END IF;
++      RETURN NEW;
++    END;
++    $$ LANGUAGE plpgsql;
++    """)
++
++
++# Triggered when the Candid/RBAC settings are updated. Notifies that RBAC
++# needs to be synced. The external_auth_* keys are included that way if
++# the agent account that MAAS uses to update RBAC is updated in MAAS, MAAS will
++# ensure that a full sync of data is performed.
++RBAC_CONFIG_UPDATE = dedent("""\
++    CREATE OR REPLACE FUNCTION sys_rbac_config_update()
++    RETURNS trigger as $$
++    BEGIN
++      IF (OLD.value != NEW.value AND (
++          NEW.name = 'external_auth_url' OR
++          NEW.name = 'external_auth_user' OR
++          NEW.name = 'external_auth_key' OR
++          NEW.name = 'rbac_url')) THEN
++        PERFORM sys_rbac_sync_update(
++          'configuration ' || NEW.name || ' changed to ' || NEW.value);
++      END IF;
++      RETURN NEW;
++    END;
++    $$ LANGUAGE plpgsql;
++    """)
++
++
  def render_sys_proxy_procedure(proc_name, on_delete=False):
      """Render a database procedure with name `proc_name` that notifies that a
      proxy update is needed.
@@ -1914,3 +2038,31 @@ def register_system_triggers():
      register_trigger(
          "maasserver_config", "sys_proxy_config_use_peer_proxy_update",
          "update")
++
++    # - RBACSync
++    register_procedure(RBAC_SYNC)
++    register_trigger(
++        "maasserver_rbacsync",
++        "sys_rbac_sync", "insert")
++    register_procedure(RBAC_SYNC_UPDATE)
++
++    # - ResourcePool
++    register_procedure(RBAC_RPOOL_INSERT)
++    register_trigger(
++        "maasserver_resourcepool", "sys_rbac_rpool_insert", "insert")
++    register_procedure(RBAC_RPOOL_UPDATE)
++    register_trigger(
++        "maasserver_resourcepool", "sys_rbac_rpool_update", "update")
++    register_procedure(RBAC_RPOOL_DELETE)
++    register_trigger(
++        "maasserver_resourcepool", "sys_rbac_rpool_delete", "delete")
++
++    # - Config (Candid/RBAC)
++    register_procedure(RBAC_CONFIG_INSERT)
++    register_trigger(
++        "maasserver_config", "sys_rbac_config_insert",
++        "insert")
++    register_procedure(RBAC_CONFIG_UPDATE)
++    register_trigger(
++        "maasserver_config", "sys_rbac_config_update",
++        "update")
 diff --git a/src/maasserver/triggers/testing.py b/src/maasserver/triggers/testing.py
 index 73a6b48..0fec0ac 100644
 --- a/src/maasserver/triggers/testing.py
 +++ b/src/maasserver/triggers/testing.py
@@ -41,6 +41,7 @@ from maasserver.models.packagerepository import PackageRepository
  from maasserver.models.partition import Partition
  from maasserver.models.partitiontable import PartitionTable
  from maasserver.models.physicalblockdevice import PhysicalBlockDevice
++from maasserver.models.rbacsync import RBACSync
  from maasserver.models.regioncontrollerprocess import RegionControllerProcess
  from maasserver.models.regioncontrollerprocessendpoint import (
      RegionControllerProcessEndpoint,
@@ -847,3 +848,47 @@ class DNSHelpersMixin:
              self.assertThat(
                  new.serial, GreaterThan(old.serial),
                  "DNS has not been published again.")
++
++
++class RBACHelpersMixin:
++    """Helper to get the latest rbac sync."""
++
++    @transactional
++    def getSynced(self):
++        try:
++            return RBACSync.objects.order_by('-id').first()
++        except RBACSync.DoesNotExist:
++            return None
++
++    @inlineCallbacks
++    def captureSynced(self):
++        """Capture the most recent `RBACSync` record."""
++        self.__synced = yield deferToDatabase(self.getSynced)
++        returnValue(self.__synced)
++
++    def getCapturedSynced(self):
++        """Return the captured sync record."""
++        try:
++            return self.__synced
++        except AttributeError:
++            self.fail(
++                "No reference modification has been captured; "
++                "use `captureSynced` before calling "
++                "`getCapturedSynced`.")
++
++    @inlineCallbacks
++    def assertSynced(self):
++        """Assert there's a newer `RBACSync` record.
++
++        Call `captureSynced` first to obtain a reference record.
++        """
++        old = self.getCapturedSynced()
++        new = yield self.captureSynced()
++        if old is None:
++            self.assertThat(
++                new, Not(Is(None)),
++                "RBAC sync tracking has not been modified at all.")
++        else:
++            self.assertThat(
++                new.id, GreaterThan(old.id),
++                "RBAC sync tracking has not been modified again.")
 diff --git a/src/maasserver/triggers/tests/test_init.py b/src/maasserver/triggers/tests/test_init.py
 index e5bce9e..d03a833 100644
 --- a/src/maasserver/triggers/tests/test_init.py
 +++ b/src/maasserver/triggers/tests/test_init.py
@@ -105,6 +105,12 @@ class TestTriggersUsed(MAASServerTestCase):
          "subnet_sys_proxy_subnet_insert",
          "subnet_sys_proxy_subnet_update",
          "vlan_sys_dhcp_vlan_update",
++        "rbacsync_sys_rbac_sync",
++        "resourcepool_sys_rbac_rpool_insert",
++        "resourcepool_sys_rbac_rpool_update",
++        "resourcepool_sys_rbac_rpool_delete",
++        "config_sys_rbac_config_insert",
++        "config_sys_rbac_config_update",
+     }
      triggers_websocket = {
 diff --git a/src/maasserver/triggers/tests/test_system.py b/src/maasserver/triggers/tests/test_system.py
 index 1fe4615..eeccb47 100644
 --- a/src/maasserver/triggers/tests/test_system.py
 +++ b/src/maasserver/triggers/tests/test_system.py
@@ -61,6 +61,11 @@ class TestTriggers(MAASServerTestCase):
              "subnet_sys_proxy_subnet_insert",
              "subnet_sys_proxy_subnet_update",
              "subnet_sys_proxy_subnet_delete",
++            "resourcepool_sys_rbac_rpool_insert",
++            "resourcepool_sys_rbac_rpool_update",
++            "resourcepool_sys_rbac_rpool_delete",
++            "config_sys_rbac_config_insert",
++            "config_sys_rbac_config_update",
+             ]
          sql, args = psql_array(triggers, sql_type="text")
          with closing(connection.cursor()) as cursor:
 diff --git a/src/maasserver/triggers/tests/test_system_listener.py b/src/maasserver/triggers/tests/test_system_listener.py
 index d6e2adc..c543ca3 100644
 --- a/src/maasserver/triggers/tests/test_system_listener.py
 +++ b/src/maasserver/triggers/tests/test_system_listener.py
@@ -36,6 +36,7 @@ from maasserver.testing.testcase import (
  from maasserver.triggers.system import register_system_triggers
  from maasserver.triggers.testing import (
      DNSHelpersMixin,
++    RBACHelpersMixin,
      TransactionalHelpersMixin,
+ )
  from maasserver.utils.orm import transactional
@@ -4688,3 +4689,183 @@ class TestProxyListener(
              yield dv.get(timeout=2)
          finally:
              yield listener.stopService()
++
++
++class TestRBACResourcePoolListener(
++        MAASTransactionServerTestCase, TransactionalHelpersMixin,
++        RBACHelpersMixin):
++    """End-to-end test for the resource pool RBAC triggers code."""
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_sends_message_for_resource_pool_insert(self):
++        yield deferToDatabase(register_system_triggers)
++        yield self.captureSynced()
++        name = factory.make_name('pool')
++        dv = DeferredValue()
++        listener = self.make_listener_without_delay()
++        listener.register(
++            "sys_rbac", lambda *args: dv.set(args))
++        yield listener.startService()
++        try:
++            pool = yield deferToDatabase(
++                self.create_resource_pool, {'name': name})
++            yield dv.get(timeout=2)
++            yield self.assertSynced()
++        finally:
++            yield listener.stopService()
++        change = self.getCapturedSynced()
++        self.assertThat(
++            change.source,
++            Equals("added resource pool %s" % name))
++        self.assertThat(
++            change.action, Equals("add"))
++        self.assertThat(
++            change.resource_type, Equals("resource-pool"))
++        self.assertThat(
++            change.resource_id, Equals(pool.id))
++        self.assertThat(
++            change.resource_name, Equals(name))
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_sends_message_for_resource_pool_update(self):
++        yield deferToDatabase(register_system_triggers)
++        pool = yield deferToDatabase(
++            self.create_resource_pool, {})
++        pool_name = factory.make_name('pool')
++        yield self.captureSynced()
++        dv = DeferredValue()
++        listener = self.make_listener_without_delay()
++        listener.register(
++            "sys_rbac", lambda *args: dv.set(args))
++        yield listener.startService()
++        try:
++            yield deferToDatabase(self.update_resource_pool, pool.id, {
++                "name": pool_name,
++            })
++            yield dv.get(timeout=2)
++            yield self.assertSynced()
++        finally:
++            yield listener.stopService()
++        change = self.getCapturedSynced()
++        self.assertThat(
++            change.source,
++            Equals("renamed resource pool %s to %s" % (pool.name, pool_name)))
++        self.assertThat(
++            change.action, Equals("update"))
++        self.assertThat(
++            change.resource_type, Equals("resource-pool"))
++        self.assertThat(
++            change.resource_id, Equals(pool.id))
++        self.assertThat(
++            change.resource_name, Equals(pool_name))
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_sends_message_for_resource_pool_delete(self):
++        yield deferToDatabase(register_system_triggers)
++        pool = yield deferToDatabase(self.create_resource_pool)
++        yield self.captureSynced()
++        dv = DeferredValue()
++        listener = self.make_listener_without_delay()
++        listener.register(
++            "sys_rbac", lambda *args: dv.set(args))
++        yield listener.startService()
++        try:
++            yield deferToDatabase(self.delete_resource_pool, pool.id)
++            yield dv.get(timeout=2)
++            yield self.assertSynced()
++        finally:
++            yield listener.stopService()
++        change = self.getCapturedSynced()
++        self.assertThat(
++            change.source,
++            Equals("removed resource pool %s" % pool.name))
++        self.assertThat(
++            change.action, Equals("remove"))
++        self.assertThat(
++            change.resource_type, Equals("resource-pool"))
++        self.assertThat(
++            change.resource_id, Equals(pool.id))
++        self.assertThat(
++            change.resource_name, Equals(pool.name))
++
++
++class TestRBACConfigListener(
++        MAASTransactionServerTestCase, TransactionalHelpersMixin,
++        RBACHelpersMixin):
++    """End-to-end test for the config RBAC triggers code."""
++
++    scenarios = (
++        ('external_auth_url', {
++            'config': 'external_auth_url',
++        }),
++        ('external_auth_user', {
++            'config': 'external_auth_user',
++        }),
++        ('external_auth_key', {
++            'config': 'external_auth_key',
++        }),
++        ('rbac_url', {
++            'config': 'rbac_url',
++        }),
++    )
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_sends_message_for_config_insert(self):
++        new_value = factory.make_name("value")
++        yield deferToDatabase(register_system_triggers)
++        yield self.captureSynced()
++        dv = DeferredValue()
++        listener = self.make_listener_without_delay()
++        listener.register(
++            "sys_rbac", lambda *args: dv.set(args))
++        yield listener.startService()
++        try:
++            yield deferToDatabase(
++                Config.objects.set_config,
++                self.config, new_value)
++            yield dv.get(timeout=2)
++            yield self.assertSynced()
++        finally:
++            yield listener.stopService()
++        change = self.getCapturedSynced()
++        self.assertThat(
++            change.source, Equals(
++                "configuration %s set to %s"
++                % (self.config, json.dumps(new_value))))
++        self.assertThat(
++            change.action, Equals("full"))
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_sends_message_for_config_update(self):
++        old_value = factory.make_name("old")
++        new_value = factory.make_name("new")
++        yield deferToDatabase(register_system_triggers)
++        yield deferToDatabase(
++            Config.objects.set_config,
++            self.config, old_value)
++        yield self.captureSynced()
++        dv = DeferredValue()
++        listener = self.make_listener_without_delay()
++        listener.register(
++            "sys_rbac", lambda *args: dv.set(args))
++        yield listener.startService()
++        try:
++            yield deferToDatabase(
++                Config.objects.set_config,
++                self.config, new_value)
++            yield dv.get(timeout=2)
++            yield self.assertSynced()
++        finally:
++            yield listener.stopService()
++        change = self.getCapturedSynced()
++        self.assertThat(
++            change.source, Equals(
++                "configuration %s changed to %s"
++                % (self.config, json.dumps(new_value))))
++        self.assertThat(
++            change.action, Equals("full"))