Merge "Additional network router RBAC tests"
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index ba04a30..53f84ff 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -29,6 +29,8 @@
CONF = config.CONF
LOG = logging.getLogger(__name__)
+_SUPPORTED_ERROR_CODES = [403, 404]
+
def action(service, rule='', admin_only=False, expected_error_code=403,
extra_target_data=None):
@@ -47,15 +49,13 @@
:param service: A OpenStack service: for example, "nova" or "neutron".
:param rule: A policy action defined in a policy.json file (or in code).
:param admin_only: Skips over oslo.policy check because the policy action
- defined by `rule` is not enforced by the service's
- policy enforcement logic. For example, Keystone v2
- performs an admin check for most of its endpoints. If
- True, `rule` is effectively ignored.
+ defined by `rule` is not enforced by the service's policy enforcement
+ logic. For example, Keystone v2 performs an admin check for most of its
+ endpoints. If True, `rule` is effectively ignored.
:param expected_error_code: Overrides default value of 403 (Forbidden)
- with endpoint-specific error code. Currently
- only supports 403 and 404. Support for 404
- is needed because some services, like Neutron,
- intentionally throw a 404 for security reasons.
+ with endpoint-specific error code. Currently only supports 403 and 404.
+ Support for 404 is needed because some services, like Neutron,
+ intentionally throw a 404 for security reasons.
:raises NotFound: if `service` is invalid or
if Tempest credentials cannot be found.
@@ -163,10 +163,29 @@
return False
-def _get_exception_type(expected_error_code):
+def _get_exception_type(expected_error_code=403):
+ """Dynamically calculate the expected exception to be caught.
+
+ Dynamically calculate the expected exception to be caught by the test case.
+ Only `Forbidden` and `NotFound` exceptions are permitted. `NotFound` is
+ supported because Neutron, for security reasons, masks `Forbidden`
+ exceptions as `NotFound` exceptions.
+
+ :param expected_error_code: the integer representation of the expected
+ exception to be caught. Must be contained in `_SUPPORTED_ERROR_CODES`.
+ :returns: tuple of the exception type corresponding to
+ `expected_error_code` and a message explaining that a non-Forbidden
+ exception was expected, if applicable.
+ """
expected_exception = None
irregular_msg = None
- supported_error_codes = [403, 404]
+
+ if not isinstance(expected_error_code, six.integer_types) \
+ or expected_error_code not in _SUPPORTED_ERROR_CODES:
+ msg = ("Please pass an expected error code. Currently "
+ "supported codes: {0}".format(_SUPPORTED_ERROR_CODES))
+ LOG.error(msg)
+ raise rbac_exceptions.RbacInvalidErrorCode(msg)
if expected_error_code == 403:
expected_exception = exceptions.Forbidden
@@ -175,11 +194,6 @@
irregular_msg = ("NotFound exception was caught for policy action "
"{0}. The service {1} throws a 404 instead of a 403, "
"which is irregular.")
- else:
- msg = ("Please pass an expected error code. Currently "
- "supported codes: {0}".format(str(supported_error_codes)))
- LOG.error(msg)
- raise rbac_exceptions.RbacInvalidErrorCode()
return expected_exception, irregular_msg
@@ -200,7 +214,7 @@
:param test_obj: type BaseTestCase (tempest base test class)
:param extra_target_data: dictionary with unresolved string literals that
- reference nested BaseTestCase attributes
+ reference nested BaseTestCase attributes
:returns: dictionary with resolved BaseTestCase attributes
"""
attr_value = test_obj
diff --git a/patrole_tempest_plugin/tests/api/compute/test_admin_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_admin_server_actions_rbac.py
deleted file mode 100644
index 37fad18..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_admin_server_actions_rbac.py
+++ /dev/null
@@ -1,65 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest import config
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-CONF = config.CONF
-
-
-class AdminServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(AdminServerActionsRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-admin-actions', 'compute'):
- msg = "%s skipped as os-admin-actions not enabled." % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(AdminServerActionsRbacTest, cls).resource_setup()
- cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-admin-actions:reset_state")
- @decorators.idempotent_id('ae84dd0b-f364-462e-b565-3457f9c019ef')
- def test_reset_server_state(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.reset_state(self.server_id, state='error')
- self.addCleanup(self.servers_client.reset_state,
- self.server_id,
- state='active')
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-admin-actions:inject_network_info")
- @decorators.idempotent_id('ce48c340-51c1-4cff-9b6e-0cc5ef008630')
- def test_inject_network_info(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.inject_network_info(self.server_id)
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-admin-actions:reset_network")
- @decorators.idempotent_id('2911a242-15c4-4fcb-80d5-80a8930661b0')
- def test_reset_network(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.reset_network(self.server_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py
deleted file mode 100644
index ebeab76..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class DeferredDeleteRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(DeferredDeleteRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-deferred-delete', 'compute'):
- msg = "%s skipped as os-deferred-delete extension not enabled." \
- % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(DeferredDeleteRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- @decorators.idempotent_id('189bfed4-1e6d-475c-bb8c-d57e60895391')
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-deferred-delete")
- def test_force_delete_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Force-deleting a server enforces os-deferred-delete according to the
- # following API: https://github.com/openstack/nova/blob/master/nova/api
- # /openstack/compute/deferred_delete.py
- self.servers_client.force_delete_server(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_lock_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_lock_server_rbac.py
new file mode 100644
index 0000000..1daf305
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_lock_server_rbac.py
@@ -0,0 +1,58 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base as base
+
+
+class ComputeLockServersRbacTest(base.BaseV2ComputeRbacTest):
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-lock-server:lock")
+ @decorators.idempotent_id('b81e10fb-1864-498f-8c1d-5175c6fec5fb')
+ def test_lock_server(self):
+ server = self.create_test_server(wait_until='ACTIVE')
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.lock_server(server['id'])
+ self.addCleanup(self.servers_client.unlock_server, server['id'])
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-lock-server:unlock")
+ @decorators.idempotent_id('d50ef8e8-4bce-11e7-b114-b2f933d5fe66')
+ def test_unlock_server(self):
+ server = self.create_test_server(wait_until='ACTIVE')
+ self.servers_client.lock_server(server['id'])
+ self.addCleanup(self.servers_client.unlock_server, server['id'])
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.unlock_server(server['id'])
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-lock-server:unlock:unlock_override")
+ @decorators.idempotent_id('40dfeef9-73ee-48a9-be19-a219875de457')
+ def test_unlock_server_override(self):
+ server = self.create_test_server(wait_until='ACTIVE')
+ # In order to trigger the unlock:unlock_override policy instead
+ # of the unlock policy, the server must be locked by a different
+ # user than the one who is attempting to unlock it.
+ self.os_admin.servers_client.lock_server(server['id'])
+ self.addCleanup(self.servers_client.unlock_server, server['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.unlock_server(server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py
deleted file mode 100644
index a0a021f..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class RescueRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(RescueRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-rescue', 'compute'):
- msg = "%s skipped as os-rescue not enabled." % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(RescueRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-rescue")
- @decorators.idempotent_id('fbbb2afc-ed0e-4552-887d-ac00fb5d436e')
- def test_rescue_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.rescue_server(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py
deleted file mode 100644
index f6359b4..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class ServerDiagnosticsRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(ServerDiagnosticsRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-server-diagnostics', 'compute'):
- msg = ("%s skipped as os-server-diagnostics not "
- "enabled." % cls.__name__)
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(ServerDiagnosticsRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-server-diagnostics")
- @decorators.idempotent_id('5dabfcc4-bedb-417b-8247-b3ee7c5c0f3e')
- def test_show_server_diagnostics(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_server_diagnostics(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
new file mode 100644
index 0000000..cb826e3
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -0,0 +1,154 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common import waiters
+from tempest.lib import decorators
+from tempest.lib import exceptions as lib_exc
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ """Test multiple policy actions that require a server to be created.
+
+ Minimize the number of servers that need to be created across classes
+ by consolidating test cases related to different policy "families" into
+ one class. This reduces the risk of running into `BuildErrorException`
+ errors being raised due to too many servers being created simultaneously
+ especially when higher concurrency is used.
+
+ Only applies to:
+ * policy "families" that require server creation
+ * small policy "families" -- i.e. containing one to three policies
+ """
+
+ @classmethod
+ def resource_setup(cls):
+ super(MiscPolicyActionsRbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+ def setUp(self):
+ super(MiscPolicyActionsRbacTest, self).setUp()
+ try:
+ waiters.wait_for_server_status(self.servers_client,
+ self.server_id, 'ACTIVE')
+ except lib_exc.NotFound:
+ # If the server was found to be deleted by a previous test,
+ # a new one is built
+ server = self.create_test_server(wait_until='ACTIVE')
+ self.__class__.server_id = server['id']
+ except Exception:
+ # Rebuilding the server in case something happened during a test
+ self.__class__.server_id = self.rebuild_server(self.server_id)
+
+ @test.requires_ext(extension='os-admin-actions', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:reset_state")
+ @decorators.idempotent_id('ae84dd0b-f364-462e-b565-3457f9c019ef')
+ def test_reset_server_state(self):
+ """Test reset server state, part of os-admin-actions."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.reset_state(self.server_id, state='error')
+ self.addCleanup(self.servers_client.reset_state, self.server_id,
+ state='active')
+
+ @test.requires_ext(extension='os-admin-actions', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:inject_network_info")
+ @decorators.idempotent_id('ce48c340-51c1-4cff-9b6e-0cc5ef008630')
+ def test_inject_network_info(self):
+ """Test inject network info, part of os-admin-actions."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.inject_network_info(self.server_id)
+
+ @test.attr(type=['slow'])
+ @test.requires_ext(extension='os-admin-actions', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:reset_network")
+ @decorators.idempotent_id('2911a242-15c4-4fcb-80d5-80a8930661b0')
+ def test_reset_network(self):
+ """Test reset network, part of os-admin-actions."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.reset_network(self.server_id)
+
+ @test.requires_ext(extension='os-deferred-delete', service='compute')
+ @decorators.idempotent_id('189bfed4-1e6d-475c-bb8c-d57e60895391')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-deferred-delete")
+ def test_force_delete_server(self):
+ """Test force delete server, part of os-deferred-delete."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ # Force-deleting a server enforces os-deferred-delete.
+ self.servers_client.force_delete_server(self.server_id)
+
+ @test.requires_ext(extension='os-rescue', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-rescue")
+ @decorators.idempotent_id('fbbb2afc-ed0e-4552-887d-ac00fb5d436e')
+ def test_rescue_server(self):
+ """Test rescue server, part of os-rescue."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.rescue_server(self.server_id)
+
+ @test.requires_ext(extension='os-server-diagnostics', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-diagnostics")
+ @decorators.idempotent_id('5dabfcc4-bedb-417b-8247-b3ee7c5c0f3e')
+ def test_show_server_diagnostics(self):
+ """Test show server diagnostics, part of os-server-diagnostics."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.show_server_diagnostics(self.server_id)
+
+ @test.requires_ext(extension='os-server-password', service='compute')
+ @decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-password")
+ def test_delete_server_password(self):
+ """Test delete server password, part of os-server-password."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.delete_password(self.server_id)
+
+ @test.requires_ext(extension='os-server-password', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-password")
+ @decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
+ def test_get_server_password(self):
+ """Test show server password, part of os-server-password."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.show_password(self.server_id)
+
+ @test.requires_ext(extension='OS-SRV-USG', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-usage")
+ @decorators.idempotent_id('f0437ead-b9fb-462a-9f3d-ce53fac9d57a')
+ def test_show_server_usage(self):
+ """Test show server usage, part of os-server-usage.
+
+ TODO(felipemonteiro): Once multiple policy test is supported, this
+ test can be combined with the generic test for showing a server.
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.show_server(self.server_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
deleted file mode 100644
index 7826268..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class ServerPasswordRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(ServerPasswordRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-server-password', 'compute'):
- msg = "%s skipped as os-server-password extension not enabled." \
- % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(ServerPasswordRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until="ACTIVE")
-
- @decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-server-password")
- def test_delete_server_password(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.delete_password(self.server['id'])
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-server-password")
- @decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
- def test_get_server_password(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_password(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py
deleted file mode 100644
index 777af29..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class ServerUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(ServerUsageRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('OS-SRV-USG', 'compute'):
- msg = "%s skipped as OS-SRV-USG not enabled." % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(ServerUsageRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-server-usage")
- @decorators.idempotent_id('f0437ead-b9fb-462a-9f3d-ce53fac9d57a')
- def test_show_server_diagnostics(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_server(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
index 499f58d..23dbf1b 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
@@ -38,6 +38,14 @@
super(VolumeRbacTest, cls).resource_setup()
cls.volume = cls.create_volume()
+ def _delete_snapshot(self, snapshot_id):
+ waiters.wait_for_volume_resource_status(
+ self.os_admin.snapshots_extensions_client, snapshot_id,
+ 'available')
+ self.snapshots_extensions_client.delete_snapshot(snapshot_id)
+ self.snapshots_extensions_client.wait_for_resource_deletion(
+ snapshot_id)
+
@decorators.idempotent_id('2402013e-a624-43e3-9518-44a5d1dbb32d')
@rbac_rule_validation.action(
service="nova",
@@ -87,8 +95,7 @@
snapshot = self.snapshots_extensions_client.create_snapshot(
self.volume['id'])['snapshot']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.snapshots_extensions_client.delete_snapshot,
- snapshot['id'])
+ self._delete_snapshot, snapshot['id'])
@decorators.idempotent_id('e944e816-416c-11e7-a919-92ebcb67fe33')
@rbac_rule_validation.action(
@@ -105,8 +112,8 @@
def test_show_snapshot(self):
snapshot = self.snapshots_extensions_client.create_snapshot(
self.volume['id'])['snapshot']
- self.addCleanup(self.snapshots_extensions_client.delete_snapshot,
- snapshot['id'])
+ self.addCleanup(self._delete_snapshot, snapshot['id'])
+
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.snapshots_extensions_client.show_snapshot(snapshot['id'])
@@ -118,7 +125,7 @@
snapshot = self.snapshots_extensions_client.create_snapshot(
self.volume['id'])['snapshot']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.snapshots_extensions_client.delete_snapshot,
- snapshot['id'])
+ self._delete_snapshot, snapshot['id'])
+
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_extensions_client.delete_snapshot(snapshot['id'])
+ self._delete_snapshot(snapshot['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index 6cb3d2f..a053614 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -183,6 +183,7 @@
def resource_setup(cls):
super(BaseIdentityV2AdminRbacTest, cls).resource_setup()
cls.tenants = []
+ cls.tokens = []
@classmethod
def resource_cleanup(cls):
@@ -190,6 +191,10 @@
test_utils.call_and_ignore_notfound_exc(
cls.tenants_client.delete_tenant, tenant['id'])
+ for token in cls.tokens:
+ test_utils.call_and_ignore_notfound_exc(
+ cls.client.delete_token, token)
+
super(BaseIdentityV2AdminRbacTest, cls).resource_cleanup()
@classmethod
@@ -203,6 +208,15 @@
cls.tenants.append(tenant)
return tenant
+ @classmethod
+ def setup_test_token(cls, user_name, password, tenant_name):
+ """Set up a test token."""
+ token = cls.token_client.auth(user_name, password,
+ tenant_name)['token']
+ token_id = token['id']
+ cls.tokens.append(token_id)
+ return token_id
+
class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_tokens_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_tokens_rbac.py
new file mode 100644
index 0000000..25150dd
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_tokens_rbac.py
@@ -0,0 +1,72 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+
+class IdentityTokenV2RbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+
+ def _create_token(self):
+
+ user_name = self.client.auth_provider.credentials.username
+ tenant_name = self.client.auth_provider.credentials.tenant_name
+ password = self.client.auth_provider.credentials.password
+ token_id = self.setup_test_token(user_name, password,
+ tenant_name)
+ return token_id
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:validate_token")
+ @decorators.idempotent_id('71471202-4c4e-4a3d-9d41-57eb621bf3bb')
+ def test_validate_token(self):
+
+ """Validate token (get-token)
+
+ RBAC test for Identity v2 get token validation
+ """
+ token_id = self._create_token()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.client.show_token(token_id)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:revoke_token")
+ @decorators.idempotent_id('77338f66-0713-4f20-b11c-b0d750618276')
+ def test_revoke_token(self):
+
+ """Revoke token (delete-token)
+
+ RBAC test for Identity v2 delete token
+ """
+ token_id = self._create_token()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.client.delete_token(token_id)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:validate_token_head")
+ @decorators.idempotent_id('71471202-4c4e-4a3d-9d41-57eb621bf3ba')
+ def test_check_token_existence(self):
+
+ """Validate Token head
+
+ RBAC test for Identity v2 token head validation
+ """
+ token_id = self._create_token()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.client.check_token_existence(token_id)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_namespace_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_tags_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_tags_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_tags_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_namespace_tags_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_resource_types_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_resource_types_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/test_images_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_images_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v1/__init__.py b/patrole_tempest_plugin/tests/api/image/v1/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/patrole_tempest_plugin/tests/api/image/v1/__init__.py
+++ /dev/null
diff --git a/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
deleted file mode 100644
index 8015277..0000000
--- a/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest import config
-from tempest.lib import decorators
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.image import rbac_base as base
-
-CONF = config.CONF
-
-
-class ImagesMemberRbacTest(base.BaseV1ImageRbacTest):
-
- credentials = ['primary', 'alt', 'admin']
-
- @classmethod
- def setup_clients(cls):
- super(ImagesMemberRbacTest, cls).setup_clients()
- cls.image_member_client = cls.os_primary.image_member_client
-
- @classmethod
- def resource_setup(cls):
- super(ImagesMemberRbacTest, cls).resource_setup()
- cls.alt_tenant_id = cls.os_alt.image_member_client.tenant_id
-
- @rbac_rule_validation.action(service="glance", rule="add_member")
- @decorators.idempotent_id('bda2bb78-e6ec-4b87-ba6d-1eaf1b28fa8b')
- def test_add_image_member(self):
- """Add image member
-
- RBAC test for the glance add_member policy
- """
- image = self.create_image()
- # Toggle role and add image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.create_image_member(image['id'],
- self.alt_tenant_id)
-
- @rbac_rule_validation.action(service="glance", rule="delete_member")
- @decorators.idempotent_id('9beaf28c-62b7-4c30-bbe5-4283aed1201c')
- def test_delete_image_member(self):
- """Delete image member
-
- RBAC test for the glance delete_member policy
- """
- image = self.create_image()
- self.image_member_client.create_image_member(image['id'],
- self.alt_tenant_id)
- # Toggle role and delete image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.delete_image_member(image['id'],
- self.alt_tenant_id)
-
- @rbac_rule_validation.action(service="glance", rule="get_members")
- @decorators.idempotent_id('a0fcd855-31ef-458c-97e0-14a448cdd6da')
- def test_list_image_members(self):
- """List image members
-
- RBAC test for the glance get_members policy
- """
- image = self.create_image()
- self.image_member_client.create_image_member(image['id'],
- self.alt_tenant_id)
- # Toggle role and delete image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.list_image_members(image['id'])
diff --git a/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
deleted file mode 100644
index a90790b..0000000
--- a/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
+++ /dev/null
@@ -1,151 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import six
-
-from tempest import config
-from tempest.lib.common.utils import data_utils
-from tempest.lib import decorators
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.image import rbac_base
-
-CONF = config.CONF
-
-
-class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
-
- @rbac_rule_validation.action(service="glance", rule="add_image")
- @decorators.idempotent_id('33248a04-6527-11e6-be0f-080027d0d606')
- def test_create_image(self):
- """Create Image Test
-
- RBAC test for the glance add_image policy.
- """
- properties = {'prop1': 'val1'}
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
-
- @rbac_rule_validation.action(service="glance", rule="delete_image")
- @decorators.idempotent_id('731c8c81-6c63-413b-a61a-050ce9ca16ad')
- def test_delete_image(self):
- """Delete Image Test
-
- RBAC test for the glance delete_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- body = self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
- image_id = body['id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.delete_image(image_id)
-
- @rbac_rule_validation.action(service="glance", rule="download_image")
- @decorators.idempotent_id('a22bf112-5a3a-419e-9cd6-9562d1a3a458')
- def test_download_image(self):
- """Download Image Test
-
- RBAC test for the glance download_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- body = self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
- image_id = body['id']
- # Now try uploading an image file
- image_file = six.BytesIO(data_utils.random_bytes())
- self.client.update_image(image_id, data=image_file)
- # Toggle role and get created image
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.show_image(image_id)
-
- @rbac_rule_validation.action(service="glance", rule="get_image")
- @decorators.idempotent_id('110257aa-6fa3-4cc0-b8dd-d93d43acd45c')
- def test_get_image(self):
- """Get Image Test
-
- RBAC test for the glance get_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- body = self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
- image_id = body['id']
- # Now try uploading an image file
- image_file = six.BytesIO(data_utils.random_bytes())
- self.client.update_image(image_id, data=image_file)
- # Toggle role and get created image
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.check_image(image_id)
-
- @rbac_rule_validation.action(service="glance", rule="get_images")
- @decorators.idempotent_id('37662238-0fe9-4dff-8d90-e02f31e7e3fb')
- def test_list_images(self):
- """Get Image Test
-
- RBAC test for the glance get_images policy.
- """
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.list_images()
-
- @rbac_rule_validation.action(service="glance", rule="modify_image")
- @decorators.idempotent_id('3a391a19-d756-4c96-a346-72cc02f6106e')
- def test_update_image(self):
- """Update Image Test
-
- RBAC test for the glance modify_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- body = self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
- image_id = body.get('id')
- properties = {'prop1': 'val2'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.update_image(image_id, headers=properties)
-
- @rbac_rule_validation.action(service="glance", rule="publicize_image")
- @decorators.idempotent_id('d5b1d09f-ba47-4d56-913e-4f38733a9a5c')
- def test_publicize_image(self):
- """Publicize Image Test
-
- RBAC test for the glance publicize_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=True,
- properties=properties)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/__init__.py b/patrole_tempest_plugin/tests/api/image/v2/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/patrole_tempest_plugin/tests/api/image/v2/__init__.py
+++ /dev/null
diff --git a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
new file mode 100644
index 0000000..506dd5b
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
@@ -0,0 +1,237 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+
+class AgentsRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(AgentsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('agent', 'network'):
+ msg = "agent extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(AgentsRbacTest, cls).resource_setup()
+ agents = cls.agents_client.list_agents()['agents']
+ cls.agent = agents[0]
+
+ @decorators.idempotent_id('f88e38e0-ab52-4b97-8ffa-48a27f9d199b')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_agent",
+ expected_error_code=404)
+ def test_show_agent(self):
+ """Show agent test.
+
+ RBAC test for the neutron get_agent policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.show_agent(self.agent['id'])
+
+ @decorators.idempotent_id('8ca68fdb-eaf6-4880-af82-ba0982949dec')
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_agent",
+ expected_error_code=404)
+ def test_update_agent(self):
+ """Update agent test.
+
+ RBAC test for the neutron update_agent policy
+ """
+ original_status = self.agent['admin_state_up']
+ agent_status = {'admin_state_up': original_status}
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.update_agent(agent_id=self.agent['id'],
+ agent=agent_status)
+
+
+class L3AgentSchedulerRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(L3AgentSchedulerRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('l3_agent_scheduler', 'network'):
+ msg = "l3_agent_scheduler extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(L3AgentSchedulerRbacTest, cls).resource_setup()
+ cls.router = cls.create_router()
+ cls.agent = None
+
+ def setUp(self):
+ super(L3AgentSchedulerRbacTest, self).setUp()
+ if self.agent is not None:
+ return
+
+ # Find an agent and validate that it is correct.
+ agents = self.agents_client.list_agents()['agents']
+ agent = {'agent_type': None}
+ for a in agents:
+ if a['agent_type'] == 'L3 agent':
+ agent = a
+ break
+ self.assertEqual(agent['agent_type'], 'L3 agent', 'Could not find '
+ 'L3 agent in agent list though l3_agent_scheduler '
+ 'is enabled.')
+ self.agent = agent
+
+ @decorators.idempotent_id('5d2bbdbc-40a5-43d2-828a-84dc93fcc453')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_l3-routers")
+ def test_list_routers_on_l3_agent(self):
+ """List routers on L3 agent test.
+
+ RBAC test for the neutron get_l3-routers policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.list_routers_on_l3_agent(self.agent['id'])
+
+ @decorators.idempotent_id('466b2a10-8747-4c09-855a-bd90a1c86ce7')
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_l3-router")
+ def test_create_router_on_l3_agent(self):
+ """Create router on L3 agent test.
+
+ RBAC test for the neutron create_l3-router policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.create_router_on_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.agents_client.delete_router_from_l3_agent,
+ self.agent['id'], router_id=self.router['id'])
+
+ @decorators.idempotent_id('8138cfc9-3e48-4a34-adf6-894077aa1be4')
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_l3-router")
+ def test_delete_router_from_l3_agent(self):
+ """Delete router from L3 agent test.
+
+ RBAC test for the neutron delete_l3-router policy
+ """
+ self.agents_client.create_router_on_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.agents_client.delete_router_from_l3_agent,
+ self.agent['id'], router_id=self.router['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.delete_router_from_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
+
+
+class DHCPAgentSchedulersRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(DHCPAgentSchedulersRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('dhcp_agent_scheduler', 'network'):
+ msg = "dhcp_agent_scheduler extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(DHCPAgentSchedulersRbacTest, cls).resource_setup()
+ cls.agent = None
+
+ def setUp(self):
+ super(DHCPAgentSchedulersRbacTest, self).setUp()
+ if self.agent is not None:
+ return
+
+ # Find a DHCP agent and validate that it is correct.
+ agents = self.agents_client.list_agents()['agents']
+ agent = {'agent_type': None}
+ for a in agents:
+ if a['agent_type'] == 'DHCP agent':
+ agent = a
+ break
+ self.assertEqual(agent['agent_type'], 'DHCP agent', 'Could not find '
+ 'DHCP agent in agent list though dhcp_agent_scheduler'
+ ' is enabled.')
+ self.agent = agent
+
+ def _create_and_prepare_network_for_agent(self, agent_id):
+ """Create network and ensure it is not hosted by agent_id."""
+ network_id = self.create_network()['id']
+
+ if self._check_network_in_dhcp_agent(network_id, agent_id):
+ self.agents_client.delete_network_from_dhcp_agent(
+ agent_id=agent_id, network_id=network_id)
+
+ return network_id
+
+ def _check_network_in_dhcp_agent(self, network_id, agent_id):
+ networks = self.agents_client.list_networks_hosted_by_one_dhcp_agent(
+ agent_id)['networks'] or []
+ return network_id in [network['id'] for network in networks]
+
+ @decorators.idempotent_id('dc84087b-4c2a-4878-8ed0-40370e19da17')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_dhcp-networks")
+ def test_list_networks_hosted_by_one_dhcp_agent(self):
+ """List networks hosted by one DHCP agent test.
+
+ RBAC test for the neutron get_dhcp-networks policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.list_networks_hosted_by_one_dhcp_agent(
+ self.agent['id'])
+
+ @decorators.idempotent_id('14e014ac-f355-46d3-b6d8-98f2c9ec1610')
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_dhcp-network")
+ def test_add_dhcp_agent_to_network(self):
+ """Add DHCP agent to network test.
+
+ RBAC test for the neutron create_dhcp-network policy
+ """
+ network_id = self._create_and_prepare_network_for_agent(
+ self.agent['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.add_dhcp_agent_to_network(
+ self.agent['id'], network_id=network_id)
+ # Clean up is not necessary and might result in 409 being raised.
+
+ @decorators.idempotent_id('937a4302-4b49-407d-9980-5843d7badc38')
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_dhcp-network")
+ def test_delete_network_from_dhcp_agent(self):
+ """Delete DHCP agent from network test.
+
+ RBAC test for the neutron delete_dhcp-network policy
+ """
+ network_id = self._create_and_prepare_network_for_agent(
+ self.agent['id'])
+ self.agents_client.add_dhcp_agent_to_network(
+ self.agent['id'], network_id=network_id)
+ # Clean up is not necessary and might result in 409 being raised.
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.delete_network_from_dhcp_agent(
+ self.agent['id'], network_id=network_id)
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
new file mode 100644
index 0000000..68f5156
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
@@ -0,0 +1,96 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+
+class SubnetsRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(SubnetsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('subnet_allocation', 'network'):
+ msg = "subnet_allocation extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(SubnetsRbacTest, cls).resource_setup()
+ cls.network = cls.create_network()
+ cls.subnet = cls.create_subnet(cls.network)
+
+ @decorators.idempotent_id('0481adeb-4301-44d5-851c-35910cc18a6b')
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_subnet")
+ def test_create_subnet(self):
+ """Create subnet.
+
+ RBAC test for the neutron "create_subnet" policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.create_subnet(self.network)
+
+ @decorators.idempotent_id('c02618e7-bb20-4abd-83c8-6eec2af08752')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_subnet")
+ def test_show_subnet(self):
+ """Show subnet.
+
+ RBAC test for the neutron "get_subnet" policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.subnets_client.show_subnet(self.subnet['id'])
+
+ @decorators.idempotent_id('e2ddc415-5cab-43f4-9b61-166aed65d637')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_subnet")
+ def test_list_subnets(self):
+ """List subnets.
+
+ RBAC test for the neutron "get_subnet" policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.subnets_client.list_subnets()
+
+ @decorators.idempotent_id('f36cd821-dd22-4bd0-b43d-110fc4b553eb')
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_subnet")
+ def test_update_subnet(self):
+ """Update subnet.
+
+ RBAC test for the neutron "update_subnet" policy
+ """
+ update_name = data_utils.rand_name(self.__class__.__name__ + '-Subnet')
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.subnets_client.update_subnet(self.subnet['id'], name=update_name)
+
+ @decorators.idempotent_id('bcfc7153-bbd1-43a4-a908-b3e1b0cde0dc')
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_subnet")
+ def test_delete_subnet(self):
+ """Delete subnet.
+
+ RBAC test for the neutron "delete_subnet" policy
+ """
+ subnet = self.create_subnet(self.network)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.subnets_client.delete_subnet(subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index afa83a6..7916c8c 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -29,16 +29,10 @@
class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
- # TODO(felipemonteiro): "volume_extension:volume_actions:upload_public"
- # test can be created once volumes v3 client is created in Tempest.
-
@classmethod
def setup_clients(cls):
super(VolumesActionsRbacTest, cls).setup_clients()
- if CONF.image_feature_enabled.api_v1:
- cls.image_client = cls.os_primary.image_client
- elif CONF.image_feature_enabled.api_v2:
- cls.image_client = cls.os_primary.image_client_v2
+ cls.admin_image_client = cls.os_admin.image_client_v2
@classmethod
def resource_setup(cls):
@@ -90,6 +84,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._detach_volume()
+ @test.attr(type=["slow"])
@test.services('image')
@rbac_rule_validation.action(
service="cinder",
@@ -107,9 +102,10 @@
disk_format=CONF.volume.disk_format)['os-volume_upload_image']
image_id = body["image_id"]
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.image_client.delete_image,
+ self.admin_image_client.delete_image,
image_id)
- waiters.wait_for_image_status(self.image_client, image_id, 'active')
+ waiters.wait_for_image_status(self.admin_image_client, image_id,
+ 'active')
waiters.wait_for_volume_resource_status(self.os_admin.volumes_client,
self.volume['id'], 'available')
@@ -213,6 +209,41 @@
_api_version = 3
+class VolumesActionsV310RbacTest(rbac_base.BaseVolumeRbacTest):
+ _api_version = 3
+ min_microversion = '3.10'
+ max_microversion = 'latest'
+
+ @classmethod
+ def setup_clients(cls):
+ super(VolumesActionsV310RbacTest, cls).setup_clients()
+ cls.admin_image_client = cls.os_admin.image_client_v2
+
+ @test.attr(type=["slow"])
+ @test.services('image')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_actions:upload_public")
+ @decorators.idempotent_id('578a84dd-a6bd-4f97-a418-4a0c3c272c08')
+ def test_volume_upload_public(self):
+ # This also enforces "volume_extension:volume_actions:upload_image".
+ volume = self.create_volume()
+ image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.volumes_client.upload_volume(
+ volume['id'], image_name=image_name, visibility="public",
+ disk_format=CONF.volume.disk_format)['os-volume_upload_image']
+ image_id = body["image_id"]
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.admin_image_client.delete_image,
+ image_id)
+ waiters.wait_for_image_status(self.admin_image_client, image_id,
+ 'active')
+ waiters.wait_for_volume_resource_status(self.os_admin.volumes_client,
+ volume['id'], 'available')
+
+
class VolumesActionsV312RbacTest(rbac_base.BaseVolumeRbacTest):
_api_version = 3
min_microversion = '3.12'
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
index 9e93658..8c4185b 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
@@ -25,14 +25,6 @@
class VolumeMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
@classmethod
- def setup_clients(cls):
- super(VolumeMetadataRbacTest, cls).setup_clients()
- if CONF.image_feature_enabled.api_v1:
- cls.image_client = cls.os_primary.image_client
- elif CONF.image_feature_enabled.api_v2:
- cls.image_client = cls.os_primary.image_client_v2
-
- @classmethod
def resource_setup(cls):
super(VolumeMetadataRbacTest, cls).resource_setup()
cls.volume = cls.create_volume()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
new file mode 100644
index 0000000..8fd68a3
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
@@ -0,0 +1,81 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+
+class VolumeTypesAccessRbacTest(rbac_base.BaseVolumeRbacTest):
+ _api_version = 3
+
+ @classmethod
+ def skip_checks(cls):
+ super(VolumeTypesAccessRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-volume-type-access', 'volume'):
+ msg = "os-volume-type-access extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumeTypesAccessRbacTest, cls).resource_setup()
+ cls.vol_type = cls.create_volume_type(
+ **{'os-volume-type-access:is_public': False})
+ cls.project_id = cls.auth_provider.credentials.project_id
+
+ def _add_type_access(self, ignore_not_found=False):
+ self.volume_types_client.add_type_access(
+ self.vol_type['id'], project=self.project_id)
+
+ if ignore_not_found:
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.volume_types_client.remove_type_access,
+ self.vol_type['id'], project=self.project_id)
+ else:
+ self.addCleanup(self.volume_types_client.remove_type_access,
+ self.vol_type['id'], project=self.project_id)
+
+ @decorators.idempotent_id('af70e6ad-e931-419f-9200-8bcc284e4e47')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_type_access")
+ def test_list_type_access(self):
+ self._add_type_access()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.list_type_access(self.vol_type['id'])[
+ 'volume_type_access']
+
+ @decorators.idempotent_id('b462eeba-45d0-4d6e-945a-a1d27708d367')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_type_access:addProjectAccess")
+ def test_add_type_access(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self._add_type_access(ignore_not_found=True)
+
+ @decorators.idempotent_id('8f848aeb-636a-46f1-aeeb-e2a60e9d2bfe')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_type_access:removeProjectAccess")
+ def test_remove_type_access(self):
+ self._add_type_access(ignore_not_found=True)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.remove_type_access(
+ self.vol_type['id'], project=self.project_id)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
index 94199b5..97eaab7 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
@@ -13,21 +13,88 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
+from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
class VolumeTypesExtraSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
+ _api_version = 3
+
+ @classmethod
+ def skip_checks(cls):
+ super(VolumeTypesExtraSpecsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-types-extra-specs', 'volume'):
+ msg = "os-types-extra-specs extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumeTypesExtraSpecsRbacTest, cls).resource_setup()
+ cls.vol_type = cls.create_volume_type()
+ cls.spec_key = data_utils.rand_name(cls.__name__ + '-Spec')
+
+ def _create_volume_type_extra_specs(self, ignore_not_found=False):
+ extra_specs = {self.spec_key: "val1"}
+ self.volume_types_client.create_volume_type_extra_specs(
+ self.vol_type['id'], extra_specs)
+
+ if ignore_not_found:
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.volume_types_client.delete_volume_type_extra_specs,
+ self.vol_type['id'], self.spec_key)
+ else:
+ self.addCleanup(
+ self.volume_types_client.delete_volume_type_extra_specs,
+ self.vol_type['id'], self.spec_key)
+
+ @decorators.idempotent_id('76c36be2-2b6c-4acf-9aac-c9dc5c17cdbe')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_list_volume_types_extra_specs(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.list_volume_types_extra_specs(
+ self.vol_type['id'])['extra_specs']
@rbac_rule_validation.action(service="cinder",
rule="volume_extension:types_extra_specs")
@decorators.idempotent_id('eea40251-990b-49b0-99ae-10e4585b479b')
def test_create_volume_type_extra_specs(self):
- vol_type = self.create_volume_type()
- # List Volume types extra specs.
- extra_specs = {"spec1": "val1"}
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volume_types_client.create_volume_type_extra_specs(
- vol_type['id'], extra_specs)
+ self._create_volume_type_extra_specs(ignore_not_found=True)
+
+ @decorators.idempotent_id('e2dcc9c6-2fef-431d-afaf-92b45bc76d1a')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_show_volume_type_extra_specs(self):
+ self._create_volume_type_extra_specs()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.show_volume_type_extra_specs(
+ self.vol_type['id'], self.spec_key)
+
+ @decorators.idempotent_id('93001912-f938-41c7-8787-62dc7010fd52')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_delete_volume_type_extra_specs(self):
+ self._create_volume_type_extra_specs(ignore_not_found=True)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.delete_volume_type_extra_specs(
+ self.vol_type['id'], self.spec_key)
+
+ @decorators.idempotent_id('0a444437-7402-4fbe-a18a-93af2ee00618')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_update_volume_type_extra_specs(self):
+ self._create_volume_type_extra_specs()
+ update_extra_specs = {self.spec_key: "val2"}
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.update_volume_type_extra_specs(
+ self.vol_type['id'], self.spec_key, update_extra_specs)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
index 25c8504..2861531 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -100,6 +100,8 @@
volume_id=self.volume['id'])['backup']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.backups_client.delete_backup, backup['id'])
+ waiters.wait_for_volume_resource_status(self.os_admin.backups_client,
+ backup['id'], 'available')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.backups_client.delete_backup(backup['id'])
diff --git a/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml b/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml
new file mode 100644
index 0000000..9be15fc
--- /dev/null
+++ b/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Added RBAC tests for volume type access and volume type extra specs
+ APIs, providing coverage for the following policy actions:
+
+ * "volume_extension:types_extra_specs"
+ * "volume_extension:volume_type_access"
+ * "volume_extension:volume_type_access:addProjectAccess"
+ * "volume_extension:volume_type_access:removeProjectAccess"
diff --git a/releasenotes/notes/glance-v1-api-deprecated-1aba7b6ae0b6e063.yaml b/releasenotes/notes/glance-v1-api-deprecated-1aba7b6ae0b6e063.yaml
new file mode 100644
index 0000000..dffd064
--- /dev/null
+++ b/releasenotes/notes/glance-v1-api-deprecated-1aba7b6ae0b6e063.yaml
@@ -0,0 +1,4 @@
+---
+deprecations:
+ - Glance v1 APIs are deprecated and v2 APIs are current. Glance v1 APIs are
+ removed from volume tests and Glance v1 RBAC tests are removed.
diff --git a/releasenotes/notes/lock-server-460767a02d15bb29.yaml b/releasenotes/notes/lock-server-460767a02d15bb29.yaml
new file mode 100644
index 0000000..7af7ff3
--- /dev/null
+++ b/releasenotes/notes/lock-server-460767a02d15bb29.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Adds tests for Nova's lock_server policies: lock,
+ unlock, and unlock_override.
diff --git a/releasenotes/notes/rbac-tests-for-network-agents-fbc899925b5948b1.yaml b/releasenotes/notes/rbac-tests-for-network-agents-fbc899925b5948b1.yaml
new file mode 100644
index 0000000..64deadc
--- /dev/null
+++ b/releasenotes/notes/rbac-tests-for-network-agents-fbc899925b5948b1.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ Implements RBAC tests for Tempest network agents_client, providing
+ coverage for the following policies:
+
+ * update_agent
+ * get_agent
+ * create_dhcp-network
+ * delete_dhcp-network
+ * get_dhcp-networks
+ * create_l3-router
+ * delete_l3-router
+ * get_l3-routers
diff --git a/releasenotes/notes/subnet-rbac-tests-6d3cf54e39a7b486.yaml b/releasenotes/notes/subnet-rbac-tests-6d3cf54e39a7b486.yaml
new file mode 100644
index 0000000..8d3d22a
--- /dev/null
+++ b/releasenotes/notes/subnet-rbac-tests-6d3cf54e39a7b486.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Add RBAC tests for network subnet endpoints, providing coverage for the
+ following policy actions:
+
+ * create_subnet
+ * get_subnet
+ * update_subnet
+ * delete_subnet
diff --git a/releasenotes/notes/test_tokens_rbac-7f36919b786e9ffc.yaml b/releasenotes/notes/test_tokens_rbac-7f36919b786e9ffc.yaml
new file mode 100644
index 0000000..5ff448b
--- /dev/null
+++ b/releasenotes/notes/test_tokens_rbac-7f36919b786e9ffc.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Added RBAC test scenarios for the token-related admin v2 identity API.
diff --git a/releasenotes/notes/volume-upload-public-test-f8e741a838ae7607.yaml b/releasenotes/notes/volume-upload-public-test-f8e741a838ae7607.yaml
new file mode 100644
index 0000000..c8c0ecd
--- /dev/null
+++ b/releasenotes/notes/volume-upload-public-test-f8e741a838ae7607.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add RBAC test to provide coverage for the following cinder policy:
+ "volume_extension:volume_actions:upload_public".