class QuotasAdminTest(BaseQuotasTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
def setUp(self):
super(QuotasAdminTest, self).setUp()
@classmethod
def setup_clients(cls):
super(QuotasAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_admin.QuotasClient()
- else:
- cls.admin_client = cls.os_admin.dns_admin.QuotasClient()
+ cls.admin_client = cls.os_admin.dns_admin.QuotasClient()
cls.quotas_client = cls.os_primary.dns_v2.QuotasClient()
@decorators.idempotent_id('ed42f367-e5ba-40d7-a08d-366ad787d21c')
@classmethod
def setup_clients(cls):
super(BlacklistsAdminTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.BlacklistsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
+ cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
cls.primary_client = cls.os_primary.dns_v2.BlacklistsClient()
@decorators.idempotent_id('3a7f7564-6bdd-446e-addc-a3475b4c3f71')
self.assertExpected(blacklist, body, self.excluded_keys)
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_CUD_RBAC_enforcement('BlacklistsClient', 'create_blacklist',
expected_allowed, False)
LOG.info('Ensure the fetched response matches the created blacklist')
self.assertExpected(blacklist, body, self.excluded_keys)
-
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'BlacklistsClient', 'show_blacklist', expected_allowed, False,
# A blacklist delete returns an empty body
self.assertEqual(body.strip(), b"")
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'delete_blacklist', expected_allowed, False,
# TODO(pglass): Assert that the created blacklist is in the response
self.assertGreater(len(body['blacklists']), 0)
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'BlacklistsClient', 'list_blacklists',
self.assertEqual(pattern, body['pattern'])
self.assertEqual(description, body['description'])
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'update_blacklist', expected_allowed, False,
class TestBlacklistNotFoundAdmin(BaseBlacklistsTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TestBlacklistNotFoundAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.BlacklistsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
+ cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
@decorators.idempotent_id('9d65b638-fe98-47a8-853f-fa9244d144cc')
def test_show_blacklist_404(self):
class TestBlacklistInvalidIdAdmin(BaseBlacklistsTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TestBlacklistInvalidIdAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.BlacklistsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
+ cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
@decorators.idempotent_id('c7bae53f-2edc-45d8-b254-8a81482728c1')
def test_show_blacklist_invalid_uuid(self):
class DesignateLimit(base.BaseDnsV2Test):
- credentials = ["admin", "system_admin", "system_reader", "primary", "alt",
+ credentials = ["admin", "primary", "alt",
"project_member", "project_reader"]
@classmethod
@classmethod
def setup_clients(cls):
super(DesignateLimit, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = (cls.os_system_admin.dns_v2.
- DesignateLimitClient())
- else:
- cls.admin_client = cls.os_admin.dns_v2.DesignateLimitClient()
+ cls.admin_client = cls.os_admin.dns_v2.DesignateLimitClient()
cls.primary_client = cls.os_primary.dns_v2.DesignateLimitClient()
cls.alt_client = cls.os_alt.dns_v2.DesignateLimitClient()
def test_list_designate_limits_RBAC(self):
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_system_reader',
- 'os_project_member', 'os_project_reader'])
+ expected_allowed.extend(['os_project_member', 'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'DesignateLimitClient', 'list_designate_limits',
class PoolAdminTest(BasePoolTest):
- credentials = ["admin", "primary", "system_admin", "system_reader",
- "project_member", "project_reader", "alt"]
+ credentials = ["admin", "primary", "project_member",
+ "project_reader", "alt"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(PoolAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('69257f7c-b3d5-4e1b-998e-0677ad12f125')
def test_create_pool(self):
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'PoolClient', 'create_pool', expected_allowed, False,
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
# TODO(johnsom) The pools API seems inconsistent with the requirement
# of the all-projects header.
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'PoolClient', 'delete_pool', expected_allowed, False, pool['id'])
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'PoolClient', 'list_pools', expected_allowed, [pool['id']],
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'PoolClient', 'update_pool', expected_allowed, True,
class TestPoolNotFoundAdmin(BasePoolTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TestPoolNotFoundAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('56281b2f-dd5a-4376-8c32-aba771062fa5')
def test_show_pool_404(self):
class TestPoolInvalidIdAdmin(BasePoolTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TestPoolInvalidIdAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('081d0188-42a7-4953-af0e-b022960715e2')
def test_show_pool_invalid_uuid(self):
class TestPoolAdminNegative(BasePoolTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TestPoolAdminNegative, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('0a8cdc1e-ac02-11eb-ae06-74e5f9e2a801')
def test_create_pool_invalid_name(self):
def setup_clients(cls):
super(BasePtrTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.admin_network_client = cls.os_admin.networks_client
cls.admin_subnet_client = cls.os_admin.subnets_client
class DesignatePtrRecord(BasePtrTest, tempest.test.BaseTestCase):
- credentials = ['primary', 'admin', 'system_admin']
+ credentials = ['primary', 'admin']
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(DesignatePtrRecord, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_ptr_client = cls.os_system_admin.dns_v2.PtrClient()
- else:
- cls.admin_ptr_client = cls.os_admin.dns_v2.PtrClient()
+ cls.admin_ptr_client = cls.os_admin.dns_v2.PtrClient()
cls.primary_ptr_client = cls.os_primary.dns_v2.PtrClient()
cls.primary_floating_ip_client = cls.os_primary.floating_ips_client
class DesignatePtrRecordNegative(BasePtrTest, tempest.test.BaseTestCase):
- credentials = ['primary', 'admin', 'system_admin']
+ credentials = ['primary', 'admin']
@classmethod
def setup_credentials(cls):
class QuotasV2Test(base.BaseDnsV2Test):
- credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+ credentials = ["primary", "admin", "alt",
"project_member", "project_reader"]
@classmethod
def setup_clients(cls):
super(QuotasV2Test, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.QuotasClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
cls.quotas_client = cls.os_primary.dns_v2.QuotasClient()
cls.alt_client = cls.os_alt.dns_v2.QuotasClient()
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_system_reader',
- 'os_project_member', 'os_project_reader'])
+ expected_allowed.extend(['os_project_member', 'os_project_reader'])
self.check_list_show_with_ID_RBAC_enforcement(
'QuotasClient', 'show_quotas', expected_allowed, False)
LOG.info("Deleting (reset) quotas")
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin'])
self.check_CUD_RBAC_enforcement(
'QuotasClient', 'delete_quotas', expected_allowed, False,
**quotas, headers=self.all_projects_header)[1]
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin'])
self.check_CUD_RBAC_enforcement(
'QuotasClient', 'update_quotas', expected_allowed, False,
class QuotasV2TestNegative(base.BaseDnsV2Test):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_credentials(cls):
def setup_clients(cls):
super(QuotasV2TestNegative, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.QuotasClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
cls.quotas_client = cls.os_primary.dns_v2.QuotasClient()
@decorators.idempotent_id('ae82a0ba-da60-11eb-bf12-74e5f9e2a801')
@classmethod
def setup_clients(cls):
super(BaseRecordsetsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
class RecordsetsTest(BaseRecordsetsTest):
- credentials = ["admin", "system_admin", "system_reader", "primary", "alt",
+ credentials = ["admin", "primary", "alt",
"project_member", "project_reader"]
@classmethod
@classmethod
def setup_clients(cls):
super(RecordsetsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- cls.admin_zone_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
- cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
cls.client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_client = cls.os_alt.dns_v2.RecordsetClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
expected_allowed, [recordset_id], self.zone['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'RecordsetClient', 'list_recordset', expected_allowed,
self.zone['id'], recordset_id)
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True,
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'delete_recordset', expected_allowed, True,
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'delete_recordset', expected_allowed, False,
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, True,
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, False,
class RecordsetsNegativeTest(BaseRecordsetsTest):
- credentials = ["admin", "system_admin", "primary", "alt"]
+ credentials = ["admin", "primary", "alt"]
@classmethod
def setup_credentials(cls):
class RootRecordsetsTests(BaseRecordsetsTest):
- credentials = ["admin", "primary", "system_admin", "alt"]
+ credentials = ["admin", "primary", "alt"]
@classmethod
def setup_credentials(cls):
class RecordsetOwnershipTest(BaseRecordsetsTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(RecordsetOwnershipTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
cls.client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_client = cls.os_alt.dns_v2.RecordsetClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
class AdminManagedRecordsetTest(BaseRecordsetsTest):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(AdminManagedRecordsetTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
cls.client = cls.os_primary.dns_v2.RecordsetClient()
@decorators.idempotent_id('84164ff4-8e68-11ec-983f-201e8823901f')
class RecordsetsManagedRecordsNegativeTest(BaseRecordsetsTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_clients(cls):
super(RecordsetsManagedRecordsNegativeTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
@decorators.idempotent_id('083fa738-bb1b-11ec-b581-201e8823901f')
class RecordsetValidationTest(base.BaseDnsV2Test):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
def setUp(self):
super(RecordsetValidationTest, self).setUp()
def setup_clients(cls):
super(RecordsetValidationTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
@property
class ServiceStatusAdmin(base.BaseDnsV2Test):
- credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+ credentials = ["primary", "admin", "alt",
"project_reader", "project_member"]
mandatory_services = ['central', 'mdns', 'worker', 'producer']
@classmethod
def setup_clients(cls):
super(ServiceStatusAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ServiceClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ServiceClient()
+ cls.admin_client = cls.os_admin.dns_v2.ServiceClient()
@decorators.idempotent_id('bf277a76-8583-11eb-a557-74e5f9e2a801')
def test_admin_list_service_statuses(self):
"services: {}".format(services_statuses_tup))
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ServiceClient', 'list_statuses', expected_allowed, False)
class BaseSharedZoneTest(base.BaseDnsV2Test):
- credentials = ['admin', 'system_admin', 'system_reader', 'primary', 'alt',
- 'project_reader', 'project_member', ['demo', 'member']]
+ credentials = ['admin', 'primary', 'alt', 'project_reader',
+ 'project_member', ['demo', 'member']]
excluded_keys = ['links']
def setup_clients(cls):
super(BaseSharedZoneTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_system_admin.dns_v2.SharedZonesClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
cls.demo_zone_client = cls.os_demo.dns_v2.ZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
'SharedZonesClient', 'create_zone_share', expected_allowed, True,
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
'SharedZonesClient', 'delete_zone_share', expected_allowed, True,
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
class TldAdminTest(BaseTldTest):
- credentials = ["admin", "system_admin", "system_reader",
- "primary", "alt", "project_reader", "project_member"]
+ credentials = ["admin", "primary", "alt",
+ "project_reader", "project_member"]
# Use a TLD suffix unique to this test class.
local_tld_suffix = '.'.join(["tldadmintest", CONF.dns.tld_suffix])
@classmethod
def setup_clients(cls):
super(TldAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.TldClient()
cls.primary_client = cls.os_primary.dns_v2.TldClient()
@classmethod
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement('TldClient', 'create_tld',
expected_allowed, False)
self.assertExpected(tld, body, self.excluded_keys)
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TldClient', 'show_tld', expected_allowed, False, tld['id'])
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement('TldClient', 'delete_tld',
expected_allowed, False, tld['id'])
self.assertGreater(len(body['tlds']), 0)
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TldClient', 'list_tlds', expected_allowed, [tld['id']],
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TldClient', 'update_tld', expected_allowed, False, tld['id'],
class TestTldNotFoundAdmin(BaseTldTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TestTldNotFoundAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.TldClient()
@decorators.idempotent_id('b237d5ee-0d76-4294-a3b6-c2f8bf4b0e30')
def test_show_tld_404(self):
class TestTldInvalidIdAdmin(BaseTldTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TestTldInvalidIdAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.TldClient()
@decorators.idempotent_id('f9ec0730-57ff-4720-8d06-e11d377c7cfc')
def test_show_tld_invalid_uuid(self):
@classmethod
def setup_clients(cls):
super(BaseTransferAcceptTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
class TransferAcceptTest(BaseTransferAcceptTest):
- credentials = ["primary", "alt", "admin", "system_admin", "system_reader",
+ credentials = ["primary", "alt", "admin",
"project_member", "project_reader"]
@classmethod
cls.alt_accept_client = cls.os_alt.dns_v2.TransferAcceptClient()
# Admin clients
- if CONF.enforce_scope.designate:
- cls.admin_zone_client = cls.os_system_admin.dns_v2.ZonesClient()
- cls.admin_request_client = (cls.os_system_admin.dns_v2.
- TransferRequestClient())
- cls.admin_accept_client = (cls.os_system_admin.dns_v2.
- TransferAcceptClient())
- else:
- cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
- cls.admin_request_client = (cls.os_admin.dns_v2.
- TransferRequestClient())
- cls.admin_accept_client = (cls.os_admin.dns_v2.
- TransferAcceptClient())
+ cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_request_client = (cls.os_admin.dns_v2.
+ TransferRequestClient())
+ cls.admin_accept_client = (cls.os_admin.dns_v2.
+ TransferAcceptClient())
@decorators.idempotent_id('1c6baf97-a83e-4d2e-a5d8-9d37fb7808f3')
def test_create_transfer_accept(self):
# transfer key.
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
- # Note: system_reader is allowed because this API RBAC is based
- # on the target project ID. It will return a 401 instead of
- # a 403.
- expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
True, transfer_accept['id'])
# Test RBAC with x-auth-all-projects
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_RBAC_enforcement_count(
'TransferAcceptClient', 'list_transfer_accept',
expected_allowed, 0)
# Test that users who should see the zone, can see it.
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferAcceptClient', 'list_transfer_accept',
self.wait_zone_delete, self.alt_zone_client, zone['id'])
# Test RBAC with x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
class TransferAcceptTestNegative(BaseTransferAcceptTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(BaseTransferRequestTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
class TransferRequestTest(BaseTransferRequestTest):
- credentials = ["primary", "alt", "admin", "system_admin", "system_reader",
+ credentials = ["primary", "alt", "admin",
"project_member", "project_reader"]
@classmethod
@classmethod
def setup_clients(cls):
super(TransferRequestTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_client = (cls.os_system_admin.dns_v2.
- TransferRequestClient())
- else:
- cls.admin_client = cls.os_admin.dns_v2.TransferRequestClient()
+ cls.admin_client = cls.os_admin.dns_v2.TransferRequestClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
cls.client = cls.os_primary.dns_v2.TransferRequestClient()
cls.alt_client = cls.os_alt.dns_v2.TransferRequestClient()
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
# Note: The create service client does not define a target project
# ID, so everyone should be able to see it.
expected_allowed = ['os_admin', 'os_primary', 'os_alt',
- 'os_system_admin', 'os_system_reader',
'os_project_member', 'os_project_reader']
self.check_list_show_RBAC_enforcement(
True, transfer_request['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
# Test RBAC when a transfer target project is specified.
if CONF.enforce_scope.designate:
expected_allowed = ['os_primary', 'os_alt',
- 'os_system_admin', 'os_project_member']
+ 'os_project_member']
else:
expected_allowed = ['os_primary', 'os_alt', 'os_admin',
- 'os_system_admin', 'os_project_member']
+ 'os_project_member']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_admin']
+ expected_allowed = ['os_admin']
else:
expected_allowed = ['os_alt']
"listed IDs{}".format(request_id, request_ids))
# Test RBAC with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferRequestClient', 'list_transfer_requests',
self.assertEqual([alt_transfer_request['id']], request_ids)
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferRequestClient', 'list_transfer_requests',
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'TransferRequestClient', 'update_transfer_request',
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TransferRequestClient', 'update_transfer_request',
class TestTransferRequestNotFound(BaseTransferRequestTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
class TestTransferRequestInvalidId(BaseTransferRequestTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
def setup_clients(cls):
super(BaseTsigkeyTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
class TsigkeyAdminTest(BaseTsigkeyTest):
- credentials = ["primary", "admin", "system_admin", "system_reader",
- "project_member", "project_reader", "alt"]
+ credentials = ["primary", "admin", "project_member",
+ "project_reader", "alt"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TsigkeyAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TsigkeyClient()
- cls.pool_admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
- cls.pool_admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
+ cls.pool_admin_client = cls.os_admin.dns_v2.PoolClient()
cls.primary_client = cls.os_primary.dns_v2.TsigkeyClient()
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TsigkeyClient', 'create_tsigkey', expected_allowed, False,
self.assertGreater(len(body['tsigkeys']), 0)
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TsigkeyClient', 'list_tsigkeys', expected_allowed,
self.assertExpected(tsigkey, body, self.excluded_keys)
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TsigkeyClient', 'show_tsigkey', expected_allowed, True,
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TsigkeyClient', 'update_tsigkey', expected_allowed, False,
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TsigkeyClient', 'delete_tsigkey', expected_allowed, False,
class TestTsigkeyNotFoundAdmin(BaseTsigkeyTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TestTsigkeyNotFoundAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TsigkeyClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
+ cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
@decorators.idempotent_id('824c9b49-edc5-4282-929e-467a158d23e4')
def test_show_tsigkey_404(self):
class TestTsigkeyInvalidIdAdmin(BaseTsigkeyTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(TestTsigkeyInvalidIdAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TsigkeyClient()
- cls.pool_admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
- cls.pool_admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
+ cls.pool_admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('2a8dfc75-9884-4b1c-8f1f-ed835d96f2fe')
def test_show_tsigkey_invalid_uuid(self):
def setup_clients(cls):
super(BaseZonesTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
class ZoneTasks(BaseZonesTest):
- credentials = ["primary", "alt", "admin", "system_admin", "system_reader",
+ credentials = ["primary", "alt", "admin",
"project_member", "project_reader"]
@classmethod
@classmethod
def setup_clients(cls):
super(ZoneTasks, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
cls.alt_client = cls.os_alt.dns_v2.ZonesClient()
@decorators.idempotent_id('287e2cd0-a0e7-11eb-b962-74e5f9e2a801')
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'abandon_zone', expected_allowed, False,
class ZoneTasksNegative(BaseZonesTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(ZoneTasksNegative, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
cls.alt_client = cls.os_alt.dns_v2.ZonesClient()
def _query_nameserver(self, nameserver, query_timeout,
@classmethod
def setup_clients(cls):
super(BaseZonesTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@classmethod
def setup_clients(cls):
super(ZonesTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.pool_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.pool_client = cls.os_admin.dns_v2.PoolClient()
+ cls.pool_client = cls.os_admin.dns_v2.PoolClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
# Test with no extra header overrides (sudo-project-id)
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement('ZonesClient', 'create_zone',
# Test with x-auth-sudo-project-id header
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'create_zone', expected_allowed, False,
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, False, zone['id'],
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, True, zone['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, False, zone['id'],
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_admin']
+ expected_allowed = ['os_admin']
else:
expected_allowed = ['os_alt']
'ZonesClient', 'list_zones', expected_allowed, [zone['id']])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZonesClient', 'list_zones', expected_allowed, [zone['id']],
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, True,
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, False,
True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed,
class ZonesAdminTest(BaseZonesTest):
- credentials = ["primary", "admin", "system_admin", "alt"]
+ credentials = ["primary", "admin", "alt"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(ZonesAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
cls.alt_client = cls.os_alt.dns_v2.ZonesClient()
@decorators.idempotent_id('f6fe8cce-8b04-11eb-a861-74e5f9e2a801')
class ZoneOwnershipTest(BaseZonesTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
class ZonesNegativeTest(BaseZonesTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
def setup_clients(cls):
super(BaseZoneExportsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
class ZonesExportTest(BaseZoneExportsTest):
- credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+ credentials = ["primary", "admin", "alt",
"project_member", "project_reader"]
@classmethod
@classmethod
def setup_clients(cls):
super(ZonesExportTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZoneExportsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZoneExportsClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZoneExportsClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
cls.client = cls.os_primary.dns_v2.ZoneExportsClient()
cls.alt_client = cls.os_alt.dns_v2.ZoneExportsClient()
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
zone_export['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
zone_export['id'], listed_export_ids))
# Test RBAC with x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, True,
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, False,
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_admin']
+ expected_allowed = ['os_admin']
else:
expected_allowed = ['os_alt']
expected_allowed, [export['id']])
# Test RBAC with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZoneExportsClient', 'list_zone_exports',
'listed IDs:{}'.format(id, listed_exports_ids))
# Test RBAC with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZoneExportsClient', 'list_zone_exports', expected_allowed,
class ZonesExportTestNegative(BaseZoneExportsTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(BaseZonesImportTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
class ZonesImportTest(BaseZonesImportTest):
- credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+ credentials = ["primary", "admin", "alt",
"project_member", "project_reader"]
@classmethod
@classmethod
def setup_clients(cls):
super(ZonesImportTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZoneImportsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZoneImportsClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZoneImportsClient()
cls.client = cls.os_primary.dns_v2.ZoneImportsClient()
cls.alt_client = cls.os_alt.dns_v2.ZoneImportsClient()
# Test with no extra header overrides (sudo-project-id)
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
zone_import['id'])
# Test with x-auth-all-projects
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, True,
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, False,
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_admin']
+ expected_allowed = ['os_admin']
else:
expected_allowed = ['os_alt']
[zone_import['id']])
# Test RBAC with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZoneImportsClient', 'list_zone_imports', expected_allowed,
zone_import, resp_body['imports'][0], self.excluded_keys)
# Test with x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
zone_import['id'], listed_zone_import_ids))
# Test RBAC with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZoneImportsClient', 'list_zone_imports', expected_allowed,
class ZonesImportTestNegative(BaseZonesImportTest):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_credentials(cls):
# can test for allowed and disallowed RBAC policies.
credentials = ['admin', 'primary', 'alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- credentials.extend(['system_admin', 'system_reader',
- 'project_member', 'project_reader'])
+ credentials.extend(['project_member', 'project_reader'])
# A tuple of credentials that will be allocated by tempest using the
# 'credentials' list above. These are used to build RBAC test lists.
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or
- cred == 'os_system_reader') and
- not CONF.enforce_scope.designate):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.designate is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
project_id = self._get_client_project_id(cred_obj, client_str)
try:
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or
- cred == 'os_system_reader') and
- not CONF.enforce_scope.designate):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.designate is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
# Get the result body
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or
- cred == 'os_system_reader') and
- not CONF.enforce_scope.designate):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.designate is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
# Get the result body
def setup_clients(cls):
super(BaseBlacklistsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
class BlacklistE2E(BaseBlacklistsTest):
- credentials = ["admin", 'primary', 'system_admin']
+ credentials = ["admin", 'primary']
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(BlacklistE2E, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_blacklist_client = (
- cls.os_system_admin.dns_v2.BlacklistsClient())
- cls.admin_zone_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_blacklist_client = cls.os_admin.dns_v2.BlacklistsClient()
- cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_blacklist_client = cls.os_admin.dns_v2.BlacklistsClient()
+ cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
@decorators.idempotent_id('22b1ee72-d8d2-11eb-bcdc-74e5f9e2a801')
def test_primary_fails_to_create_zone_matches_blacklist_regex(self):
# delegation scenarios.
class ClasslessPTRTest(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin', 'alt']
+ credentials = ['primary', 'admin', 'alt']
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(ClasslessPTRTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.zone_client = cls.os_primary.dns_v2.ZonesClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_rec_client = cls.os_alt.dns_v2.RecordsetClient()
class QuotasV2Test(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin', 'alt']
+ credentials = ['primary', 'admin', 'alt']
test_quota_limit = 3
@classmethod
@classmethod
def setup_clients(cls):
super(QuotasV2Test, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.QuotasClient()
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.quotas_client = cls.os_primary.dns_v2.QuotasClient()
cls.alt_client = cls.os_alt.dns_v2.QuotasClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
class QuotasBoundary(base.BaseDnsV2Test, tempest.test.BaseTestCase):
- credentials = ['admin', 'system_admin', 'primary']
+ credentials = ['admin', 'primary']
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(QuotasBoundary, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.quota_client = cls.os_system_admin.dns_v2.QuotasClient()
- cls.project_client = cls.os_system_admin.projects_client
- cls.recordset_client = cls.os_system_admin.dns_v2.RecordsetClient()
- cls.export_zone_client = (
- cls.os_system_admin.dns_v2.ZoneExportsClient())
- cls.admin_zones_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.quota_client = cls.os_admin.dns_v2.QuotasClient()
- cls.project_client = cls.os_admin.projects_client
- cls.admin_zones_client = cls.os_admin.dns_v2.ZonesClient()
- cls.recordset_client = cls.os_admin.dns_v2.RecordsetClient()
- cls.export_zone_client = cls.os_admin.dns_v2.ZoneExportsClient()
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.quota_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.project_client = cls.os_admin.projects_client
+ cls.admin_zones_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.recordset_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.export_zone_client = cls.os_admin.dns_v2.ZoneExportsClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
class SharedZonesQuotaTest(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin']
+ credentials = ['primary', 'admin']
@classmethod
def setup_clients(cls):
super(SharedZonesQuotaTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.adm_project_client = cls.os_system_admin.projects_client
- cls.adm_quota_client = cls.os_system_admin.dns_v2.QuotasClient()
- cls.adm_zone_client = cls.os_system_admin.dns_v2.ZonesClient()
- cls.adm_shr_client = cls.os_system_admin.dns_v2.SharedZonesClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.adm_project_client = cls.os_admin.projects_client
- cls.adm_quota_client = cls.os_admin.dns_v2.QuotasClient()
- cls.adm_zone_client = cls.os_admin.dns_v2.ZonesClient()
- cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.adm_project_client = cls.os_admin.projects_client
+ cls.adm_quota_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.adm_zone_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
cls.rec_client = cls.os_primary.dns_v2.RecordsetClient()
cls.export_zone_client = cls.os_primary.dns_v2.ZoneExportsClient()
class RecordsetsTest(base.BaseDnsV2Test):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_clients(cls):
super(RecordsetsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
@classmethod
class SharedZonesTest(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin', 'alt',
+ credentials = ['primary', 'admin', 'alt',
['demo', 'member']]
@classmethod
def setup_clients(cls):
super(SharedZonesTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_system_admin.dns_v2.SharedZonesClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
cls.rec_client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_rec_client = cls.os_alt.dns_v2.RecordsetClient()
class SharedZonesTestNegative(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin', 'alt',
+ credentials = ['primary', 'admin', 'alt',
['demo', 'member']]
@classmethod
def setup_clients(cls):
super(SharedZonesTestNegative, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_system_admin.dns_v2.SharedZonesClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
cls.alt_export_client = cls.os_alt.dns_v2.ZoneExportsClient()
cls.primary_export_client = cls.os_primary.dns_v2.ZoneExportsClient()
class TldZoneTest(base.BaseDnsV2Test):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
tld_suffix = '.'.join(["TldZoneTest", CONF.dns.tld_suffix])
@classmethod
@classmethod
def setup_clients(cls):
super(TldZoneTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.primary_tld_client = cls.os_primary.dns_v2.TldClient()
@classmethod
class ZonesTest(base.BaseDnsV2Test):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_clients(cls):
super(ZonesTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.rec_client = cls.os_system_admin.dns_v2.RecordsetClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.rec_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.rec_client = cls.os_admin.dns_v2.RecordsetClient()
cls.primary_client = cls.os_primary.dns_v2.BlacklistsClient()
@classmethod
class ZonesExportTest(BaseZoneExportsTest):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_credentials(cls):
@classmethod
def setup_clients(cls):
super(ZonesExportTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZoneExportsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZoneExportsClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZoneExportsClient()
cls.client = cls.os_primary.dns_v2.ZoneExportsClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
class ZonesImportTest(BaseZonesImportTest):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_clients(cls):
class ZonesTransferTest(base.BaseDnsV2Test):
- credentials = ['primary', 'alt', 'admin', 'system_admin']
+ credentials = ['primary', 'alt', 'admin']
@classmethod
def setup_clients(cls):
super(ZonesTransferTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_zones_client = cls.os_system_admin.dns_v2.ZonesClient()
- cls.admin_accept_client = (
- cls.os_system_admin.dns_v2.TransferAcceptClient())
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_zones_client = cls.os_admin.dns_v2.ZonesClient()
- cls.admin_accept_client = (
- cls.os_admin.dns_v2.TransferAcceptClient())
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_zones_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_accept_client = (
+ cls.os_admin.dns_v2.TransferAcceptClient())
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.alt_zones_client = cls.os_alt.dns_v2.ZonesClient()
cls.request_client = cls.os_primary.dns_v2.TransferRequestClient()
cls.alt_request_client = cls.os_alt.dns_v2.TransferRequestClient()
Code Review / packaging / sources / designate-tempest-plugin.git / commitdiff