Merge "Migrate to override_role for image module (part 1)"
diff --git a/.gitignore b/.gitignore
index b77e7f3..350e0da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,6 +44,7 @@
# Sphinx
doc/build
+doc/source/_static/patrole.conf.sample
# pbr generates these
AUTHORS
diff --git a/doc/source/framework/overview.rst b/doc/source/framework/overview.rst
index 1c9bf3b..d862770 100644
--- a/doc/source/framework/overview.rst
+++ b/doc/source/framework/overview.rst
@@ -7,32 +7,32 @@
RBAC testing validation is broken up into 3 stages:
- #. "Expected" stage. Determine whether the test should be able to succeed
- or fail based on the test role defined by ``[patrole] rbac_test_role``)
- and the policy action that the test enforces.
- #. "Actual" stage. Run the test by calling the API endpoint that enforces
- the expected policy action using the test role.
- #. Comparing the outputs from both stages for consistency. A "consistent"
- result is treated as a pass and an "inconsistent" result is treated
- as a failure. "Consistent" (or successful) cases include:
+#. "Expected" stage. Determine whether the test should be able to succeed
+ or fail based on the test role defined by ``[patrole] rbac_test_role``)
+ and the policy action that the test enforces.
+#. "Actual" stage. Run the test by calling the API endpoint that enforces
+ the expected policy action using the test role.
+#. Comparing the outputs from both stages for consistency. A "consistent"
+ result is treated as a pass and an "inconsistent" result is treated
+ as a failure. "Consistent" (or successful) cases include:
- * Expected result is ``True`` and the test passes.
- * Expected result is ``False`` and the test fails.
+ * Expected result is ``True`` and the test passes.
+ * Expected result is ``False`` and the test fails.
- For example, a 200 from the API call and a ``True`` result from
- ``oslo.policy`` or a 403 from the API call and a ``False`` result from
- ``oslo.policy`` are successful results.
+ For example, a 200 from the API call and a ``True`` result from
+ ``oslo.policy`` or a 403 from the API call and a ``False`` result from
+ ``oslo.policy`` are successful results.
- "Inconsistent" (or failing) cases include:
+ "Inconsistent" (or failing) cases include:
- * Expected result is ``False`` and the test passes. This results in an
- ``RbacOverPermission`` exception getting thrown.
- * Expected result is ``True`` and the test fails. This results in a
- ``Forbidden`` exception getting thrown.
+ * Expected result is ``False`` and the test passes. This results in an
+ ``RbacOverPermission`` exception getting thrown.
+ * Expected result is ``True`` and the test fails. This results in a
+ ``Forbidden`` exception getting thrown.
- For example, a 200 from the API call and a ``False`` result from
- ``oslo.policy`` or a 403 from the API call and a ``True`` result from
- ``oslo.policy`` are failing results.
+ For example, a 200 from the API call and a ``False`` result from
+ ``oslo.policy`` or a 403 from the API call and a ``True`` result from
+ ``oslo.policy`` are failing results.
-------------------------------
The RBAC Rule Validation Module
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index fc8b145..75d1baa 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -43,15 +43,15 @@
A decorator which allows for positive and negative RBAC testing. Given:
- * an OpenStack service,
- * a policy action (``rule``) enforced by that service, and
- * the test role defined by ``[patrole] rbac_test_role``
+ * an OpenStack service,
+ * a policy action (``rule``) enforced by that service, and
+ * the test role defined by ``[patrole] rbac_test_role``
determines whether the test role has sufficient permissions to perform an
API call that enforces the ``rule``.
This decorator should only be applied to an instance or subclass of
- ``tempest.test.BaseTestCase``.
+ ``tempest.test.BaseTestCase``.
The result from ``_is_authorized`` is used to determine the *expected*
test result. The *actual* test result is determined by running the
@@ -306,14 +306,14 @@
Before being formatted, "extra_target_data" is a dictionary that maps a
policy string like "trust.trustor_user_id" to a nested list of
``tempest.test.BaseTestCase`` attributes. For example, the attribute list
- in:
+ in::
- "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
+ "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
is parsed by iteratively calling ``getattr`` until the value of "user_id"
- is resolved. The resulting dictionary returns:
+ is resolved. The resulting dictionary returns::
- "trust.trustor_user_id": "the user_id of the `os_primary` credential"
+ "trust.trustor_user_id": "the user_id of the `os_primary` credential"
:param test_obj: An instance or subclass of ``tempest.test.BaseTestCase``.
:param extra_target_data: Dictionary, keyed with ``oslo.policy`` generic
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 4ef0f80..51d1d25 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -68,8 +68,9 @@
"""Override the role used by ``os_primary`` Tempest credentials.
Temporarily change the role used by ``os_primary`` credentials to:
- * ``[patrole] rbac_test_role`` before test execution
- * ``[identity] admin_role`` after test execution
+
+ * ``[patrole] rbac_test_role`` before test execution
+ * ``[identity] admin_role`` after test execution
Automatically switches to admin role after test execution.
@@ -111,8 +112,9 @@
"""Switch the role used by `os_primary` Tempest credentials.
Switch the role used by `os_primary` credentials to:
- * admin if `toggle_rbac_role` is False
- * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
+
+ * admin if `toggle_rbac_role` is False
+ * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
:param test_obj: test object of type tempest.lib.base.BaseTestCase
:param toggle_rbac_role: role to switch `os_primary` Tempest creds to
diff --git a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
index fb747d6..6b03ebe 100644
--- a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
@@ -45,8 +45,8 @@
RBAC test for the neutron get_agent policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.show_agent(self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.show_agent(self.agent['id'])
@decorators.idempotent_id('8ca68fdb-eaf6-4880-af82-ba0982949dec')
@rbac_rule_validation.action(service="neutron",
@@ -60,9 +60,9 @@
original_status = self.agent['admin_state_up']
agent_status = {'admin_state_up': original_status}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.update_agent(agent_id=self.agent['id'],
- agent=agent_status)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.update_agent(agent_id=self.agent['id'],
+ agent=agent_status)
class L3AgentSchedulerRbacTest(base.BaseNetworkRbacTest):
@@ -105,8 +105,8 @@
RBAC test for the neutron get_l3-routers policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_routers_on_l3_agent(self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_routers_on_l3_agent(self.agent['id'])
@decorators.idempotent_id('466b2a10-8747-4c09-855a-bd90a1c86ce7')
@rbac_rule_validation.action(service="neutron",
@@ -116,9 +116,9 @@
RBAC test for the neutron create_l3-router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.create_router_on_l3_agent(
- self.agent['id'], router_id=self.router['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.create_router_on_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.agents_client.delete_router_from_l3_agent,
@@ -139,9 +139,9 @@
self.agents_client.delete_router_from_l3_agent,
self.agent['id'], router_id=self.router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_router_from_l3_agent(
- self.agent['id'], router_id=self.router['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_router_from_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
class DHCPAgentSchedulersRbacTest(base.BaseNetworkRbacTest):
@@ -198,9 +198,9 @@
RBAC test for the neutron get_dhcp-networks policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_networks_hosted_by_one_dhcp_agent(
- self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_networks_hosted_by_one_dhcp_agent(
+ self.agent['id'])
@decorators.idempotent_id('14e014ac-f355-46d3-b6d8-98f2c9ec1610')
@rbac_rule_validation.action(service="neutron",
@@ -213,9 +213,9 @@
network_id = self._create_and_prepare_network_for_agent(
self.agent['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.add_dhcp_agent_to_network(
- self.agent['id'], network_id=network_id)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.add_dhcp_agent_to_network(
+ self.agent['id'], network_id=network_id)
# Clean up is not necessary and might result in 409 being raised.
@decorators.idempotent_id('937a4302-4b49-407d-9980-5843d7badc38')
@@ -232,6 +232,6 @@
self.agent['id'], network_id=network_id)
# Clean up is not necessary and might result in 409 being raised.
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_network_from_dhcp_agent(
- self.agent['id'], network_id=network_id)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_network_from_dhcp_agent(
+ self.agent['id'], network_id=network_id)
diff --git a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
index dc674d1..20e4aa7 100644
--- a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -70,8 +70,8 @@
RBAC test for the neutron create_floatingip policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_floatingip()
+ with self.rbac_utils.override_role(self):
+ self._create_floatingip()
@rbac_rule_validation.action(service="neutron",
rule="create_floatingip:floating_ip_address")
@@ -83,8 +83,8 @@
"""
fip = str(netaddr.IPAddress(self.cidr) + 10)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_floatingip(floating_ip_address=fip)
+ with self.rbac_utils.override_role(self):
+ self._create_floatingip(floating_ip_address=fip)
@rbac_rule_validation.action(service="neutron",
rule="update_floatingip")
@@ -95,11 +95,10 @@
RBAC test for the neutron update_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- # Associate floating IP to the other port
- self.floating_ips_client.update_floatingip(
- floating_ip['id'], port_id=None)
+ with self.rbac_utils.override_role(self):
+ # Associate floating IP to the other port
+ self.floating_ips_client.update_floatingip(
+ floating_ip['id'], port_id=None)
@rbac_rule_validation.action(service="neutron",
rule="get_floatingip",
@@ -111,9 +110,9 @@
RBAC test for the neutron get_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Show floating IP
- self.floating_ips_client.show_floatingip(floating_ip['id'])
+ with self.rbac_utils.override_role(self):
+ # Show floating IP
+ self.floating_ips_client.show_floatingip(floating_ip['id'])
@rbac_rule_validation.action(service="neutron",
rule="delete_floatingip",
@@ -125,6 +124,6 @@
RBAC test for the neutron delete_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Delete the floating IP
- self.floating_ips_client.delete_floatingip(floating_ip['id'])
+ with self.rbac_utils.override_role(self):
+ # Delete the floating IP
+ self.floating_ips_client.delete_floatingip(floating_ip['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index fff2ada..ab85745 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -63,8 +63,8 @@
RBAC test for the neutron create_router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router()
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router()
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -77,8 +77,8 @@
RBAC test for the neutron create_router:ha policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(ha=True)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(ha=True)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -91,8 +91,8 @@
RBAC test for the neutron create_router:distributed policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(distributed=True)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(distributed=True)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -111,9 +111,9 @@
external_gateway_info = {'network_id': self.network['id'],
'enable_snat': True}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(
- name=name, external_gateway_info=external_gateway_info)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(
+ name=name, external_gateway_info=external_gateway_info)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -136,9 +136,9 @@
'enable_snat': False, # Default is True.
'external_fixed_ips': [external_fixed_ips]}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(
- name=name, external_gateway_info=external_gateway_info)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(
+ name=name, external_gateway_info=external_gateway_info)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -151,9 +151,9 @@
RBAC test for the neutron get_router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
# Prevent other policies from being enforced by using barebones fields.
- self.routers_client.show_router(self.router['id'], fields=['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.show_router(self.router['id'], fields=['id'])
@decorators.idempotent_id('3ed26ea2-b419-410c-b4b5-576c1edafa06')
@utils.requires_ext(extension='dvr', service='network')
@@ -167,9 +167,9 @@
router = self.routers_client.create_router(distributed=True)['router']
self.addCleanup(self.routers_client.delete_router, router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_fields = self.routers_client.show_router(
- router['id'], fields=['distributed'])['router']
+ with self.rbac_utils.override_role(self):
+ retrieved_fields = self.routers_client.show_router(
+ router['id'], fields=['distributed'])['router']
# Rather than throwing a 403, the field is not present, so raise exc.
if 'distributed' not in retrieved_fields:
@@ -188,9 +188,9 @@
router = self.routers_client.create_router(ha=True)['router']
self.addCleanup(self.routers_client.delete_router, router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_fields = self.routers_client.show_router(
- router['id'], fields=['ha'])['router']
+ with self.rbac_utils.override_role(self):
+ retrieved_fields = self.routers_client.show_router(
+ router['id'], fields=['ha'])['router']
# Rather than throwing a 403, the field is not present, so raise exc.
if 'ha' not in retrieved_fields:
@@ -207,8 +207,8 @@
"""
new_name = data_utils.rand_name(
self.__class__.__name__ + '-new-router-name')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'], name=new_name)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'], name=new_name)
@rbac_rule_validation.action(
service="neutron", rule="update_router:external_gateway_info")
@@ -219,9 +219,9 @@
RBAC test for the neutron
update_router:external_gateway_info policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'],
- external_gateway_info={})
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'],
+ external_gateway_info={})
@rbac_rule_validation.action(
service="neutron",
@@ -233,10 +233,10 @@
RBAC test for the neutron
update_router:external_gateway_info:network_id policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(
- self.router['id'],
- external_gateway_info={'network_id': self.network['id']})
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(
+ self.router['id'],
+ external_gateway_info={'network_id': self.network['id']})
self.addCleanup(
self.routers_client.update_router,
self.router['id'],
@@ -253,11 +253,11 @@
RBAC test for the neutron
update_router:external_gateway_info:enable_snat policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(
- self.router['id'],
- external_gateway_info={'network_id': self.network['id'],
- 'enable_snat': True})
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(
+ self.router['id'],
+ external_gateway_info={'network_id': self.network['id'],
+ 'enable_snat': True})
self.addCleanup(
self.routers_client.update_router,
self.router['id'],
@@ -279,10 +279,10 @@
external_gateway_info = {'network_id': self.network['id'],
'external_fixed_ips': [external_fixed_ips]}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(
- self.router['id'],
- external_gateway_info=external_gateway_info)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(
+ self.router['id'],
+ external_gateway_info=external_gateway_info)
self.addCleanup(
self.routers_client.update_router,
self.router['id'],
@@ -297,8 +297,8 @@
RBAC test for the neutron update_router:ha policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'], ha=True)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'], ha=True)
self.addCleanup(self.routers_client.update_router, self.router['id'],
ha=False)
@@ -311,8 +311,9 @@
RBAC test for the neutron update_router:distributed policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'], distributed=True)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'],
+ distributed=True)
self.addCleanup(self.routers_client.update_router, self.router['id'],
distributed=False)
@@ -325,8 +326,8 @@
RBAC test for the neutron delete_router policy
"""
router = self.create_router()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.delete_router(router['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.delete_router(router['id'])
@rbac_rule_validation.action(service="neutron",
rule="add_router_interface")
@@ -340,9 +341,9 @@
subnet = self.create_subnet(network)
router = self.create_router()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.add_router_interface(
- router['id'], subnet_id=subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.add_router_interface(
+ router['id'], subnet_id=subnet['id'])
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.routers_client.remove_router_interface,
@@ -369,7 +370,7 @@
router['id'],
subnet_id=subnet['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.remove_router_interface(
- router['id'],
- subnet_id=subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.remove_router_interface(
+ router['id'],
+ subnet_id=subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
index e111ae8..fd85444 100644
--- a/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
@@ -25,5 +25,5 @@
rule="get_service_provider")
@decorators.idempotent_id('15f573b7-474a-4b37-8629-7fac86553ce5')
def test_list_service_providers(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.service_providers_client.list_service_providers()
+ with self.rbac_utils.override_role(self):
+ self.service_providers_client.list_service_providers()
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
index 9231c15..fe14c92 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
@@ -60,8 +60,8 @@
RBAC test for the neutron create_subnetpool policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_subnetpool()
+ with self.rbac_utils.override_role(self):
+ self._create_subnetpool()
@rbac_rule_validation.action(service="neutron",
rule="create_subnetpool:shared")
@@ -71,8 +71,8 @@
RBAC test for the neutron create_subnetpool:shared policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_subnetpool(shared=True)
+ with self.rbac_utils.override_role(self):
+ self._create_subnetpool(shared=True)
@rbac_rule_validation.action(service="neutron",
rule="get_subnetpool",
@@ -84,8 +84,8 @@
RBAC test for the neutron get_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.show_subnetpool(subnetpool['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.show_subnetpool(subnetpool['id'])
@rbac_rule_validation.action(service="neutron",
rule="update_subnetpool")
@@ -96,9 +96,9 @@
RBAC test for the neutron update_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.update_subnetpool(subnetpool['id'],
- min_prefixlen=24)
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.update_subnetpool(subnetpool['id'],
+ min_prefixlen=24)
@decorators.idempotent_id('a16f4e5c-0675-415f-b636-00af00638693')
@rbac_rule_validation.action(service="neutron",
@@ -117,9 +117,9 @@
default_pool = self._create_subnetpool(is_default=True)
original_desc = default_pool['description']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.update_subnetpool(
- default_pool['id'], description=original_desc, is_default=True)
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.update_subnetpool(
+ default_pool['id'], description=original_desc, is_default=True)
@rbac_rule_validation.action(service="neutron",
rule="delete_subnetpool")
@@ -130,5 +130,5 @@
RBAC test for the neutron delete_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.delete_subnetpool(subnetpool['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.delete_subnetpool(subnetpool['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
index 23f11cf..bc36c21 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
@@ -44,8 +44,8 @@
RBAC test for the neutron "create_subnet" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_subnet(self.network)
+ with self.rbac_utils.override_role(self):
+ self.create_subnet(self.network)
@decorators.idempotent_id('c02618e7-bb20-4abd-83c8-6eec2af08752')
@rbac_rule_validation.action(service="neutron",
@@ -55,8 +55,8 @@
RBAC test for the neutron "get_subnet" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.show_subnet(self.subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.show_subnet(self.subnet['id'])
@decorators.idempotent_id('e2ddc415-5cab-43f4-9b61-166aed65d637')
@rbac_rule_validation.action(service="neutron",
@@ -66,8 +66,8 @@
RBAC test for the neutron "get_subnet" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.list_subnets()
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.list_subnets()
@decorators.idempotent_id('f36cd821-dd22-4bd0-b43d-110fc4b553eb')
@rbac_rule_validation.action(service="neutron",
@@ -79,8 +79,9 @@
"""
update_name = data_utils.rand_name(self.__class__.__name__ + '-Subnet')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.update_subnet(self.subnet['id'], name=update_name)
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.update_subnet(self.subnet['id'],
+ name=update_name)
@decorators.idempotent_id('bcfc7153-bbd1-43a4-a908-b3e1b0cde0dc')
@rbac_rule_validation.action(service="neutron",
@@ -92,5 +93,5 @@
"""
subnet = self.create_subnet(self.network)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.delete_subnet(subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.delete_subnet(subnet['id'])