Merge "Add a test for removing security group from ACTIVE instance"
diff --git a/neutron_tempest_plugin/scenario/test_security_groups.py b/neutron_tempest_plugin/scenario/test_security_groups.py
index f47ce44..cb8adac 100644
--- a/neutron_tempest_plugin/scenario/test_security_groups.py
+++ b/neutron_tempest_plugin/scenario/test_security_groups.py
@@ -663,3 +663,33 @@
for port in range(tcp_port, tcp_port + 3):
self._verify_http_connection(client_ssh[1], srv_ssh, srv_ip,
port, [])
+
+ @decorators.idempotent_id('96dcd5ff-9d45-4e0d-bea0-0b438cbd388f')
+ def test_remove_sec_grp_from_active_vm(self):
+ """Tests the following:
+
+ 1. Create SG associated with ICMP rule
+ 2. Create Port (assoiated to SG #1) and use it to create the VM
+ 3. Ping the VM, expected should be PASS
+ 4. Remove the security group from VM by Port update
+ 5. Ping the VM, expected should be FAIL
+ """
+ sec_grp_name = data_utils.rand_name('test_sg')
+ secgrp = self.os_primary.network_client.create_security_group(
+ name=sec_grp_name)
+ self.security_groups.append(secgrp['security_group'])
+ sec_grp_id = secgrp['security_group']['id']
+ self.create_pingable_secgroup_rule(sec_grp_id)
+
+ ex_port = self.create_port(
+ self.network, fixed_ips=[{'subnet_id': self.subnet['id']}],
+ security_groups=[sec_grp_id])
+ fip = self.create_vm_testing_sec_grp(
+ num_servers=1, security_groups=[{'name': sec_grp_name}],
+ ports=[ex_port])[1][0]
+
+ self.ping_ip_address(fip['floating_ip_address'])
+ self.client.update_port(ex_port['id'],
+ security_groups=[])
+ self.ping_ip_address(fip['floating_ip_address'],
+ should_succeed=False)