Add vol extra specs/type access RBAC tests
Added RBAC tests for volume type access API and additional tests for
volume type extra specs API (there was only 1 test for this API
before this patch), providing coverage for the following policy actions:
* "volume_extension:types_extra_specs"
* "volume_extension:volume_type_access"
* "volume_extension:volume_type_access:addProjectAccess"
* "volume_extension:volume_type_access:removeProjectAccess"
Change-Id: I99628d26fb594967a49d30319921b9b60f0b5eaf
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
new file mode 100644
index 0000000..8fd68a3
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
@@ -0,0 +1,81 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+
+class VolumeTypesAccessRbacTest(rbac_base.BaseVolumeRbacTest):
+ _api_version = 3
+
+ @classmethod
+ def skip_checks(cls):
+ super(VolumeTypesAccessRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-volume-type-access', 'volume'):
+ msg = "os-volume-type-access extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumeTypesAccessRbacTest, cls).resource_setup()
+ cls.vol_type = cls.create_volume_type(
+ **{'os-volume-type-access:is_public': False})
+ cls.project_id = cls.auth_provider.credentials.project_id
+
+ def _add_type_access(self, ignore_not_found=False):
+ self.volume_types_client.add_type_access(
+ self.vol_type['id'], project=self.project_id)
+
+ if ignore_not_found:
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.volume_types_client.remove_type_access,
+ self.vol_type['id'], project=self.project_id)
+ else:
+ self.addCleanup(self.volume_types_client.remove_type_access,
+ self.vol_type['id'], project=self.project_id)
+
+ @decorators.idempotent_id('af70e6ad-e931-419f-9200-8bcc284e4e47')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_type_access")
+ def test_list_type_access(self):
+ self._add_type_access()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.list_type_access(self.vol_type['id'])[
+ 'volume_type_access']
+
+ @decorators.idempotent_id('b462eeba-45d0-4d6e-945a-a1d27708d367')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_type_access:addProjectAccess")
+ def test_add_type_access(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self._add_type_access(ignore_not_found=True)
+
+ @decorators.idempotent_id('8f848aeb-636a-46f1-aeeb-e2a60e9d2bfe')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_type_access:removeProjectAccess")
+ def test_remove_type_access(self):
+ self._add_type_access(ignore_not_found=True)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.remove_type_access(
+ self.vol_type['id'], project=self.project_id)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
index 94199b5..97eaab7 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
@@ -13,21 +13,88 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
+from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
class VolumeTypesExtraSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
+ _api_version = 3
+
+ @classmethod
+ def skip_checks(cls):
+ super(VolumeTypesExtraSpecsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-types-extra-specs', 'volume'):
+ msg = "os-types-extra-specs extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumeTypesExtraSpecsRbacTest, cls).resource_setup()
+ cls.vol_type = cls.create_volume_type()
+ cls.spec_key = data_utils.rand_name(cls.__name__ + '-Spec')
+
+ def _create_volume_type_extra_specs(self, ignore_not_found=False):
+ extra_specs = {self.spec_key: "val1"}
+ self.volume_types_client.create_volume_type_extra_specs(
+ self.vol_type['id'], extra_specs)
+
+ if ignore_not_found:
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.volume_types_client.delete_volume_type_extra_specs,
+ self.vol_type['id'], self.spec_key)
+ else:
+ self.addCleanup(
+ self.volume_types_client.delete_volume_type_extra_specs,
+ self.vol_type['id'], self.spec_key)
+
+ @decorators.idempotent_id('76c36be2-2b6c-4acf-9aac-c9dc5c17cdbe')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_list_volume_types_extra_specs(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.list_volume_types_extra_specs(
+ self.vol_type['id'])['extra_specs']
@rbac_rule_validation.action(service="cinder",
rule="volume_extension:types_extra_specs")
@decorators.idempotent_id('eea40251-990b-49b0-99ae-10e4585b479b')
def test_create_volume_type_extra_specs(self):
- vol_type = self.create_volume_type()
- # List Volume types extra specs.
- extra_specs = {"spec1": "val1"}
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volume_types_client.create_volume_type_extra_specs(
- vol_type['id'], extra_specs)
+ self._create_volume_type_extra_specs(ignore_not_found=True)
+
+ @decorators.idempotent_id('e2dcc9c6-2fef-431d-afaf-92b45bc76d1a')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_show_volume_type_extra_specs(self):
+ self._create_volume_type_extra_specs()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.show_volume_type_extra_specs(
+ self.vol_type['id'], self.spec_key)
+
+ @decorators.idempotent_id('93001912-f938-41c7-8787-62dc7010fd52')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_delete_volume_type_extra_specs(self):
+ self._create_volume_type_extra_specs(ignore_not_found=True)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.delete_volume_type_extra_specs(
+ self.vol_type['id'], self.spec_key)
+
+ @decorators.idempotent_id('0a444437-7402-4fbe-a18a-93af2ee00618')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_update_volume_type_extra_specs(self):
+ self._create_volume_type_extra_specs()
+ update_extra_specs = {self.spec_key: "val2"}
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.update_volume_type_extra_specs(
+ self.vol_type['id'], self.spec_key, update_extra_specs)
diff --git a/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml b/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml
new file mode 100644
index 0000000..9be15fc
--- /dev/null
+++ b/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Added RBAC tests for volume type access and volume type extra specs
+ APIs, providing coverage for the following policy actions:
+
+ * "volume_extension:types_extra_specs"
+ * "volume_extension:volume_type_access"
+ * "volume_extension:volume_type_access:addProjectAccess"
+ * "volume_extension:volume_type_access:removeProjectAccess"