Remove system scope token usage
Octavia supports the system scope and now we are enabling the new defaults
by default that raise an error when system scoped tokens are used.
To enable the new defaults, we need to remove the usage of system
scope token from tests otherwise they fail.
- https://review.opendev.org/c/openstack/octavia/+/925625
Depends-On: https://review.opendev.org/c/openstack/octavia/+/929580
Change-Id: I1bf193807eb254507626b4e7f2bb071ba46d7290
diff --git a/octavia_tempest_plugin/tests/RBAC_tests.py b/octavia_tempest_plugin/tests/RBAC_tests.py
index 8dae024..8fc356c 100644
--- a/octavia_tempest_plugin/tests/RBAC_tests.py
+++ b/octavia_tempest_plugin/tests/RBAC_tests.py
@@ -59,17 +59,10 @@
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or cred == 'os_system_reader')
- and not CONF.enforce_scope.octavia):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.octavia is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
method(*args, **kwargs)
@@ -155,15 +148,6 @@
"""
allowed_list = copy.deepcopy(expected_allowed)
- # The legacy admin behavior changed during the sRBAC development,
- # os_admin is still a valid admin [0]
- # [0] https://governance.openstack.org/tc/goals/selected/
- # consistent-and-secure-rbac.html
- # #legacy-admin-continues-to-work-as-it-is
- # TODO(gthiemonge) we may have to revisit it in the future if the
- # legacy admin scope changes.
- if 'os_system_admin' in expected_allowed:
- allowed_list.append('os_admin')
# #### Test that disallowed credentials cannot access the API.
self._check_disallowed(client_str, method_str, allowed_list,
@@ -192,6 +176,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._list_get_RBAC_enforcement(client_str, method_str,
expected_allowed, *args, **kwargs)
@@ -214,6 +200,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._list_get_RBAC_enforcement(client_str, method_str,
expected_allowed, *args, **kwargs)
@@ -243,15 +231,6 @@
"""
allowed_list = copy.deepcopy(expected_allowed)
- # The legacy admin behavior changed during the sRBAC development,
- # os_admin is still a valid admin [0]
- # [0] https://governance.openstack.org/tc/goals/selected/
- # consistent-and-secure-rbac.html
- # #legacy-admin-continues-to-work-as-it-is
- # TODO(gthiemonge) we may have to revisit it in the future if the
- # legacy admin scope changes.
- if 'os_system_admin' in expected_allowed:
- allowed_list.append('os_admin')
# #### Test that disallowed credentials cannot access the API.
self._check_disallowed(client_str, method_str, allowed_list,
@@ -281,6 +260,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed,
status_method, obj_id, *args, **kwargs)
@@ -308,6 +289,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed,
status_method, obj_id, *args, **kwargs)
@@ -335,6 +318,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed,
status_method, obj_id, *args, **kwargs)
@@ -367,33 +352,19 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
allowed_list = copy.deepcopy(expected_allowed)
- # The legacy admin behavior changed during the sRBAC development,
- # os_admin is still a valid admin [0]
- # [0] https://governance.openstack.org/tc/goals/selected/
- # consistent-and-secure-rbac.html
- # #legacy-admin-continues-to-work-as-it-is
- # TODO(gthiemonge) we may have to revisit it in the future if the
- # legacy admin scope changes.
- if 'os_system_admin' in expected_allowed:
- allowed_list.append('os_admin')
for cred in allowed_list:
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or cred == 'os_system_reader')
- and not CONF.enforce_scope.octavia):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.octavia is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
result = method(*args, **kwargs)
@@ -434,33 +405,19 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
allowed_list = copy.deepcopy(expected_allowed)
- # The legacy admin behavior changed during the sRBAC development,
- # os_admin is still a valid admin [0]
- # [0] https://governance.openstack.org/tc/goals/selected/
- # consistent-and-secure-rbac.html
- # #legacy-admin-continues-to-work-as-it-is
- # TODO(gthiemonge) we may have to revisit it in the future if the
- # legacy admin scope changes.
- if 'os_system_admin' in expected_allowed:
- allowed_list.append('os_admin')
for cred in allowed_list:
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or cred == 'os_system_reader')
- and not CONF.enforce_scope.octavia):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.octavia is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
result = method(*args, **kwargs)
diff --git a/octavia_tempest_plugin/tests/api/v2/test_amphora.py b/octavia_tempest_plugin/tests/api/v2/test_amphora.py
index 8d591cc..06f93ac 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_amphora.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_amphora.py
@@ -90,16 +90,9 @@
CONF.load_balancer.lb_build_timeout)
# Test RBAC for list amphorae
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'AmphoraClient', 'list_amphorae', expected_allowed)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'AmphoraClient', 'list_amphorae', expected_allowed)
# Get an actual list of the amphorae
amphorae = self.lb_admin_amphora_client.list_amphorae()
@@ -178,17 +171,10 @@
amphora_1 = amphorae[0]
# Test RBAC for update an amphora
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'AmphoraClient', 'update_amphora_config', expected_allowed,
- None, None, amphora_1[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'AmphoraClient', 'update_amphora_config', expected_allowed,
+ None, None, amphora_1[const.ID])
self.lb_admin_amphora_client.update_amphora_config(amphora_1[const.ID])
@@ -213,17 +199,10 @@
amphora_1 = amphorae[0]
# Test RBAC for failover an amphora
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'AmphoraClient', 'amphora_failover', expected_allowed,
- None, None, amphora_1[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'AmphoraClient', 'amphora_failover', expected_allowed,
+ None, None, amphora_1[const.ID])
self.lb_admin_amphora_client.amphora_failover(amphora_1[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
index fe80084..adcb75a 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
@@ -105,17 +105,10 @@
# Test that a user without the load balancer admin role cannot
# create an availability zone.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'AvailabilityZoneClient', 'create_availability_zone',
- expected_allowed, **availability_zone_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_create_RBAC_enforcement(
+ 'AvailabilityZoneClient', 'create_availability_zone',
+ expected_allowed, **availability_zone_kwargs)
# Happy path
availability_zone = (
@@ -233,12 +226,12 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
+ 'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -386,12 +379,12 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
+ 'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -454,18 +447,11 @@
# Test that a user without the load balancer role cannot
# update availability zone details.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'AvailabilityZoneClient', 'update_availability_zone',
- expected_allowed, None, None, availability_zone[const.NAME],
- **availability_zone_updated_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'AvailabilityZoneClient', 'update_availability_zone',
+ expected_allowed, None, None, availability_zone[const.NAME],
+ **availability_zone_updated_kwargs)
updated_availability_zone = (
self.lb_admin_availability_zone_client.update_availability_zone(
@@ -531,17 +517,10 @@
# Test that a user without the load balancer admin role cannot
# delete an availability zone.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'AvailabilityZoneClient', 'delete_availability_zone',
- expected_allowed, None, None, availability_zone[const.NAME])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_delete_RBAC_enforcement(
+ 'AvailabilityZoneClient', 'delete_availability_zone',
+ expected_allowed, None, None, availability_zone[const.NAME])
# Happy path
self.lb_admin_availability_zone_client.delete_availability_zone(
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
index 6f67d8f..7bcb4d7 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
@@ -44,18 +44,11 @@
# Test that a user without the load balancer admin role cannot
# list provider availability zone capabilities.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'AvailabilityZoneCapabilitiesClient',
- 'list_availability_zone_capabilities', expected_allowed,
- CONF.load_balancer.provider)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'AvailabilityZoneCapabilitiesClient',
+ 'list_availability_zone_capabilities', expected_allowed,
+ CONF.load_balancer.provider)
# Check for an expected availability zone capability for the
# configured provider
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
index 6984420..78e12ed 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
@@ -76,18 +76,11 @@
# Test that a user without the load balancer admin role cannot
# create an availability zone profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'create_availability_zone_profile',
- expected_allowed, **availability_zone_profile_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_create_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'create_availability_zone_profile',
+ expected_allowed, **availability_zone_profile_kwargs)
# Happy path
availability_zone_profile = (
@@ -231,17 +224,10 @@
# Test that a user without the load balancer admin role cannot
# list availability zone profiles.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'list_availability_zone_profiles', expected_allowed)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'list_availability_zone_profiles', expected_allowed)
# Check the default sort order (by ID)
profiles = (self.lb_admin_availability_zone_profile_client
@@ -392,18 +378,11 @@
# Test that a user without the load balancer admin role cannot
# show an availability zone profile
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'show_availability_zone_profile', expected_allowed,
- availability_zone_profile[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_show_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'show_availability_zone_profile', expected_allowed,
+ availability_zone_profile[const.ID])
result = (
self.lb_admin_availability_zone_profile_client
@@ -494,19 +473,12 @@
# Test that a user without the load balancer admin role cannot
# update an availability zone profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'update_availability_zone_profile', expected_allowed,
- None, None, availability_zone_profile[const.ID],
- **availability_zone_profile_updated_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'update_availability_zone_profile', expected_allowed,
+ None, None, availability_zone_profile[const.ID],
+ **availability_zone_profile_updated_kwargs)
result = (
self.lb_admin_availability_zone_profile_client
@@ -576,18 +548,11 @@
# Test that a user without the load balancer admin role cannot
# delete an availability zone profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'delete_availability_zone_profile', expected_allowed,
- None, None, availability_zone_profile[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_delete_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'delete_availability_zone_profile', expected_allowed,
+ None, None, availability_zone_profile[const.ID])
# Happy path
(self.lb_admin_availability_zone_profile_client
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor.py b/octavia_tempest_plugin/tests/api/v2/test_flavor.py
index 565ff99..53503bd 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor.py
@@ -88,17 +88,10 @@
# Test that a user without the load balancer admin role cannot
# create a flavor.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'FlavorClient', 'create_flavor',
- expected_allowed, None, None, **flavor_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_create_RBAC_enforcement(
+ 'FlavorClient', 'create_flavor',
+ expected_allowed, None, None, **flavor_kwargs)
# Happy path
flavor = self.lb_admin_flavor_client.create_flavor(**flavor_kwargs)
@@ -199,12 +192,12 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
+ 'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -327,12 +320,12 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
+ 'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -390,17 +383,10 @@
# Test that a user without the load balancer role cannot
# update flavor details.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'FlavorClient', 'update_flavor', expected_allowed, None, None,
- flavor[const.ID], **flavor_updated_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'FlavorClient', 'update_flavor', expected_allowed, None, None,
+ flavor[const.ID], **flavor_updated_kwargs)
updated_flavor = self.lb_admin_flavor_client.update_flavor(
flavor[const.ID], **flavor_updated_kwargs)
@@ -454,17 +440,10 @@
# Test that a user without the load balancer admin role cannot
# delete a flavor.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'FlavorClient', 'delete_flavor', expected_allowed,
- None, None, flavor[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_delete_RBAC_enforcement(
+ 'FlavorClient', 'delete_flavor', expected_allowed,
+ None, None, flavor[const.ID])
# Happy path
self.lb_admin_flavor_client.delete_flavor(flavor[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
index 285df19..cd2770c 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
@@ -42,18 +42,11 @@
# Test that a user without the load balancer admin role cannot
# list provider flavor capabilities.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'FlavorCapabilitiesClient',
- 'list_flavor_capabilities', expected_allowed,
- CONF.load_balancer.provider)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'FlavorCapabilitiesClient',
+ 'list_flavor_capabilities', expected_allowed,
+ CONF.load_balancer.provider)
# Check for an expected flavor capability for the configured provider
admin_capabilities_client = self.lb_admin_flavor_capabilities_client
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
index 48ade67..0b6a1ee 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
@@ -60,17 +60,10 @@
# Test that a user without the load balancer admin role cannot
# create a flavor profile
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'FlavorProfileClient', 'create_flavor_profile',
- expected_allowed, None, None, **flavor_profile_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_create_RBAC_enforcement(
+ 'FlavorProfileClient', 'create_flavor_profile',
+ expected_allowed, None, None, **flavor_profile_kwargs)
# Happy path
flavor_profile = (
@@ -180,17 +173,10 @@
# Test that a user without the load balancer admin role cannot
# list flavor profiles.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'FlavorProfileClient', 'list_flavor_profiles',
- expected_allowed)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'FlavorProfileClient', 'list_flavor_profiles',
+ expected_allowed)
# Check the default sort order (by ID)
profiles = self.lb_admin_flavor_profile_client.list_flavor_profiles()
@@ -309,17 +295,10 @@
# Test that a user without the load balancer admin role cannot
# show a flavor profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'FlavorProfileClient', 'show_flavor_profile',
- expected_allowed, flavor_profile[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_show_RBAC_enforcement(
+ 'FlavorProfileClient', 'show_flavor_profile',
+ expected_allowed, flavor_profile[const.ID])
result = (
self.lb_admin_flavor_profile_client.show_flavor_profile(
@@ -387,18 +366,11 @@
# Test that a user without the load balancer admin role cannot
# update a flavor profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'FlavorProfileClient', 'update_flavor_profile',
- expected_allowed, None, None, flavor_profile[const.ID],
- **flavor_profile_updated_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'FlavorProfileClient', 'update_flavor_profile',
+ expected_allowed, None, None, flavor_profile[const.ID],
+ **flavor_profile_updated_kwargs)
result = self.lb_admin_flavor_profile_client.update_flavor_profile(
flavor_profile[const.ID], **flavor_profile_updated_kwargs)
@@ -454,17 +426,10 @@
# Test that a user without the load balancer admin role cannot
# delete a flavor profile
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'FlavorProfileClient', 'delete_flavor_profile',
- expected_allowed, None, None, flavor_profile[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_delete_RBAC_enforcement(
+ 'FlavorProfileClient', 'delete_flavor_profile',
+ expected_allowed, None, None, flavor_profile[const.ID])
# Happy path
self.lb_admin_flavor_profile_client.delete_flavor_profile(
diff --git a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
index 64368aa..3713552 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
@@ -277,22 +277,13 @@
# Test that a user without the loadbalancer role cannot
# create a healthmonitor
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'HealthMonitorClient', 'create_healthmonitor',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **hm_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'HealthMonitorClient', 'create_healthmonitor',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **hm_kwargs)
hm = self.mem_healthmonitor_client.create_healthmonitor(**hm_kwargs)
self.addCleanup(
@@ -741,10 +732,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -765,12 +756,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -1195,10 +1186,9 @@
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
@@ -1471,21 +1461,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this healthmonitor.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'HealthMonitorClient', 'update_healthmonitor',
- expected_allowed, None, None, hm[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'HealthMonitorClient', 'update_healthmonitor',
+ expected_allowed, None, None, hm[const.ID],
+ admin_state_up=True)
# Assert we didn't go into PENDING_*
hm_check = self.mem_healthmonitor_client.show_healthmonitor(
@@ -1775,20 +1756,11 @@
# Test that a user without the loadbalancer role cannot delete this
# healthmonitor.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'HealthMonitorClient', 'delete_healthmonitor',
- expected_allowed, None, None, hm[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'HealthMonitorClient', 'delete_healthmonitor',
+ expected_allowed, None, None, hm[const.ID])
self.mem_healthmonitor_client.delete_healthmonitor(hm[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
index 47b2faa..868950f 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
@@ -144,22 +144,13 @@
# Test that a user without the load balancer role cannot
# create a l7policy
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'L7PolicyClient', 'create_l7policy',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **l7policy_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'L7PolicyClient', 'create_l7policy',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **l7policy_kwargs)
l7policy = self.mem_l7policy_client.create_l7policy(**l7policy_kwargs)
@@ -397,10 +388,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -423,12 +414,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -668,22 +659,16 @@
# Test that the appropriate users can see or not see the L7 policies
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'L7PolicyClient', 'show_l7policy',
- expected_allowed, l7policy[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'L7PolicyClient', 'show_l7policy',
+ expected_allowed, l7policy[const.ID])
@decorators.idempotent_id('08f73b22-550b-4e5a-b3d6-2ec03251ca13')
def test_l7policy_update(self):
@@ -782,21 +767,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this L7 policy.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'L7PolicyClient', 'update_l7policy',
- expected_allowed, None, None, l7policy[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'L7PolicyClient', 'update_l7policy',
+ expected_allowed, None, None, l7policy[const.ID],
+ admin_state_up=True)
# Assert we didn't go into PENDING_*
l7policy_check = self.mem_l7policy_client.show_l7policy(
@@ -899,20 +875,11 @@
# Test that a user without the loadbalancer role cannot delete this
# L7 policy.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'L7PolicyClient', 'delete_l7policy',
- expected_allowed, None, None, l7policy[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'L7PolicyClient', 'delete_l7policy',
+ expected_allowed, None, None, l7policy[const.ID])
self.mem_l7policy_client.delete_l7policy(l7policy[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py
index c0eb1d2..0e9bb15 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py
@@ -142,22 +142,13 @@
# Test that a user without the loadbalancer role cannot
# create an L7 rule.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'L7RuleClient', 'create_l7rule',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **l7rule_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'L7RuleClient', 'create_l7rule',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **l7rule_kwargs)
l7rule = self.mem_l7rule_client.create_l7rule(**l7rule_kwargs)
self.addClassResourceCleanup(
@@ -359,10 +350,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -382,10 +373,9 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
@@ -562,23 +552,17 @@
# Test that the appropriate users can see or not see the L7 rule
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'L7RuleClient', 'show_l7rule',
- expected_allowed, l7rule[const.ID],
- l7policy_id=self.l7policy_id)
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'L7RuleClient', 'show_l7rule',
+ expected_allowed, l7rule[const.ID],
+ l7policy_id=self.l7policy_id)
@decorators.idempotent_id('f8cee23b-89b6-4f3a-a842-1463daf42cf7')
def test_l7rule_update(self):
@@ -650,21 +634,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this L7 rule.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'L7RuleClient', 'update_l7rule',
- expected_allowed, None, None, l7rule[const.ID],
- l7policy_id=self.l7policy_id, admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'L7RuleClient', 'update_l7rule',
+ expected_allowed, None, None, l7rule[const.ID],
+ l7policy_id=self.l7policy_id, admin_state_up=True)
# Assert we didn't go into PENDING_*
l7rule_check = self.mem_l7rule_client.show_l7rule(
@@ -753,21 +728,12 @@
# Test that a user without the loadbalancer role cannot delete this
# L7 rule.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'L7RuleClient', 'delete_l7rule',
- expected_allowed, None, None, l7rule[const.ID],
- l7policy_id=self.l7policy_id)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'L7RuleClient', 'delete_l7rule',
+ expected_allowed, None, None, l7rule[const.ID],
+ l7policy_id=self.l7policy_id)
self.mem_l7rule_client.delete_l7rule(l7rule[const.ID],
l7policy_id=self.l7policy_id)
diff --git a/octavia_tempest_plugin/tests/api/v2/test_listener.py b/octavia_tempest_plugin/tests/api/v2/test_listener.py
index 06a6848..46735a5 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_listener.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_listener.py
@@ -362,22 +362,13 @@
# Test that a user without the loadbalancer role cannot
# create a listener.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'ListenerClient', 'create_listener',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **listener_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'ListenerClient', 'create_listener',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **listener_kwargs)
listener = self.mem_listener_client.create_listener(**listener_kwargs)
@@ -938,10 +929,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -963,12 +954,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -1293,22 +1284,16 @@
# Test that the appropriate users can see or not see the listener
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'ListenerClient', 'show_listener',
- expected_allowed, listener[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'ListenerClient', 'show_listener',
+ expected_allowed, listener[const.ID])
@decorators.idempotent_id('aaae0298-5778-4c7e-a27a-01549a71b319')
def test_http_listener_update(self):
@@ -1479,23 +1464,14 @@
# Test that a user without the loadbalancer role cannot
# update a listener.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'ListenerClient', 'update_listener',
- expected_allowed,
- status_method=self.mem_listener_client.show_listener,
- obj_id=listener[const.ID], listener_id=listener[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'ListenerClient', 'update_listener',
+ expected_allowed,
+ status_method=self.mem_listener_client.show_listener,
+ obj_id=listener[const.ID], listener_id=listener[const.ID],
+ admin_state_up=True)
new_name = data_utils.rand_name("lb_member_listener1-UPDATED")
new_description = data_utils.arbitrary_string(size=255,
@@ -1713,22 +1689,13 @@
# Test that a user without the loadbalancer role cannot
# delete a listener.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'ListenerClient', 'delete_listener',
- expected_allowed,
- status_method=self.mem_listener_client.show_listener,
- obj_id=listener[const.ID], listener_id=listener[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'ListenerClient', 'delete_listener',
+ expected_allowed,
+ status_method=self.mem_listener_client.show_listener,
+ obj_id=listener[const.ID], listener_id=listener[const.ID])
self.mem_listener_client.delete_listener(listener[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
index 9035260..5159dc4 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
@@ -84,20 +84,11 @@
lb_kwargs_with_project_id = copy.deepcopy(lb_kwargs)
lb_kwargs_with_project_id[const.PROJECT_ID] = (
self.os_roles_lb_member.credentials.project_id)
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'LoadbalancerClient', 'create_loadbalancer',
- expected_allowed, None, None, **lb_kwargs_with_project_id)
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
+ 'os_roles_lb_member', 'os_roles_lb_member2']
+ self.check_create_RBAC_enforcement(
+ 'LoadbalancerClient', 'create_loadbalancer',
+ expected_allowed, None, None, **lb_kwargs_with_project_id)
lb = self.mem_lb_client.create_loadbalancer(**lb_kwargs)
@@ -188,20 +179,11 @@
# Test that a user without the loadbalancer role cannot delete this
# load balancer.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'LoadbalancerClient', 'delete_loadbalancer',
- expected_allowed, None, None, lb[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'LoadbalancerClient', 'delete_loadbalancer',
+ expected_allowed, None, None, lb[const.ID])
self.mem_lb_client.delete_loadbalancer(lb[const.ID])
@@ -238,20 +220,11 @@
# Test that a user without the loadbalancer role cannot delete this
# load balancer.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'LoadbalancerClient', 'delete_loadbalancer',
- expected_allowed, None, None, lb[const.ID], cascade=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'LoadbalancerClient', 'delete_loadbalancer',
+ expected_allowed, None, None, lb[const.ID], cascade=True)
self.mem_lb_client.delete_loadbalancer(lb[const.ID], cascade=True)
@@ -436,10 +409,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -460,12 +433,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -632,22 +605,16 @@
# Test that the appropriate users can see or not see the load
# balancer based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'LoadbalancerClient', 'show_loadbalancer',
- expected_allowed, lb[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'LoadbalancerClient', 'show_loadbalancer',
+ expected_allowed, lb[const.ID])
# Attempt to clean up so that one full test run doesn't start 10+
# amps before the cleanup phase fires
@@ -736,21 +703,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this load balancer.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'LoadbalancerClient', 'update_loadbalancer',
- expected_allowed, None, None, lb[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'LoadbalancerClient', 'update_loadbalancer',
+ expected_allowed, None, None, lb[const.ID],
+ admin_state_up=True)
# Assert we didn't go into PENDING_*
lb_check = self.mem_lb_client.show_loadbalancer(lb[const.ID])
@@ -829,22 +787,16 @@
# Test that the appropriate users can see or not see the load
# balancer stats based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'LoadbalancerClient', 'get_loadbalancer_stats',
- expected_allowed, lb[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'LoadbalancerClient', 'get_loadbalancer_stats',
+ expected_allowed, lb[const.ID])
stats = self.mem_lb_client.get_loadbalancer_stats(lb[const.ID])
@@ -900,22 +852,16 @@
# Test that the appropriate users can see or not see the load
# balancer status based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'LoadbalancerClient', 'get_loadbalancer_status',
- expected_allowed, lb[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'LoadbalancerClient', 'get_loadbalancer_status',
+ expected_allowed, lb[const.ID])
status = self.mem_lb_client.get_loadbalancer_status(lb[const.ID])
@@ -977,17 +923,10 @@
# Test that a user without the load balancer admin role cannot
# failover a load balancer.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'LoadbalancerClient', 'failover_loadbalancer',
- expected_allowed, None, None, lb[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'LoadbalancerClient', 'failover_loadbalancer',
+ expected_allowed, None, None, lb[const.ID])
# Assert we didn't go into PENDING_*
lb = self.mem_lb_client.show_loadbalancer(lb[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_member.py b/octavia_tempest_plugin/tests/api/v2/test_member.py
index ed3fba6..fa35b03 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_member.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_member.py
@@ -930,22 +930,13 @@
# Test that a user without the loadbalancer role cannot
# create a member.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'MemberClient', 'create_member',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **member_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'MemberClient', 'create_member',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **member_kwargs)
member = self.mem_member_client.create_member(**member_kwargs)
@@ -1287,10 +1278,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -1309,10 +1300,9 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
@@ -1874,23 +1864,16 @@
# Test that the appropriate users can see or not see the member
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'MemberClient', 'show_member',
- expected_allowed, member[const.ID],
- pool_id=pool_id)
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'MemberClient', 'show_member', expected_allowed, member[const.ID],
+ pool_id=pool_id)
@decorators.idempotent_id('592c19c3-1e0d-4d6d-b2ff-0d39d8654c99')
def test_HTTP_LC_backup_member_update(self):
@@ -2348,21 +2331,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this member.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'MemberClient', 'update_member',
- expected_allowed, None, None, member[const.ID],
- pool_id=pool_id, admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'MemberClient', 'update_member',
+ expected_allowed, None, None, member[const.ID],
+ pool_id=pool_id, admin_state_up=True)
# Assert we didn't go into PENDING_*
member_check = self.mem_member_client.show_member(
@@ -2817,21 +2791,12 @@
# Test that a user, without the loadbalancer member role, cannot
# batch update this member.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'MemberClient', 'update_members',
- expected_allowed, None, None,
- pool_id=pool_id, members_list=batch_update_list)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'MemberClient', 'update_members',
+ expected_allowed, None, None,
+ pool_id=pool_id, members_list=batch_update_list)
# Assert we didn't go into PENDING_*
member_check = self.mem_member_client.show_member(
@@ -3086,21 +3051,11 @@
# Test that a user without the loadbalancer role cannot delete this
# member.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'MemberClient', 'delete_member',
- expected_allowed, None, None, member[const.ID],
- pool_id=pool_id)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'MemberClient', 'delete_member', expected_allowed, None, None,
+ member[const.ID], pool_id=pool_id)
self.mem_member_client.delete_member(member[const.ID],
pool_id=pool_id)
diff --git a/octavia_tempest_plugin/tests/api/v2/test_pool.py b/octavia_tempest_plugin/tests/api/v2/test_pool.py
index 4e3e667..2f62376 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_pool.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_pool.py
@@ -408,22 +408,13 @@
# Test that a user without the loadbalancer role cannot
# create a pool.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'PoolClient', 'create_pool',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **pool_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'PoolClient', 'create_pool',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **pool_kwargs)
# This is a special case as the reference driver does not support
# SOURCE-IP-PORT. Since it runs with not_implemented_is_error, we must
@@ -763,10 +754,10 @@
'os_roles_lb_global_observer']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2']
- if expected_allowed:
- self.check_list_RBAC_enforcement_count(
- 'PoolClient', 'list_pools', expected_allowed, 0,
- query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
+# if expected_allowed:
+# self.check_list_RBAC_enforcement_count(
+# 'PoolClient', 'list_pools', expected_allowed, 0,
+# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
# Test credentials that should see these pools can see them.
expected_allowed = []
@@ -774,15 +765,15 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
- if expected_allowed:
- self.check_list_IDs_RBAC_enforcement(
- 'PoolClient', 'list_pools', expected_allowed, test_ids,
- query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
+# if expected_allowed:
+# self.check_list_IDs_RBAC_enforcement(
+# 'PoolClient', 'list_pools', expected_allowed, test_ids,
+# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
# Test that users without the lb member role cannot list pools.
# Note: non-owners can still call this API, they will just get the list
@@ -798,12 +789,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -1132,22 +1123,16 @@
# Test that the appropriate users can see or not see the pool
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'PoolClient', 'show_pool',
- expected_allowed, pool[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'PoolClient', 'show_pool',
+ expected_allowed, pool[const.ID])
@decorators.idempotent_id('d73755fe-ba3a-4248-9543-8e167a5aa7f4')
def test_HTTP_LC_pool_update(self):
@@ -1372,21 +1357,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this pool.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'PoolClient', 'update_pool',
- expected_allowed, None, None, pool[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'PoolClient', 'update_pool',
+ expected_allowed, None, None, pool[const.ID],
+ admin_state_up=True)
# Assert we didn't go into PENDING_*
pool_check = self.mem_pool_client.show_pool(
@@ -1675,20 +1651,11 @@
# Test that a user without the loadbalancer role cannot delete this
# pool.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'PoolClient', 'delete_pool',
- expected_allowed, None, None, pool[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'PoolClient', 'delete_pool',
+ expected_allowed, None, None, pool[const.ID])
self.mem_pool_client.delete_pool(pool[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_provider.py b/octavia_tempest_plugin/tests/api/v2/test_provider.py
index e47ae8e..b6bf12a 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_provider.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_provider.py
@@ -50,14 +50,15 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_observer',
- 'os_roles_lb_global_observer', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2']
+ 'os_admin', 'os_roles_lb_observer',
+ 'os_roles_lb_global_observer',
+ 'os_roles_lb_admin', 'os_roles_lb_member',
+ 'os_roles_lb_member2']
if expected_allowed:
self.check_list_RBAC_enforcement(
'ProviderClient', 'list_providers', expected_allowed)
diff --git a/octavia_tempest_plugin/tests/test_base.py b/octavia_tempest_plugin/tests/test_base.py
index 7f4ae3e..38f931c 100644
--- a/octavia_tempest_plugin/tests/test_base.py
+++ b/octavia_tempest_plugin/tests/test_base.py
@@ -79,11 +79,6 @@
['lb_member', CONF.load_balancer.member_role, 'member'],
['lb_member2', CONF.load_balancer.member_role, 'member']]
- # If scope enforcement is enabled, add in the system scope credentials.
- # The project scope is already handled by the above credentials.
- if CONF.enforce_scope.octavia:
- credentials.extend(['system_admin', 'system_reader'])
-
# A tuple of credentials that will be allocated by tempest using the
# 'credentials' list above. These are used to build RBAC test lists.
allocated_creds = []