Merge "Remove system scope token usage"
diff --git a/octavia_tempest_plugin/config.py b/octavia_tempest_plugin/config.py
index 9e259d3..78f57ed 100644
--- a/octavia_tempest_plugin/config.py
+++ b/octavia_tempest_plugin/config.py
@@ -105,7 +105,7 @@
cfg.StrOpt('provider',
default='octavia',
help='The provider driver to use for the tests.'),
- cfg.StrOpt('RBAC_test_type', default=const.ADVANCED,
+ cfg.StrOpt('RBAC_test_type', default=const.KEYSTONE_DEFAULT_ROLES,
choices=[const.ADVANCED, const.KEYSTONE_DEFAULT_ROLES,
const.OWNERADMIN, const.NONE],
help='Type of RBAC tests to run. "advanced" runs the octavia '
diff --git a/octavia_tempest_plugin/tests/RBAC_tests.py b/octavia_tempest_plugin/tests/RBAC_tests.py
index 8dae024..8fc356c 100644
--- a/octavia_tempest_plugin/tests/RBAC_tests.py
+++ b/octavia_tempest_plugin/tests/RBAC_tests.py
@@ -59,17 +59,10 @@
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or cred == 'os_system_reader')
- and not CONF.enforce_scope.octavia):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.octavia is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
method(*args, **kwargs)
@@ -155,15 +148,6 @@
"""
allowed_list = copy.deepcopy(expected_allowed)
- # The legacy admin behavior changed during the sRBAC development,
- # os_admin is still a valid admin [0]
- # [0] https://governance.openstack.org/tc/goals/selected/
- # consistent-and-secure-rbac.html
- # #legacy-admin-continues-to-work-as-it-is
- # TODO(gthiemonge) we may have to revisit it in the future if the
- # legacy admin scope changes.
- if 'os_system_admin' in expected_allowed:
- allowed_list.append('os_admin')
# #### Test that disallowed credentials cannot access the API.
self._check_disallowed(client_str, method_str, allowed_list,
@@ -192,6 +176,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._list_get_RBAC_enforcement(client_str, method_str,
expected_allowed, *args, **kwargs)
@@ -214,6 +200,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._list_get_RBAC_enforcement(client_str, method_str,
expected_allowed, *args, **kwargs)
@@ -243,15 +231,6 @@
"""
allowed_list = copy.deepcopy(expected_allowed)
- # The legacy admin behavior changed during the sRBAC development,
- # os_admin is still a valid admin [0]
- # [0] https://governance.openstack.org/tc/goals/selected/
- # consistent-and-secure-rbac.html
- # #legacy-admin-continues-to-work-as-it-is
- # TODO(gthiemonge) we may have to revisit it in the future if the
- # legacy admin scope changes.
- if 'os_system_admin' in expected_allowed:
- allowed_list.append('os_admin')
# #### Test that disallowed credentials cannot access the API.
self._check_disallowed(client_str, method_str, allowed_list,
@@ -281,6 +260,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed,
status_method, obj_id, *args, **kwargs)
@@ -308,6 +289,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed,
status_method, obj_id, *args, **kwargs)
@@ -335,6 +318,8 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed,
status_method, obj_id, *args, **kwargs)
@@ -367,33 +352,19 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
allowed_list = copy.deepcopy(expected_allowed)
- # The legacy admin behavior changed during the sRBAC development,
- # os_admin is still a valid admin [0]
- # [0] https://governance.openstack.org/tc/goals/selected/
- # consistent-and-secure-rbac.html
- # #legacy-admin-continues-to-work-as-it-is
- # TODO(gthiemonge) we may have to revisit it in the future if the
- # legacy admin scope changes.
- if 'os_system_admin' in expected_allowed:
- allowed_list.append('os_admin')
for cred in allowed_list:
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or cred == 'os_system_reader')
- and not CONF.enforce_scope.octavia):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.octavia is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
result = method(*args, **kwargs)
@@ -434,33 +405,19 @@
correct scope for access is denied.
:returns: None on success
"""
+ if CONF.load_balancer.RBAC_test_type == constants.NONE:
+ return
allowed_list = copy.deepcopy(expected_allowed)
- # The legacy admin behavior changed during the sRBAC development,
- # os_admin is still a valid admin [0]
- # [0] https://governance.openstack.org/tc/goals/selected/
- # consistent-and-secure-rbac.html
- # #legacy-admin-continues-to-work-as-it-is
- # TODO(gthiemonge) we may have to revisit it in the future if the
- # legacy admin scope changes.
- if 'os_system_admin' in expected_allowed:
- allowed_list.append('os_admin')
for cred in allowed_list:
try:
cred_obj = getattr(self, cred)
except AttributeError:
- # TODO(johnsom) Remove once scoped tokens is the default.
- if ((cred == 'os_system_admin' or cred == 'os_system_reader')
- and not CONF.enforce_scope.octavia):
- LOG.info('Skipping %s allowed RBAC test because '
- 'enforce_scope.octavia is not True', cred)
- continue
- else:
- self.fail('Credential {} "expected_allowed" for RBAC '
- 'testing was not created by tempest '
- 'credentials setup. This is likely a bug in the '
- 'test.'.format(cred))
+ self.fail('Credential {} "expected_allowed" for RBAC '
+ 'testing was not created by tempest '
+ 'credentials setup. This is likely a bug in the '
+ 'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
result = method(*args, **kwargs)
diff --git a/octavia_tempest_plugin/tests/api/v2/test_amphora.py b/octavia_tempest_plugin/tests/api/v2/test_amphora.py
index 8d591cc..06f93ac 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_amphora.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_amphora.py
@@ -90,16 +90,9 @@
CONF.load_balancer.lb_build_timeout)
# Test RBAC for list amphorae
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'AmphoraClient', 'list_amphorae', expected_allowed)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'AmphoraClient', 'list_amphorae', expected_allowed)
# Get an actual list of the amphorae
amphorae = self.lb_admin_amphora_client.list_amphorae()
@@ -178,17 +171,10 @@
amphora_1 = amphorae[0]
# Test RBAC for update an amphora
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'AmphoraClient', 'update_amphora_config', expected_allowed,
- None, None, amphora_1[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'AmphoraClient', 'update_amphora_config', expected_allowed,
+ None, None, amphora_1[const.ID])
self.lb_admin_amphora_client.update_amphora_config(amphora_1[const.ID])
@@ -213,17 +199,10 @@
amphora_1 = amphorae[0]
# Test RBAC for failover an amphora
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'AmphoraClient', 'amphora_failover', expected_allowed,
- None, None, amphora_1[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'AmphoraClient', 'amphora_failover', expected_allowed,
+ None, None, amphora_1[const.ID])
self.lb_admin_amphora_client.amphora_failover(amphora_1[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
index fe80084..adcb75a 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
@@ -105,17 +105,10 @@
# Test that a user without the load balancer admin role cannot
# create an availability zone.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'AvailabilityZoneClient', 'create_availability_zone',
- expected_allowed, **availability_zone_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_create_RBAC_enforcement(
+ 'AvailabilityZoneClient', 'create_availability_zone',
+ expected_allowed, **availability_zone_kwargs)
# Happy path
availability_zone = (
@@ -233,12 +226,12 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
+ 'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -386,12 +379,12 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
+ 'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -454,18 +447,11 @@
# Test that a user without the load balancer role cannot
# update availability zone details.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'AvailabilityZoneClient', 'update_availability_zone',
- expected_allowed, None, None, availability_zone[const.NAME],
- **availability_zone_updated_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'AvailabilityZoneClient', 'update_availability_zone',
+ expected_allowed, None, None, availability_zone[const.NAME],
+ **availability_zone_updated_kwargs)
updated_availability_zone = (
self.lb_admin_availability_zone_client.update_availability_zone(
@@ -531,17 +517,10 @@
# Test that a user without the load balancer admin role cannot
# delete an availability zone.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'AvailabilityZoneClient', 'delete_availability_zone',
- expected_allowed, None, None, availability_zone[const.NAME])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_delete_RBAC_enforcement(
+ 'AvailabilityZoneClient', 'delete_availability_zone',
+ expected_allowed, None, None, availability_zone[const.NAME])
# Happy path
self.lb_admin_availability_zone_client.delete_availability_zone(
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
index 6f67d8f..7bcb4d7 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
@@ -44,18 +44,11 @@
# Test that a user without the load balancer admin role cannot
# list provider availability zone capabilities.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'AvailabilityZoneCapabilitiesClient',
- 'list_availability_zone_capabilities', expected_allowed,
- CONF.load_balancer.provider)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'AvailabilityZoneCapabilitiesClient',
+ 'list_availability_zone_capabilities', expected_allowed,
+ CONF.load_balancer.provider)
# Check for an expected availability zone capability for the
# configured provider
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
index 6984420..78e12ed 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
@@ -76,18 +76,11 @@
# Test that a user without the load balancer admin role cannot
# create an availability zone profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'create_availability_zone_profile',
- expected_allowed, **availability_zone_profile_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_create_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'create_availability_zone_profile',
+ expected_allowed, **availability_zone_profile_kwargs)
# Happy path
availability_zone_profile = (
@@ -231,17 +224,10 @@
# Test that a user without the load balancer admin role cannot
# list availability zone profiles.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'list_availability_zone_profiles', expected_allowed)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'list_availability_zone_profiles', expected_allowed)
# Check the default sort order (by ID)
profiles = (self.lb_admin_availability_zone_profile_client
@@ -392,18 +378,11 @@
# Test that a user without the load balancer admin role cannot
# show an availability zone profile
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'show_availability_zone_profile', expected_allowed,
- availability_zone_profile[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_show_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'show_availability_zone_profile', expected_allowed,
+ availability_zone_profile[const.ID])
result = (
self.lb_admin_availability_zone_profile_client
@@ -494,19 +473,12 @@
# Test that a user without the load balancer admin role cannot
# update an availability zone profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'update_availability_zone_profile', expected_allowed,
- None, None, availability_zone_profile[const.ID],
- **availability_zone_profile_updated_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'update_availability_zone_profile', expected_allowed,
+ None, None, availability_zone_profile[const.ID],
+ **availability_zone_profile_updated_kwargs)
result = (
self.lb_admin_availability_zone_profile_client
@@ -576,18 +548,11 @@
# Test that a user without the load balancer admin role cannot
# delete an availability zone profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'AvailabilityZoneProfileClient',
- 'delete_availability_zone_profile', expected_allowed,
- None, None, availability_zone_profile[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_delete_RBAC_enforcement(
+ 'AvailabilityZoneProfileClient',
+ 'delete_availability_zone_profile', expected_allowed,
+ None, None, availability_zone_profile[const.ID])
# Happy path
(self.lb_admin_availability_zone_profile_client
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor.py b/octavia_tempest_plugin/tests/api/v2/test_flavor.py
index 565ff99..53503bd 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor.py
@@ -88,17 +88,10 @@
# Test that a user without the load balancer admin role cannot
# create a flavor.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'FlavorClient', 'create_flavor',
- expected_allowed, None, None, **flavor_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_create_RBAC_enforcement(
+ 'FlavorClient', 'create_flavor',
+ expected_allowed, None, None, **flavor_kwargs)
# Happy path
flavor = self.lb_admin_flavor_client.create_flavor(**flavor_kwargs)
@@ -199,12 +192,12 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
+ 'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -327,12 +320,12 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
+ 'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -390,17 +383,10 @@
# Test that a user without the load balancer role cannot
# update flavor details.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'FlavorClient', 'update_flavor', expected_allowed, None, None,
- flavor[const.ID], **flavor_updated_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'FlavorClient', 'update_flavor', expected_allowed, None, None,
+ flavor[const.ID], **flavor_updated_kwargs)
updated_flavor = self.lb_admin_flavor_client.update_flavor(
flavor[const.ID], **flavor_updated_kwargs)
@@ -454,17 +440,10 @@
# Test that a user without the load balancer admin role cannot
# delete a flavor.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'FlavorClient', 'delete_flavor', expected_allowed,
- None, None, flavor[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_delete_RBAC_enforcement(
+ 'FlavorClient', 'delete_flavor', expected_allowed,
+ None, None, flavor[const.ID])
# Happy path
self.lb_admin_flavor_client.delete_flavor(flavor[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
index 285df19..cd2770c 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
@@ -42,18 +42,11 @@
# Test that a user without the load balancer admin role cannot
# list provider flavor capabilities.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'FlavorCapabilitiesClient',
- 'list_flavor_capabilities', expected_allowed,
- CONF.load_balancer.provider)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'FlavorCapabilitiesClient',
+ 'list_flavor_capabilities', expected_allowed,
+ CONF.load_balancer.provider)
# Check for an expected flavor capability for the configured provider
admin_capabilities_client = self.lb_admin_flavor_capabilities_client
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
index 48ade67..0b6a1ee 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
@@ -60,17 +60,10 @@
# Test that a user without the load balancer admin role cannot
# create a flavor profile
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'FlavorProfileClient', 'create_flavor_profile',
- expected_allowed, None, None, **flavor_profile_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_create_RBAC_enforcement(
+ 'FlavorProfileClient', 'create_flavor_profile',
+ expected_allowed, None, None, **flavor_profile_kwargs)
# Happy path
flavor_profile = (
@@ -180,17 +173,10 @@
# Test that a user without the load balancer admin role cannot
# list flavor profiles.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_list_RBAC_enforcement(
- 'FlavorProfileClient', 'list_flavor_profiles',
- expected_allowed)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_list_RBAC_enforcement(
+ 'FlavorProfileClient', 'list_flavor_profiles',
+ expected_allowed)
# Check the default sort order (by ID)
profiles = self.lb_admin_flavor_profile_client.list_flavor_profiles()
@@ -309,17 +295,10 @@
# Test that a user without the load balancer admin role cannot
# show a flavor profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'FlavorProfileClient', 'show_flavor_profile',
- expected_allowed, flavor_profile[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_show_RBAC_enforcement(
+ 'FlavorProfileClient', 'show_flavor_profile',
+ expected_allowed, flavor_profile[const.ID])
result = (
self.lb_admin_flavor_profile_client.show_flavor_profile(
@@ -387,18 +366,11 @@
# Test that a user without the load balancer admin role cannot
# update a flavor profile.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'FlavorProfileClient', 'update_flavor_profile',
- expected_allowed, None, None, flavor_profile[const.ID],
- **flavor_profile_updated_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'FlavorProfileClient', 'update_flavor_profile',
+ expected_allowed, None, None, flavor_profile[const.ID],
+ **flavor_profile_updated_kwargs)
result = self.lb_admin_flavor_profile_client.update_flavor_profile(
flavor_profile[const.ID], **flavor_profile_updated_kwargs)
@@ -454,17 +426,10 @@
# Test that a user without the load balancer admin role cannot
# delete a flavor profile
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'FlavorProfileClient', 'delete_flavor_profile',
- expected_allowed, None, None, flavor_profile[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_delete_RBAC_enforcement(
+ 'FlavorProfileClient', 'delete_flavor_profile',
+ expected_allowed, None, None, flavor_profile[const.ID])
# Happy path
self.lb_admin_flavor_profile_client.delete_flavor_profile(
diff --git a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
index 64368aa..3713552 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
@@ -277,22 +277,13 @@
# Test that a user without the loadbalancer role cannot
# create a healthmonitor
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'HealthMonitorClient', 'create_healthmonitor',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **hm_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'HealthMonitorClient', 'create_healthmonitor',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **hm_kwargs)
hm = self.mem_healthmonitor_client.create_healthmonitor(**hm_kwargs)
self.addCleanup(
@@ -741,10 +732,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -765,12 +756,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -1195,10 +1186,9 @@
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
@@ -1471,21 +1461,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this healthmonitor.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'HealthMonitorClient', 'update_healthmonitor',
- expected_allowed, None, None, hm[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'HealthMonitorClient', 'update_healthmonitor',
+ expected_allowed, None, None, hm[const.ID],
+ admin_state_up=True)
# Assert we didn't go into PENDING_*
hm_check = self.mem_healthmonitor_client.show_healthmonitor(
@@ -1775,20 +1756,11 @@
# Test that a user without the loadbalancer role cannot delete this
# healthmonitor.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'HealthMonitorClient', 'delete_healthmonitor',
- expected_allowed, None, None, hm[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'HealthMonitorClient', 'delete_healthmonitor',
+ expected_allowed, None, None, hm[const.ID])
self.mem_healthmonitor_client.delete_healthmonitor(hm[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
index 47b2faa..868950f 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
@@ -144,22 +144,13 @@
# Test that a user without the load balancer role cannot
# create a l7policy
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'L7PolicyClient', 'create_l7policy',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **l7policy_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'L7PolicyClient', 'create_l7policy',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **l7policy_kwargs)
l7policy = self.mem_l7policy_client.create_l7policy(**l7policy_kwargs)
@@ -397,10 +388,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -423,12 +414,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -668,22 +659,16 @@
# Test that the appropriate users can see or not see the L7 policies
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'L7PolicyClient', 'show_l7policy',
- expected_allowed, l7policy[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'L7PolicyClient', 'show_l7policy',
+ expected_allowed, l7policy[const.ID])
@decorators.idempotent_id('08f73b22-550b-4e5a-b3d6-2ec03251ca13')
def test_l7policy_update(self):
@@ -782,21 +767,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this L7 policy.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'L7PolicyClient', 'update_l7policy',
- expected_allowed, None, None, l7policy[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'L7PolicyClient', 'update_l7policy',
+ expected_allowed, None, None, l7policy[const.ID],
+ admin_state_up=True)
# Assert we didn't go into PENDING_*
l7policy_check = self.mem_l7policy_client.show_l7policy(
@@ -899,20 +875,11 @@
# Test that a user without the loadbalancer role cannot delete this
# L7 policy.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'L7PolicyClient', 'delete_l7policy',
- expected_allowed, None, None, l7policy[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'L7PolicyClient', 'delete_l7policy',
+ expected_allowed, None, None, l7policy[const.ID])
self.mem_l7policy_client.delete_l7policy(l7policy[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py
index c0eb1d2..0e9bb15 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py
@@ -142,22 +142,13 @@
# Test that a user without the loadbalancer role cannot
# create an L7 rule.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'L7RuleClient', 'create_l7rule',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **l7rule_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'L7RuleClient', 'create_l7rule',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **l7rule_kwargs)
l7rule = self.mem_l7rule_client.create_l7rule(**l7rule_kwargs)
self.addClassResourceCleanup(
@@ -359,10 +350,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -382,10 +373,9 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
@@ -562,23 +552,17 @@
# Test that the appropriate users can see or not see the L7 rule
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'L7RuleClient', 'show_l7rule',
- expected_allowed, l7rule[const.ID],
- l7policy_id=self.l7policy_id)
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'L7RuleClient', 'show_l7rule',
+ expected_allowed, l7rule[const.ID],
+ l7policy_id=self.l7policy_id)
@decorators.idempotent_id('f8cee23b-89b6-4f3a-a842-1463daf42cf7')
def test_l7rule_update(self):
@@ -650,21 +634,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this L7 rule.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'L7RuleClient', 'update_l7rule',
- expected_allowed, None, None, l7rule[const.ID],
- l7policy_id=self.l7policy_id, admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'L7RuleClient', 'update_l7rule',
+ expected_allowed, None, None, l7rule[const.ID],
+ l7policy_id=self.l7policy_id, admin_state_up=True)
# Assert we didn't go into PENDING_*
l7rule_check = self.mem_l7rule_client.show_l7rule(
@@ -753,21 +728,12 @@
# Test that a user without the loadbalancer role cannot delete this
# L7 rule.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'L7RuleClient', 'delete_l7rule',
- expected_allowed, None, None, l7rule[const.ID],
- l7policy_id=self.l7policy_id)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'L7RuleClient', 'delete_l7rule',
+ expected_allowed, None, None, l7rule[const.ID],
+ l7policy_id=self.l7policy_id)
self.mem_l7rule_client.delete_l7rule(l7rule[const.ID],
l7policy_id=self.l7policy_id)
diff --git a/octavia_tempest_plugin/tests/api/v2/test_listener.py b/octavia_tempest_plugin/tests/api/v2/test_listener.py
index 06a6848..46735a5 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_listener.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_listener.py
@@ -362,22 +362,13 @@
# Test that a user without the loadbalancer role cannot
# create a listener.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'ListenerClient', 'create_listener',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **listener_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'ListenerClient', 'create_listener',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **listener_kwargs)
listener = self.mem_listener_client.create_listener(**listener_kwargs)
@@ -938,10 +929,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -963,12 +954,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -1293,22 +1284,16 @@
# Test that the appropriate users can see or not see the listener
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'ListenerClient', 'show_listener',
- expected_allowed, listener[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'ListenerClient', 'show_listener',
+ expected_allowed, listener[const.ID])
@decorators.idempotent_id('aaae0298-5778-4c7e-a27a-01549a71b319')
def test_http_listener_update(self):
@@ -1479,23 +1464,14 @@
# Test that a user without the loadbalancer role cannot
# update a listener.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'ListenerClient', 'update_listener',
- expected_allowed,
- status_method=self.mem_listener_client.show_listener,
- obj_id=listener[const.ID], listener_id=listener[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'ListenerClient', 'update_listener',
+ expected_allowed,
+ status_method=self.mem_listener_client.show_listener,
+ obj_id=listener[const.ID], listener_id=listener[const.ID],
+ admin_state_up=True)
new_name = data_utils.rand_name("lb_member_listener1-UPDATED")
new_description = data_utils.arbitrary_string(size=255,
@@ -1713,22 +1689,13 @@
# Test that a user without the loadbalancer role cannot
# delete a listener.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'ListenerClient', 'delete_listener',
- expected_allowed,
- status_method=self.mem_listener_client.show_listener,
- obj_id=listener[const.ID], listener_id=listener[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'ListenerClient', 'delete_listener',
+ expected_allowed,
+ status_method=self.mem_listener_client.show_listener,
+ obj_id=listener[const.ID], listener_id=listener[const.ID])
self.mem_listener_client.delete_listener(listener[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
index 9035260..5159dc4 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
@@ -84,20 +84,11 @@
lb_kwargs_with_project_id = copy.deepcopy(lb_kwargs)
lb_kwargs_with_project_id[const.PROJECT_ID] = (
self.os_roles_lb_member.credentials.project_id)
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'LoadbalancerClient', 'create_loadbalancer',
- expected_allowed, None, None, **lb_kwargs_with_project_id)
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
+ 'os_roles_lb_member', 'os_roles_lb_member2']
+ self.check_create_RBAC_enforcement(
+ 'LoadbalancerClient', 'create_loadbalancer',
+ expected_allowed, None, None, **lb_kwargs_with_project_id)
lb = self.mem_lb_client.create_loadbalancer(**lb_kwargs)
@@ -188,20 +179,11 @@
# Test that a user without the loadbalancer role cannot delete this
# load balancer.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'LoadbalancerClient', 'delete_loadbalancer',
- expected_allowed, None, None, lb[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'LoadbalancerClient', 'delete_loadbalancer',
+ expected_allowed, None, None, lb[const.ID])
self.mem_lb_client.delete_loadbalancer(lb[const.ID])
@@ -238,20 +220,11 @@
# Test that a user without the loadbalancer role cannot delete this
# load balancer.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'LoadbalancerClient', 'delete_loadbalancer',
- expected_allowed, None, None, lb[const.ID], cascade=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'LoadbalancerClient', 'delete_loadbalancer',
+ expected_allowed, None, None, lb[const.ID], cascade=True)
self.mem_lb_client.delete_loadbalancer(lb[const.ID], cascade=True)
@@ -436,10 +409,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -460,12 +433,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -632,22 +605,16 @@
# Test that the appropriate users can see or not see the load
# balancer based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'LoadbalancerClient', 'show_loadbalancer',
- expected_allowed, lb[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'LoadbalancerClient', 'show_loadbalancer',
+ expected_allowed, lb[const.ID])
# Attempt to clean up so that one full test run doesn't start 10+
# amps before the cleanup phase fires
@@ -736,21 +703,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this load balancer.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'LoadbalancerClient', 'update_loadbalancer',
- expected_allowed, None, None, lb[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'LoadbalancerClient', 'update_loadbalancer',
+ expected_allowed, None, None, lb[const.ID],
+ admin_state_up=True)
# Assert we didn't go into PENDING_*
lb_check = self.mem_lb_client.show_loadbalancer(lb[const.ID])
@@ -829,22 +787,16 @@
# Test that the appropriate users can see or not see the load
# balancer stats based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'LoadbalancerClient', 'get_loadbalancer_stats',
- expected_allowed, lb[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'LoadbalancerClient', 'get_loadbalancer_stats',
+ expected_allowed, lb[const.ID])
stats = self.mem_lb_client.get_loadbalancer_stats(lb[const.ID])
@@ -900,22 +852,16 @@
# Test that the appropriate users can see or not see the load
# balancer status based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'LoadbalancerClient', 'get_loadbalancer_status',
- expected_allowed, lb[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'LoadbalancerClient', 'get_loadbalancer_status',
+ expected_allowed, lb[const.ID])
status = self.mem_lb_client.get_loadbalancer_status(lb[const.ID])
@@ -977,17 +923,10 @@
# Test that a user without the load balancer admin role cannot
# failover a load balancer.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'LoadbalancerClient', 'failover_loadbalancer',
- expected_allowed, None, None, lb[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
+ self.check_update_RBAC_enforcement(
+ 'LoadbalancerClient', 'failover_loadbalancer',
+ expected_allowed, None, None, lb[const.ID])
# Assert we didn't go into PENDING_*
lb = self.mem_lb_client.show_loadbalancer(lb[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_member.py b/octavia_tempest_plugin/tests/api/v2/test_member.py
index ed3fba6..fa35b03 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_member.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_member.py
@@ -930,22 +930,13 @@
# Test that a user without the loadbalancer role cannot
# create a member.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'MemberClient', 'create_member',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **member_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'MemberClient', 'create_member',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **member_kwargs)
member = self.mem_member_client.create_member(**member_kwargs)
@@ -1287,10 +1278,10 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@@ -1309,10 +1300,9 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
@@ -1874,23 +1864,16 @@
# Test that the appropriate users can see or not see the member
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'MemberClient', 'show_member',
- expected_allowed, member[const.ID],
- pool_id=pool_id)
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'MemberClient', 'show_member', expected_allowed, member[const.ID],
+ pool_id=pool_id)
@decorators.idempotent_id('592c19c3-1e0d-4d6d-b2ff-0d39d8654c99')
def test_HTTP_LC_backup_member_update(self):
@@ -2348,21 +2331,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this member.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'MemberClient', 'update_member',
- expected_allowed, None, None, member[const.ID],
- pool_id=pool_id, admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'MemberClient', 'update_member',
+ expected_allowed, None, None, member[const.ID],
+ pool_id=pool_id, admin_state_up=True)
# Assert we didn't go into PENDING_*
member_check = self.mem_member_client.show_member(
@@ -2817,21 +2791,12 @@
# Test that a user, without the loadbalancer member role, cannot
# batch update this member.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'MemberClient', 'update_members',
- expected_allowed, None, None,
- pool_id=pool_id, members_list=batch_update_list)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'MemberClient', 'update_members',
+ expected_allowed, None, None,
+ pool_id=pool_id, members_list=batch_update_list)
# Assert we didn't go into PENDING_*
member_check = self.mem_member_client.show_member(
@@ -3086,21 +3051,11 @@
# Test that a user without the loadbalancer role cannot delete this
# member.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'MemberClient', 'delete_member',
- expected_allowed, None, None, member[const.ID],
- pool_id=pool_id)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'MemberClient', 'delete_member', expected_allowed, None, None,
+ member[const.ID], pool_id=pool_id)
self.mem_member_client.delete_member(member[const.ID],
pool_id=pool_id)
diff --git a/octavia_tempest_plugin/tests/api/v2/test_pool.py b/octavia_tempest_plugin/tests/api/v2/test_pool.py
index 4e3e667..2f62376 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_pool.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_pool.py
@@ -408,22 +408,13 @@
# Test that a user without the loadbalancer role cannot
# create a pool.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_create_RBAC_enforcement(
- 'PoolClient', 'create_pool',
- expected_allowed,
- status_method=self.mem_lb_client.show_loadbalancer,
- obj_id=self.lb_id, **pool_kwargs)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_create_RBAC_enforcement(
+ 'PoolClient', 'create_pool',
+ expected_allowed,
+ status_method=self.mem_lb_client.show_loadbalancer,
+ obj_id=self.lb_id, **pool_kwargs)
# This is a special case as the reference driver does not support
# SOURCE-IP-PORT. Since it runs with not_implemented_is_error, we must
@@ -763,10 +754,10 @@
'os_roles_lb_global_observer']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2']
- if expected_allowed:
- self.check_list_RBAC_enforcement_count(
- 'PoolClient', 'list_pools', expected_allowed, 0,
- query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
+# if expected_allowed:
+# self.check_list_RBAC_enforcement_count(
+# 'PoolClient', 'list_pools', expected_allowed, 0,
+# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
# Test credentials that should see these pools can see them.
expected_allowed = []
@@ -774,15 +765,15 @@
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_member',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member',
'os_roles_lb_global_observer']
- if expected_allowed:
- self.check_list_IDs_RBAC_enforcement(
- 'PoolClient', 'list_pools', expected_allowed, test_ids,
- query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
+# if expected_allowed:
+# self.check_list_IDs_RBAC_enforcement(
+# 'PoolClient', 'list_pools', expected_allowed, test_ids,
+# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
# Test that users without the lb member role cannot list pools.
# Note: non-owners can still call this API, they will just get the list
@@ -798,12 +789,12 @@
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin', 'os_roles_lb_observer',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@@ -1132,22 +1123,16 @@
# Test that the appropriate users can see or not see the pool
# based on the API RBAC.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
- if expected_allowed:
- self.check_show_RBAC_enforcement(
- 'PoolClient', 'show_pool',
- expected_allowed, pool[const.ID])
+ else:
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_show_RBAC_enforcement(
+ 'PoolClient', 'show_pool',
+ expected_allowed, pool[const.ID])
@decorators.idempotent_id('d73755fe-ba3a-4248-9543-8e167a5aa7f4')
def test_HTTP_LC_pool_update(self):
@@ -1372,21 +1357,12 @@
# Test that a user, without the loadbalancer member role, cannot
# update this pool.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_update_RBAC_enforcement(
- 'PoolClient', 'update_pool',
- expected_allowed, None, None, pool[const.ID],
- admin_state_up=True)
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_update_RBAC_enforcement(
+ 'PoolClient', 'update_pool',
+ expected_allowed, None, None, pool[const.ID],
+ admin_state_up=True)
# Assert we didn't go into PENDING_*
pool_check = self.mem_pool_client.show_pool(
@@ -1675,20 +1651,11 @@
# Test that a user without the loadbalancer role cannot delete this
# pool.
- expected_allowed = []
- if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
- 'os_roles_lb_member']
- if expected_allowed:
- self.check_delete_RBAC_enforcement(
- 'PoolClient', 'delete_pool',
- expected_allowed, None, None, pool[const.ID])
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
+ self.check_delete_RBAC_enforcement(
+ 'PoolClient', 'delete_pool',
+ expected_allowed, None, None, pool[const.ID])
self.mem_pool_client.delete_pool(pool[const.ID])
diff --git a/octavia_tempest_plugin/tests/api/v2/test_provider.py b/octavia_tempest_plugin/tests/api/v2/test_provider.py
index e47ae8e..b6bf12a 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_provider.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_provider.py
@@ -50,14 +50,15 @@
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_system_reader', 'os_roles_lb_observer',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
- 'os_system_admin', 'os_system_reader', 'os_roles_lb_observer',
- 'os_roles_lb_global_observer', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2']
+ 'os_admin', 'os_roles_lb_observer',
+ 'os_roles_lb_global_observer',
+ 'os_roles_lb_admin', 'os_roles_lb_member',
+ 'os_roles_lb_member2']
if expected_allowed:
self.check_list_RBAC_enforcement(
'ProviderClient', 'list_providers', expected_allowed)
diff --git a/octavia_tempest_plugin/tests/test_base.py b/octavia_tempest_plugin/tests/test_base.py
index f176cb1..3f10ad9 100644
--- a/octavia_tempest_plugin/tests/test_base.py
+++ b/octavia_tempest_plugin/tests/test_base.py
@@ -79,11 +79,6 @@
['lb_member', CONF.load_balancer.member_role, 'member'],
['lb_member2', CONF.load_balancer.member_role, 'member']]
- # If scope enforcement is enabled, add in the system scope credentials.
- # The project scope is already handled by the above credentials.
- if CONF.enforce_scope.octavia:
- credentials.extend(['system_admin', 'system_reader'])
-
# A tuple of credentials that will be allocated by tempest using the
# 'credentials' list above. These are used to build RBAC test lists.
allocated_creds = []
diff --git a/releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml b/releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml
new file mode 100644
index 0000000..d38181a
--- /dev/null
+++ b/releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - |
+ The default tempest tests will now expect the keystone default roles RBAC
+ enabled. The legacy behavior can be enabled by setting
+ "RBAC_test_type: advanced" in the [load_balancer] section of your
+ tempest.conf. This change also removes the ability to test system scoped
+ tokens with Octavia.
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 452e1e4..36c57e1 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -528,23 +528,16 @@
- ^octavia_tempest_plugin/tests/spare_pool_scenario/.* # TODO: remove
- job:
- name: octavia-v2-dsvm-noop-api-keystone-default-roles
+ name: octavia-v2-dsvm-noop-api-advanced-rbac
parent: octavia-v2-dsvm-noop-api
vars:
devstack_localrc:
- OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True
+ OCTAVIA_USE_ADVANCED_RBAC: True
devstack_local_conf:
- post-config:
- $OCTAVIA_CONF:
- oslo_policy:
- enforce_scope: False
- enforce_new_defaults: True
test-config:
"$TEMPEST_CONFIG":
- enforce_scope:
- octavia: False
load_balancer:
- RBAC_test_type: keystone_default_roles
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-noop-py2-api
@@ -558,18 +551,36 @@
parent: octavia-v2-dsvm-noop-api
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.2
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-noop-api-stable-2024-1
parent: octavia-v2-dsvm-noop-api
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.1
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-noop-api-stable-2023-2
parent: octavia-v2-dsvm-noop-api
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2023.2
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-scenario-base
@@ -662,6 +673,12 @@
parent: octavia-v2-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.2
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2
@@ -680,6 +697,12 @@
parent: octavia-v2-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.1
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-scenario-traffic-ops-stable-2024-1
@@ -698,6 +721,12 @@
parent: octavia-v2-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2023.2
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-scenario-traffic-ops-stable-2023-2
@@ -913,18 +942,36 @@
parent: octavia-v2-dsvm-tls-barbican
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.2
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-tls-barbican-stable-2024-1
parent: octavia-v2-dsvm-tls-barbican
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.1
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-tls-barbican-stable-2023-2
parent: octavia-v2-dsvm-tls-barbican
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2023.2
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-spare-pool
@@ -1078,18 +1125,56 @@
parent: octavia-v2-act-stdby-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.2
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-act-stdby-dsvm-scenario-stable-2024-1
parent: octavia-v2-act-stdby-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.1
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
- job:
name: octavia-v2-act-stdby-dsvm-scenario-stable-2023-2
parent: octavia-v2-act-stdby-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2023.2
+ vars:
+ devstack_local_conf:
+ test-config:
+ "$TEMPEST_CONFIG":
+ load_balancer:
+ RBAC_test_type: advanced
+
+# Temporary job, remove once it is no longer used in octavia gates
+- job:
+ name: octavia-v2-dsvm-noop-api-keystone-default-roles
+ parent: octavia-v2-dsvm-noop-api
+ vars:
+ devstack_localrc:
+ OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True
+ devstack_local_conf:
+ post-config:
+ $OCTAVIA_CONF:
+ oslo_policy:
+ enforce_scope: True
+ enforce_new_defaults: True
+ test-config:
+ "$TEMPEST_CONFIG":
+ enforce_scope:
+ octavia: True
+ load_balancer:
+ RBAC_test_type: keystone_default_roles
######### Third party jobs ##########
diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml
index fee26dd..9034367 100644
--- a/zuul.d/projects.yaml
+++ b/zuul.d/projects.yaml
@@ -12,7 +12,7 @@
- octavia-v2-dsvm-noop-api-stable-2024-2
- octavia-v2-dsvm-noop-api-stable-2024-1
- octavia-v2-dsvm-noop-api-stable-2023-2
- - octavia-v2-dsvm-noop-api-keystone-default-roles
+ - octavia-v2-dsvm-noop-api-advanced-rbac
- octavia-v2-dsvm-scenario-traffic-ops
- octavia-v2-dsvm-scenario-non-traffic-ops
- octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2
@@ -60,7 +60,7 @@
- octavia-v2-dsvm-noop-api-stable-2024-2
- octavia-v2-dsvm-noop-api-stable-2024-1
- octavia-v2-dsvm-noop-api-stable-2023-2
- - octavia-v2-dsvm-noop-api-keystone-default-roles
+ - octavia-v2-dsvm-noop-api-advanced-rbac
- octavia-v2-dsvm-scenario-traffic-ops
- octavia-v2-dsvm-scenario-non-traffic-ops
- octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2