Remove system scope token usage
Designate (like any other services) does not support the system
scope and now we are enabling the new defaults by default
- https://review.opendev.org/c/openstack/designate/+/925627
To enable the new defaults, we need to remove the usage of the system
scope token from the tests; otherwise they fail
- https://review.opendev.org/c/openstack/designate/+/926446/
Needed-By: https://review.opendev.org/c/openstack/designate/+/925627
Needed-By: https://review.opendev.org/c/openstack/requirements/+/925464
Change-Id: I8162819f35e7aba5f9c5fab77f0308faf73287ea
diff --git a/designate_tempest_plugin/tests/api/admin/test_quotas.py b/designate_tempest_plugin/tests/api/admin/test_quotas.py
index dd4bed2..da76894 100644
--- a/designate_tempest_plugin/tests/api/admin/test_quotas.py
+++ b/designate_tempest_plugin/tests/api/admin/test_quotas.py
@@ -34,7 +34,7 @@
class QuotasAdminTest(BaseQuotasTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
def setUp(self):
super(QuotasAdminTest, self).setUp()
@@ -53,10 +53,7 @@
@classmethod
def setup_clients(cls):
super(QuotasAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_admin.QuotasClient()
- else:
- cls.admin_client = cls.os_admin.dns_admin.QuotasClient()
+ cls.admin_client = cls.os_admin.dns_admin.QuotasClient()
cls.quotas_client = cls.os_primary.dns_v2.QuotasClient()
@decorators.idempotent_id('ed42f367-e5ba-40d7-a08d-366ad787d21c')
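Review bot: With the `CONF.enforce_scope.designate` branch removed from `setup_clients`, no line visible in this file's hunks still reads `CONF`. If the rest of test_quotas.py has no other use, the module-level `CONF` binding and the `config` import behind it are dead and are better removed in the same commit. The same check applies to test_blacklists.py, test_pool.py and test_ptrs.py, where every `CONF` reference visible in the hunks sits on a removed line. The file headers are outside the hunks, so this needs confirming against the full files.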
diff --git a/designate_tempest_plugin/tests/api/v2/test_blacklists.py b/designate_tempest_plugin/tests/api/v2/test_blacklists.py
index 48b3028..03aff02 100644
--- a/designate_tempest_plugin/tests/api/v2/test_blacklists.py
+++ b/designate_tempest_plugin/tests/api/v2/test_blacklists.py
@@ -39,11 +39,7 @@
@classmethod
def setup_clients(cls):
super(BlacklistsAdminTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.BlacklistsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
+ cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
cls.primary_client = cls.os_primary.dns_v2.BlacklistsClient()
@decorators.idempotent_id('3a7f7564-6bdd-446e-addc-a3475b4c3f71')
@@ -58,7 +54,7 @@
self.assertExpected(blacklist, body, self.excluded_keys)
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_CUD_RBAC_enforcement('BlacklistsClient', 'create_blacklist',
expected_allowed, False)
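Review bot: `expected_allowed = ['os_admin']` depends on which personas BlacklistsAdminTest requests, and no hunk in this file touches that class's `credentials` list, whereas TestBlacklistNotFoundAdmin and TestBlacklistInvalidIdAdmin both drop `system_admin`. If the list still names `system_admin` or `system_reader`, the RBAC helper would presumably treat those personas as expected-denied, and credential setup would still request system-scoped tokens, which may or may not be intended. Worth confirming the list; if system personas are kept on purpose as a denial check, a comment such as `# system personas kept to assert they are rejected` would make that explicit. The enclosing test method starts and ends outside the hunk.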
@@ -97,11 +93,7 @@
LOG.info('Ensure the fetched response matches the created blacklist')
self.assertExpected(blacklist, body, self.excluded_keys)
-
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'BlacklistsClient', 'show_blacklist', expected_allowed, False,
@@ -120,7 +112,7 @@
# A blacklist delete returns an empty body
self.assertEqual(body.strip(), b"")
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'delete_blacklist', expected_allowed, False,
@@ -138,10 +130,7 @@
# TODO(pglass): Assert that the created blacklist is in the response
self.assertGreater(len(body['blacklists']), 0)
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'BlacklistsClient', 'list_blacklists',
@@ -166,7 +155,7 @@
self.assertEqual(pattern, body['pattern'])
self.assertEqual(description, body['description'])
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'update_blacklist', expected_allowed, False,
@@ -175,7 +164,7 @@
class TestBlacklistNotFoundAdmin(BaseBlacklistsTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -186,10 +175,7 @@
@classmethod
def setup_clients(cls):
super(TestBlacklistNotFoundAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.BlacklistsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
+ cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
@decorators.idempotent_id('9d65b638-fe98-47a8-853f-fa9244d144cc')
def test_show_blacklist_404(self):
@@ -221,7 +207,7 @@
class TestBlacklistInvalidIdAdmin(BaseBlacklistsTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -232,10 +218,7 @@
@classmethod
def setup_clients(cls):
super(TestBlacklistInvalidIdAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.BlacklistsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
+ cls.admin_client = cls.os_admin.dns_v2.BlacklistsClient()
@decorators.idempotent_id('c7bae53f-2edc-45d8-b254-8a81482728c1')
def test_show_blacklist_invalid_uuid(self):
diff --git a/designate_tempest_plugin/tests/api/v2/test_designate_limits.py b/designate_tempest_plugin/tests/api/v2/test_designate_limits.py
index 102f168..638d035 100644
--- a/designate_tempest_plugin/tests/api/v2/test_designate_limits.py
+++ b/designate_tempest_plugin/tests/api/v2/test_designate_limits.py
@@ -24,7 +24,7 @@
class DesignateLimit(base.BaseDnsV2Test):
- credentials = ["admin", "system_admin", "system_reader", "primary", "alt",
+ credentials = ["admin", "primary", "alt",
"project_member", "project_reader"]
@classmethod
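Review bot: Once `system_admin` and `system_reader` leave `credentials`, nothing in DesignateLimit presents a system-scoped token, so the suite no longer records how the limits API answers one, assuming the `check_*_RBAC_enforcement` helpers only exercise the personas listed here. That matches the commit message, but a reader of the class cannot tell the omission is deliberate. A comment above the list such as `# System-scoped personas are omitted: Designate does not support system scope.` would document it. The same applies to the other classes whose `credentials` lose system personas in this commit. The class body runs past the hunk.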
@@ -36,11 +36,7 @@
@classmethod
def setup_clients(cls):
super(DesignateLimit, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = (cls.os_system_admin.dns_v2.
- DesignateLimitClient())
- else:
- cls.admin_client = cls.os_admin.dns_v2.DesignateLimitClient()
+ cls.admin_client = cls.os_admin.dns_v2.DesignateLimitClient()
cls.primary_client = cls.os_primary.dns_v2.DesignateLimitClient()
cls.alt_client = cls.os_alt.dns_v2.DesignateLimitClient()
@@ -108,8 +104,7 @@
def test_list_designate_limits_RBAC(self):
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_system_reader',
- 'os_project_member', 'os_project_reader'])
+ expected_allowed.extend(['os_project_member', 'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'DesignateLimitClient', 'list_designate_limits',
diff --git a/designate_tempest_plugin/tests/api/v2/test_pool.py b/designate_tempest_plugin/tests/api/v2/test_pool.py
index dd7d107..0e7753e 100644
--- a/designate_tempest_plugin/tests/api/v2/test_pool.py
+++ b/designate_tempest_plugin/tests/api/v2/test_pool.py
@@ -36,8 +36,8 @@
class PoolAdminTest(BasePoolTest):
- credentials = ["admin", "primary", "system_admin", "system_reader",
- "project_member", "project_reader", "alt"]
+ credentials = ["admin", "primary", "project_member",
+ "project_reader", "alt"]
@classmethod
def setup_credentials(cls):
@@ -48,10 +48,7 @@
@classmethod
def setup_clients(cls):
super(PoolAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('69257f7c-b3d5-4e1b-998e-0677ad12f125')
def test_create_pool(self):
@@ -75,8 +72,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'PoolClient', 'create_pool', expected_allowed, False,
@@ -102,10 +97,7 @@
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
# TODO(johnsom) The pools API seems inconsistent with the requirement
# of the all-projects header.
@@ -131,8 +123,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'PoolClient', 'delete_pool', expected_allowed, False, pool['id'])
@@ -153,10 +143,7 @@
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'PoolClient', 'list_pools', expected_allowed, [pool['id']],
@@ -178,8 +165,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'PoolClient', 'update_pool', expected_allowed, True,
@@ -195,7 +180,7 @@
class TestPoolNotFoundAdmin(BasePoolTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -206,10 +191,7 @@
@classmethod
def setup_clients(cls):
super(TestPoolNotFoundAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('56281b2f-dd5a-4376-8c32-aba771062fa5')
def test_show_pool_404(self):
@@ -241,7 +223,7 @@
class TestPoolInvalidIdAdmin(BasePoolTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -252,10 +234,7 @@
@classmethod
def setup_clients(cls):
super(TestPoolInvalidIdAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('081d0188-42a7-4953-af0e-b022960715e2')
def test_show_pool_invalid_uuid(self):
@@ -288,7 +267,7 @@
class TestPoolAdminNegative(BasePoolTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -299,10 +278,7 @@
@classmethod
def setup_clients(cls):
super(TestPoolAdminNegative, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('0a8cdc1e-ac02-11eb-ae06-74e5f9e2a801')
def test_create_pool_invalid_name(self):
diff --git a/designate_tempest_plugin/tests/api/v2/test_ptrs.py b/designate_tempest_plugin/tests/api/v2/test_ptrs.py
index dcb31a9..a764505 100644
--- a/designate_tempest_plugin/tests/api/v2/test_ptrs.py
+++ b/designate_tempest_plugin/tests/api/v2/test_ptrs.py
@@ -38,10 +38,7 @@
def setup_clients(cls):
super(BasePtrTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.admin_network_client = cls.os_admin.networks_client
cls.admin_subnet_client = cls.os_admin.subnets_client
@@ -82,7 +79,7 @@
class DesignatePtrRecord(BasePtrTest, tempest.test.BaseTestCase):
- credentials = ['primary', 'admin', 'system_admin']
+ credentials = ['primary', 'admin']
@classmethod
def setup_credentials(cls):
@@ -93,10 +90,7 @@
@classmethod
def setup_clients(cls):
super(DesignatePtrRecord, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_ptr_client = cls.os_system_admin.dns_v2.PtrClient()
- else:
- cls.admin_ptr_client = cls.os_admin.dns_v2.PtrClient()
+ cls.admin_ptr_client = cls.os_admin.dns_v2.PtrClient()
cls.primary_ptr_client = cls.os_primary.dns_v2.PtrClient()
cls.primary_floating_ip_client = cls.os_primary.floating_ips_client
@@ -208,7 +202,7 @@
class DesignatePtrRecordNegative(BasePtrTest, tempest.test.BaseTestCase):
- credentials = ['primary', 'admin', 'system_admin']
+ credentials = ['primary', 'admin']
@classmethod
def setup_credentials(cls):
diff --git a/designate_tempest_plugin/tests/api/v2/test_quotas.py b/designate_tempest_plugin/tests/api/v2/test_quotas.py
index 37e07e3..2b78b49 100644
--- a/designate_tempest_plugin/tests/api/v2/test_quotas.py
+++ b/designate_tempest_plugin/tests/api/v2/test_quotas.py
@@ -29,7 +29,7 @@
class QuotasV2Test(base.BaseDnsV2Test):
- credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+ credentials = ["primary", "admin", "alt",
"project_member", "project_reader"]
@classmethod
@@ -51,10 +51,7 @@
def setup_clients(cls):
super(QuotasV2Test, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.QuotasClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
cls.quotas_client = cls.os_primary.dns_v2.QuotasClient()
cls.alt_client = cls.os_alt.dns_v2.QuotasClient()
@@ -93,8 +90,7 @@
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_system_reader',
- 'os_project_member', 'os_project_reader'])
+ expected_allowed.extend(['os_project_member', 'os_project_reader'])
self.check_list_show_with_ID_RBAC_enforcement(
'QuotasClient', 'show_quotas', expected_allowed, False)
@@ -106,8 +102,6 @@
LOG.info("Deleting (reset) quotas")
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin'])
self.check_CUD_RBAC_enforcement(
'QuotasClient', 'delete_quotas', expected_allowed, False,
@@ -130,8 +124,6 @@
**quotas, headers=self.all_projects_header)[1]
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin'])
self.check_CUD_RBAC_enforcement(
'QuotasClient', 'update_quotas', expected_allowed, False,
@@ -225,7 +217,7 @@
class QuotasV2TestNegative(base.BaseDnsV2Test):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_credentials(cls):
@@ -246,10 +238,7 @@
def setup_clients(cls):
super(QuotasV2TestNegative, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.QuotasClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
cls.quotas_client = cls.os_primary.dns_v2.QuotasClient()
@decorators.idempotent_id('ae82a0ba-da60-11eb-bf12-74e5f9e2a801')
diff --git a/designate_tempest_plugin/tests/api/v2/test_recordset.py b/designate_tempest_plugin/tests/api/v2/test_recordset.py
index a7cb4bc..f4ce02b 100644
--- a/designate_tempest_plugin/tests/api/v2/test_recordset.py
+++ b/designate_tempest_plugin/tests/api/v2/test_recordset.py
@@ -34,10 +34,7 @@
@classmethod
def setup_clients(cls):
super(BaseRecordsetsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@@ -64,7 +61,7 @@
class RecordsetsTest(BaseRecordsetsTest):
- credentials = ["admin", "system_admin", "system_reader", "primary", "alt",
+ credentials = ["admin", "primary", "alt",
"project_member", "project_reader"]
@classmethod
@@ -76,12 +73,8 @@
@classmethod
def setup_clients(cls):
super(RecordsetsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- cls.admin_zone_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
- cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
cls.client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_client = cls.os_alt.dns_v2.RecordsetClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
@@ -95,7 +88,6 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
@@ -300,10 +292,7 @@
expected_allowed, [recordset_id], self.zone['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'RecordsetClient', 'list_recordset', expected_allowed,
@@ -343,10 +332,7 @@
self.zone['id'], recordset_id)
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True,
@@ -372,7 +358,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'delete_recordset', expected_allowed, True,
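Review bot: `expected_allowed.extend(['os_project_member'])` wraps a single persona in a list; `expected_allowed.append('os_project_member')` says the same thing and matches the `append` form kept in the @@ -95 hunk of this file. The two update_recordset hunks below (@@ -425 and @@ -434) carry the same single-element `extend`. The test method starts and ends outside the hunk.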
@@ -380,8 +366,6 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'delete_recordset', expected_allowed, False,
@@ -425,7 +409,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, True,
@@ -434,7 +418,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, False,
@@ -613,7 +597,7 @@
class RecordsetsNegativeTest(BaseRecordsetsTest):
- credentials = ["admin", "system_admin", "primary", "alt"]
+ credentials = ["admin", "primary", "alt"]
@classmethod
def setup_credentials(cls):
@@ -749,7 +733,7 @@
class RootRecordsetsTests(BaseRecordsetsTest):
- credentials = ["admin", "primary", "system_admin", "alt"]
+ credentials = ["admin", "primary", "alt"]
@classmethod
def setup_credentials(cls):
@@ -859,7 +843,7 @@
class RecordsetOwnershipTest(BaseRecordsetsTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
@@ -870,10 +854,7 @@
@classmethod
def setup_clients(cls):
super(RecordsetOwnershipTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
cls.client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_client = cls.os_alt.dns_v2.RecordsetClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
@@ -1072,7 +1053,7 @@
class AdminManagedRecordsetTest(BaseRecordsetsTest):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_credentials(cls):
@@ -1083,10 +1064,7 @@
@classmethod
def setup_clients(cls):
super(AdminManagedRecordsetTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
cls.client = cls.os_primary.dns_v2.RecordsetClient()
@decorators.idempotent_id('84164ff4-8e68-11ec-983f-201e8823901f')
@@ -1131,17 +1109,13 @@
class RecordsetsManagedRecordsNegativeTest(BaseRecordsetsTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_clients(cls):
super(RecordsetsManagedRecordsNegativeTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
@decorators.idempotent_id('083fa738-bb1b-11ec-b581-201e8823901f')
diff --git a/designate_tempest_plugin/tests/api/v2/test_recordset_validation.py b/designate_tempest_plugin/tests/api/v2/test_recordset_validation.py
index e61e7fa..8675b66 100644
--- a/designate_tempest_plugin/tests/api/v2/test_recordset_validation.py
+++ b/designate_tempest_plugin/tests/api/v2/test_recordset_validation.py
@@ -57,7 +57,7 @@
class RecordsetValidationTest(base.BaseDnsV2Test):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
def setUp(self):
super(RecordsetValidationTest, self).setUp()
@@ -73,10 +73,7 @@
def setup_clients(cls):
super(RecordsetValidationTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
@property
diff --git a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
index 0b63f21..a6d4406 100644
--- a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
+++ b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
@@ -26,7 +26,7 @@
class ServiceStatusAdmin(base.BaseDnsV2Test):
- credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+ credentials = ["primary", "admin", "alt",
"project_reader", "project_member"]
mandatory_services = ['central', 'mdns', 'worker', 'producer']
@@ -43,10 +43,7 @@
@classmethod
def setup_clients(cls):
super(ServiceStatusAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ServiceClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ServiceClient()
+ cls.admin_client = cls.os_admin.dns_v2.ServiceClient()
@decorators.idempotent_id('bf277a76-8583-11eb-a557-74e5f9e2a801')
def test_admin_list_service_statuses(self):
@@ -73,10 +70,7 @@
"services: {}".format(services_statuses_tup))
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ServiceClient', 'list_statuses', expected_allowed, False)
diff --git a/designate_tempest_plugin/tests/api/v2/test_shared_zones.py b/designate_tempest_plugin/tests/api/v2/test_shared_zones.py
index 78d6233..a089cf0 100644
--- a/designate_tempest_plugin/tests/api/v2/test_shared_zones.py
+++ b/designate_tempest_plugin/tests/api/v2/test_shared_zones.py
@@ -30,8 +30,8 @@
class BaseSharedZoneTest(base.BaseDnsV2Test):
- credentials = ['admin', 'system_admin', 'system_reader', 'primary', 'alt',
- 'project_reader', 'project_member', ['demo', 'member']]
+ credentials = ['admin', 'primary', 'alt', 'project_reader',
+ 'project_member', ['demo', 'member']]
excluded_keys = ['links']
@@ -67,12 +67,8 @@
def setup_clients(cls):
super(BaseSharedZoneTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_system_admin.dns_v2.SharedZonesClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
cls.demo_zone_client = cls.os_demo.dns_v2.ZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
@@ -92,7 +88,6 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
'SharedZonesClient', 'create_zone_share', expected_allowed, True,
@@ -124,7 +119,6 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
@@ -150,7 +144,6 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
'SharedZonesClient', 'delete_zone_share', expected_allowed, True,
@@ -176,7 +169,6 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
diff --git a/designate_tempest_plugin/tests/api/v2/test_tld.py b/designate_tempest_plugin/tests/api/v2/test_tld.py
index a74edc1..a3d960e 100644
--- a/designate_tempest_plugin/tests/api/v2/test_tld.py
+++ b/designate_tempest_plugin/tests/api/v2/test_tld.py
@@ -29,8 +29,8 @@
class TldAdminTest(BaseTldTest):
- credentials = ["admin", "system_admin", "system_reader",
- "primary", "alt", "project_reader", "project_member"]
+ credentials = ["admin", "primary", "alt",
+ "project_reader", "project_member"]
# Use a TLD suffix unique to this test class.
local_tld_suffix = '.'.join(["tldadmintest", CONF.dns.tld_suffix])
@@ -44,10 +44,7 @@
@classmethod
def setup_clients(cls):
super(TldAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.TldClient()
cls.primary_client = cls.os_primary.dns_v2.TldClient()
@classmethod
@@ -69,8 +66,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement('TldClient', 'create_tld',
expected_allowed, False)
@@ -148,10 +143,7 @@
self.assertExpected(tld, body, self.excluded_keys)
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TldClient', 'show_tld', expected_allowed, False, tld['id'])
@@ -172,8 +164,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement('TldClient', 'delete_tld',
expected_allowed, False, tld['id'])
@@ -191,10 +181,7 @@
self.assertGreater(len(body['tlds']), 0)
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TldClient', 'list_tlds', expected_allowed, [tld['id']],
@@ -222,8 +209,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TldClient', 'update_tld', expected_allowed, False, tld['id'],
@@ -239,7 +224,7 @@
class TestTldNotFoundAdmin(BaseTldTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -250,10 +235,7 @@
@classmethod
def setup_clients(cls):
super(TestTldNotFoundAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.TldClient()
@decorators.idempotent_id('b237d5ee-0d76-4294-a3b6-c2f8bf4b0e30')
def test_show_tld_404(self):
@@ -285,7 +267,7 @@
class TestTldInvalidIdAdmin(BaseTldTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -296,10 +278,7 @@
@classmethod
def setup_clients(cls):
super(TestTldInvalidIdAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.TldClient()
@decorators.idempotent_id('f9ec0730-57ff-4720-8d06-e11d377c7cfc')
def test_show_tld_invalid_uuid(self):
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
index 94c661a..73eab09 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
@@ -31,11 +31,7 @@
@classmethod
def setup_clients(cls):
super(BaseTransferAcceptTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@@ -53,7 +49,7 @@
class TransferAcceptTest(BaseTransferAcceptTest):
- credentials = ["primary", "alt", "admin", "system_admin", "system_reader",
+ credentials = ["primary", "alt", "admin",
"project_member", "project_reader"]
@classmethod
@@ -76,18 +72,11 @@
cls.alt_accept_client = cls.os_alt.dns_v2.TransferAcceptClient()
# Admin clients
- if CONF.enforce_scope.designate:
- cls.admin_zone_client = cls.os_system_admin.dns_v2.ZonesClient()
- cls.admin_request_client = (cls.os_system_admin.dns_v2.
- TransferRequestClient())
- cls.admin_accept_client = (cls.os_system_admin.dns_v2.
- TransferAcceptClient())
- else:
- cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
- cls.admin_request_client = (cls.os_admin.dns_v2.
- TransferRequestClient())
- cls.admin_accept_client = (cls.os_admin.dns_v2.
- TransferAcceptClient())
+ cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_request_client = (cls.os_admin.dns_v2.
+ TransferRequestClient())
+ cls.admin_accept_client = (cls.os_admin.dns_v2.
+ TransferAcceptClient())
@decorators.idempotent_id('1c6baf97-a83e-4d2e-a5d8-9d37fb7808f3')
def test_create_transfer_accept(self):
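Review bot: The two wrapped assignments kept on the new side, `cls.admin_request_client = (cls.os_admin.dns_v2.` and the matching `cls.admin_accept_client` one, no longer need the parenthesised continuation, which only existed to fit the longer `os_system_admin` name. Assuming the usual 8-space method-body indent (leading whitespace is lost on this page), both fit on one line: `cls.admin_request_client = cls.os_admin.dns_v2.TransferRequestClient()` and `cls.admin_accept_client = cls.os_admin.dns_v2.TransferAcceptClient()`. That is how this commit already writes `cls.admin_client` in test_transfer_request.py. The enclosing setup_clients starts above the hunk.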
@@ -120,11 +109,6 @@
# transfer key.
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
- # Note: system_reader is allowed because this API RBAC is based
- # on the target project ID. It will return a 401 instead of
- # a 403.
- expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
@@ -188,10 +172,7 @@
True, transfer_accept['id'])
# Test RBAC with x-auth-all-projects
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@@ -281,20 +262,14 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_RBAC_enforcement_count(
'TransferAcceptClient', 'list_transfer_accept',
expected_allowed, 0)
# Test that users who should see the zone, can see it.
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferAcceptClient', 'list_transfer_accept',
@@ -403,10 +378,7 @@
self.wait_zone_delete, self.alt_zone_client, zone['id'])
# Test RBAC with x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@@ -417,7 +389,7 @@
class TransferAcceptTestNegative(BaseTransferAcceptTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
index 20c68ed..963872c 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
@@ -30,11 +30,7 @@
@classmethod
def setup_clients(cls):
super(BaseTransferRequestTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@@ -53,7 +49,7 @@
class TransferRequestTest(BaseTransferRequestTest):
- credentials = ["primary", "alt", "admin", "system_admin", "system_reader",
+ credentials = ["primary", "alt", "admin",
"project_member", "project_reader"]
@classmethod
@@ -65,12 +61,7 @@
@classmethod
def setup_clients(cls):
super(TransferRequestTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_client = (cls.os_system_admin.dns_v2.
- TransferRequestClient())
- else:
- cls.admin_client = cls.os_admin.dns_v2.TransferRequestClient()
+ cls.admin_client = cls.os_admin.dns_v2.TransferRequestClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
cls.client = cls.os_primary.dns_v2.TransferRequestClient()
cls.alt_client = cls.os_alt.dns_v2.TransferRequestClient()
@@ -86,7 +77,6 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
@@ -161,7 +151,6 @@
# Note: The create service client does not define a target project
# ID, so everyone should be able to see it.
expected_allowed = ['os_admin', 'os_primary', 'os_alt',
- 'os_system_admin', 'os_system_reader',
'os_project_member', 'os_project_reader']
self.check_list_show_RBAC_enforcement(
@@ -169,10 +158,7 @@
True, transfer_request['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
@@ -245,10 +231,10 @@
# Test RBAC when a transfer target project is specified.
if CONF.enforce_scope.designate:
expected_allowed = ['os_primary', 'os_alt',
- 'os_system_admin', 'os_project_member']
+ 'os_project_member']
else:
expected_allowed = ['os_primary', 'os_alt', 'os_admin',
- 'os_system_admin', 'os_project_member']
+ 'os_project_member']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
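Review bot: This is the only RBAC expectation left in the visible part of the commit that still branches on `CONF.enforce_scope.designate`, and with `os_system_admin` removed the scope-enforced branch now expects no admin credential to be allowed to show the transfer request. Everywhere else the commit treats `os_admin` as the admin identity regardless of scope enforcement. Either collapse the branch to `expected_allowed = ['os_primary', 'os_alt', 'os_admin', 'os_project_member']`, or, if a project-scoped admin really is denied here when scope is enforced, put a comment above the `if` saying why. Which is right depends on the Designate policy for this call, which is not visible here; the test method starts and ends outside the hunk.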
@@ -271,7 +257,6 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
@@ -304,7 +289,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_admin']
+ expected_allowed = ['os_admin']
else:
expected_allowed = ['os_alt']
@@ -371,10 +356,7 @@
"listed IDs{}".format(request_id, request_ids))
# Test RBAC with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferRequestClient', 'list_transfer_requests',
@@ -417,10 +399,7 @@
self.assertEqual([alt_transfer_request['id']], request_ids)
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferRequestClient', 'list_transfer_requests',
@@ -453,7 +432,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'TransferRequestClient', 'update_transfer_request',
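Review bot: `expected_allowed.extend(['os_project_member'])` now wraps a single name in a list; `expected_allowed.append('os_project_member')` does the same and matches the append form already used under the same `enforce_new_defaults` check earlier in this file. The same one-element `extend` is left in the delete and update RBAC hunks of test_zones.py, test_zones_exports.py and test_zones_imports.py. The surrounding test method is only partly inside the hunk.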
@@ -462,8 +441,6 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TransferRequestClient', 'update_transfer_request',
@@ -485,7 +462,7 @@
class TestTransferRequestNotFound(BaseTransferRequestTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -535,7 +512,7 @@
class TestTransferRequestInvalidId(BaseTransferRequestTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
diff --git a/designate_tempest_plugin/tests/api/v2/test_tsigkey.py b/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
index 926797f..db92ca3 100644
--- a/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
+++ b/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
@@ -32,10 +32,7 @@
def setup_clients(cls):
super(BaseTsigkeyTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@@ -53,8 +50,8 @@
class TsigkeyAdminTest(BaseTsigkeyTest):
- credentials = ["primary", "admin", "system_admin", "system_reader",
- "project_member", "project_reader", "alt"]
+ credentials = ["primary", "admin", "project_member",
+ "project_reader", "alt"]
@classmethod
def setup_credentials(cls):
@@ -65,12 +62,8 @@
@classmethod
def setup_clients(cls):
super(TsigkeyAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TsigkeyClient()
- cls.pool_admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
- cls.pool_admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
+ cls.pool_admin_client = cls.os_admin.dns_v2.PoolClient()
cls.primary_client = cls.os_primary.dns_v2.TsigkeyClient()
@@ -122,8 +115,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TsigkeyClient', 'create_tsigkey', expected_allowed, False,
@@ -145,10 +136,7 @@
self.assertGreater(len(body['tsigkeys']), 0)
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'TsigkeyClient', 'list_tsigkeys', expected_allowed,
@@ -411,10 +399,7 @@
self.assertExpected(tsigkey, body, self.excluded_keys)
# Test RBAC
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin', 'os_system_reader']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'TsigkeyClient', 'show_tsigkey', expected_allowed, True,
@@ -446,8 +431,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TsigkeyClient', 'update_tsigkey', expected_allowed, False,
@@ -467,8 +450,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'TsigkeyClient', 'delete_tsigkey', expected_allowed, False,
@@ -490,7 +471,7 @@
class TestTsigkeyNotFoundAdmin(BaseTsigkeyTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -501,10 +482,7 @@
@classmethod
def setup_clients(cls):
super(TestTsigkeyNotFoundAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TsigkeyClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
+ cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
@decorators.idempotent_id('824c9b49-edc5-4282-929e-467a158d23e4')
def test_show_tsigkey_404(self):
@@ -536,7 +514,7 @@
class TestTsigkeyInvalidIdAdmin(BaseTsigkeyTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
@@ -547,12 +525,8 @@
@classmethod
def setup_clients(cls):
super(TestTsigkeyInvalidIdAdmin, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.TsigkeyClient()
- cls.pool_admin_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
- cls.pool_admin_client = cls.os_admin.dns_v2.PoolClient()
+ cls.admin_client = cls.os_admin.dns_v2.TsigkeyClient()
+ cls.pool_admin_client = cls.os_admin.dns_v2.PoolClient()
@decorators.idempotent_id('2a8dfc75-9884-4b1c-8f1f-ed835d96f2fe')
def test_show_tsigkey_invalid_uuid(self):
diff --git a/designate_tempest_plugin/tests/api/v2/test_zone_tasks.py b/designate_tempest_plugin/tests/api/v2/test_zone_tasks.py
index 4523c53..42f6a84 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zone_tasks.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zone_tasks.py
@@ -39,10 +39,7 @@
def setup_clients(cls):
super(BaseZonesTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@@ -60,7 +57,7 @@
class ZoneTasks(BaseZonesTest):
- credentials = ["primary", "alt", "admin", "system_admin", "system_reader",
+ credentials = ["primary", "alt", "admin",
"project_member", "project_reader"]
@classmethod
@@ -72,10 +69,7 @@
@classmethod
def setup_clients(cls):
super(ZoneTasks, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
cls.alt_client = cls.os_alt.dns_v2.ZonesClient()
@decorators.idempotent_id('287e2cd0-a0e7-11eb-b962-74e5f9e2a801')
@@ -104,8 +98,6 @@
# Test RBAC
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'abandon_zone', expected_allowed, False,
@@ -158,7 +150,7 @@
class ZoneTasksNegative(BaseZonesTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
@@ -169,10 +161,7 @@
@classmethod
def setup_clients(cls):
super(ZoneTasksNegative, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
cls.alt_client = cls.os_alt.dns_v2.ZonesClient()
def _query_nameserver(self, nameserver, query_timeout,
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones.py b/designate_tempest_plugin/tests/api/v2/test_zones.py
index d971790..57a4596 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones.py
@@ -34,11 +34,7 @@
@classmethod
def setup_clients(cls):
super(BaseZonesTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@@ -66,10 +62,7 @@
@classmethod
def setup_clients(cls):
super(ZonesTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.pool_client = cls.os_system_admin.dns_v2.PoolClient()
- else:
- cls.pool_client = cls.os_admin.dns_v2.PoolClient()
+ cls.pool_client = cls.os_admin.dns_v2.PoolClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
@@ -107,7 +100,6 @@
# Test with no extra header overrides (sudo-project-id)
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement('ZonesClient', 'create_zone',
@@ -115,8 +107,6 @@
# Test with x-auth-sudo-project-id header
expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'create_zone', expected_allowed, False,
@@ -171,10 +161,7 @@
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, False, zone['id'],
@@ -225,7 +212,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, True, zone['id'])
@@ -233,7 +220,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, False, zone['id'],
@@ -310,7 +297,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_admin']
+ expected_allowed = ['os_admin']
else:
expected_allowed = ['os_alt']
@@ -324,10 +311,7 @@
'ZonesClient', 'list_zones', expected_allowed, [zone['id']])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZonesClient', 'list_zones', expected_allowed, [zone['id']],
@@ -403,7 +387,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, True,
@@ -412,7 +396,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, False,
@@ -507,10 +491,7 @@
True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed,
@@ -541,7 +522,7 @@
class ZonesAdminTest(BaseZonesTest):
- credentials = ["primary", "admin", "system_admin", "alt"]
+ credentials = ["primary", "admin", "alt"]
@classmethod
def setup_credentials(cls):
@@ -552,10 +533,7 @@
@classmethod
def setup_clients(cls):
super(ZonesAdminTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZonesClient()
cls.alt_client = cls.os_alt.dns_v2.ZonesClient()
@decorators.idempotent_id('f6fe8cce-8b04-11eb-a861-74e5f9e2a801')
@@ -643,7 +621,7 @@
class ZoneOwnershipTest(BaseZonesTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
@@ -701,7 +679,7 @@
class ZonesNegativeTest(BaseZonesTest):
- credentials = ["admin", "primary", "system_admin"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_credentials(cls):
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
index 5ca5495..1ba783d 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
@@ -35,10 +35,7 @@
def setup_clients(cls):
super(BaseZoneExportsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@@ -56,7 +53,7 @@
class ZonesExportTest(BaseZoneExportsTest):
- credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+ credentials = ["primary", "admin", "alt",
"project_member", "project_reader"]
@classmethod
@@ -68,10 +65,7 @@
@classmethod
def setup_clients(cls):
super(ZonesExportTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZoneExportsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZoneExportsClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZoneExportsClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
cls.client = cls.os_primary.dns_v2.ZoneExportsClient()
cls.alt_client = cls.os_alt.dns_v2.ZoneExportsClient()
@@ -100,7 +94,6 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
@@ -129,10 +122,7 @@
zone_export['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@@ -164,10 +154,7 @@
zone_export['id'], listed_export_ids))
# Test RBAC with x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@@ -189,7 +176,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, True,
@@ -198,7 +185,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, False,
@@ -229,7 +216,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_admin']
+ expected_allowed = ['os_admin']
else:
expected_allowed = ['os_alt']
@@ -244,10 +231,7 @@
expected_allowed, [export['id']])
# Test RBAC with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZoneExportsClient', 'list_zone_exports',
@@ -292,10 +276,7 @@
'listed IDs:{}'.format(id, listed_exports_ids))
# Test RBAC with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZoneExportsClient', 'list_zone_exports', expected_allowed,
@@ -362,7 +343,7 @@
class ZonesExportTestNegative(BaseZoneExportsTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin"]
@classmethod
def setup_credentials(cls):
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
index 025fa9a..86cf45e 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
@@ -33,11 +33,7 @@
@classmethod
def setup_clients(cls):
super(BaseZonesImportTest, cls).setup_clients()
-
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@@ -55,7 +51,7 @@
class ZonesImportTest(BaseZonesImportTest):
- credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+ credentials = ["primary", "admin", "alt",
"project_member", "project_reader"]
@classmethod
@@ -67,10 +63,7 @@
@classmethod
def setup_clients(cls):
super(ZonesImportTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZoneImportsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZoneImportsClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZoneImportsClient()
cls.client = cls.os_primary.dns_v2.ZoneImportsClient()
cls.alt_client = cls.os_alt.dns_v2.ZoneImportsClient()
@@ -100,7 +93,6 @@
# Test with no extra header overrides (sudo-project-id)
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
expected_allowed.append('os_project_member')
self.check_CUD_RBAC_enforcement(
@@ -159,10 +151,7 @@
zone_import['id'])
# Test with x-auth-all-projects
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
@@ -186,7 +175,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, True,
@@ -195,7 +184,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ expected_allowed.extend(['os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, False,
@@ -233,7 +222,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_admin']
+ expected_allowed = ['os_admin']
else:
expected_allowed = ['os_alt']
@@ -248,10 +237,7 @@
[zone_import['id']])
# Test RBAC with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZoneImportsClient', 'list_zone_imports', expected_allowed,
@@ -306,10 +292,7 @@
zone_import, resp_body['imports'][0], self.excluded_keys)
# Test with x-auth-sudo-project-id header
- if CONF.enforce_scope.designate:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin', 'os_system_admin']
+ expected_allowed = ['os_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
@@ -361,10 +344,7 @@
zone_import['id'], listed_zone_import_ids))
# Test RBAC with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
- else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin']
self.check_list_IDs_RBAC_enforcement(
'ZoneImportsClient', 'list_zone_imports', expected_allowed,
@@ -372,7 +352,7 @@
class ZonesImportTestNegative(BaseZonesImportTest):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_credentials(cls):
diff --git a/designate_tempest_plugin/tests/base.py b/designate_tempest_plugin/tests/base.py
index 26f1f03..7a34419 100644
--- a/designate_tempest_plugin/tests/base.py
+++ b/designate_tempest_plugin/tests/base.py
@@ -68,8 +68,7 @@
# can test for allowed and disallowed RBAC policies.
credentials = ['admin', 'primary', 'alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- credentials.extend(['system_admin', 'system_reader',
- 'project_member', 'project_reader'])
+ credentials.extend(['project_member', 'project_reader'])
# A tuple of credentials that will be allocated by tempest using the
# 'credentials' list above. These are used to build RBAC test lists.
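Review bot: Dropping `system_admin` and `system_reader` from the allocated credentials means no RBAC check built from this list exercises a system-scoped token any more, either as allowed or as denied. If the check helpers derive their disallowed set from the allocated credentials, as the comment below the list suggests, nothing here now asserts that Designate rejects system-scoped tokens; it is worth confirming that rejection is covered elsewhere. At minimum the comment above the list could record the decision, e.g. `# System-scoped credentials are not allocated: Designate does not support system scope.` The enclosing class body extends beyond the hunk.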
diff --git a/designate_tempest_plugin/tests/rbac_utils.py b/designate_tempest_plugin/tests/rbac_utils.py
index aa8bb6a..5638ca4 100644
--- a/designate_tempest_plugin/tests/rbac_utils.py
+++ b/designate_tempest_plugin/tests/rbac_utils.py
@@ -64,18 +64,10 @@
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or
- cred == 'os_system_reader') and
- not CONF.enforce_scope.designate):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.designate is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
project_id = self._get_client_project_id(cred_obj, client_str)
try:
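Review bot: With the system-scope skip removed, the `try: getattr(self, cred)` / `except AttributeError: self.fail(...)` block left here is repeated verbatim in the two later hunks of this file (at -277 and -341). A small private helper would keep the failure message in one place, and each loop body would shrink to a single lookup line. The helper name below is only a suggestion, and the enclosing check methods start and end outside the hunks, so the loop context is inferred from the visible lines.

```python
    def _get_cred_obj(self, cred):
        """Return the credential manager named by cred, or fail the test."""
        try:
            return getattr(self, cred)
        except AttributeError:
            # … unchanged: self.fail(...) with the existing message …

    # in each of the three RBAC loops, replacing the try/except:
            cred_obj = self._get_cred_obj(cred)
```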
@@ -277,18 +269,10 @@
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or
- cred == 'os_system_reader') and
- not CONF.enforce_scope.designate):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.designate is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
# Get the result body
@@ -341,18 +325,10 @@
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or
- cred == 'os_system_reader') and
- not CONF.enforce_scope.designate):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.designate is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
# Get the result body
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_blacklists.py b/designate_tempest_plugin/tests/scenario/v2/test_blacklists.py
index 85d5d5a..c47db39 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_blacklists.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_blacklists.py
@@ -31,10 +31,7 @@
def setup_clients(cls):
super(BaseBlacklistsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
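Review bot: With the `if CONF.enforce_scope.designate:` branch removed from `setup_clients`, this module may no longer read `CONF` at all; if so, the module-level `CONF` binding and the import behind it are dead code and should be dropped in the same change. The module header is outside the hunk, so this has to be checked in the file itself. The same check applies to the `setup_clients` hunks in test_classless_ptr.py, test_quotas.py, test_recordsets.py, test_shared_zones.py, test_zones.py, test_zones_export.py and test_zones_transfer.py. test_tld.py still reads `CONF.dns.tld_suffix`, so it is unaffected.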
@@ -53,7 +50,7 @@
class BlacklistE2E(BaseBlacklistsTest):
- credentials = ["admin", 'primary', 'system_admin']
+ credentials = ["admin", 'primary']
@classmethod
def setup_credentials(cls):
@@ -64,13 +61,8 @@
@classmethod
def setup_clients(cls):
super(BlacklistE2E, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_blacklist_client = (
- cls.os_system_admin.dns_v2.BlacklistsClient())
- cls.admin_zone_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.admin_blacklist_client = cls.os_admin.dns_v2.BlacklistsClient()
- cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_blacklist_client = cls.os_admin.dns_v2.BlacklistsClient()
+ cls.admin_zone_client = cls.os_admin.dns_v2.ZonesClient()
@decorators.idempotent_id('22b1ee72-d8d2-11eb-bcdc-74e5f9e2a801')
def test_primary_fails_to_create_zone_matches_blacklist_regex(self):
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_classless_ptr.py b/designate_tempest_plugin/tests/scenario/v2/test_classless_ptr.py
index c149893..a50625f 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_classless_ptr.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_classless_ptr.py
@@ -30,7 +30,7 @@
# delegation scenarios.
class ClasslessPTRTest(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin', 'alt']
+ credentials = ['primary', 'admin', 'alt']
@classmethod
def setup_credentials(cls):
@@ -41,10 +41,7 @@
@classmethod
def setup_clients(cls):
super(ClasslessPTRTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.zone_client = cls.os_primary.dns_v2.ZonesClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_rec_client = cls.os_alt.dns_v2.RecordsetClient()
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_quotas.py b/designate_tempest_plugin/tests/scenario/v2/test_quotas.py
index 7f6bc07..4a346f3 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_quotas.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_quotas.py
@@ -35,7 +35,7 @@
class QuotasV2Test(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin', 'alt']
+ credentials = ['primary', 'admin', 'alt']
test_quota_limit = 3
@classmethod
@@ -56,12 +56,8 @@
@classmethod
def setup_clients(cls):
super(QuotasV2Test, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.QuotasClient()
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.quotas_client = cls.os_primary.dns_v2.QuotasClient()
cls.alt_client = cls.os_alt.dns_v2.QuotasClient()
cls.alt_zone_client = cls.os_alt.dns_v2.ZonesClient()
@@ -285,7 +281,7 @@
class QuotasBoundary(base.BaseDnsV2Test, tempest.test.BaseTestCase):
- credentials = ['admin', 'system_admin', 'primary']
+ credentials = ['admin', 'primary']
@classmethod
def setup_credentials(cls):
@@ -304,21 +300,12 @@
@classmethod
def setup_clients(cls):
super(QuotasBoundary, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.quota_client = cls.os_system_admin.dns_v2.QuotasClient()
- cls.project_client = cls.os_system_admin.projects_client
- cls.recordset_client = cls.os_system_admin.dns_v2.RecordsetClient()
- cls.export_zone_client = (
- cls.os_system_admin.dns_v2.ZoneExportsClient())
- cls.admin_zones_client = cls.os_system_admin.dns_v2.ZonesClient()
- else:
- cls.quota_client = cls.os_admin.dns_v2.QuotasClient()
- cls.project_client = cls.os_admin.projects_client
- cls.admin_zones_client = cls.os_admin.dns_v2.ZonesClient()
- cls.recordset_client = cls.os_admin.dns_v2.RecordsetClient()
- cls.export_zone_client = cls.os_admin.dns_v2.ZoneExportsClient()
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.quota_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.project_client = cls.os_admin.projects_client
+ cls.admin_zones_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.recordset_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.export_zone_client = cls.os_admin.dns_v2.ZoneExportsClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
@classmethod
def resource_setup(cls):
@@ -379,23 +366,16 @@
class SharedZonesQuotaTest(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin']
+ credentials = ['primary', 'admin']
@classmethod
def setup_clients(cls):
super(SharedZonesQuotaTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.adm_project_client = cls.os_system_admin.projects_client
- cls.adm_quota_client = cls.os_system_admin.dns_v2.QuotasClient()
- cls.adm_zone_client = cls.os_system_admin.dns_v2.ZonesClient()
- cls.adm_shr_client = cls.os_system_admin.dns_v2.SharedZonesClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.adm_project_client = cls.os_admin.projects_client
- cls.adm_quota_client = cls.os_admin.dns_v2.QuotasClient()
- cls.adm_zone_client = cls.os_admin.dns_v2.ZonesClient()
- cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.adm_project_client = cls.os_admin.projects_client
+ cls.adm_quota_client = cls.os_admin.dns_v2.QuotasClient()
+ cls.adm_zone_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
cls.rec_client = cls.os_primary.dns_v2.RecordsetClient()
cls.export_zone_client = cls.os_primary.dns_v2.ZoneExportsClient()
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_recordsets.py b/designate_tempest_plugin/tests/scenario/v2/test_recordsets.py
index 07ddde0..f2eeeea 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_recordsets.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_recordsets.py
@@ -33,17 +33,13 @@
class RecordsetsTest(base.BaseDnsV2Test):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
@classmethod
def setup_clients(cls):
super(RecordsetsTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.RecordsetClient()
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
@classmethod
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_shared_zones.py b/designate_tempest_plugin/tests/scenario/v2/test_shared_zones.py
index 75aa3c3..2106050 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_shared_zones.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_shared_zones.py
@@ -28,18 +28,14 @@
class SharedZonesTest(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin', 'alt',
+ credentials = ['primary', 'admin', 'alt',
['demo', 'member']]
@classmethod
def setup_clients(cls):
super(SharedZonesTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_system_admin.dns_v2.SharedZonesClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
cls.rec_client = cls.os_primary.dns_v2.RecordsetClient()
cls.alt_rec_client = cls.os_alt.dns_v2.RecordsetClient()
@@ -366,18 +362,14 @@
class SharedZonesTestNegative(base.BaseDnsV2Test):
- credentials = ['primary', 'admin', 'system_admin', 'alt',
+ credentials = ['primary', 'admin', 'alt',
['demo', 'member']]
@classmethod
def setup_clients(cls):
super(SharedZonesTestNegative, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_system_admin.dns_v2.SharedZonesClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.adm_shr_client = cls.os_admin.dns_v2.SharedZonesClient()
cls.share_zone_client = cls.os_primary.dns_v2.SharedZonesClient()
cls.alt_export_client = cls.os_alt.dns_v2.ZoneExportsClient()
cls.primary_export_client = cls.os_primary.dns_v2.ZoneExportsClient()
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_tld.py b/designate_tempest_plugin/tests/scenario/v2/test_tld.py
index bc90c90..c7d69fe 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_tld.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_tld.py
@@ -26,7 +26,7 @@
class TldZoneTest(base.BaseDnsV2Test):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "primary"]
tld_suffix = '.'.join(["TldZoneTest", CONF.dns.tld_suffix])
@classmethod
@@ -38,10 +38,7 @@
@classmethod
def setup_clients(cls):
super(TldZoneTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.primary_tld_client = cls.os_primary.dns_v2.TldClient()
@classmethod
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_zones.py b/designate_tempest_plugin/tests/scenario/v2/test_zones.py
index 98b2f9c..d94132a 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_zones.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_zones.py
@@ -35,17 +35,13 @@
class ZonesTest(base.BaseDnsV2Test):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_clients(cls):
super(ZonesTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- cls.rec_client = cls.os_system_admin.dns_v2.RecordsetClient()
- else:
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
- cls.rec_client = cls.os_admin.dns_v2.RecordsetClient()
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.rec_client = cls.os_admin.dns_v2.RecordsetClient()
cls.primary_client = cls.os_primary.dns_v2.BlacklistsClient()
@classmethod
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_zones_export.py b/designate_tempest_plugin/tests/scenario/v2/test_zones_export.py
index 8c8d674..bf5d628 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_zones_export.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_zones_export.py
@@ -30,7 +30,7 @@
class ZonesExportTest(BaseZoneExportsTest):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_credentials(cls):
@@ -41,10 +41,7 @@
@classmethod
def setup_clients(cls):
super(ZonesExportTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_client = cls.os_system_admin.dns_v2.ZoneExportsClient()
- else:
- cls.admin_client = cls.os_admin.dns_v2.ZoneExportsClient()
+ cls.admin_client = cls.os_admin.dns_v2.ZoneExportsClient()
cls.client = cls.os_primary.dns_v2.ZoneExportsClient()
cls.recordset_client = cls.os_primary.dns_v2.RecordsetClient()
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_zones_import.py b/designate_tempest_plugin/tests/scenario/v2/test_zones_import.py
index 9518d82..9a8b245 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_zones_import.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_zones_import.py
@@ -25,7 +25,7 @@
class ZonesImportTest(BaseZonesImportTest):
- credentials = ["primary", "admin", "system_admin"]
+ credentials = ["primary", "admin"]
@classmethod
def setup_clients(cls):
diff --git a/designate_tempest_plugin/tests/scenario/v2/test_zones_transfer.py b/designate_tempest_plugin/tests/scenario/v2/test_zones_transfer.py
index 8527e46..c01424b 100644
--- a/designate_tempest_plugin/tests/scenario/v2/test_zones_transfer.py
+++ b/designate_tempest_plugin/tests/scenario/v2/test_zones_transfer.py
@@ -25,21 +25,15 @@
class ZonesTransferTest(base.BaseDnsV2Test):
- credentials = ['primary', 'alt', 'admin', 'system_admin']
+ credentials = ['primary', 'alt', 'admin']
@classmethod
def setup_clients(cls):
super(ZonesTransferTest, cls).setup_clients()
- if CONF.enforce_scope.designate:
- cls.admin_zones_client = cls.os_system_admin.dns_v2.ZonesClient()
- cls.admin_accept_client = (
- cls.os_system_admin.dns_v2.TransferAcceptClient())
- cls.admin_tld_client = cls.os_system_admin.dns_v2.TldClient()
- else:
- cls.admin_zones_client = cls.os_admin.dns_v2.ZonesClient()
- cls.admin_accept_client = (
- cls.os_admin.dns_v2.TransferAcceptClient())
- cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
+ cls.admin_zones_client = cls.os_admin.dns_v2.ZonesClient()
+ cls.admin_accept_client = (
+ cls.os_admin.dns_v2.TransferAcceptClient())
+ cls.admin_tld_client = cls.os_admin.dns_v2.TldClient()
cls.alt_zones_client = cls.os_alt.dns_v2.ZonesClient()
cls.request_client = cls.os_primary.dns_v2.TransferRequestClient()
cls.alt_request_client = cls.os_alt.dns_v2.TransferRequestClient()