Check RBAC policy for nested stacks

This prevents stacks with forbidden resources from starting to
create/update, or from getting stuck in DELETE_IN_PROGRESS state
when a stack with admin resources in nested stacks is deleted.
We also need to allow getting the id of a resource that is in SUSPEND
state, because we use stack preview in SUSPEND state.

Change-Id: I328891e62b4f4bcf620c52ef9d4d8ab60801a651
Closes-Bug: #1539145
diff --git a/functional/test_conditional_exposure.py b/functional/test_conditional_exposure.py
index c1175f1..77159fe 100644
--- a/functional/test_conditional_exposure.py
+++ b/functional/test_conditional_exposure.py
@@ -76,6 +76,19 @@
       ram: 20000
       vcpus: 10
 """
+    fl_tmpl_nested = """
+heat_template_version: 2015-10-15
+resources:
+  not4everyonerg:
+    type: OS::Heat::ResourceGroup
+    properties:
+        count: 1
+        resource_def:
+            type: OS::Nova::Flavor
+            properties:
+              ram: 20000
+              vcpus: 10
+"""
 
     def test_non_admin_forbidden_create_flavors(self):
         """Fail to create Flavor resource w/o admin role.
@@ -95,3 +108,11 @@
         resources = self.client.resource_types.list()
         self.assertNotIn(self.forbidden_resource_type,
                          (r.resource_type for r in resources))
+
+    def test_non_admin_forbidden_create_flavors_nested(self):
+        stack_name = self._stack_rand_name()
+        ex = self.assertRaises(exc.Forbidden,
+                               self.client.stacks.create,
+                               stack_name=stack_name,
+                               template=self.fl_tmpl_nested)
+        self.assertIn(self.forbidden_resource_type, ex.message)
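Review bot: The new test `test_non_admin_forbidden_create_flavors_nested` only checks that create raises `exc.Forbidden`; it does not verify that the policy check ran before any stack was started, which is the behaviour the commit message describes. Consider adding, after the final assertion, `self.assertNotIn(stack_name, (s.stack_name for s in self.client.stacks.list()))` so that a regression where the parent stack is created and only then rejected is caught. The update path and the delete case named in the commit message are not exercised in the visible hunks, and the fixture nests only through `OS::Heat::ResourceGroup`, so nesting via a template resource appears to go untested. The method also lacks a docstring, unlike the sibling `test_non_admin_forbidden_create_flavors`; something like `"""Fail to create a nested Flavor resource w/o admin role."""` would match it.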