Add project_reader in new RBAC tests
Tempest is fixing bug #1964509 (see Depends-On) so that the
project_reader user is created under the same project
as the primary, project_member and project_admin users.
The 'primary', 'project_admin', 'project_member' and 'project_reader'
creds will be created in the same project. All the alt creds will be
created under new projects. Non-alt and alt creds will use
different projects; for example, the 'project_alt_member' and
'project_member' creds will be created in different projects.
Related-Bug: #1964509
Depends-On: https://review.opendev.org/c/openstack/tempest/+/871018
Change-Id: I143e69c1e150ddf7fa1757dea7bced6bff6739a9
diff --git a/designate_tempest_plugin/tests/api/v2/test_recordset.py b/designate_tempest_plugin/tests/api/v2/test_recordset.py
index 4970071..1526ccf 100644
--- a/designate_tempest_plugin/tests/api/v2/test_recordset.py
+++ b/designate_tempest_plugin/tests/api/v2/test_recordset.py
@@ -233,10 +233,11 @@
self.assertGreater(len(body), 0)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_project_reader',
+ 'os_project_member'])
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'list_recordset', expected_allowed, True,
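Review bot: The same three-line `if CONF.dns_feature_enabled.enforce_new_defaults:` extension is pasted into every list/show check, and the role order flips between hunks: `'os_project_reader', 'os_project_member'` here and at @@ -244, but `'os_project_member', 'os_project_reader'` at @@ -282 and in the other files. For an access-control matrix that reviewers compare by eye, one consistent order, or a shared module-level tuple that each read check extends from, would make a missing role easier to spot. The enclosing test method starts and ends outside this hunk.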
@@ -244,6 +245,9 @@
# Test that users who should see the zone, can see it.
expected_allowed = ['os_primary']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_project_reader',
+ 'os_project_member'])
self.check_list_IDs_RBAC_enforcement(
'RecordsetClient', 'list_recordset',
@@ -282,10 +286,11 @@
LOG.info('Ensure the fetched response matches the expected one')
self.assertExpected(body, record, self.excluded_keys)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_project_member',
+ 'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True,
@@ -321,7 +326,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'delete_recordset', expected_allowed, True,
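Review bot: `os_project_reader` is left out of `expected_allowed` for this delete check, which is the right expectation for a read-only role, but nothing on the new lines says the omission is deliberate. A short comment above the `extend`, such as `# os_project_reader is intentionally absent: the reader role must not be able to delete.`, would stop a later edit from adding it by analogy with the show/list checks. Whether the reader is actually exercised as a denied caller depends on `check_CUD_RBAC_enforcement` and the class credentials list, both outside this hunk, so that is worth confirming. The same applies to the update hunks in this file and to the update/delete hunks in test_transfer_request.py, test_zones.py, test_zones_exports.py and test_zones_imports.py.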
@@ -374,7 +379,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, True,
@@ -383,7 +388,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'RecordsetClient', 'update_recordset', expected_allowed, False,
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
index dfa91c1..7cc9f11 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
@@ -174,10 +174,11 @@
'created transfer_accept')
self.assertExpected(transfer_accept, body, self.excluded_keys)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_project_member',
+ 'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@@ -275,8 +276,6 @@
self.assertEqual('COMPLETE', transfer_accept['status'])
transfer_request_ids.append(transfer_accept['id'])
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
index d7dfd2a..c646c2b 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
@@ -157,8 +157,6 @@
'created transfer_request')
self.assertExpected(transfer_request, body, self.excluded_keys)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
# Note: The create service client does not define a target project
# ID, so everyone should be able to see it.
@@ -245,12 +243,10 @@
"project_id"]
self.assertExpected(transfer_request, body, excluded_keys)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC when a transfer target project is specified.
expected_allowed = ['os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
else:
expected_allowed.append('os_admin')
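Review bot: The removed TODO asked for the reader role to be tested here, yet the new line adds only `'os_project_member'`, so `'os_project_reader'` is not in `expected_allowed` for the target-project case. If the check that follows (outside this hunk) is a show call, the reader now shares the project with `os_primary` and would be expected to pass as in the other show hunks, e.g. `expected_allowed.extend(['os_system_admin', 'os_project_member', 'os_project_reader'])`. If the reader is meant to be denied here, a one-line comment saying why would keep the expectation from looking like an oversight.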
@@ -305,14 +301,11 @@
self.assertGreater(len(body['transfer_requests']), 0)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin', 'os_project_member',
- 'os_project_reader']
+ 'os_admin']
else:
expected_allowed = ['os_alt']
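Review bot: Dropping `'os_project_member'` and `'os_project_reader'` from the "allowed to list but sees nothing" set leaves these two roles without any visible list expectation in this hunk. Now that they share the project with `os_primary` they should see the transfer requests, so the positive ID check that presumably follows (outside the hunk) ought to include them under `enforce_new_defaults`, as the `check_list_IDs_RBAC_enforcement` block in test_recordset.py does. Otherwise the list tests no longer pin what reader and member are expected to see. The same question applies to the list hunks in test_zones.py, test_zones_exports.py and test_zones_imports.py.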
@@ -461,7 +454,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'TransferRequestClient', 'update_transfer_request',
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones.py b/designate_tempest_plugin/tests/api/v2/test_zones.py
index aa7edd8..2d8194b 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones.py
@@ -160,10 +160,11 @@
LOG.info('Ensure the fetched response matches the created zone')
self.assertExpected(zone, body, self.excluded_keys)
- # TODO(johnsom) Test reader roles once this bug is fixed.
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test with no extra header overrides (all_projects, sudo-project-id)
expected_allowed = ['os_primary']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_project_member',
+ 'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
@@ -194,7 +195,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, True, zone['id'])
@@ -202,7 +203,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement('ZonesClient', 'delete_zone',
expected_allowed, False, zone['id'],
@@ -233,14 +234,11 @@
# present in the response.
self.assertGreater(len(body['zones']), 0)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin', 'os_project_member',
- 'os_project_reader']
+ 'os_admin']
else:
expected_allowed = ['os_alt']
@@ -291,7 +289,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, True,
@@ -300,7 +298,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZonesClient', 'update_zone', expected_allowed, False,
@@ -384,10 +382,11 @@
pool_nameservers, zone_nameservers,
'Failed - Pool and Zone nameservers should be the same')
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_project_member',
+ 'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed,
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
index d1e37fe..0e6d54b 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
@@ -118,10 +118,11 @@
LOG.info('Ensure the fetched response matches the zone export')
self.assertExpected(zone_export, body, self.excluded_keys)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
expected_allowed = ['os_primary']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_project_member',
+ 'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@@ -188,7 +189,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, True,
@@ -197,7 +198,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneExportsClient', 'delete_zone_export', expected_allowed, False,
@@ -225,14 +226,11 @@
self.assertGreater(len(body['exports']), 0)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin', 'os_project_member',
- 'os_project_reader']
+ 'os_admin']
else:
expected_allowed = ['os_alt']
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
index 8fdfb26..d9ef8e9 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
@@ -148,10 +148,11 @@
LOG.info('Ensure the fetched response matches the expected one')
self.assertExpected(zone_import, body, self.excluded_keys)
- # TODO(johnsom) Test reader roles once this bug is fixed.
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test with no extra header overrides (all_projects, sudo-project-id)
expected_allowed = ['os_primary']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_project_member',
+ 'os_project_reader'])
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, True,
@@ -185,7 +186,7 @@
# Test RBAC
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, True,
@@ -194,7 +195,7 @@
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
expected_allowed = ['os_admin', 'os_primary']
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.append('os_system_admin')
+ expected_allowed.extend(['os_system_admin', 'os_project_member'])
self.check_CUD_RBAC_enforcement(
'ZoneImportsClient', 'delete_zone_import', expected_allowed, False,
@@ -229,14 +230,11 @@
self.assertGreater(len(body['imports']), 0)
- # TODO(johnsom) Test reader role once this bug is fixed:
- # https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin', 'os_project_member',
- 'os_project_reader']
+ 'os_admin']
else:
expected_allowed = ['os_alt']