Expand Designate RBAC testing - Designate Limits
This patch adds RBAC testing for allowed and disallowed credentials.
This is one of a series of patches adding testing. This patch covers the
limits API.
Change-Id: Id9d421f34922044b40e1e79b06ff99b4a6e0f549
diff --git a/designate_tempest_plugin/tests/api/v2/test_designate_limits.py b/designate_tempest_plugin/tests/api/v2/test_designate_limits.py
index 2cb9d9e..102f168 100644
--- a/designate_tempest_plugin/tests/api/v2/test_designate_limits.py
+++ b/designate_tempest_plugin/tests/api/v2/test_designate_limits.py
@@ -24,7 +24,8 @@
class DesignateLimit(base.BaseDnsV2Test):
- credentials = ["admin", "system_admin", "primary", "alt"]
+ credentials = ["admin", "system_admin", "system_reader", "primary", "alt",
+ "project_member", "project_reader"]
@classmethod
def setup_credentials(cls):
@@ -102,3 +103,14 @@
project_id, received_project_ids,
'Failed, expected project_id:{} is missing in:{} '.format(
project_id, received_project_ids))
+
+ @decorators.idempotent_id('fc57fa6b-5280-4186-9be9-ff4da0961db0')
+ def test_list_designate_limits_RBAC(self):
+ expected_allowed = ['os_admin', 'os_primary', 'os_alt']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_system_admin', 'os_system_reader',
+ 'os_project_member', 'os_project_reader'])
+
+ self.check_list_show_RBAC_enforcement(
+ 'DesignateLimitClient', 'list_designate_limits',
+ expected_allowed, False)
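Review bot: When `CONF.dns_feature_enabled.enforce_new_defaults` is set, `expected_allowed` in `test_list_designate_limits_RBAC` names all seven personas from the class `credentials` list, so the test has no credential it expects to be denied. In that mode it would presumably still pass if the limits policy were left fully open. If the policy really is meant to let any authenticated persona list limits, record that in a docstring such as `"""All personas may list limits under the new defaults, so no denial is checked in that mode."""`, so the missing negative case reads as deliberate. The trailing positional `False` is also opaque at the call site, and `check_list_show_RBAC_enforcement` is defined outside this diff. A one-line comment above the call saying what that flag controls would help the next reader.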