Fixes instance actions compute rbac test failing for Member role.

Currently, test_get_instance_action is failing with an over
permission error with Member role [0]. Even though
the policy action os-instance-actions:events has rule
admin_api (is_admin:True) [1], Nova still allows the
API call (servers_client.show_instance_actions) to be
performed.

This can be seen in the nova controller code [2]:
InstanceActionsController.show enforces
os_compute_api:os-instance-actions (which allows
Member to get some instance action info), then
tries to do os_compute_api:os-instance-actions:events,
but fails, which is not a fatal error; instead,
the response body is not populated with "events"
info.

This patch adds a check for "events" in the response
body to the test: if "events" is not found,
then an RbacActionFailed exception is raised.

[0] http://logs.openstack.org/99/446799/1/check/gate-tempest-dsvm-patrole-member-ubuntu-xenial-nv/6072e55/console.html
[1] https://github.com/openstack/nova/blob/master/nova/policies/instance_actions.py
[2] https://github.com/openstack/nova/blob/4f91ed3a547965ed96a22520edcfb783e7936e95/nova/api/openstack/compute/instance_actions.py

Change-Id: Iecae5aafaa51eb28f06d34556027be8b0bb46708
Partial-Bug: #1670553

diff --git a/patrole_tempest_plugin/tests/api/compute/test_instance_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_instance_actions_rbac.py
index 2903342..dcf3c90 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_instance_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_instance_actions_rbac.py
@@ -16,6 +16,7 @@
from tempest.lib import decorators
from tempest import test
+from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -54,5 +55,7 @@
rule="os_compute_api:os-instance-actions:events")
def test_get_instance_action(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.client.show_instance_action(
+ instance_action = self.client.show_instance_action(
self.server['id'], self.request_id)['instanceAction']
+ if 'events' not in instance_action:
+ raise rbac_exceptions.RbacActionFailed
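
Review bot: the bare `raise rbac_exceptions.RbacActionFailed` at the end of test_get_instance_action carries no message, and the new check has no comment, so a failing run will not say that the missing "events" key is what triggered it. Raise an instance with a short message naming the rule os_compute_api:os-instance-actions:events and the absent key (assuming the exception class accepts a message), and add a one-line comment above `if 'events' not in instance_action:` stating that a successful response without "events" is being treated as a policy denial, since that is not obvious from the test body alone.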