Correct policy action for reserve/unreserve volume actions
This PS corrects the policy action for reserve and unreserve
volume actions. There are a few policy actions that currently
have the wrong name. This PS is a prerequisite for removing
the strict_policy_enforce Patrole configuration option in order
to avoid false positives (e.g. a non-existent policy action
being validated against an API).
The os-reserve volume action actually enforces
"volume_extension:volume_actions:reserve" and os-unreserve
actually enforces "volume_extension:volume_actions:reserve" [0].
[0] https://github.com/openstack/cinder/blob/ae7355c1f8d5d137bfb8bdf7b521ff5519cc20f8/cinder/policies/volume_actions.py#L197
Change-Id: Ib1b68cbde992b57619e877e0a4fe2f1948fdd6c1
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index 466fb0c..c3f0cfe 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -141,15 +141,17 @@
bootable=True)
@decorators.idempotent_id('41566922-75a1-4484-99c7-9c8782ee99ac')
- @rbac_rule_validation.action(service="cinder",
- rule="volume:reserve_volume")
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_actions:reserve")
def test_volume_reserve(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volumes_client.reserve_volume(self.volume['id'])
@decorators.idempotent_id('e5fa9564-77d9-4e57-b0c0-3e0ae4d08535')
- @rbac_rule_validation.action(service="cinder",
- rule="volume:unreserve_volume")
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_actions:unreserve")
def test_volume_unreserve(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volumes_client.unreserve_volume(self.volume['id'])
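Review bot: The rule on `test_volume_unreserve` is `volume_extension:volume_actions:unreserve`, but the commit description says os-unreserve enforces `volume_extension:volume_actions:reserve`, so the code and the description disagree. A rule name that does not match what cinder registers is the false-positive case this change is meant to remove, so the string should be checked against the policy file linked as [0] and whichever side is wrong corrected. Neither decorator says where its rule name comes from; a short comment above each, such as `# Rule name as registered in cinder/policies/volume_actions.py`, would make later drift between Patrole and cinder easier to spot in review.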