Merge "Check RBAC policy for nested stacks"
diff --git a/functional/test_conditional_exposure.py b/functional/test_conditional_exposure.py
index c1175f1..f1b7d97 100644
--- a/functional/test_conditional_exposure.py
+++ b/functional/test_conditional_exposure.py
@@ -76,6 +76,20 @@
ram: 20000
vcpus: 10
"""
+ fl_tmpl_nested = """
+heat_template_version: 2015-10-15
+
+resources:
+ not4everyonerg:
+ type: OS::Heat::ResourceGroup
+ properties:
+ count: 1
+ resource_def:
+ type: OS::Nova::Flavor
+ properties:
+ ram: 20000
+ vcpus: 10
+"""
def test_non_admin_forbidden_create_flavors(self):
"""Fail to create Flavor resource w/o admin role.
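Review bot: The new fixture `fl_tmpl_nested` covers only one nesting shape, an `OS::Heat::ResourceGroup` whose `resource_def` is the admin-only `OS::Nova::Flavor`, one level deep. If the RBAC check is meant to hold for every path that produces a nested stack, other wrappers (a template resource backed by a provider template, or a group inside a group) would need their own fixtures. Whether the underlying fix covers those cannot be told from this hunk. A one-line comment above the fixture would also record its intent, for example `# Forbidden flavor wrapped in a ResourceGroup: the policy check must look inside resource_def.`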
@@ -91,6 +105,14 @@
template=self.fl_tmpl)
self.assertIn(self.forbidden_resource_type, ex.message)
+ def test_non_admin_forbidden_create_flavors_nested(self):
+ stack_name = self._stack_rand_name()
+ ex = self.assertRaises(exc.Forbidden,
+ self.client.stacks.create,
+ stack_name=stack_name,
+ template=self.fl_tmpl_nested)
+ self.assertIn(self.forbidden_resource_type, ex.message)
+
def test_forbidden_resource_not_listed(self):
resources = self.client.resource_types.list()
self.assertNotIn(self.forbidden_resource_type,
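Review bot: `test_non_admin_forbidden_create_flavors_nested` has no docstring, although the sibling `test_non_admin_forbidden_create_flavors` just above it documents the expected denial. Something like `"""Fail to create a ResourceGroup of Flavors w/o admin role."""` would keep the two consistent. The test also pins only the create path. It does not show whether a stack update that introduces the same nested forbidden type is rejected, so a matching update case would be worth adding if both paths are meant to share the policy check. The assertion that `ex.message` names `self.forbidden_resource_type` is useful here, because it confirms the denial is attributed to the inner flavor type rather than to the group.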