Check RBAC policy for nested stacks
This prevents stacks with forbidden resources from starting to
create/update, or from getting stuck in the DELETE_IN_PROGRESS state
when a stack with admin resources in nested stacks is deleted.
We also need to allow getting the id of a resource that is in the
SUSPEND state, because we use stack preview in the SUSPEND state.
Closes-Bug: #1539145
Change-Id: Ic0a6d6c334aa5fdb6d2c3ba549df86aeb1263e9e
diff --git a/functional/test_conditional_exposure.py b/functional/test_conditional_exposure.py
index 90f7d7a..0361a9b 100644
--- a/functional/test_conditional_exposure.py
+++ b/functional/test_conditional_exposure.py
@@ -80,6 +80,20 @@
ram: 20000
vcpus: 10
"""
+ fl_tmpl_nested = """
+heat_template_version: 2015-10-15
+
+resources:
+ not4everyonerg:
+ type: OS::Heat::ResourceGroup
+ properties:
+ count: 1
+ resource_def:
+ type: OS::Nova::Flavor
+ properties:
+ ram: 20000
+ vcpus: 10
+"""
def test_non_admin_forbidden_create_flavors(self):
"""Fail to create Flavor resource w/o admin role.
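Review bot: The new `fl_tmpl_nested` fixture carries no comment saying why `OS::Nova::Flavor` is wrapped in an `OS::Heat::ResourceGroup`, so a later reader cannot tell that it exists to exercise the policy check on a restricted type that only appears inside a nested stack. A one-line comment above the assignment would cover it, e.g. `# Admin-only Flavor placed one level down, inside a ResourceGroup's nested stack.` The fixture covers a single nesting level reached through ResourceGroup only; if other nesting forms (a provider-template resource, for instance) reach the RBAC check by a different path, which is not visible from this hunk, a second fixture would be worth adding. The enclosing class starts outside the hunk.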
@@ -95,6 +109,14 @@
template=self.fl_tmpl)
self.assertIn(self.forbidden_resource_type, ex.message)
+ def test_non_admin_forbidden_create_flavors_nested(self):
+ stack_name = self._stack_rand_name()
+ ex = self.assertRaises(exc.Forbidden,
+ self.client.stacks.create,
+ stack_name=stack_name,
+ template=self.fl_tmpl_nested)
+ self.assertIn(self.forbidden_resource_type, ex.message)
+
def test_forbidden_resource_not_listed(self):
resources = self.client.resource_types.list()
self.assertNotIn(self.forbidden_resource_type,
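Review bot: `test_non_admin_forbidden_create_flavors_nested` only checks that `stacks.create` raises `exc.Forbidden`, while the commit message also names the update path and the DELETE_IN_PROGRESS hang, and neither is exercised here. Because the refusal is the access-control boundary, the test should also confirm that no stack named `stack_name` exists after the rejection (a lookup through `self.client.stacks.list()` would do), so a regression that rejects the request late, after the parent stack is already stored, is caught. A companion case that updates an existing permitted stack to `fl_tmpl_nested` and expects the same `exc.Forbidden` would cover the update half of the fix. The method also lacks the docstring its sibling has; something like `"""Fail to create a Flavor inside a nested stack w/o admin role."""` would match.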