Add a test for removing security group from ACTIVE instance
Test name: "test_remove_sec_grp_from_active_vm"
1) Create SG associated with ICMP rule
2) Create Port (assoiated to SG #1) and use it to create the VM
3) Ping the VM, expected should be PASS
4) Remove the security group from VM by Port update
5) Ping the VM, expected should be FAIL
Change-Id: I9fbcdd0f30beeb6985bab4de4d53af639f408c75
diff --git a/neutron_tempest_plugin/scenario/test_security_groups.py b/neutron_tempest_plugin/scenario/test_security_groups.py
index f47ce44..cb8adac 100644
--- a/neutron_tempest_plugin/scenario/test_security_groups.py
+++ b/neutron_tempest_plugin/scenario/test_security_groups.py
@@ -663,3 +663,33 @@
for port in range(tcp_port, tcp_port + 3):
self._verify_http_connection(client_ssh[1], srv_ssh, srv_ip,
port, [])
+
+ @decorators.idempotent_id('96dcd5ff-9d45-4e0d-bea0-0b438cbd388f')
+ def test_remove_sec_grp_from_active_vm(self):
+ """Tests the following:
+
+ 1. Create SG associated with ICMP rule
+ 2. Create Port (assoiated to SG #1) and use it to create the VM
+ 3. Ping the VM, expected should be PASS
+ 4. Remove the security group from VM by Port update
+ 5. Ping the VM, expected should be FAIL
+ """
+ sec_grp_name = data_utils.rand_name('test_sg')
+ secgrp = self.os_primary.network_client.create_security_group(
+ name=sec_grp_name)
+ self.security_groups.append(secgrp['security_group'])
+ sec_grp_id = secgrp['security_group']['id']
+ self.create_pingable_secgroup_rule(sec_grp_id)
+
+ ex_port = self.create_port(
+ self.network, fixed_ips=[{'subnet_id': self.subnet['id']}],
+ security_groups=[sec_grp_id])
+ fip = self.create_vm_testing_sec_grp(
+ num_servers=1, security_groups=[{'name': sec_grp_name}],
+ ports=[ex_port])[1][0]
+
+ self.ping_ip_address(fip['floating_ip_address'])
+ self.client.update_port(ex_port['id'],
+ security_groups=[])
+ self.ping_ip_address(fip['floating_ip_address'],
+ should_succeed=False)