Merge "Implement RbacUtilsMixin for base RBAC classes"
diff --git a/.gitignore b/.gitignore
index b77e7f3..350e0da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,6 +44,7 @@
# Sphinx
doc/build
+doc/source/_static/patrole.conf.sample
# pbr generates these
AUTHORS
diff --git a/.zuul.yaml b/.zuul.yaml
index 636acb9..94b8669 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -31,50 +31,50 @@
- openstack/tempest
- job:
- name: tempest-patrole-admin
+ name: patrole-admin
parent: patrole-base
- run: playbooks/legacy/tempest-patrole-admin/run.yaml
- post-run: playbooks/legacy/tempest-patrole-admin/post.yaml
+ run: playbooks/legacy/patrole-admin/run.yaml
+ post-run: playbooks/legacy/patrole-admin/post.yaml
- job:
- name: tempest-patrole-member
+ name: patrole-member
parent: patrole-base
- run: playbooks/legacy/tempest-patrole-member/run.yaml
- post-run: playbooks/legacy/tempest-patrole-member/post.yaml
+ run: playbooks/legacy/patrole-member/run.yaml
+ post-run: playbooks/legacy/patrole-member/post.yaml
- job:
- name: tempest-patrole-multinode-admin
+ name: patrole-multinode-admin
parent: patrole-base-multinode
- run: playbooks/legacy/tempest-patrole-multinode-admin/run.yaml
- post-run: playbooks/legacy/tempest-patrole-multinode-admin/post.yaml
+ run: playbooks/legacy/patrole-multinode-admin/run.yaml
+ post-run: playbooks/legacy/patrole-multinode-admin/post.yaml
voting: false
nodeset: legacy-ubuntu-xenial-2-node
- job:
- name: tempest-patrole-multinode-member
+ name: patrole-multinode-member
parent: patrole-base-multinode
- run: playbooks/legacy/tempest-patrole-multinode-member/run.yaml
- post-run: playbooks/legacy/tempest-patrole-multinode-member/post.yaml
+ run: playbooks/legacy/patrole-multinode-member/run.yaml
+ post-run: playbooks/legacy/patrole-multinode-member/post.yaml
voting: false
nodeset: legacy-ubuntu-xenial-2-node
- job:
- name: tempest-patrole-py35-member
+ name: patrole-py35-member
parent: patrole-base
- run: playbooks/legacy/tempest-patrole-py35-member/run.yaml
- post-run: playbooks/legacy/tempest-patrole-py35-member/post.yaml
+ run: playbooks/legacy/patrole-py35-member/run.yaml
+ post-run: playbooks/legacy/patrole-py35-member/post.yaml
- project:
name: openstack/patrole
check:
jobs:
- - tempest-patrole-admin
- - tempest-patrole-member
- - tempest-patrole-py35-member
- - tempest-patrole-multinode-admin
- - tempest-patrole-multinode-member
+ - patrole-admin
+ - patrole-member
+ - patrole-py35-member
+ - patrole-multinode-admin
+ - patrole-multinode-member
gate:
jobs:
- - tempest-patrole-admin
- - tempest-patrole-member
- - tempest-patrole-py35-member
+ - patrole-admin
+ - patrole-member
+ - patrole-py35-member
diff --git a/doc/source/framework/overview.rst b/doc/source/framework/overview.rst
index 1c9bf3b..d862770 100644
--- a/doc/source/framework/overview.rst
+++ b/doc/source/framework/overview.rst
@@ -7,32 +7,32 @@
RBAC testing validation is broken up into 3 stages:
- #. "Expected" stage. Determine whether the test should be able to succeed
- or fail based on the test role defined by ``[patrole] rbac_test_role``)
- and the policy action that the test enforces.
- #. "Actual" stage. Run the test by calling the API endpoint that enforces
- the expected policy action using the test role.
- #. Comparing the outputs from both stages for consistency. A "consistent"
- result is treated as a pass and an "inconsistent" result is treated
- as a failure. "Consistent" (or successful) cases include:
+#. "Expected" stage. Determine whether the test should be able to succeed
+ or fail based on the test role defined by ``[patrole] rbac_test_role``)
+ and the policy action that the test enforces.
+#. "Actual" stage. Run the test by calling the API endpoint that enforces
+ the expected policy action using the test role.
+#. Comparing the outputs from both stages for consistency. A "consistent"
+ result is treated as a pass and an "inconsistent" result is treated
+ as a failure. "Consistent" (or successful) cases include:
- * Expected result is ``True`` and the test passes.
- * Expected result is ``False`` and the test fails.
+ * Expected result is ``True`` and the test passes.
+ * Expected result is ``False`` and the test fails.
- For example, a 200 from the API call and a ``True`` result from
- ``oslo.policy`` or a 403 from the API call and a ``False`` result from
- ``oslo.policy`` are successful results.
+ For example, a 200 from the API call and a ``True`` result from
+ ``oslo.policy`` or a 403 from the API call and a ``False`` result from
+ ``oslo.policy`` are successful results.
- "Inconsistent" (or failing) cases include:
+ "Inconsistent" (or failing) cases include:
- * Expected result is ``False`` and the test passes. This results in an
- ``RbacOverPermission`` exception getting thrown.
- * Expected result is ``True`` and the test fails. This results in a
- ``Forbidden`` exception getting thrown.
+ * Expected result is ``False`` and the test passes. This results in an
+ ``RbacOverPermission`` exception getting thrown.
+ * Expected result is ``True`` and the test fails. This results in a
+ ``Forbidden`` exception getting thrown.
- For example, a 200 from the API call and a ``False`` result from
- ``oslo.policy`` or a 403 from the API call and a ``True`` result from
- ``oslo.policy`` are failing results.
+ For example, a 200 from the API call and a ``False`` result from
+ ``oslo.policy`` or a 403 from the API call and a ``True`` result from
+ ``oslo.policy`` are failing results.
-------------------------------
The RBAC Rule Validation Module
diff --git a/doc/source/framework/rbac_utils.rst b/doc/source/framework/rbac_utils.rst
index 0f000ff..69ba045 100644
--- a/doc/source/framework/rbac_utils.rst
+++ b/doc/source/framework/rbac_utils.rst
@@ -1,7 +1,7 @@
.. _rbac-utils:
-The RBAC Utils Module
-=====================
+RBAC Utils Module
+=================
Overview
--------
@@ -30,10 +30,10 @@
#. Setup: Admin role is used automatically. The primary credentials are
overridden with the admin role.
-#. Test execution: ``[patrole] rbac_test_role`` is used manually via a call
- to ``rbac_utils.switch_role(self, toggle_rbac_role=True)``. Everything that
- is executed after this call, until the end of the test, uses the primary
- credentials overridden with the ``rbac_test_role``.
+#. Test execution: ``[patrole] rbac_test_role`` is used manually via the
+ call to ``with rbac_utils.override_role(self)``. Everything that
+ is executed within this contextmanager uses the primary
+ credentials overridden with the ``[patrole] rbac_test_role``.
#. Teardown: Admin role is used automatically. The primary credentials have
been overridden with the admin role.
@@ -64,26 +64,90 @@
"Test execution" here means calling the API endpoint that enforces the policy
action expected by the ``rbac_rule_validation`` decorator. Test execution
should be performed *only after* calling
-``rbac_utils.switch_role(self, toggle_rbac_role=True)``.
+``with rbac_utils.override_role(self)``.
Immediately after that call, the API endpoint that enforces the policy should
be called.
+Examples
+^^^^^^^^
+
+Always use the contextmanager before calling the API that enforces the
+expected policy action.
+
Example::
- # Always apply the RBAC decorator to the test.
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-aggregates:show")
def test_show_aggregate_rbac(self):
- # Do test setup before the switch_role call.
+ # Do test setup before the ``override_role`` call.
aggregate_id = self._create_aggregate()
- # Call the switch_role method so that the primary credentials have
- # the test role needed for test execution.
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Call the endpoint that enforces the expected policy action, described
- # by the "rule" kwarg in the decorator above.
- self.aggregates_client.show_aggregate(aggregate_id)
+ # Call the ``override_role`` method so that the primary credentials
+ # have the test role needed for test execution.
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.show_aggregate(aggregate_id)
+
+When using a waiter, do the wait outside the contextmanager. "Waiting" always
+entails executing a ``GET`` request to the server, until the state of the
+returned resource matches a desired state. These ``GET`` requests enforce
+a different policy than the one expected. This is undesirable because
+Patrole should only test policies in isolation from one another.
+
+Otherwise, the test result will be tainted, because instead of only the
+expected policy getting enforced with the ``os_primary`` role, at least
+two policies get enforced.
+
+Example using waiter::
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-password")
+ def test_change_server_password(self):
+ original_password = self.servers_client.show_password(
+ self.server['id'])
+ self.addCleanup(self.servers_client.change_password, self.server['id'],
+ adminPass=original_password)
+
+ with self.rbac_utils.override_role(self):
+ self.servers_client.change_password(
+ self.server['id'], adminPass=data_utils.rand_password())
+ # Call the waiter outside the ``override_role`` contextmanager, so that
+ # it is executed with admin role.
+ waiters.wait_for_server_status(
+ self.servers_client, self.server['id'], 'ACTIVE')
+
+Below is an example of a method that enforces multiple policies getting
+called inside the contextmanager. The ``_complex_setup_method`` below
+performs the correct API that enforces the expected policy -- in this
+case ``self.resources_client.create_resource`` -- but then proceeds to
+use a waiter.
+
+Incorrect::
+
+ def _complex_setup_method(self):
+ resource = self.resources_client.create_resource(
+ **kwargs)['resource']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self._delete_resource, resource)
+ waiters.wait_for_resource_status(
+ self.resources_client, resource['id'], 'available')
+ return resource
+
+ @rbac_rule_validation.action(
+ service="example-service",
+ rule="example-rule")
+ def test_change_server_password(self):
+ # Never call a helper function inside the contextmanager that calls a
+ # bunch of APIs. Only call the API that enforces the policy action
+ # contained in the decorator above.
+ with self.rbac_utils.override_role(self):
+ self._complex_setup_method()
+
+To fix this test, see the "Example using waiter" section above. It is
+recommended to re-implement the logic in a helper method inside a test such
+that only the relevant API is called inside the contextmanager, with
+everything extraneous outside.
Test Cleanup
------------
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 82bc1a0..75d1baa 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -43,15 +43,15 @@
A decorator which allows for positive and negative RBAC testing. Given:
- * an OpenStack service,
- * a policy action (``rule``) enforced by that service, and
- * the test role defined by ``[patrole] rbac_test_role``
+ * an OpenStack service,
+ * a policy action (``rule``) enforced by that service, and
+ * the test role defined by ``[patrole] rbac_test_role``
determines whether the test role has sufficient permissions to perform an
API call that enforces the ``rule``.
This decorator should only be applied to an instance or subclass of
- ``tempest.test.BaseTestCase``.
+ ``tempest.test.BaseTestCase``.
The result from ``_is_authorized`` is used to determine the *expected*
test result. The *actual* test result is determined by running the
@@ -175,10 +175,10 @@
"OverPermission: Role %s was allowed to perform %s" %
(role, rule))
finally:
- # TODO(felipemonteiro): Remove the `switch_role` call below
- # once all the tests have migrated over to `override_role`.
- test_obj.rbac_utils.switch_role(test_obj,
- toggle_rbac_role=False)
+ # TODO(felipemonteiro): Remove the call below once all the
+ # tests have migrated over to `override_role` public method.
+ test_obj.rbac_utils._override_role(test_obj,
+ toggle_rbac_role=False)
if CONF.patrole_log.enable_reporting:
RBACLOG.info(
"[Service]: %s, [Test]: %s, [Rule]: %s, "
@@ -306,14 +306,14 @@
Before being formatted, "extra_target_data" is a dictionary that maps a
policy string like "trust.trustor_user_id" to a nested list of
``tempest.test.BaseTestCase`` attributes. For example, the attribute list
- in:
+ in::
- "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
+ "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
is parsed by iteratively calling ``getattr`` until the value of "user_id"
- is resolved. The resulting dictionary returns:
+ is resolved. The resulting dictionary returns::
- "trust.trustor_user_id": "the user_id of the `os_primary` credential"
+ "trust.trustor_user_id": "the user_id of the `os_primary` credential"
:param test_obj: An instance or subclass of ``tempest.test.BaseTestCase``.
:param extra_target_data: Dictionary, keyed with ``oslo.policy`` generic
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 753c915..49cb5e1 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -68,8 +68,9 @@
"""Override the role used by ``os_primary`` Tempest credentials.
Temporarily change the role used by ``os_primary`` credentials to:
- * ``[patrole] rbac_test_role`` before test execution
- * ``[identity] admin_role`` after test execution
+
+ * ``[patrole] rbac_test_role`` before test execution
+ * ``[identity] admin_role`` after test execution
Automatically switches to admin role after test execution.
@@ -111,8 +112,9 @@
"""Switch the role used by `os_primary` Tempest credentials.
Switch the role used by `os_primary` credentials to:
- * admin if `toggle_rbac_role` is False
- * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
+
+ * admin if `toggle_rbac_role` is False
+ * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
:param test_obj: instance of :py:class:`tempest.test.BaseTestCase`
:param toggle_rbac_role: role to switch `os_primary` Tempest creds to
diff --git a/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
index cbe8d01..a046f96 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
@@ -45,8 +45,8 @@
service="nova", rule="os_compute_api:os-agents")
@decorators.idempotent_id('d1bc6d97-07f5-4f45-ac29-1c619a6a7e27')
def test_list_agents_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_agents()
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_agents()
@rbac_rule_validation.action(
service="nova",
@@ -56,8 +56,8 @@
params = {'hypervisor': 'kvm', 'os': 'win', 'architecture': 'x86',
'version': '7.0', 'url': 'xxx://xxxx/xxx/xxx',
'md5hash': 'add6bb58e139be103324d04d82d8f545'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.agents_client.create_agent(**params)['agent']
+ with self.rbac_utils.override_role(self):
+ body = self.agents_client.create_agent(**params)['agent']
self.addCleanup(self.agents_client.delete_agent,
body['agent_id'])
@@ -74,13 +74,13 @@
body = self.agents_client.create_agent(**params)['agent']
self.addCleanup(self.agents_client.delete_agent,
body['agent_id'])
-
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
update_params = self._param_helper(
version='8.0',
url='xxx://xxxx/xxx/xxx2',
md5hash='add6bb58e139be103324d04d82d8f547')
- self.agents_client.update_agent(body['agent_id'], **update_params)
+
+ with self.rbac_utils.override_role(self):
+ self.agents_client.update_agent(body['agent_id'], **update_params)
@rbac_rule_validation.action(
service="nova",
@@ -96,5 +96,5 @@
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.agents_client.delete_agent,
body['agent_id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_agent(body['agent_id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_agent(body['agent_id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
index 261fded..12ac058 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
@@ -58,48 +58,49 @@
service="nova", rule="os_compute_api:os-aggregates:create")
@decorators.idempotent_id('ba754393-896e-434a-9704-452ff4a84f3f')
def test_create_aggregate_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_aggregate()
+ with self.rbac_utils.override_role(self):
+ self._create_aggregate()
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:show")
@decorators.idempotent_id('8fb0b749-b120-4727-b3fb-bcfa3fa6f55b')
def test_show_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.show_aggregate(aggregate_id)
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.show_aggregate(aggregate_id)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:index")
@decorators.idempotent_id('146284da-5dd6-4c97-b598-42b480f014c6')
def test_list_aggregate_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.list_aggregates()['aggregates']
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.list_aggregates()
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:update")
@decorators.idempotent_id('c94e0d69-99b6-477e-b301-2cd0e9d0ad81')
def test_update_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
new_name = data_utils.rand_name(self.__class__.__name__ + '-aggregate')
- self.aggregates_client.update_aggregate(aggregate_id, name=new_name)
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.update_aggregate(aggregate_id,
+ name=new_name)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:delete")
@decorators.idempotent_id('5a50c5a6-0f12-4405-a1ce-2288ae895ea6')
def test_delete_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.delete_aggregate(aggregate_id)
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.delete_aggregate(aggregate_id)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:add_host")
@decorators.idempotent_id('97e6e9df-5291-4faa-8147-755b2d1f1ce2')
def test_add_host_to_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._add_host_to_aggregate(aggregate_id)
+ with self.rbac_utils.override_role(self):
+ self._add_host_to_aggregate(aggregate_id)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:remove_host")
@@ -107,8 +108,8 @@
def test_remove_host_from_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
host_name = self._add_host_to_aggregate(aggregate_id)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.remove_host(aggregate_id, host=host_name)
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.remove_host(aggregate_id, host=host_name)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:set_metadata")
@@ -117,7 +118,7 @@
aggregate_id = self._create_aggregate()
rand_key = data_utils.rand_name(self.__class__.__name__ + '-key')
rand_val = data_utils.rand_name(self.__class__.__name__ + '-val')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.set_metadata(
- aggregate_id,
- metadata={rand_key: rand_val})
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.set_metadata(
+ aggregate_id,
+ metadata={rand_key: rand_val})
diff --git a/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
index 2a8a6ae..66dce5c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
@@ -32,12 +32,12 @@
"os-availability-zone:list")
@decorators.idempotent_id('cd34e7ea-d26e-4fa3-a8d0-f8883726ce3d')
def test_get_availability_zone_list_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.availability_zone_client.list_availability_zones()
+ with self.rbac_utils.override_role(self):
+ self.availability_zone_client.list_availability_zones()
@rbac_rule_validation.action(service="nova", rule="os_compute_api:"
"os-availability-zone:detail")
@decorators.idempotent_id('2f61c191-6ece-4f21-b487-39d749e3d38e')
def test_get_availability_zone_list_detail_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.availability_zone_client.list_availability_zones(detail=True)
+ with self.rbac_utils.override_role(self):
+ self.availability_zone_client.list_availability_zones(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py
index dd32187..f426cf3 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py
@@ -58,21 +58,21 @@
service="nova",
rule="os_compute_api:os-fixed-ips")
def test_show_fixed_ip_details(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fixed_ips_client.show_fixed_ip(self.ip)
+ with self.rbac_utils.override_role(self):
+ self.fixed_ips_client.show_fixed_ip(self.ip)
@decorators.idempotent_id('f0314501-735d-4315-9856-959e01e82f0d')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-fixed-ips")
def test_set_reserve(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fixed_ips_client.reserve_fixed_ip(self.ip, reserve="None")
+ with self.rbac_utils.override_role(self):
+ self.fixed_ips_client.reserve_fixed_ip(self.ip, reserve="None")
@decorators.idempotent_id('866a6fdc-a237-4502-9bf2-52fe82aba356')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-fixed-ips")
def test_set_unreserve(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fixed_ips_client.reserve_fixed_ip(self.ip, unreserve="None")
+ with self.rbac_utils.override_role(self):
+ self.fixed_ips_client.reserve_fixed_ip(self.ip, unreserve="None")
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
index 7503962..976f18c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
@@ -41,9 +41,9 @@
def test_show_flavor_contains_is_public_key(self):
public_flavor_id = CONF.compute.flavor_ref
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.flavors_client.show_flavor(public_flavor_id)[
- 'flavor']
+ with self.rbac_utils.override_role(self):
+ body = self.flavors_client.show_flavor(public_flavor_id)[
+ 'flavor']
expected_attr = 'os-flavor-access:is_public'
if expected_attr not in body:
@@ -57,8 +57,8 @@
def test_list_flavors_details_contains_is_public_key(self):
expected_attr = 'os-flavor-access:is_public'
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- flavors = self.flavors_client.list_flavors(detail=True)['flavors']
+ with self.rbac_utils.override_role(self):
+ flavors = self.flavors_client.list_flavors(detail=True)['flavors']
# There should already be a public flavor available, namely
# `CONF.compute.flavor_ref`.
public_flavors = [f for f in flavors if expected_attr in f]
@@ -74,10 +74,9 @@
service="nova",
rule="os_compute_api:os-flavor-access:add_tenant_access")
def test_add_flavor_access(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.add_flavor_access(
- flavor_id=self.flavor_id, tenant_id=self.tenant_id)[
- 'flavor_access']
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.add_flavor_access(
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
self.addCleanup(self.flavors_client.remove_flavor_access,
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
@@ -92,9 +91,9 @@
self.flavors_client.remove_flavor_access,
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.remove_flavor_access(
- flavor_id=self.flavor_id, tenant_id=self.tenant_id)
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.remove_flavor_access(
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
@decorators.idempotent_id('e1cf59fb-7f32-40a1-96b9-248ab23dd581')
@rbac_rule_validation.action(
@@ -104,10 +103,9 @@
# Add flavor access for os_primary so that it can access the flavor or
# else a NotFound is raised.
self.flavors_client.add_flavor_access(
- flavor_id=self.flavor_id, tenant_id=self.tenant_id)[
- 'flavor_access']
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
self.addCleanup(self.flavors_client.remove_flavor_access,
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.list_flavor_access(self.flavor_id)
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.list_flavor_access(self.flavor_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
index 2d60e09..816492c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
@@ -53,16 +53,16 @@
rule="os_compute_api:os-flavor-extra-specs:show")
def test_show_flavor_extra_spec(self):
key = self._set_flavor_extra_spec()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.show_flavor_extra_spec(self.flavor['id'], key)[key]
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.show_flavor_extra_spec(self.flavor['id'], key)
@decorators.idempotent_id('fcffeca2-ed04-4e85-bf93-02fb5643f22b')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-flavor-extra-specs:create")
def test_set_flavor_extra_spec(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._set_flavor_extra_spec()
+ with self.rbac_utils.override_role(self):
+ self._set_flavor_extra_spec()
@decorators.idempotent_id('42b85279-6bfa-4f58-b7a2-258c284f03c5')
@rbac_rule_validation.action(
@@ -70,10 +70,10 @@
rule="os_compute_api:os-flavor-extra-specs:update")
def test_update_flavor_extra_spec(self):
key = self._set_flavor_extra_spec()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
update_val = data_utils.rand_name(self.__class__.__name__ + '-val')
- self.flavors_client.update_flavor_extra_spec(
- self.flavor['id'], key, **{key: update_val})[key]
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.update_flavor_extra_spec(
+ self.flavor['id'], key, **{key: update_val})
@decorators.idempotent_id('4b0e5471-e010-4c09-8965-80898e6760a3')
@rbac_rule_validation.action(
@@ -81,8 +81,8 @@
rule="os_compute_api:os-flavor-extra-specs:delete")
def test_unset_flavor_extra_spec(self):
key = self._set_flavor_extra_spec()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.unset_flavor_extra_spec(self.flavor['id'], key)
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.unset_flavor_extra_spec(self.flavor['id'], key)
@decorators.idempotent_id('02c3831a-3ce9-476e-a722-d805ac2da621')
@rbac_rule_validation.action(
@@ -90,6 +90,5 @@
rule="os_compute_api:os-flavor-extra-specs:index")
def test_list_flavor_extra_specs(self):
self._set_flavor_extra_spec()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.list_flavor_extra_specs(
- self.flavor['id'])['extra_specs']
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.list_flavor_extra_specs(self.flavor['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py
index afe5013..f0f267c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py
@@ -22,10 +22,6 @@
class FlavorManageRbacTest(rbac_base.BaseV2ComputeRbacTest):
- # Need admin to wait for resource deletion below to avoid test role
- # having to pass extra policies.
- credentials = ['primary', 'admin']
-
@classmethod
def skip_checks(cls):
super(FlavorManageRbacTest, cls).skip_checks()
@@ -38,8 +34,8 @@
service="nova",
rule="os_compute_api:os-flavor-manage:create")
def test_create_flavor_manage(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_flavor()
+ with self.rbac_utils.override_role(self):
+ self.create_flavor()
@decorators.idempotent_id('782e988e-061b-4c40-896f-a77c70c2b057')
@rbac_rule_validation.action(
@@ -48,6 +44,6 @@
def test_delete_flavor_manage(self):
flavor_id = self.create_flavor()['id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.delete_flavor(flavor_id)
- self.os_admin.flavors_client.wait_for_resource_deletion(flavor_id)
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.delete_flavor(flavor_id)
+ self.flavors_client.wait_for_resource_deletion(flavor_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
index b530cbf..fbc03cf 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
@@ -38,8 +38,8 @@
service="nova",
rule="os_compute_api:os-flavor-rxtx")
def test_list_flavors_details_rxtx(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- result = self.flavors_client.list_flavors(detail=True)['flavors']
+ with self.rbac_utils.override_role(self):
+ result = self.flavors_client.list_flavors(detail=True)['flavors']
if 'rxtx_factor' not in result[0]:
raise rbac_exceptions.RbacMalformedResponse(
attribute='rxtx_factor')
@@ -49,9 +49,9 @@
service="nova",
rule="os_compute_api:os-flavor-rxtx")
def test_get_flavor_rxtx(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- result = self.flavors_client.show_flavor(
- CONF.compute.flavor_ref)['flavor']
+ with self.rbac_utils.override_role(self):
+ result = self.flavors_client.show_flavor(
+ CONF.compute.flavor_ref)['flavor']
if 'rxtx_factor' not in result:
raise rbac_exceptions.RbacMalformedResponse(
attribute='rxtx_factor')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
index 15891d7..7467130 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
@@ -50,5 +50,5 @@
service="nova",
rule="os_compute_api:os-floating-ip-pools")
def test_list_floating_ip_pools(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fip_pools_client.list_floating_ip_pools()['floating_ip_pools']
+ with self.rbac_utils.override_role(self):
+ self.fip_pools_client.list_floating_ip_pools()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
index e149bf2..18a2196 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
@@ -50,5 +50,5 @@
service="nova",
rule="os_compute_api:os-floating-ips-bulk")
def test_list_floating_ips_bulk(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fip_bulk_client.list_floating_ips_bulk()['floating_ip_info']
+ with self.rbac_utils.override_role(self):
+ self.fip_bulk_client.list_floating_ips_bulk()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
index 8ab5a51..1045512 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
@@ -46,8 +46,8 @@
service="nova",
rule="os_compute_api:os-floating-ips")
def test_list_floating_ips(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.floating_ips_client.list_floating_ips()['floating_ips']
+ with self.rbac_utils.override_role(self):
+ self.floating_ips_client.list_floating_ips()
@decorators.idempotent_id('bebe52b3-5269-4e72-80c8-5a4a39c3bfa6')
@rbac_rule_validation.action(
@@ -58,17 +58,17 @@
pool=CONF.network.floating_network_name)['floating_ip']
self.addCleanup(
self.floating_ips_client.delete_floating_ip, body['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.floating_ips_client.show_floating_ip(body['id'])['floating_ip']
+ with self.rbac_utils.override_role(self):
+ self.floating_ips_client.show_floating_ip(body['id'])
@decorators.idempotent_id('2bfb8745-c329-4ee9-95f6-c165a1989dbf')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-floating-ips")
def test_create_floating_ips(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.floating_ips_client.create_floating_ip(
- pool=CONF.network.floating_network_name)['floating_ip']
+ with self.rbac_utils.override_role(self):
+ body = self.floating_ips_client.create_floating_ip(
+ pool=CONF.network.floating_network_name)['floating_ip']
self.addCleanup(
self.floating_ips_client.delete_floating_ip, body['id'])
@@ -82,5 +82,5 @@
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.floating_ips_client.delete_floating_ip, body['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.floating_ips_client.delete_floating_ip(body['id'])
+ with self.rbac_utils.override_role(self):
+ self.floating_ips_client.delete_floating_ip(body['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
index f10744c..67d0468 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
@@ -34,5 +34,5 @@
service="nova",
rule="os_compute_api:os-hosts")
def test_list_hosts(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.hosts_client.list_hosts()['hosts']
+ with self.rbac_utils.override_role(self):
+ self.hosts_client.list_hosts()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
index c07ab24..cb1515f 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
@@ -41,58 +41,56 @@
service="nova",
rule="os_compute_api:os-hypervisors")
def test_list_hypervisors(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.hypervisor_client.list_hypervisors()['hypervisors']
+ with self.rbac_utils.override_role(self):
+ self.hypervisor_client.list_hypervisors()
@decorators.idempotent_id('36b95c7d-1085-487a-a674-b7c1ca35f520')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-hypervisors")
def test_list_hypervisors_with_details(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.hypervisor_client.list_hypervisors(detail=True)['hypervisors']
+ with self.rbac_utils.override_role(self):
+ self.hypervisor_client.list_hypervisors(detail=True)
@decorators.idempotent_id('8a7f6f9e-34a6-4480-8875-bba566c3a581')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-hypervisors")
def test_show_hypervisor(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.hypervisor_client.show_hypervisor(
- self.hypervisor['id'])['hypervisor']
+ with self.rbac_utils.override_role(self):
+ self.hypervisor_client.show_hypervisor(self.hypervisor['id'])
@decorators.idempotent_id('b86f03cf-2e79-4d88-9eea-62f761591413')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-hypervisors")
def test_list_servers_on_hypervisor(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.hypervisor_client.list_servers_on_hypervisor(
- self.hypervisor['hypervisor_hostname'])['hypervisors']
+ with self.rbac_utils.override_role(self):
+ self.hypervisor_client.list_servers_on_hypervisor(
+ self.hypervisor['hypervisor_hostname'])
@decorators.idempotent_id('ca0e465c-6365-4a7f-ae58-6f8ddbca06c2')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-hypervisors")
def test_show_hypervisor_statistics(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.hypervisor_client.\
- show_hypervisor_statistics()['hypervisor_statistics']
+ with self.rbac_utils.override_role(self):
+ self.hypervisor_client.show_hypervisor_statistics()
@decorators.idempotent_id('109b37c5-91ba-4da5-b2a2-d7618d84406d')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-hypervisors")
def test_show_hypervisor_uptime(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.hypervisor_client.show_hypervisor_uptime(
- self.hypervisor['id'])['hypervisor']
+ with self.rbac_utils.override_role(self):
+ self.hypervisor_client.show_hypervisor_uptime(
+ self.hypervisor['id'])
@decorators.idempotent_id('3dbc71c1-8f04-4674-a67c-dcb2fd99b1b4')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-hypervisors")
def test_search_hypervisor(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.hypervisor_client.search_hypervisor(
- self.hypervisor['hypervisor_hostname'])['hypervisors']
+ with self.rbac_utils.override_role(self):
+ self.hypervisor_client.search_hypervisor(
+ self.hypervisor['hypervisor_hostname'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
index 0ba1282..9fb326e 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
@@ -78,24 +78,24 @@
service="glance",
rule="get_images")
def test_list_images(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.list_images()
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.list_images()
@decorators.idempotent_id('4365ae0f-15ee-4b54-a527-1679faaed140')
@rbac_rule_validation.action(
service="glance",
rule="get_images")
def test_list_images_with_details(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.list_images(detail=True)
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.list_images(detail=True)
@decorators.idempotent_id('886dfcae-51bf-4610-9e52-82d7189524c2')
@rbac_rule_validation.action(
service="glance",
rule="get_image")
def test_show_image_details(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.show_image(self.image['id'])
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.show_image(self.image['id'])
@decorators.idempotent_id('dbe09d4c-e615-48cb-b908-a06a0f410a8e')
@rbac_rule_validation.action(
@@ -107,17 +107,17 @@
self.addCleanup(self.compute_images_client.delete_image_metadata_item,
self.image['id'], key='foo')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.show_image_metadata_item(self.image['id'],
- key='foo')
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.show_image_metadata_item(
+ self.image['id'], key='foo')
@decorators.idempotent_id('59f66079-d564-47e8-81b0-03c2e84d339e')
@rbac_rule_validation.action(
service="glance",
rule="get_image")
def test_list_image_metadata(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.list_image_metadata(self.image['id'])
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.list_image_metadata(self.image['id'])
@decorators.idempotent_id('5888c7aa-0803-46d4-a3fb-5d4729465cd5')
@rbac_rule_validation.action(
@@ -129,20 +129,20 @@
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.glance_image_client.delete_image, image['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.delete_image(image['id'])
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.delete_image(image['id'])
@decorators.idempotent_id('575604aa-909f-4b1b-a5a5-cfae1f63044b')
@rbac_rule_validation.action(
service="glance",
rule="modify_image")
def test_create_image_metadata(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # NOTE(felipemonteiro): Although the name of the client function
- # appears wrong, it's actually correct: update_image_metadata does an
- # http post.
- self.compute_images_client.update_image_metadata(self.image['id'],
- meta={'foo': 'bar'})
+ with self.rbac_utils.override_role(self):
+ # NOTE(felipemonteiro): Although the name of the client function
+ # appears wrong, it's actually correct: update_image_metadata does
+ # an http post.
+ self.compute_images_client.update_image_metadata(
+ self.image['id'], meta={'foo': 'bar'})
self.addCleanup(self.compute_images_client.delete_image_metadata_item,
self.image['id'], key='foo')
@@ -151,9 +151,9 @@
service="glance",
rule="modify_image")
def test_update_image_metadata(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.set_image_metadata(self.image['id'],
- meta={'foo': 'bar'})
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.set_image_metadata(self.image['id'],
+ meta={'foo': 'bar'})
self.addCleanup(self.compute_images_client.delete_image_metadata_item,
self.image['id'], key='foo')
@@ -162,9 +162,9 @@
service="glance",
rule="modify_image")
def test_update_image_metadata_item(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.set_image_metadata_item(
- self.image['id'], meta={'foo': 'bar'}, key='foo')
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.set_image_metadata_item(
+ self.image['id'], meta={'foo': 'bar'}, key='foo')
self.addCleanup(self.compute_images_client.delete_image_metadata_item,
self.image['id'], key='foo')
@@ -179,9 +179,9 @@
self.compute_images_client.delete_image_metadata_item,
self.image['id'], key='foo')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.delete_image_metadata_item(self.image['id'],
- key='foo')
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.delete_image_metadata_item(
+ self.image['id'], key='foo')
class ImageSizeRbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -202,13 +202,13 @@
service="nova",
rule="os_compute_api:image-size")
def test_list_images(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.list_images()
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.list_images()
@decorators.idempotent_id('08342c7d-297d-42ee-b398-90fce2443792')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:image-size")
def test_list_images_with_details(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.compute_images_client.list_images(detail=True)
+ with self.rbac_utils.override_role(self):
+ self.compute_images_client.list_images(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
index 5fc4c3b..347b7df 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
@@ -38,9 +38,9 @@
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-instance-usage-audit-log")
def test_list_instance_usage_audit_logs(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.instance_usages_audit_log_client.list_instance_usage_audit_logs()
- ["instance_usage_audit_logs"]
+ with self.rbac_utils.override_role(self):
+ (self.instance_usages_audit_log_client
+ .list_instance_usage_audit_logs())
@decorators.idempotent_id('ded8bfbd-5d90-4a58-aee0-d31231bf3c9b')
@rbac_rule_validation.action(
@@ -48,7 +48,7 @@
def test_show_instance_usage_audit_log(self):
now = datetime.datetime.now()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.instance_usages_audit_log_client.show_instance_usage_audit_log(
- urllib.quote(now.strftime("%Y-%m-%d %H:%M:%S")))[
- "instance_usage_audit_log"]
+ with self.rbac_utils.override_role(self):
+ (self.instance_usages_audit_log_client.
+ show_instance_usage_audit_log(
+ urllib.quote(now.strftime("%Y-%m-%d %H:%M:%S"))))
diff --git a/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py
index 8e434fc..b359ad2 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py
@@ -36,8 +36,8 @@
service="nova",
rule="os_compute_api:os-keypairs:create")
def test_create_keypair(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_keypair()
+ with self.rbac_utils.override_role(self):
+ self._create_keypair()
@decorators.idempotent_id('85a5eb99-40ec-4e77-9358-bee2cdf9d7df')
@rbac_rule_validation.action(
@@ -45,8 +45,8 @@
rule="os_compute_api:os-keypairs:show")
def test_show_keypair(self):
kp_name = self._create_keypair()['keypair']['name']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.keypairs_client.show_keypair(kp_name)
+ with self.rbac_utils.override_role(self):
+ self.keypairs_client.show_keypair(kp_name)
@decorators.idempotent_id('6bff9f1c-b809-43c1-8d63-61fbd19d49d3')
@rbac_rule_validation.action(
@@ -54,13 +54,13 @@
rule="os_compute_api:os-keypairs:delete")
def test_delete_keypair(self):
kp_name = self._create_keypair()['keypair']['name']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.keypairs_client.delete_keypair(kp_name)
+ with self.rbac_utils.override_role(self):
+ self.keypairs_client.delete_keypair(kp_name)
@decorators.idempotent_id('6bb31346-ff7f-4b10-978e-170ac5fcfa3e')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-keypairs:index")
def test_index_keypair(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.keypairs_client.list_keypairs()
+ with self.rbac_utils.override_role(self):
+ self.keypairs_client.list_keypairs()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py
index ad2c5ba..9442a5a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py
@@ -31,5 +31,5 @@
rule="os_compute_api:limits")
@decorators.idempotent_id('3fb60f83-9a5f-4fdd-89d9-26c3710844a1')
def test_show_limits(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.limits_client.show_limits()
+ with self.rbac_utils.override_role(self):
+ self.limits_client.show_limits()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
index 1bf46a1..1597a04 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
@@ -34,5 +34,5 @@
service="nova",
rule="os_compute_api:os-migrations:index")
def test_list_services(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.migrations_client.list_migrations()['migrations']
+ with self.rbac_utils.override_role(self):
+ self.migrations_client.list_migrations()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_quota_class_sets_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_quota_class_sets_rbac.py
index 162c003..2f86763 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_quota_class_sets_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_quota_class_sets_rbac.py
@@ -59,9 +59,8 @@
service="nova",
rule="os_compute_api:os-quota-class-sets:show")
def test_show_quota_class_set(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.quota_classes_client.show_quota_class_set('default')[
- 'quota_class_set']
+ with self.rbac_utils.override_role(self):
+ self.quota_classes_client.show_quota_class_set('default')
@decorators.idempotent_id('81889e69-efd2-4e96-bb4c-ee3b646b9755')
@rbac_rule_validation.action(
@@ -75,6 +74,6 @@
for quota, default in quota_class_set.items():
quota_class_set[quota] = default + 100
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.quota_classes_client.update_quota_class_set(
- self.project_id, **quota_class_set)['quota_class_set']
+ with self.rbac_utils.override_role(self):
+ self.quota_classes_client.update_quota_class_set(
+ self.project_id, **quota_class_set)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_quota_sets_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_quota_sets_rbac.py
index 6052150..ec4511a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_quota_sets_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_quota_sets_rbac.py
@@ -59,10 +59,10 @@
default_quota_set.pop('id')
new_quota_set = {'injected_file_content_bytes': 20480}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.quotas_client.update_quota_set(self.tenant_id,
- force=True,
- **new_quota_set)['quota_set']
+ with self.rbac_utils.override_role(self):
+ self.quotas_client.update_quota_set(self.tenant_id,
+ force=True,
+ **new_quota_set)
self.addCleanup(self.quotas_client.update_quota_set, self.tenant_id,
**default_quota_set)
@@ -71,16 +71,16 @@
service="nova",
rule="os_compute_api:os-quota-sets:defaults")
def test_show_default_quota_set(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.quotas_client.show_default_quota_set(self.tenant_id)['quota_set']
+ with self.rbac_utils.override_role(self):
+ self.quotas_client.show_default_quota_set(self.tenant_id)
@decorators.idempotent_id('e8169ac4-c402-4864-894e-aba74e3a459c')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-quota-sets:show")
def test_show_quota_set(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.quotas_client.show_quota_set(self.tenant_id)['quota_set']
+ with self.rbac_utils.override_role(self):
+ self.quotas_client.show_quota_set(self.tenant_id)
@decorators.idempotent_id('4e240644-bf61-4872-9c32-8289ee2fdbbd')
@rbac_rule_validation.action(
@@ -94,14 +94,14 @@
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.projects_client.delete_project, project_id)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.quotas_client.delete_quota_set(project_id)
+ with self.rbac_utils.override_role(self):
+ self.quotas_client.delete_quota_set(project_id)
@decorators.idempotent_id('ac9184b6-f3b3-4e17-a632-4b92c6500f86')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-quota-sets:detail")
def test_show_quota_set_details(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.quotas_client.show_quota_set(self.tenant_id,
- detail=True)['quota_set']
+ with self.rbac_utils.override_role(self):
+ self.quotas_client.show_quota_set(self.tenant_id,
+ detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
index 43d48c9..fa89a79 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -58,8 +58,9 @@
rule="os_compute_api:os-security-groups")
@decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
def test_list_security_groups_by_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_security_groups_by_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_security_groups_by_server(
+ self.server['id'])
@rbac_rule_validation.action(
service="nova",
@@ -68,8 +69,9 @@
def test_create_security_group_for_server(self):
sg_name = self.create_security_group()['name']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.add_security_group(self.server['id'], name=sg_name)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.add_security_group(self.server['id'],
+ name=sg_name)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.servers_client.remove_security_group,
self.server['id'], name=sg_name)
@@ -86,9 +88,9 @@
self.servers_client.remove_security_group,
self.server['id'], name=sg_name)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.remove_security_group(
- self.server['id'], name=sg_name)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.remove_security_group(
+ self.server['id'], name=sg_name)
class SecurityGroupsRbacMaxV235Test(rbac_base.BaseV2ComputeRbacTest):
@@ -117,16 +119,16 @@
rule="os_compute_api:os-security-groups")
@decorators.idempotent_id('4ac58e49-48c1-4fca-a6c3-3f95fb99eb77')
def test_list_security_groups(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.security_groups_client.list_security_groups()
+ with self.rbac_utils.override_role(self):
+ self.security_groups_client.list_security_groups()
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-security-groups")
@decorators.idempotent_id('e8fe7f5a-69ee-412d-81d3-a8c7a488b54d')
def test_create_security_groups(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_security_group()['id']
+ with self.rbac_utils.override_role(self):
+ self.create_security_group()['id']
@rbac_rule_validation.action(
service="nova",
@@ -134,8 +136,8 @@
@decorators.idempotent_id('59127e8e-302d-11e7-93ae-92361f002671')
def test_delete_security_groups(self):
sec_group_id = self.create_security_group()['id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.security_groups_client.delete_security_group(sec_group_id)
+ with self.rbac_utils.override_role(self):
+ self.security_groups_client.delete_security_group(sec_group_id)
@rbac_rule_validation.action(
service="nova",
@@ -146,10 +148,9 @@
new_name = data_utils.rand_name()
new_desc = data_utils.rand_name()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.security_groups_client.update_security_group(sec_group_id,
- name=new_name,
- description=new_desc)
+ with self.rbac_utils.override_role(self):
+ self.security_groups_client.update_security_group(
+ sec_group_id, name=new_name, description=new_desc)
@rbac_rule_validation.action(
service="nova",
@@ -157,5 +158,5 @@
@decorators.idempotent_id('6edc0320-302d-11e7-93ae-92361f002671')
def test_show_security_groups(self):
sec_group_id = self.create_security_group()['id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.security_groups_client.show_security_group(sec_group_id)
+ with self.rbac_utils.override_role(self):
+ self.security_groups_client.show_security_group(sec_group_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
index 2bc267b..adb5a6c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
@@ -33,8 +33,6 @@
class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
- credentials = ['primary', 'admin']
-
@classmethod
def resource_setup(cls):
super(ServerActionsRbacTest, cls).resource_setup()
@@ -60,17 +58,17 @@
def _stop_server(self):
self.servers_client.stop_server(self.server_id)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'SHUTOFF')
+ self.servers_client, self.server_id, 'SHUTOFF')
def _resize_server(self, flavor):
self.servers_client.resize_server(self.server_id, flavor)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'VERIFY_RESIZE')
+ self.servers_client, self.server_id, 'VERIFY_RESIZE')
def _confirm_resize_server(self):
self.servers_client.confirm_resize_server(self.server_id)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'ACTIVE')
+ self.servers_client, self.server_id, 'ACTIVE')
def _shelve_server(self):
self.servers_client.shelve_server(self.server_id)
@@ -79,13 +77,13 @@
self.server_id)
offload_time = CONF.compute.shelved_offload_time
if offload_time >= 0:
- waiters.wait_for_server_status(self.os_admin.servers_client,
+ waiters.wait_for_server_status(self.servers_client,
self.server_id,
'SHELVED_OFFLOADED',
extra_timeout=offload_time)
else:
- waiters.wait_for_server_status(self.os_admin.servers_client,
- self.server_id, 'SHELVED')
+ waiters.wait_for_server_status(self.servers_client, self.server_id,
+ 'SHELVED')
def _pause_server(self):
self.servers_client.pause_server(self.server_id)
@@ -93,7 +91,7 @@
self.servers_client.unpause_server,
self.server_id)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'PAUSED')
+ self.servers_client, self.server_id, 'PAUSED')
def _cleanup_server_actions(self, function, server_id, **kwargs):
server = self.servers_client.show_server(server_id)['server']
@@ -107,8 +105,8 @@
service="nova",
rule="os_compute_api:os-pause-server:pause")
def test_pause_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._pause_server()
+ with self.rbac_utils.override_role(self):
+ self._pause_server()
@decorators.idempotent_id('087008cf-82fa-4eeb-ae8b-32c4126456ad')
@testtools.skipUnless(CONF.compute_feature_enabled.pause,
@@ -118,18 +116,18 @@
rule="os_compute_api:os-pause-server:unpause")
def test_unpause_server(self):
self._pause_server()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.unpause_server(self.server_id)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.unpause_server(self.server_id)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'ACTIVE')
+ self.servers_client, self.server_id, 'ACTIVE')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:stop")
@decorators.idempotent_id('ab4a17d2-166f-4a6d-9944-f17baa576cf2')
def test_stop_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._stop_server()
+ with self.rbac_utils.override_role(self):
+ self._stop_server()
@decorators.attr(type='slow')
@rbac_rule_validation.action(
@@ -139,10 +137,10 @@
def test_start_server(self):
self._stop_server()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.start_server(self.server_id)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.start_server(self.server_id)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'ACTIVE')
+ self.servers_client, self.server_id, 'ACTIVE')
@decorators.attr(type='slow')
@rbac_rule_validation.action(
@@ -152,8 +150,8 @@
@testtools.skipUnless(CONF.compute_feature_enabled.resize,
'Resize is not available.')
def test_resize_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._resize_server(self.flavor_ref_alt)
+ with self.rbac_utils.override_role(self):
+ self._resize_server(self.flavor_ref_alt)
@decorators.attr(type='slow')
@rbac_rule_validation.action(
@@ -165,10 +163,10 @@
def test_revert_resize_server(self):
self._resize_server(self.flavor_ref_alt)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.revert_resize_server(self.server_id)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.revert_resize_server(self.server_id)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'ACTIVE')
+ self.servers_client, self.server_id, 'ACTIVE')
@decorators.attr(type='slow')
@rbac_rule_validation.action(
@@ -182,68 +180,68 @@
self.addCleanup(self._confirm_resize_server)
self.addCleanup(self._resize_server, self.flavor_ref)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._confirm_resize_server()
+ with self.rbac_utils.override_role(self):
+ self._confirm_resize_server()
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:rebuild")
@decorators.idempotent_id('54b1a30b-c96c-472c-9c83-ccaf6ec7e20b')
def test_rebuild_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.rebuild_server(self.server_id, self.image_ref)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.rebuild_server(self.server_id, self.image_ref)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'ACTIVE')
+ self.servers_client, self.server_id, 'ACTIVE')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:reboot")
@decorators.idempotent_id('19f27856-56e1-44f8-8615-7257f6b85cbb')
def test_reboot_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.reboot_server(self.server_id, type='HARD')
+ with self.rbac_utils.override_role(self):
+ self.servers_client.reboot_server(self.server_id, type='HARD')
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'ACTIVE')
+ self.servers_client, self.server_id, 'ACTIVE')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:index")
@decorators.idempotent_id('631f0d86-7607-4198-8312-9da2f05464a4')
def test_server_index(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_servers(minimal=True)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_servers(minimal=True)
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:detail")
@decorators.idempotent_id('96093480-3ce5-4a8b-b569-aed870379c24')
def test_server_detail(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_servers(detail=True)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_servers(detail=True)
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:detail:get_all_tenants")
@decorators.idempotent_id('a9e5a1c0-acfe-49a2-b2b1-fd8b19d61f71')
def test_server_detail_all_tenants(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_servers(detail=True, all_tenants=1)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_servers(detail=True, all_tenants=1)
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:index:get_all_tenants")
@decorators.idempotent_id('4b93ba56-69e6-41f5-82c4-84a5c4c42091')
def test_server_index_all_tenants(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_servers(minimal=True, all_tenants=1)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_servers(minimal=True, all_tenants=1)
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:show")
@decorators.idempotent_id('eaaf4f51-31b5-497f-8f0f-f527e5f70b83')
def test_show_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_server(self.server_id)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.show_server(self.server_id)
@utils.services('image')
@rbac_rule_validation.action(
@@ -251,10 +249,9 @@
rule="os_compute_api:servers:create_image")
@decorators.idempotent_id('ba0ac859-99f4-4055-b5e0-e0905a44d331')
def test_create_image(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- # This function will also call show image
- self.create_image_from_server(self.server_id, wait_until='ACTIVE')
+ with self.rbac_utils.override_role(self):
+ # This function will also call show image
+ self.create_image_from_server(self.server_id, wait_until='ACTIVE')
@utils.services('image', 'volume')
@rbac_rule_validation.action(
@@ -267,12 +264,11 @@
# this test.
server = self.create_test_server(volume_backed=True,
wait_until='ACTIVE')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- # This function will also call show image.
- image = self.create_image_from_server(server['id'],
- wait_until='ACTIVE',
- wait_for_server=False)
+ with self.rbac_utils.override_role(self):
+ # This function will also call show image.
+ image = self.create_image_from_server(server['id'],
+ wait_until='ACTIVE',
+ wait_for_server=False)
self.addCleanup(self.compute_images_client.wait_for_resource_deletion,
image['id'])
self.addCleanup(
@@ -289,9 +285,9 @@
def test_create_backup(self):
# Prioritize glance v2 over v1 for deleting/waiting for image status.
if CONF.image_feature_enabled.api_v2:
- glance_admin_client = self.os_admin.image_client_v2
+ glance_client = self.os_primary.image_client_v2
elif CONF.image_feature_enabled.api_v1:
- glance_admin_client = self.os_admin.image_client
+ glance_client = self.os_primary.image_client
else:
raise lib_exc.InvalidConfiguration(
'Either api_v1 or api_v2 must be True in '
@@ -299,10 +295,10 @@
backup_name = data_utils.rand_name(self.__class__.__name__ + '-Backup')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- resp = self.servers_client.create_backup(
- self.server_id, backup_type='daily', rotation=1,
- name=backup_name).response
+ with self.rbac_utils.override_role(self):
+ resp = self.servers_client.create_backup(
+ self.server_id, backup_type='daily', rotation=1,
+ name=backup_name).response
# Prior to microversion 2.45, image ID must be parsed from location
# header. With microversion 2.45+, image_id is returned.
@@ -312,11 +308,9 @@
else:
image_id = data_utils.parse_image_id(resp['location'])
- # Use admin credentials to wait since waiting involves show, which is
- # a different policy.
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- glance_admin_client.delete_image, image_id)
- waiters.wait_for_image_status(glance_admin_client, image_id, 'active')
+ glance_client.delete_image, image_id)
+ waiters.wait_for_image_status(glance_client, image_id, 'active')
@decorators.attr(type='slow')
@decorators.idempotent_id('0b70c527-af75-4bed-9ccf-4f1310a8b60f')
@@ -324,8 +318,8 @@
service="nova",
rule="os_compute_api:os-shelve:shelve")
def test_shelve_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._shelve_server()
+ with self.rbac_utils.override_role(self):
+ self._shelve_server()
@decorators.attr(type='slow')
@decorators.idempotent_id('4b6e849a-9182-49ff-9257-e97e751b475e')
@@ -334,10 +328,10 @@
rule="os_compute_api:os-shelve:unshelve")
def test_unshelve_server(self):
self._shelve_server()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.unshelve_server(self.server_id)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.unshelve_server(self.server_id)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server_id, 'ACTIVE')
+ self.servers_client, self.server_id, 'ACTIVE')
class ServerActionsV214RbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -361,12 +355,12 @@
# NOTE(felipemonteiro): Because evacuating a server is a risky action
# to test in the gates, a 404 is coerced using a fake host. However,
# the policy check is done before the 404 is thrown.
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.assertRaisesRegex(lib_exc.NotFound,
- "Compute host %s not found." % fake_host_name,
- self.servers_client.evacuate_server,
- self.server_id,
- host=fake_host_name)
+ with self.rbac_utils.override_role(self):
+ self.assertRaisesRegex(
+ lib_exc.NotFound,
+ "Compute host %s not found." % fake_host_name,
+ self.servers_client.evacuate_server, self.server_id,
+ host=fake_host_name)
class ServerActionsV216RbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -387,8 +381,8 @@
rule="os_compute_api:servers:show:host_status")
@decorators.idempotent_id('736da575-86f8-4b2a-9902-dd37dc9a409b')
def test_show_server_host_status(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- server = self.servers_client.show_server(self.server_id)['server']
+ with self.rbac_utils.override_role(self):
+ server = self.servers_client.show_server(self.server_id)['server']
if 'host_status' not in server:
raise rbac_exceptions.RbacMalformedResponse(
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_consoles_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_consoles_rbac.py
index 7744263..fa2f359 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_consoles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_consoles_rbac.py
@@ -40,8 +40,8 @@
rule="os_compute_api:os-console-output")
@decorators.idempotent_id('90fd80f6-456c-11e7-a919-92ebcb67fe33')
def test_get_console_output(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.get_console_output(self.server_id)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.get_console_output(self.server_id)
class ServerConsolesMaxV25RbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -64,8 +64,8 @@
rule="os_compute_api:os-remote-consoles")
@decorators.idempotent_id('b0a72c02-9b15-4dcb-b186-efe8753370ab')
def test_get_vnc_console_output(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.get_vnc_console(self.server_id, type="novnc")
+ with self.rbac_utils.override_role(self):
+ self.servers_client.get_vnc_console(self.server_id, type="novnc")
class ServerConsolesV26RbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -89,6 +89,6 @@
rule="os_compute_api:os-remote-consoles")
@decorators.idempotent_id('879597de-87e0-4da9-a60a-28c8088dc508')
def test_get_remote_console_output(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.get_remote_console(self.server_id,
- "novnc", "vnc")
+ with self.rbac_utils.override_role(self):
+ self.servers_client.get_remote_console(self.server_id,
+ "novnc", "vnc")
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
index be24569..1674b1a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
@@ -34,8 +34,8 @@
rule="os_compute_api:os-server-groups:create")
@decorators.idempotent_id('7f3eae94-6130-47e9-81ac-34009f55be2f')
def test_create_server_group(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_test_server_group()
+ with self.rbac_utils.override_role(self):
+ self.create_test_server_group()
@rbac_rule_validation.action(
service="nova",
@@ -43,16 +43,16 @@
@decorators.idempotent_id('832d9be3-632e-47b2-93d2-5897db43e3e2')
def test_delete_server_group(self):
server_group = self.create_test_server_group()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.server_groups_client.delete_server_group(server_group['id'])
+ with self.rbac_utils.override_role(self):
+ self.server_groups_client.delete_server_group(server_group['id'])
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-server-groups:index")
@decorators.idempotent_id('5eccd67f-5945-483b-b1c8-de851ebfc1c1')
def test_list_server_groups(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.server_groups_client.list_server_groups()
+ with self.rbac_utils.override_role(self):
+ self.server_groups_client.list_server_groups()
@rbac_rule_validation.action(
service="nova",
@@ -60,5 +60,5 @@
@decorators.idempotent_id('62534e3f-7e99-4a3d-a08e-33e056460cf2')
def test_show_server_group(self):
server_group = self.create_test_server_group()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.server_groups_client.show_server_group(server_group['id'])
+ with self.rbac_utils.override_role(self):
+ self.server_groups_client.show_server_group(server_group['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_metadata_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_metadata_rbac.py
index ac2dcb0..05b1758 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_metadata_rbac.py
@@ -37,51 +37,48 @@
service="nova",
rule="os_compute_api:server-metadata:index")
def test_list_server_metadata(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_server_metadata(self.server['id'])['metadata']
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_server_metadata(self.server['id'])
@decorators.idempotent_id('6e76748b-2417-4fa2-b41a-c0cc4bff356b')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:server-metadata:update_all")
def test_set_server_metadata(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.set_server_metadata(self.server['id'], {})[
- 'metadata']
+ with self.rbac_utils.override_role(self):
+ self.servers_client.set_server_metadata(self.server['id'], {})
@decorators.idempotent_id('1060bac4-fe16-4a77-be64-d8e482a06eab')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:server-metadata:create")
def test_update_server_metadata(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.update_server_metadata(self.server['id'], {})[
- 'metadata']
+ with self.rbac_utils.override_role(self):
+ self.servers_client.update_server_metadata(self.server['id'], {})
@decorators.idempotent_id('93dd8323-d3fa-48d1-8bd6-91c1b62fc341')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:server-metadata:show")
def test_show_server_metadata_item(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_server_metadata_item(
- self.server['id'], 'default_key')['meta']
+ with self.rbac_utils.override_role(self):
+ self.servers_client.show_server_metadata_item(
+ self.server['id'], 'default_key')
@decorators.idempotent_id('79511293-4bd7-447d-ba7e-634d0f4da70c')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:server-metadata:update")
def test_set_server_metadata_item(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.set_server_metadata_item(
- self.server['id'], 'default_key', {'default_key': 'value2'})[
- 'meta']
+ with self.rbac_utils.override_role(self):
+ self.servers_client.set_server_metadata_item(
+ self.server['id'], 'default_key', {'default_key': 'value2'})
@decorators.idempotent_id('feec5064-678d-40bc-a88f-c856e18d1e31')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:server-metadata:delete")
def test_delete_server_metadata_item(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.delete_server_metadata_item(
- self.server['id'], 'delete_key')
+ with self.rbac_utils.override_role(self):
+ self.servers_client.delete_server_metadata_item(
+ self.server['id'], 'delete_key')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_migrations_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_migrations_rbac.py
index 1913159..a867b81 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_migrations_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_migrations_rbac.py
@@ -30,8 +30,6 @@
max_microversion = 'latest'
block_migration = 'auto'
- credentials = ['primary', 'admin']
-
@classmethod
def skip_checks(cls):
super(MigrateServerV225RbacTest, cls).skip_checks()
@@ -39,11 +37,6 @@
raise cls.skipException(
"Less than 2 compute nodes, skipping migration tests.")
- @classmethod
- def setup_clients(cls):
- super(MigrateServerV225RbacTest, cls).setup_clients()
- cls.admin_servers_client = cls.os_admin.servers_client
-
def _get_server_details(self, server_id):
body = self.servers_client.show_server(server_id)['server']
return body
@@ -73,9 +66,9 @@
@decorators.idempotent_id('c6f1607c-9fed-4c00-807e-9ba675b98b1b')
def test_cold_migration(self):
server = self.create_test_server(wait_until="ACTIVE")
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.migrate_server(server['id'])
- waiters.wait_for_server_status(self.admin_servers_client,
+ with self.rbac_utils.override_role(self):
+ self.servers_client.migrate_server(server['id'])
+ waiters.wait_for_server_status(self.servers_client,
server['id'], 'VERIFY_RESIZE')
@decorators.attr(type='slow')
@@ -91,8 +84,9 @@
actual_host = self._get_host_for_server(server_id)
target_host = self._get_host_other_than(actual_host)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.live_migrate_server(
- server_id, host=target_host, block_migration=self.block_migration)
- waiters.wait_for_server_status(self.admin_servers_client,
+ with self.rbac_utils.override_role(self):
+ self.servers_client.live_migrate_server(
+ server_id, host=target_host,
+ block_migration=self.block_migration)
+ waiters.wait_for_server_status(self.servers_client,
server_id, "ACTIVE")
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
index 48df4a3..fabcb4c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -83,8 +83,8 @@
@decorators.idempotent_id('ae84dd0b-f364-462e-b565-3457f9c019ef')
def test_reset_server_state(self):
"""Test reset server state, part of os-admin-actions."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.reset_state(self.server['id'], state='error')
+ with self.rbac_utils.override_role(self):
+ self.servers_client.reset_state(self.server['id'], state='error')
self.addCleanup(self.servers_client.reset_state, self.server['id'],
state='active')
@@ -95,8 +95,8 @@
@decorators.idempotent_id('ce48c340-51c1-4cff-9b6e-0cc5ef008630')
def test_inject_network_info(self):
"""Test inject network info, part of os-admin-actions."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.inject_network_info(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.inject_network_info(self.server['id'])
@utils.requires_ext(extension='os-admin-actions', service='compute')
@rbac_rule_validation.action(
@@ -105,8 +105,8 @@
@decorators.idempotent_id('2911a242-15c4-4fcb-80d5-80a8930661b0')
def test_reset_network(self):
"""Test reset network, part of os-admin-actions."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.reset_network(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.reset_network(self.server['id'])
@testtools.skipUnless(CONF.compute_feature_enabled.change_password,
'Change password not available.')
@@ -119,13 +119,13 @@
original_password = self.servers_client.show_password(
self.server['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.change_password(
- self.server['id'], adminPass=data_utils.rand_password())
+ with self.rbac_utils.override_role(self):
+ self.servers_client.change_password(
+ self.server['id'], adminPass=data_utils.rand_password())
self.addCleanup(self.servers_client.change_password, self.server['id'],
adminPass=original_password)
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server['id'], 'ACTIVE')
+ self.servers_client, self.server['id'], 'ACTIVE')
@utils.requires_ext(extension='os-config-drive', service='compute')
@decorators.idempotent_id('2c82e819-382d-4d6f-87f0-a45954cbbc64')
@@ -134,8 +134,8 @@
rule="os_compute_api:os-config-drive")
def test_list_servers_with_details_config_drive(self):
"""Test list servers with config_drive property in response body."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.servers_client.list_servers(detail=True)['servers']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.list_servers(detail=True)['servers']
expected_attr = 'config_drive'
# If the first server contains "config_drive", then all the others do.
if expected_attr not in body[0]:
@@ -149,9 +149,8 @@
rule="os_compute_api:os-config-drive")
def test_show_server_config_drive(self):
"""Test show server with config_drive property in response body."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- body = self.servers_client.show_server(self.server['id'])['server']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.show_server(self.server['id'])['server']
expected_attr = 'config_drive'
if expected_attr not in body:
raise rbac_exceptions.RbacMalformedResponse(
@@ -164,9 +163,9 @@
rule="os_compute_api:os-deferred-delete")
def test_force_delete_server(self):
"""Test force delete server, part of os-deferred-delete."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Force-deleting a server enforces os-deferred-delete.
- self.servers_client.force_delete_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ # Force-deleting a server enforces os-deferred-delete.
+ self.servers_client.force_delete_server(self.server['id'])
@decorators.idempotent_id('d873740a-7b10-40a9-943d-7cc18115370e')
@utils.requires_ext(extension='OS-EXT-AZ', service='compute')
@@ -177,8 +176,8 @@
"""Test list servers OS-EXT-AZ:availability_zone attr in resp body."""
expected_attr = 'OS-EXT-AZ:availability_zone'
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.servers_client.list_servers(detail=True)['servers']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.list_servers(detail=True)['servers']
# If the first server contains `expected_attr`, then all the others do.
if expected_attr not in body[0]:
raise rbac_exceptions.RbacMalformedResponse(
@@ -193,8 +192,8 @@
"""Test show server OS-EXT-AZ:availability_zone attr in resp body."""
expected_attr = 'OS-EXT-AZ:availability_zone'
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.servers_client.show_server(self.server['id'])['server']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.show_server(self.server['id'])['server']
if expected_attr not in body:
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
@@ -208,8 +207,8 @@
"""Test list servers with details, with extended server attributes in
response body.
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.servers_client.list_servers(detail=True)['servers']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.list_servers(detail=True)['servers']
# NOTE(felipemonteiro): The attributes included below should be
# returned by all microversions. We don't include tests for other
@@ -230,8 +229,8 @@
"""Test show server with extended server attributes in response
body.
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.servers_client.show_server(self.server['id'])['server']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.show_server(self.server['id'])['server']
# NOTE(felipemonteiro): The attributes included below should be
# returned by all microversions. We don't include tests for other
@@ -250,8 +249,8 @@
rule="os_compute_api:os-extended-status")
def test_list_servers_extended_status(self):
"""Test list servers with extended properties in response body."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.servers_client.list_servers(detail=True)['servers']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.list_servers(detail=True)['servers']
expected_attrs = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
'OS-EXT-STS:power_state')
@@ -267,8 +266,8 @@
rule="os_compute_api:os-extended-status")
def test_show_server_extended_status(self):
"""Test show server with extended properties in response body."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.servers_client.show_server(self.server['id'])['server']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.show_server(self.server['id'])['server']
expected_attrs = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
'OS-EXT-STS:power_state')
@@ -288,8 +287,8 @@
"""
expected_attr = 'os-extended-volumes:volumes_attached'
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.servers_client.list_servers(detail=True)['servers']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.list_servers(detail=True)['servers']
if expected_attr not in body[0]:
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
@@ -305,8 +304,8 @@
"""
expected_attr = 'os-extended-volumes:volumes_attached'
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.servers_client.show_server(self.server['id'])['server']
+ with self.rbac_utils.override_role(self):
+ body = self.servers_client.show_server(self.server['id'])['server']
if expected_attr not in body:
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
@@ -318,8 +317,8 @@
rule="os_compute_api:os-instance-actions")
def test_list_instance_actions(self):
"""Test list instance actions, part of os-instance-actions."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_instance_actions(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_instance_actions(self.server['id'])
@utils.requires_ext(extension='os-instance-actions', service='compute')
@decorators.idempotent_id('eb04c439-4215-4029-9ccb-5b3c041bfc25')
@@ -334,9 +333,9 @@
# NOTE: "os_compute_api:os-instance-actions" is also enforced.
request_id = self.server.response['x-compute-request-id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- instance_action = self.servers_client.show_instance_action(
- self.server['id'], request_id)['instanceAction']
+ with self.rbac_utils.override_role(self):
+ instance_action = self.servers_client.show_instance_action(
+ self.server['id'], request_id)['instanceAction']
if 'events' not in instance_action:
raise rbac_exceptions.RbacMalformedResponse(
@@ -352,9 +351,9 @@
rule="os_compute_api:os-keypairs")
@decorators.idempotent_id('81e6fa34-c06b-42ca-b195-82bf8699b940')
def test_show_server_keypair(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- result =\
- self.servers_client.show_server(self.server['id'])['server']
+ with self.rbac_utils.override_role(self):
+ result = self.servers_client.show_server(self.server['id'])[
+ 'server']
if 'key_name' not in result:
raise rbac_exceptions.RbacMalformedResponse(
attribute='key_name')
@@ -364,8 +363,8 @@
rule="os_compute_api:os-keypairs")
@decorators.idempotent_id('41ca4280-ec59-4b80-a9b1-6bc6366faf39')
def test_list_servers_keypairs(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- result = self.servers_client.list_servers(detail=True)['servers']
+ with self.rbac_utils.override_role(self):
+ result = self.servers_client.list_servers(detail=True)['servers']
if 'key_name' not in result[0]:
raise rbac_exceptions.RbacMalformedResponse(
attribute='key_name')
@@ -376,8 +375,8 @@
@decorators.idempotent_id('b81e10fb-1864-498f-8c1d-5175c6fec5fb')
def test_lock_server(self):
"""Test lock server, part of os-lock-server."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.lock_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.lock_server(self.server['id'])
self.addCleanup(self.servers_client.unlock_server, self.server['id'])
@rbac_rule_validation.action(
@@ -389,8 +388,8 @@
self.servers_client.lock_server(self.server['id'])
self.addCleanup(self.servers_client.unlock_server, self.server['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.unlock_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.unlock_server(self.server['id'])
@rbac_rule_validation.action(
service="nova",
@@ -406,8 +405,8 @@
self.os_admin.servers_client.lock_server(self.server['id'])
self.addCleanup(self.servers_client.unlock_server, self.server['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.unlock_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.unlock_server(self.server['id'])
@utils.requires_ext(extension='os-rescue', service='compute')
@rbac_rule_validation.action(
@@ -416,8 +415,8 @@
@decorators.idempotent_id('fbbb2afc-ed0e-4552-887d-ac00fb5d436e')
def test_rescue_server(self):
"""Test rescue server, part of os-rescue."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.rescue_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.rescue_server(self.server['id'])
@decorators.idempotent_id('ac2d956f-d6a3-4184-b814-b44d05c9574c')
@utils.requires_ext(extension='os-rescue', service='compute')
@@ -428,10 +427,10 @@
"""Test unrescue server, part of os-rescue."""
self.servers_client.rescue_server(self.server['id'])
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server['id'], 'RESCUE')
+ self.servers_client, self.server['id'], 'RESCUE')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.unrescue_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.unrescue_server(self.server['id'])
# `setUp` will wait for the server to reach 'ACTIVE' for next test.
@utils.requires_ext(extension='os-server-diagnostics', service='compute')
@@ -441,8 +440,8 @@
@decorators.idempotent_id('5dabfcc4-bedb-417b-8247-b3ee7c5c0f3e')
def test_show_server_diagnostics(self):
"""Test show server diagnostics, part of os-server-diagnostics."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_server_diagnostics(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.show_server_diagnostics(self.server['id'])
@utils.requires_ext(extension='os-server-password', service='compute')
@decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
@@ -451,8 +450,8 @@
rule="os_compute_api:os-server-password")
def test_delete_server_password(self):
"""Test delete server password, part of os-server-password."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.delete_password(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.delete_password(self.server['id'])
@utils.requires_ext(extension='os-server-password', service='compute')
@rbac_rule_validation.action(
@@ -461,8 +460,8 @@
@decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
def test_get_server_password(self):
"""Test show server password, part of os-server-password."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_password(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.show_password(self.server['id'])
@utils.requires_ext(extension='OS-SRV-USG', service='compute')
@rbac_rule_validation.action(
@@ -475,8 +474,8 @@
TODO(felipemonteiro): Once multiple policy testing is supported, this
test can be combined with the generic test for showing a server.
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.show_server(self.server['id'])
@utils.requires_ext(extension='os-simple-tenant-usage', service='compute')
@rbac_rule_validation.action(
@@ -485,8 +484,8 @@
@decorators.idempotent_id('2aef094f-0452-4df6-a66a-0ec22a92b16e')
def test_list_simple_tenant_usages(self):
"""Test list tenant usages, part of os-simple-tenant-usage."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.tenant_usages_client.list_tenant_usages()
+ with self.rbac_utils.override_role(self):
+ self.tenant_usages_client.list_tenant_usages()
@utils.requires_ext(extension='os-simple-tenant-usage', service='compute')
@rbac_rule_validation.action(
@@ -497,8 +496,8 @@
"""Test show tenant usage, part of os-simple-tenant-usage."""
tenant_id = self.os_primary.credentials.tenant_id
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.tenant_usages_client.show_tenant_usage(tenant_id=tenant_id)
+ with self.rbac_utils.override_role(self):
+ self.tenant_usages_client.show_tenant_usage(tenant_id=tenant_id)
@testtools.skipUnless(CONF.compute_feature_enabled.suspend,
"Suspend compute feature is not available.")
@@ -508,11 +507,11 @@
rule="os_compute_api:os-suspend-server:suspend")
def test_suspend_server(self):
"""Test suspend server, part of os-suspend-server."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.suspend_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.suspend_server(self.server['id'])
self.addCleanup(self.servers_client.resume_server, self.server['id'])
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server['id'], 'SUSPENDED')
+ self.servers_client, self.server['id'], 'SUSPENDED')
@testtools.skipUnless(CONF.compute_feature_enabled.suspend,
"Suspend compute feature is not available.")
@@ -524,12 +523,12 @@
"""Test resume server, part of os-suspend-server."""
self.servers_client.suspend_server(self.server['id'])
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server['id'], 'SUSPENDED')
+ self.servers_client, self.server['id'], 'SUSPENDED')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.resume_server(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.resume_server(self.server['id'])
waiters.wait_for_server_status(
- self.os_admin.servers_client, self.server['id'], 'ACTIVE')
+ self.servers_client, self.server['id'], 'ACTIVE')
class MiscPolicyActionsNetworkRbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -541,8 +540,6 @@
* tests that require network resources
"""
- credentials = ['primary', 'admin']
-
@classmethod
def skip_checks(cls):
super(MiscPolicyActionsNetworkRbacTest, cls).skip_checks()
@@ -565,7 +562,7 @@
interface = self.interfaces_client.create_interface(
self.server['id'])['interfaceAttachment']
waiters.wait_for_interface_status(
- self.os_admin.interfaces_client, self.server['id'],
+ self.interfaces_client, self.server['id'],
interface['port_id'], 'ACTIVE')
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
@@ -582,9 +579,8 @@
rule="os_compute_api:os-attach-interfaces")
def test_list_interfaces(self):
"""Test list interfaces, part of os-attach-interfaces."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.interfaces_client.list_interfaces(
- self.server['id'])['interfaceAttachments']
+ with self.rbac_utils.override_role(self):
+ self.interfaces_client.list_interfaces(self.server['id'])
@decorators.idempotent_id('1b9cf7db-dc50-48a2-8eb9-8c25af5e934a')
@testtools.skipUnless(CONF.compute_feature_enabled.interface_attach,
@@ -596,9 +592,9 @@
def test_show_interface(self):
"""Test show interfaces, part of os-attach-interfaces."""
interface = self._attach_interface_to_server()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.interfaces_client.show_interface(
- self.server['id'], interface['port_id'])['interfaceAttachment']
+ with self.rbac_utils.override_role(self):
+ self.interfaces_client.show_interface(
+ self.server['id'], interface['port_id'])
@testtools.skipUnless(CONF.compute_feature_enabled.interface_attach,
"Interface attachment is not available.")
@@ -609,8 +605,16 @@
rule="os_compute_api:os-attach-interfaces:create")
def test_create_interface(self):
"""Test create interface, part of os-attach-interfaces."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._attach_interface_to_server()
+ with self.rbac_utils.override_role(self):
+ interface = self.interfaces_client.create_interface(
+ self.server['id'])['interfaceAttachment']
+ waiters.wait_for_interface_status(
+ self.interfaces_client, self.server['id'],
+ interface['port_id'], 'ACTIVE')
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.interfaces_client.delete_interface,
+ self.server['id'], interface['port_id'])
@testtools.skipUnless(CONF.compute_feature_enabled.interface_attach,
"Interface attachment is not available.")
@@ -623,9 +627,9 @@
"""Test delete interface, part of os-attach-interfaces."""
interface = self._attach_interface_to_server()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.interfaces_client.delete_interface(self.server['id'],
- interface['port_id'])
+ with self.rbac_utils.override_role(self):
+ self.interfaces_client.delete_interface(self.server['id'],
+ interface['port_id'])
@decorators.idempotent_id('6886d360-0d86-4760-b1a3-882d81fbebcc')
@utils.requires_ext(extension='os-ips', service='compute')
@@ -634,8 +638,8 @@
rule="os_compute_api:ips:index")
def test_list_addresses(self):
"""Test list server addresses, part of ips policy family."""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_addresses(self.server['id'])['addresses']
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_addresses(self.server['id'])
@decorators.idempotent_id('fa43e7e5-0db9-48eb-9c6b-c11eb766b8e4')
@utils.requires_ext(extension='os-ips', service='compute')
@@ -648,9 +652,9 @@
'addresses']
address = next(iter(addresses))
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_addresses_by_network(
- self.server['id'], address)[address]
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_addresses_by_network(
+ self.server['id'], address)
@testtools.skipUnless(CONF.compute_feature_enabled.interface_attach,
"Interface attachment is not available.")
@@ -668,9 +672,9 @@
network_id = self.interfaces_client.create_interface(
self.server['id'])['interfaceAttachment']['net_id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.add_fixed_ip(self.server['id'],
- networkId=network_id)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.add_fixed_ip(self.server['id'],
+ networkId=network_id)
@rbac_rule_validation.action(
service="nova",
@@ -685,10 +689,12 @@
For more information, see:
https://developer.openstack.org/api-ref/compute/#servers-virtual-interfaces-servers-os-virtual-interfaces-deprecated
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- if CONF.service_available.neutron:
- msg = "Listing virtual interfaces is not supported by this cloud."
- with self.assertRaisesRegex(lib_exc.BadRequest, msg):
+ with self.rbac_utils.override_role(self):
+ if CONF.service_available.neutron:
+ msg = ("Listing virtual interfaces is not supported by this "
+ "cloud.")
+ with self.assertRaisesRegex(lib_exc.BadRequest, msg):
+ self.servers_client.list_virtual_interfaces(
+ self.server['id'])
+ else:
self.servers_client.list_virtual_interfaces(self.server['id'])
- else:
- self.servers_client.list_virtual_interfaces(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
index 0fe92a9..b95ebd5 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
@@ -33,15 +33,12 @@
class ComputeServersRbacTest(base.BaseV2ComputeRbacTest):
- credentials = ['primary', 'admin']
-
@classmethod
def setup_clients(cls):
super(ComputeServersRbacTest, cls).setup_clients()
cls.networks_client = cls.os_primary.networks_client
cls.ports_client = cls.os_primary.ports_client
cls.subnets_client = cls.os_primary.subnets_client
- cls.admin_servers_client = cls.os_admin.servers_client
@classmethod
def resource_setup(cls):
@@ -53,8 +50,8 @@
rule="os_compute_api:servers:create")
@decorators.idempotent_id('4f34c73a-6ddc-4677-976f-71320fa855bd')
def test_create_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_test_server(wait_until='ACTIVE')
+ with self.rbac_utils.override_role(self):
+ self.create_test_server(wait_until='ACTIVE')
@rbac_rule_validation.action(
service="nova",
@@ -72,9 +69,9 @@
host = list(hosts[0].keys())[0]
availability_zone = 'nova:' + host
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_test_server(wait_until='ACTIVE',
- availability_zone=availability_zone)
+ with self.rbac_utils.override_role(self):
+ self.create_test_server(wait_until='ACTIVE',
+ availability_zone=availability_zone)
@utils.services('volume')
@rbac_rule_validation.action(
@@ -97,10 +94,10 @@
'delete_on_termination': True}]
device_mapping = {'block_device_mapping_v2': bd_map_v2}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Use image_id='' to avoid using the default image in tempest.conf.
- server = self.create_test_server(name=server_name, image_id='',
- **device_mapping)
+ with self.rbac_utils.override_role(self):
+ # Use image_id='' to avoid using the default image in tempest.conf.
+ server = self.create_test_server(name=server_name, image_id='',
+ **device_mapping)
# Delete the server and wait for the volume to become available to
# avoid clean up errors.
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
@@ -140,9 +137,9 @@
network = _create_network_resources()
network_id = {'uuid': network['id']}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- server = self.create_test_server(wait_until='ACTIVE',
- networks=[network_id])
+ with self.rbac_utils.override_role(self):
+ server = self.create_test_server(wait_until='ACTIVE',
+ networks=[network_id])
self.addCleanup(waiters.wait_for_server_termination,
self.servers_client, server['id'])
self.addCleanup(self.servers_client.delete_server, server['id'])
@@ -154,10 +151,10 @@
def test_delete_server(self):
server = self.create_test_server(wait_until='ACTIVE')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.delete_server(server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.delete_server(server['id'])
waiters.wait_for_server_termination(
- self.admin_servers_client, server['id'])
+ self.servers_client, server['id'])
@rbac_rule_validation.action(
service="nova",
@@ -165,13 +162,14 @@
@decorators.idempotent_id('077b17cb-5621-43b9-8adf-5725f0d7a863')
def test_update_server(self):
new_name = data_utils.rand_name(self.__class__.__name__ + '-server')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- try:
- self.servers_client.update_server(self.server['id'], name=new_name)
- waiters.wait_for_server_status(self.admin_servers_client,
- self.server['id'], 'ACTIVE')
- except exceptions.ServerFault as e:
- # Some other policy may have blocked it.
- LOG.info("ServerFault exception caught. Some other policy "
- "blocked updating of server")
- raise rbac_exceptions.RbacConflictingPolicies(e)
+ with self.rbac_utils.override_role(self):
+ try:
+ self.servers_client.update_server(self.server['id'],
+ name=new_name)
+ waiters.wait_for_server_status(self.servers_client,
+ self.server['id'], 'ACTIVE')
+ except exceptions.ServerFault as e:
+ # Some other policy may have blocked it.
+ LOG.info("ServerFault exception caught. Some other policy "
+ "blocked updating of server")
+ raise rbac_exceptions.RbacConflictingPolicies(e)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_tags_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_tags_rbac.py
index 0f49095..70e7da9 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_tags_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_tags_rbac.py
@@ -49,8 +49,8 @@
service="nova",
rule="os_compute_api:os-server-tags:index")
def test_list_tags(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_tags(self.server['id'])['tags']
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_tags(self.server['id'])
@decorators.idempotent_id('9297c99e-94eb-429f-93cf-9b1838e33622')
@rbac_rule_validation.action(
@@ -58,16 +58,17 @@
rule="os_compute_api:os-server-tags:show")
def test_check_tag_existence(self):
tag_name = self._add_tag_to_server()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.check_tag_existence(self.server['id'], tag_name)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.check_tag_existence(self.server['id'],
+ tag_name)
@decorators.idempotent_id('0d84ee94-d3ca-4635-8edf-b7f67ab8e4a3')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-server-tags:update")
def test_update_tag(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._add_tag_to_server()
+ with self.rbac_utils.override_role(self):
+ self._add_tag_to_server()
@decorators.idempotent_id('115c2694-00aa-41ee-99f6-9eab4040c182')
@rbac_rule_validation.action(
@@ -75,23 +76,23 @@
rule="os_compute_api:os-server-tags:delete")
def test_delete_tag(self):
tag_name = self._add_tag_to_server()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.delete_tag(self.server['id'], tag_name)
+ with self.rbac_utils.override_role(self):
+ self.servers_client.delete_tag(self.server['id'], tag_name)
@decorators.idempotent_id('a8e19b87-6580-4bc8-9933-e62561ff667d')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-server-tags:update_all")
def test_update_all_tags(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
new_tag_name = data_utils.rand_name(self.__class__.__name__ + '-tag')
- self.servers_client.update_all_tags(self.server['id'],
- [new_tag_name])['tags']
+ with self.rbac_utils.override_role(self):
+ self.servers_client.update_all_tags(self.server['id'],
+ [new_tag_name])
@decorators.idempotent_id('89d51936-e333-42f9-a045-132a4865ba1a')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-server-tags:delete_all")
def test_delete_all_tags(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.delete_all_tags(self.server['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.delete_all_tags(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
index 65d9edb..ed0c7a2 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
@@ -49,17 +49,16 @@
rule="os_compute_api:os-volumes-attachments:index")
@decorators.idempotent_id('529b668b-6edb-41d5-8886-d7dbd0614678')
def test_list_volume_attachments(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_volume_attachments(self.server['id'])[
- 'volumeAttachments']
+ with self.rbac_utils.override_role(self):
+ self.servers_client.list_volume_attachments(self.server['id'])
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-volumes-attachments:create")
@decorators.idempotent_id('21c2c3fd-fbe8-41b1-8ef8-115ec47d54c1')
def test_create_volume_attachment(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.attach_volume(self.server, self.volume)
+ with self.rbac_utils.override_role(self):
+ self.attach_volume(self.server, self.volume)
@rbac_rule_validation.action(
service="nova",
@@ -68,9 +67,9 @@
def test_show_volume_attachment(self):
attachment = self.attach_volume(self.server, self.volume)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_volume_attachment(
- self.server['id'], attachment['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.show_volume_attachment(
+ self.server['id'], attachment['id'])
@decorators.attr(type='slow')
@rbac_rule_validation.action(
@@ -81,9 +80,9 @@
attachment = self.attach_volume(self.server, self.volume)
alt_volume = self.create_volume()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.update_attached_volume(
- self.server['id'], attachment['id'], volumeId=alt_volume['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.update_attached_volume(
+ self.server['id'], attachment['id'], volumeId=alt_volume['id'])
waiters.wait_for_volume_resource_status(self.volumes_client,
alt_volume['id'], 'in-use')
# On teardown detach the volume and wait for it to be available. This
@@ -105,7 +104,8 @@
def test_delete_volume_attachment(self):
self.attach_volume(self.server, self.volume)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.detach_volume(self.server['id'], self.volume['id'])
+ with self.rbac_utils.override_role(self):
+ self.servers_client.detach_volume(self.server['id'],
+ self.volume['id'])
waiters.wait_for_volume_resource_status(self.volumes_client,
self.volume['id'], 'available')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
index 316da00..183d990 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
@@ -34,5 +34,5 @@
rule="os_compute_api:os-services")
@decorators.idempotent_id('7472261b-9c6d-453a-bcb3-aecaa29ad281')
def test_list_services(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.services_client.list_services()['services']
+ with self.rbac_utils.override_role(self):
+ self.services_client.list_services()['services']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
index 830e19a..19c7e33 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
@@ -57,5 +57,5 @@
service="nova",
rule="os_compute_api:os-tenant-networks")
def test_list_show_tenant_networks(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.tenant_networks_client.list_tenant_networks()['networks']
+ with self.rbac_utils.override_role(self):
+ self.tenant_networks_client.list_tenant_networks()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
index b2c8e79..b07fb3f 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
@@ -14,6 +14,7 @@
# under the License.
from tempest.common import waiters
+from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -33,12 +34,15 @@
# https://developer.openstack.org/api-ref/compute/#volume-extension-os-volumes-os-snapshots-deprecated
max_microversion = '2.35'
- credentials = ['primary', 'admin']
-
@classmethod
- def setup_clients(cls):
- super(VolumeRbacTest, cls).setup_clients()
- cls.admin_volumes_client = cls.os_admin.volumes_client_latest
+ def skip_checks(cls):
+ super(VolumeRbacTest, cls).skip_checks()
+ if not CONF.service_available.cinder:
+ skip_msg = ("%s skipped as Cinder is not available" % cls.__name__)
+ raise cls.skipException(skip_msg)
+ if not CONF.volume_feature_enabled.snapshot:
+ skip_msg = ("Cinder volume snapshots are disabled")
+ raise cls.skipException(skip_msg)
@classmethod
def resource_setup(cls):
@@ -47,10 +51,10 @@
def _delete_snapshot(self, snapshot_id):
waiters.wait_for_volume_resource_status(
- self.os_admin.snapshots_extensions_client, snapshot_id,
+ self.snapshots_extensions_client, snapshot_id,
'available')
self.snapshots_extensions_client.delete_snapshot(snapshot_id)
- self.os_admin.snapshots_extensions_client.wait_for_resource_deletion(
+ self.snapshots_extensions_client.wait_for_resource_deletion(
snapshot_id)
@decorators.idempotent_id('2402013e-a624-43e3-9518-44a5d1dbb32d')
@@ -58,12 +62,10 @@
service="nova",
rule="os_compute_api:os-volumes")
def test_create_volume(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- volume = self.volumes_extensions_client.create_volume(
- size=CONF.volume.volume_size)['volume']
- # Use the admin volumes client to wait, because waiting involves
- # calling show API action which enforces a different policy.
- waiters.wait_for_volume_resource_status(self.admin_volumes_client,
+ with self.rbac_utils.override_role(self):
+ volume = self.volumes_extensions_client.create_volume(
+ size=CONF.volume.volume_size)['volume']
+ waiters.wait_for_volume_resource_status(self.volumes_client,
volume['id'], 'available')
# Use non-deprecated volumes_client for deletion.
self.addCleanup(self.volumes_client.delete_volume, volume['id'])
@@ -73,16 +75,16 @@
service="nova",
rule="os_compute_api:os-volumes")
def test_list_volumes(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volumes_extensions_client.list_volumes()
+ with self.rbac_utils.override_role(self):
+ self.volumes_extensions_client.list_volumes()
@decorators.idempotent_id('4ba0a820-040f-488b-86bb-be2e920ea12c')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-volumes")
def test_show_volume(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volumes_extensions_client.show_volume(self.volume['id'])
+ with self.rbac_utils.override_role(self):
+ self.volumes_extensions_client.show_volume(self.volume['id'])
@decorators.idempotent_id('6e7870f2-1bb2-4b58-96f8-6782071ef327')
@rbac_rule_validation.action(
@@ -90,17 +92,18 @@
rule="os_compute_api:os-volumes")
def test_delete_volume(self):
volume = self.create_volume()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volumes_extensions_client.delete_volume(volume['id'])
+ with self.rbac_utils.override_role(self):
+ self.volumes_extensions_client.delete_volume(volume['id'])
@decorators.idempotent_id('0c3eaa4f-69d6-4a13-9dda-19585f36b1c1')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-volumes")
def test_create_snapshot(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- snapshot = self.snapshots_extensions_client.create_snapshot(
- self.volume['id'])['snapshot']
+ s_name = data_utils.rand_name(self.__class__.__name__ + '-Snapshot')
+ with self.rbac_utils.override_role(self):
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ volume_id=self.volume['id'], display_name=s_name)['snapshot']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self._delete_snapshot, snapshot['id'])
@@ -109,30 +112,37 @@
service="nova",
rule="os_compute_api:os-volumes")
def test_list_snapshots(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_extensions_client.list_snapshots()
+ with self.rbac_utils.override_role(self):
+ self.snapshots_extensions_client.list_snapshots()
@decorators.idempotent_id('19c2e6bd-585b-472f-a8d7-71ea9299c655')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-volumes")
def test_show_snapshot(self):
+ s_name = data_utils.rand_name(self.__class__.__name__ + '-Snapshot')
snapshot = self.snapshots_extensions_client.create_snapshot(
- self.volume['id'])['snapshot']
+ volume_id=self.volume['id'], display_name=s_name)['snapshot']
self.addCleanup(self._delete_snapshot, snapshot['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_extensions_client.show_snapshot(snapshot['id'])
+ with self.rbac_utils.override_role(self):
+ self.snapshots_extensions_client.show_snapshot(snapshot['id'])
@decorators.idempotent_id('f4f5635c-416c-11e7-a919-92ebcb67fe33')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-volumes")
def test_delete_snapshot(self):
+ s_name = data_utils.rand_name(self.__class__.__name__ + '-Snapshot')
snapshot = self.snapshots_extensions_client.create_snapshot(
- self.volume['id'])['snapshot']
+ volume_id=self.volume['id'], display_name=s_name)['snapshot']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self._delete_snapshot, snapshot['id'])
+ waiters.wait_for_volume_resource_status(
+ self.snapshots_extensions_client, snapshot['id'],
+ 'available')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._delete_snapshot(snapshot['id'])
+ with self.rbac_utils.override_role(self):
+ self.snapshots_extensions_client.delete_snapshot(snapshot['id'])
+ self.snapshots_extensions_client.wait_for_resource_deletion(
+ snapshot['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_auth_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_auth_rbac.py
index 6a26f2b..8393696 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_auth_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_auth_rbac.py
@@ -34,12 +34,12 @@
@rbac_rule_validation.action(service="keystone",
rule="identity:get_auth_projects")
def test_list_auth_projects(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.identity_client.list_auth_projects()['projects']
+ with self.rbac_utils.override_role(self):
+ self.identity_client.list_auth_projects()
@decorators.idempotent_id('6a40af0d-7265-4657-b6b2-87a2828e263e')
@rbac_rule_validation.action(service="keystone",
rule="identity:get_auth_domains")
def test_list_auth_domain(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.identity_client.list_auth_domains()
+ with self.rbac_utils.override_role(self):
+ self.identity_client.list_auth_domains()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
index 995c3b0..af6feb6 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -34,8 +34,8 @@
def test_create_credential(self):
project = self.setup_test_project()
user = self.setup_test_user(project_id=project['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_credential(user=user)
+ with self.rbac_utils.override_role(self):
+ self.setup_test_credential(user=user)
@rbac_rule_validation.action(service="keystone",
rule="identity:update_credential")
@@ -45,13 +45,13 @@
new_keys = [data_utils.rand_uuid_hex(),
data_utils.rand_uuid_hex()]
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.creds_client.update_credential(
- credential['id'],
- credential=credential,
- access_key=new_keys[0],
- secret_key=new_keys[1],
- project_id=credential['project_id'])['credential']
+ with self.rbac_utils.override_role(self):
+ self.creds_client.update_credential(
+ credential['id'],
+ credential=credential,
+ access_key=new_keys[0],
+ secret_key=new_keys[1],
+ project_id=credential['project_id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_credential")
@@ -59,8 +59,8 @@
def test_delete_credential(self):
credential = self._create_user_project_and_credential()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.creds_client.delete_credential(credential['id'])
+ with self.rbac_utils.override_role(self):
+ self.creds_client.delete_credential(credential['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_credential")
@@ -68,12 +68,12 @@
def test_show_credential(self):
credential = self._create_user_project_and_credential()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.creds_client.show_credential(credential['id'])
+ with self.rbac_utils.override_role(self):
+ self.creds_client.show_credential(credential['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_credentials")
@decorators.idempotent_id('3de303e2-12a7-4811-805a-f18906472038')
def test_list_credentials(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.creds_client.list_credentials()
+ with self.rbac_utils.override_role(self):
+ self.creds_client.list_credentials()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_domain_configuration_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_domain_configuration_rbac.py
index 31f962a..8db8906 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_domain_configuration_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_domain_configuration_rbac.py
@@ -56,31 +56,31 @@
rule="identity:create_domain_config")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd115')
def test_create_domain_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_domain_config(self.domain_id)
+ with self.rbac_utils.override_role(self):
+ self._create_domain_config(self.domain_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:get_domain_config")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd118')
def test_show_domain_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.show_domain_config(self.domain_id)['config']
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.show_domain_config(self.domain_id)
@decorators.idempotent_id('1b539f95-4991-4e09-960f-fa771e1007d7')
@rbac_rule_validation.action(service="keystone",
rule="identity:get_domain_config")
def test_show_domain_group_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.show_domain_group_config(
- self.domain_id, 'identity')['config']
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.show_domain_group_config(
+ self.domain_id, 'identity')
@decorators.idempotent_id('590c774d-a294-44f8-866e-aac9f4ab3809')
@rbac_rule_validation.action(service="keystone",
rule="identity:get_domain_config")
def test_show_domain_group_option_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.show_domain_group_option_config(
- self.domain_id, 'identity', 'driver')['config']
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.show_domain_group_option_config(
+ self.domain_id, 'identity', 'driver')
@decorators.idempotent_id('21053885-1ce3-4167-b5e3-e470253481da')
@rbac_rule_validation.action(
@@ -89,77 +89,76 @@
def test_show_security_compliance_domain_config(self):
# The "security_compliance" group can only be shown for the default
# domain.
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.show_domain_group_config(
- CONF.identity.default_domain_id, 'security_compliance')
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.show_domain_group_config(
+ CONF.identity.default_domain_id, 'security_compliance')
@decorators.idempotent_id('d1addd10-9ae4-4360-9961-47324fd22f23')
@rbac_rule_validation.action(service="keystone",
rule="identity:get_domain_config_default")
def test_show_default_config_settings(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.show_default_config_settings()['config']
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.show_default_config_settings()
@decorators.idempotent_id('63183377-251f-4622-81f0-6b58a8a285c9')
@rbac_rule_validation.action(service="keystone",
rule="identity:get_domain_config_default")
def test_show_default_group_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.show_default_group_config('identity')[
- 'config']
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.show_default_group_config('identity')
@decorators.idempotent_id('6440e9c1-e8da-474d-9118-89996fffe5f8')
@rbac_rule_validation.action(service="keystone",
rule="identity:get_domain_config_default")
def test_show_default_group_option(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.show_default_group_option('identity',
- 'driver')['config']
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.show_default_group_option('identity',
+ 'driver')
@rbac_rule_validation.action(service="keystone",
rule="identity:update_domain_config")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd116')
def test_update_domain_config(self):
updated_config = {'ldap': {'url': data_utils.rand_url()}}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.update_domain_config(
- self.domain_id, **updated_config)['config']
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.update_domain_config(
+ self.domain_id, **updated_config)
@decorators.idempotent_id('6e32bf96-dbe9-4ac8-b814-0e79fa948285')
@rbac_rule_validation.action(service="keystone",
rule="identity:update_domain_config")
def test_update_domain_group_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.update_domain_group_config(
- self.domain_id, 'identity', identity=self.identity)['config']
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.update_domain_group_config(
+ self.domain_id, 'identity', identity=self.identity)
@decorators.idempotent_id('d2c510da-a077-4c67-9522-27745ef2812b')
@rbac_rule_validation.action(service="keystone",
rule="identity:update_domain_config")
def test_update_domain_group_option_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.update_domain_group_option_config(
- self.domain_id, 'identity', 'driver', driver='ldap')['config']
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.update_domain_group_option_config(
+ self.domain_id, 'identity', 'driver', driver='ldap')
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_domain_config")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd117')
def test_delete_domain_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.delete_domain_config(self.domain_id)
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.delete_domain_config(self.domain_id)
@decorators.idempotent_id('f479694b-df02-4d5a-88b6-c8b52f9341eb')
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_domain_config")
def test_delete_domain_group_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.delete_domain_group_config(self.domain_id,
- 'identity')
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.delete_domain_group_config(
+ self.domain_id, 'identity')
@decorators.idempotent_id('f594bde3-31c9-414f-922d-0ddafdc0ca40')
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_domain_config")
def test_delete_domain_group_option_config(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domain_config_client.delete_domain_group_option_config(
- self.domain_id, 'identity', 'driver')
+ with self.rbac_utils.override_role(self):
+ self.domain_config_client.delete_domain_group_option_config(
+ self.domain_id, 'identity', 'driver')
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py
index a8cd022..3837051 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py
@@ -26,8 +26,8 @@
rule="identity:create_domain")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd110')
def test_create_domain(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_domain()
+ with self.rbac_utils.override_role(self):
+ self.setup_test_domain()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_domain")
@@ -36,10 +36,10 @@
domain = self.setup_test_domain()
new_domain_name = data_utils.rand_name(
self.__class__.__name__ + '-test_update_domain')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domains_client.update_domain(domain['id'],
- domain=domain,
- name=new_domain_name)
+ with self.rbac_utils.override_role(self):
+ self.domains_client.update_domain(domain['id'],
+ domain=domain,
+ name=new_domain_name)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_domain")
@@ -50,20 +50,20 @@
self.domains_client.update_domain(domain['id'],
domain=domain,
enabled=False)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domains_client.delete_domain(domain['id'])
+ with self.rbac_utils.override_role(self):
+ self.domains_client.delete_domain(domain['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_domain")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd113')
def test_show_domain(self):
domain = self.setup_test_domain()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domains_client.show_domain(domain['id'])
+ with self.rbac_utils.override_role(self):
+ self.domains_client.show_domain(domain['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_domains")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd114')
def test_list_domains(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.domains_client.list_domains()
+ with self.rbac_utils.override_role(self):
+ self.domains_client.list_domains()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
index 2659bae..ad1fd9b 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
@@ -27,8 +27,8 @@
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd127')
def test_create_endpoint(self):
service = self.setup_test_service()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_endpoint(service=service)
+ with self.rbac_utils.override_role(self):
+ self.setup_test_endpoint(service=service)
@rbac_rule_validation.action(service="keystone",
rule="identity:update_endpoint")
@@ -37,10 +37,10 @@
endpoint = self.setup_test_endpoint()
new_url = data_utils.rand_url()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoints_client.update_endpoint(
- endpoint["id"],
- url=new_url)
+ with self.rbac_utils.override_role(self):
+ self.endpoints_client.update_endpoint(
+ endpoint["id"],
+ url=new_url)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_endpoint")
@@ -48,8 +48,8 @@
def test_delete_endpoint(self):
endpoint = self.setup_test_endpoint()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoints_client.delete_endpoint(endpoint['id'])
+ with self.rbac_utils.override_role(self):
+ self.endpoints_client.delete_endpoint(endpoint['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_endpoint")
@@ -57,12 +57,12 @@
def test_show_endpoint(self):
endpoint = self.setup_test_endpoint()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoints_client.show_endpoint(endpoint['id'])
+ with self.rbac_utils.override_role(self):
+ self.endpoints_client.show_endpoint(endpoint['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_endpoints")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd131')
def test_list_endpoints(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoints_client.list_endpoints()
+ with self.rbac_utils.override_role(self):
+ self.endpoints_client.list_endpoints()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py
index 00c9f55..6e58289 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py
@@ -61,31 +61,31 @@
rule="identity:create_endpoint_group")
@decorators.idempotent_id('b4765906-52ec-477b-b441-a8508ced68e3')
def test_create_endpoint_group(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_endpoint_group(ignore_not_found=True)
+ with self.rbac_utils.override_role(self):
+ self._create_endpoint_group(ignore_not_found=True)
@rbac_rule_validation.action(service="keystone",
rule="identity:list_endpoint_groups")
@decorators.idempotent_id('089aa3a7-ba1f-4f70-a1cf-f298a845058a')
def test_list_endpoint_groups(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoint_groups_client.list_endpoint_groups()['endpoint_groups']
+ with self.rbac_utils.override_role(self):
+ self.endpoint_groups_client.list_endpoint_groups()
@decorators.idempotent_id('5c16368d-1485-4c28-9803-db3fa3510623')
@rbac_rule_validation.action(service="keystone",
rule="identity:get_endpoint_group")
def test_check_endpoint_group(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoint_groups_client.check_endpoint_group(
- self.endpoint_group_id)
+ with self.rbac_utils.override_role(self):
+ self.endpoint_groups_client.check_endpoint_group(
+ self.endpoint_group_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:get_endpoint_group")
@decorators.idempotent_id('bd2b6fb8-661f-4255-84b2-50fea4a1dc61')
def test_show_endpoint_group(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoint_groups_client.show_endpoint_group(
- self.endpoint_group_id)['endpoint_group']
+ with self.rbac_utils.override_role(self):
+ self.endpoint_groups_client.show_endpoint_group(
+ self.endpoint_group_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:update_endpoint_group")
@@ -94,9 +94,9 @@
updated_name = data_utils.rand_name(
self.__class__.__name__ + '-EPFilterGroup')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoint_groups_client.update_endpoint_group(
- self.endpoint_group_id, name=updated_name)['endpoint_group']
+ with self.rbac_utils.override_role(self):
+ self.endpoint_groups_client.update_endpoint_group(
+ self.endpoint_group_id, name=updated_name)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_endpoint_group")
@@ -104,5 +104,6 @@
def test_delete_endpoint_group(self):
endpoint_group_id = self._create_endpoint_group(ignore_not_found=True)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoint_groups_client.delete_endpoint_group(endpoint_group_id)
+ with self.rbac_utils.override_role(self):
+ self.endpoint_groups_client.delete_endpoint_group(
+ endpoint_group_id)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_projects_rbac.py
index 7a4f2d7..1045b9b 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_projects_rbac.py
@@ -48,17 +48,17 @@
@decorators.idempotent_id('9199ec13-816d-4efe-b8b1-e1cd026b9747')
def test_add_endpoint_to_project(self):
# Adding endpoints to projects
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._add_endpoint_to_project(ignore_not_found=True)
+ with self.rbac_utils.override_role(self):
+ self._add_endpoint_to_project(ignore_not_found=True)
@rbac_rule_validation.action(
service="keystone",
rule="identity:list_projects_for_endpoint")
@decorators.idempotent_id('f53dca42-ec8a-48e9-924b-0bbe6c99727f')
def test_list_projects_for_endpoint(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoint_filter_client.list_projects_for_endpoint(
- self.endpoint['id'])
+ with self.rbac_utils.override_role(self):
+ self.endpoint_filter_client.list_projects_for_endpoint(
+ self.endpoint['id'])
@rbac_rule_validation.action(
service="keystone",
@@ -66,18 +66,18 @@
@decorators.idempotent_id('0c1425eb-833c-4aa1-a21d-52ffa41fdc6a')
def test_check_endpoint_in_project(self):
self._add_endpoint_to_project()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoint_filter_client.check_endpoint_in_project(
- self.project['id'], self.endpoint['id'])
+ with self.rbac_utils.override_role(self):
+ self.endpoint_filter_client.check_endpoint_in_project(
+ self.project['id'], self.endpoint['id'])
@rbac_rule_validation.action(
service="keystone",
rule="identity:list_endpoints_for_project")
@decorators.idempotent_id('5d86c659-c6ad-41e0-854e-3823e95c7cc2')
def test_list_endpoints_in_project(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoint_filter_client.list_endpoints_in_project(
- self.project['id'])
+ with self.rbac_utils.override_role(self):
+ self.endpoint_filter_client.list_endpoints_in_project(
+ self.project['id'])
@rbac_rule_validation.action(
service="keystone",
@@ -85,6 +85,6 @@
@decorators.idempotent_id('b4e21c10-4f47-427b-9b8a-f5b5601adfda')
def test_remove_endpoint_from_project(self):
self._add_endpoint_to_project(ignore_not_found=True)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.endpoint_filter_client.delete_endpoint_from_project(
- self.project['id'], self.endpoint['id'])
+ with self.rbac_utils.override_role(self):
+ self.endpoint_filter_client.delete_endpoint_from_project(
+ self.project['id'], self.endpoint['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
index 0fc29b7..06148d9 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
@@ -33,8 +33,8 @@
rule="identity:create_group")
@decorators.idempotent_id('88377f51-9074-4d64-a22f-f8931d048c9a')
def test_create_group(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_group()
+ with self.rbac_utils.override_role(self):
+ self.setup_test_group()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_group")
@@ -44,9 +44,8 @@
new_group_name = data_utils.rand_name(
self.__class__.__name__ + '-group')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.groups_client.update_group(group['id'],
- name=new_group_name)
+ with self.rbac_utils.override_role(self):
+ self.groups_client.update_group(group['id'], name=new_group_name)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_group")
@@ -54,8 +53,8 @@
def test_delete_group(self):
group = self.setup_test_group()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.groups_client.delete_group(group['id'])
+ with self.rbac_utils.override_role(self):
+ self.groups_client.delete_group(group['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_group")
@@ -63,15 +62,15 @@
def test_show_group(self):
group = self.setup_test_group()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.groups_client.show_group(group['id'])
+ with self.rbac_utils.override_role(self):
+ self.groups_client.show_group(group['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_groups")
@decorators.idempotent_id('c4d0f76b-735f-4fd0-868b-0006bc420ff4')
def test_list_groups(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.groups_client.list_groups()
+ with self.rbac_utils.override_role(self):
+ self.groups_client.list_groups()
@rbac_rule_validation.action(service="keystone",
rule="identity:add_user_to_group")
@@ -80,8 +79,8 @@
group = self.setup_test_group()
user = self.setup_test_user()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.groups_client.add_group_user(group['id'], user['id'])
+ with self.rbac_utils.override_role(self):
+ self.groups_client.add_group_user(group['id'], user['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:remove_user_from_group")
@@ -89,8 +88,8 @@
def test_remove_user_group(self):
group_id, user_id = self._create_user_and_add_to_new_group()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.groups_client.delete_group_user(group_id, user_id)
+ with self.rbac_utils.override_role(self):
+ self.groups_client.delete_group_user(group_id, user_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:list_users_in_group")
@@ -98,8 +97,8 @@
def test_list_user_group(self):
group = self.setup_test_group()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.groups_client.list_group_users(group['id'])
+ with self.rbac_utils.override_role(self):
+ self.groups_client.list_group_users(group['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:check_user_in_group")
@@ -107,5 +106,5 @@
def test_check_user_group(self):
group_id, user_id = self._create_user_and_add_to_new_group()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.groups_client.check_group_user_existence(group_id, user_id)
+ with self.rbac_utils.override_role(self):
+ self.groups_client.check_group_user_existence(group_id, user_id)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
index d3e17f1..f591e15 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
@@ -37,8 +37,8 @@
rule="identity:create_consumer")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d970')
def test_create_consumer(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_consumer()
+ with self.rbac_utils.override_role(self):
+ self._create_consumer()
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_consumer")
@@ -46,8 +46,8 @@
def test_delete_consumer(self):
consumer = self._create_consumer()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.consumers_client.delete_consumer(consumer['id'])
+ with self.rbac_utils.override_role(self):
+ self.consumers_client.delete_consumer(consumer['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:update_consumer")
@@ -57,9 +57,9 @@
updated_description = data_utils.rand_name(
self.__class__.__name__ + '-IdentityConsumer')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.consumers_client.update_consumer(consumer['id'],
- updated_description)
+ with self.rbac_utils.override_role(self):
+ self.consumers_client.update_consumer(consumer['id'],
+ updated_description)
@rbac_rule_validation.action(service="keystone",
rule="identity:get_consumer")
@@ -67,12 +67,12 @@
def test_show_consumer(self):
consumer = self._create_consumer()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.consumers_client.show_consumer(consumer['id'])
+ with self.rbac_utils.override_role(self):
+ self.consumers_client.show_consumer(consumer['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_consumers")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d975')
def test_list_consumers(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.consumers_client.list_consumers()
+ with self.rbac_utils.override_role(self):
+ self.consumers_client.list_consumers()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_tokens_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_tokens_rbac.py
index 0853d12..13731d5 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_tokens_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_tokens_rbac.py
@@ -85,10 +85,10 @@
def test_authorize_request_token(self):
_, request_token = self._create_consumer_and_request_token()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.oauth_token_client.authorize_request_token(
- request_token['oauth_token'],
- self.role_ids)
+ with self.rbac_utils.override_role(self):
+ self.oauth_token_client.authorize_request_token(
+ request_token['oauth_token'],
+ self.role_ids)
@rbac_rule_validation.action(service="keystone",
rule="identity:get_access_token")
@@ -96,9 +96,9 @@
def test_get_access_token(self):
access_token = self._create_access_token()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.oauth_token_client.get_access_token(self.user_id,
- access_token)
+ with self.rbac_utils.override_role(self):
+ self.oauth_token_client.get_access_token(self.user_id,
+ access_token)
@rbac_rule_validation.action(service="keystone",
rule="identity:get_access_token_role")
@@ -106,16 +106,16 @@
def test_get_access_token_role(self):
access_token = self._create_access_token()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.oauth_token_client.get_access_token_role(
- self.user_id, access_token, self.role_ids[0])
+ with self.rbac_utils.override_role(self):
+ self.oauth_token_client.get_access_token_role(
+ self.user_id, access_token, self.role_ids[0])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_access_tokens")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d979')
def test_list_access_tokens(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.oauth_token_client.list_access_tokens(self.user_id)
+ with self.rbac_utils.override_role(self):
+ self.oauth_token_client.list_access_tokens(self.user_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:list_access_token_roles")
@@ -123,9 +123,9 @@
def test_list_access_token_roles(self):
access_token = self._create_access_token()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.oauth_token_client.list_access_token_roles(
- self.user_id, access_token)
+ with self.rbac_utils.override_role(self):
+ self.oauth_token_client.list_access_token_roles(
+ self.user_id, access_token)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_access_token")
@@ -133,6 +133,6 @@
def test_revoke_access_token(self):
access_token = self._create_access_token()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.oauth_token_client.revoke_access_token(
- self.user_id, access_token)
+ with self.rbac_utils.override_role(self):
+ self.oauth_token_client.revoke_access_token(
+ self.user_id, access_token)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
index 3e03ac0..a8c10ca 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
@@ -26,8 +26,8 @@
rule="identity:create_policy")
@decorators.idempotent_id('de2f7ecb-fbf0-41f3-abf4-b97b5e082fd5')
def test_create_policy(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_policy()
+ with self.rbac_utils.override_role(self):
+ self.setup_test_policy()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_policy")
@@ -37,9 +37,9 @@
updated_policy_type = data_utils.rand_name(
self.__class__.__name__ + '-policy_type')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.policies_client.update_policy(policy['id'],
- type=updated_policy_type)
+ with self.rbac_utils.override_role(self):
+ self.policies_client.update_policy(policy['id'],
+ type=updated_policy_type)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_policy")
@@ -47,8 +47,8 @@
def test_delete_policy(self):
policy = self.setup_test_policy()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.policies_client.delete_policy(policy['id'])
+ with self.rbac_utils.override_role(self):
+ self.policies_client.delete_policy(policy['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_policy")
@@ -56,12 +56,12 @@
def test_show_policy(self):
policy = self.setup_test_policy()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.policies_client.show_policy(policy['id'])
+ with self.rbac_utils.override_role(self):
+ self.policies_client.show_policy(policy['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_policies")
@decorators.idempotent_id('35a56161-4054-4237-8a78-7ce805dce202')
def test_list_policies(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.policies_client.list_policies()['policies']
+ with self.rbac_utils.override_role(self):
+ self.policies_client.list_policies()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
index 51086ae..0b394b4 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
@@ -26,8 +26,8 @@
rule="identity:create_project")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d904')
def test_create_project(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_project()
+ with self.rbac_utils.override_role(self):
+ self.setup_test_project()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_project")
@@ -37,9 +37,9 @@
new_desc = data_utils.rand_name(
self.__class__.__name__ + '-description')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.projects_client.update_project(project['id'],
- description=new_desc)
+ with self.rbac_utils.override_role(self):
+ self.projects_client.update_project(project['id'],
+ description=new_desc)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_project")
@@ -47,8 +47,8 @@
def test_delete_project(self):
project = self.setup_test_project()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.projects_client.delete_project(project['id'])
+ with self.rbac_utils.override_role(self):
+ self.projects_client.delete_project(project['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_project")
@@ -56,12 +56,12 @@
def test_show_project(self):
project = self.setup_test_project()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.projects_client.show_project(project['id'])
+ with self.rbac_utils.override_role(self):
+ self.projects_client.show_project(project['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_projects")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d908')
def test_list_projects(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.projects_client.list_projects()
+ with self.rbac_utils.override_role(self):
+ self.projects_client.list_projects()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
index 55a2f77..14b9de5 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
@@ -26,8 +26,8 @@
rule="identity:create_region")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd119')
def test_create_region(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_region()
+ with self.rbac_utils.override_role(self):
+ self.setup_test_region()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_region")
@@ -37,9 +37,9 @@
new_description = data_utils.rand_name(
self.__class__.__name__ + '-test_update_region')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.regions_client.update_region(region['id'],
- description=new_description)
+ with self.rbac_utils.override_role(self):
+ self.regions_client.update_region(region['id'],
+ description=new_description)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_region")
@@ -47,8 +47,8 @@
def test_delete_region(self):
region = self.setup_test_region()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.regions_client.delete_region(region['id'])
+ with self.rbac_utils.override_role(self):
+ self.regions_client.delete_region(region['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_region")
@@ -56,12 +56,12 @@
def test_show_region(self):
region = self.setup_test_region()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.regions_client.show_region(region['id'])
+ with self.rbac_utils.override_role(self):
+ self.regions_client.show_region(region['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_regions")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd123')
def test_list_regions(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.regions_client.list_regions()
+ with self.rbac_utils.override_role(self):
+ self.regions_client.list_regions()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py
index c1d0369..90cf255 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py
@@ -25,9 +25,8 @@
@rbac_rule_validation.action(service="keystone",
rule="identity:list_role_assignments")
def test_list_role_assignments(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.role_assignments_client.\
- list_role_assignments()['role_assignments']
+ with self.rbac_utils.override_role(self):
+ self.role_assignments_client.list_role_assignments()
@decorators.idempotent_id('36c7a990-857e-415c-8717-38d7200a9894')
@rbac_rule_validation.action(
@@ -36,7 +35,7 @@
def test_list_role_assignments_for_tree(self):
project = self.setup_test_project()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.role_assignments_client.list_role_assignments(
- include_subtree=True,
- **{'scope.project.id': project['id']})['role_assignments']
+ with self.rbac_utils.override_role(self):
+ self.role_assignments_client.list_role_assignments(
+ include_subtree=True,
+ **{'scope.project.id': project['id']})
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
index 22b03f5..099c702 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
@@ -37,8 +37,8 @@
rule="identity:create_role")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d904')
def test_create_role(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_role()
+ with self.rbac_utils.override_role(self):
+ self.setup_test_role()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_role")
@@ -47,9 +47,9 @@
new_role_name = data_utils.rand_name(
self.__class__.__name__ + '-test_update_role')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.update_role(self.role['id'],
- name=new_role_name)
+ with self.rbac_utils.override_role(self):
+ self.roles_client.update_role(self.role['id'],
+ name=new_role_name)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_role")
@@ -57,32 +57,32 @@
def test_delete_role(self):
role = self.setup_test_role()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.delete_role(role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.delete_role(role['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_role")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d907')
def test_show_role(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.show_role(self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.show_role(self.role['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_roles")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d908')
def test_list_roles(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_roles()
+ with self.rbac_utils.override_role(self):
+ self.roles_client.list_roles()
@rbac_rule_validation.action(service="keystone",
rule="identity:create_grant")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d909')
def test_create_user_role_on_project(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.create_user_role_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.create_user_role_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_project,
self.project['id'],
@@ -93,11 +93,11 @@
rule="identity:create_grant")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90c')
def test_create_group_role_on_project(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.create_group_role_on_project(
- self.project['id'],
- self.group['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.create_group_role_on_project(
+ self.project['id'],
+ self.group['id'],
+ self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_group_on_project,
self.project['id'],
@@ -108,11 +108,11 @@
rule="identity:create_grant")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
def test_create_user_role_on_domain(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.create_user_role_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.create_user_role_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_domain,
self.domain['id'],
@@ -123,11 +123,11 @@
rule="identity:create_grant")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d912')
def test_create_group_role_on_domain(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.create_group_role_on_domain(
- self.domain['id'],
- self.group['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.create_group_role_on_domain(
+ self.domain['id'],
+ self.group['id'],
+ self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_group_on_domain,
self.domain['id'],
@@ -148,11 +148,11 @@
self.user['id'],
self.role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.check_user_role_existence_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.check_user_role_existence_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
@decorators.idempotent_id('92f8e67d-85bf-407d-9814-edd5664abc47')
@rbac_rule_validation.action(service="keystone",
@@ -168,11 +168,11 @@
self.user['id'],
self.role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.check_user_role_existence_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.check_user_role_existence_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
@decorators.idempotent_id('8738d3d2-8c84-4423-b36c-7c59eaa08b73')
@rbac_rule_validation.action(service="keystone",
@@ -188,11 +188,11 @@
self.group['id'],
self.role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.check_role_from_group_on_project_existence(
- self.project['id'],
- self.group['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.check_role_from_group_on_project_existence(
+ self.project['id'],
+ self.group['id'],
+ self.role['id'])
@decorators.idempotent_id('e7d73bd0-cf5e-4c0c-9c93-cf53e23232d6')
@rbac_rule_validation.action(service="keystone",
@@ -208,11 +208,11 @@
self.group['id'],
self.role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.check_role_from_group_on_domain_existence(
- self.domain['id'],
- self.group['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.check_role_from_group_on_domain_existence(
+ self.domain['id'],
+ self.group['id'],
+ self.role['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:revoke_grant")
@@ -228,11 +228,11 @@
self.user['id'],
self.role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.delete_role_from_user_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.delete_role_from_user_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:revoke_grant")
@@ -248,11 +248,11 @@
self.group['id'],
self.role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.delete_role_from_group_on_project(
- self.project['id'],
- self.group['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.delete_role_from_group_on_project(
+ self.project['id'],
+ self.group['id'],
+ self.role['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:revoke_grant")
@@ -268,11 +268,11 @@
self.user['id'],
self.role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.delete_role_from_user_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.delete_role_from_user_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:revoke_grant")
@@ -288,55 +288,55 @@
self.group['id'],
self.role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.delete_role_from_group_on_domain(
- self.domain['id'],
- self.group['id'],
- self.role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.delete_role_from_group_on_domain(
+ self.domain['id'],
+ self.group['id'],
+ self.role['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_grants")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
def test_list_user_roles_on_project(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_user_roles_on_project(
- self.project['id'],
- self.user['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.list_user_roles_on_project(
+ self.project['id'],
+ self.user['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_grants")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90e')
def test_list_group_roles_on_project(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_group_roles_on_project(
- self.project['id'],
- self.group['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.list_group_roles_on_project(
+ self.project['id'],
+ self.group['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_grants")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
def test_list_user_roles_on_domain(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_user_roles_on_domain(
- self.domain['id'],
- self.user['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.list_user_roles_on_domain(
+ self.domain['id'],
+ self.user['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_grants")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d914')
def test_list_group_roles_on_domain(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_group_roles_on_domain(
- self.domain['id'],
- self.group['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.list_group_roles_on_domain(
+ self.domain['id'],
+ self.group['id'])
@decorators.idempotent_id('2aef3eaa-8156-4962-a01d-c9bb0e499e15')
@rbac_rule_validation.action(service="keystone",
rule="identity:create_implied_role")
def test_create_role_inference_rule(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.create_role_inference_rule(
- self.role['id'], self.implies_role['id'])['role_inference']
+ with self.rbac_utils.override_role(self):
+ self.roles_client.create_role_inference_rule(
+ self.role['id'], self.implies_role['id'])
self.addCleanup(self.roles_client.delete_role_inference_rule,
self.role['id'], self.implies_role['id'])
@@ -349,17 +349,16 @@
self.addCleanup(self.roles_client.delete_role_inference_rule,
self.role['id'], self.implies_role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.show_role_inference_rule(
- self.role['id'], self.implies_role['id'])['role_inference']
+ with self.rbac_utils.override_role(self):
+ self.roles_client.show_role_inference_rule(
+ self.role['id'], self.implies_role['id'])
@decorators.idempotent_id('f7bb39bf-0b06-468e-a8b0-60a4fb1f258d')
@rbac_rule_validation.action(service="keystone",
rule="identity:list_implied_roles")
def test_list_role_inferences_rules(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_role_inferences_rules(self.role['id'])[
- 'role_inference']
+ with self.rbac_utils.override_role(self):
+ self.roles_client.list_role_inferences_rules(self.role['id'])
@decorators.idempotent_id('eca2d502-09bb-45cd-9773-bce2e7bcddd1')
@rbac_rule_validation.action(service="keystone",
@@ -370,9 +369,9 @@
self.addCleanup(self.roles_client.delete_role_inference_rule,
self.role['id'], self.implies_role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.check_role_inference_rule(
- self.role['id'], self.implies_role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.check_role_inference_rule(
+ self.role['id'], self.implies_role['id'])
@decorators.idempotent_id('13a5db1e-dd4a-4ca1-81ec-d5452aaaf54b')
@rbac_rule_validation.action(service="keystone",
@@ -384,13 +383,13 @@
self.roles_client.delete_role_inference_rule,
self.role['id'], self.implies_role['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.delete_role_inference_rule(
- self.role['id'], self.implies_role['id'])
+ with self.rbac_utils.override_role(self):
+ self.roles_client.delete_role_inference_rule(
+ self.role['id'], self.implies_role['id'])
@decorators.idempotent_id('05869f2b-4dd4-425a-905e-eec9a6f06374')
@rbac_rule_validation.action(service="keystone",
rule="identity:list_role_inference_rules")
def test_list_all_role_inference_rules(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_all_role_inference_rules()['role_inferences']
+ with self.rbac_utils.override_role(self):
+ self.roles_client.list_all_role_inference_rules()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
index 44ce1a1..6ab17ff 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
@@ -26,8 +26,8 @@
rule="identity:create_service")
@decorators.idempotent_id('9a4bb317-f0bb-4005-8df0-4b672885b7c8')
def test_create_service(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_service()
+ with self.rbac_utils.override_role(self):
+ self.setup_test_service()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_service")
@@ -36,11 +36,11 @@
service = self.setup_test_service()
new_name = data_utils.rand_name(self.__class__.__name__ + '-service')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.services_client.update_service(service['id'],
- service=service,
- name=new_name,
- type=service['type'])
+ with self.rbac_utils.override_role(self):
+ self.services_client.update_service(service['id'],
+ service=service,
+ name=new_name,
+ type=service['type'])
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_service")
@@ -48,8 +48,8 @@
def test_delete_service(self):
service = self.setup_test_service()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.services_client.delete_service(service['id'])
+ with self.rbac_utils.override_role(self):
+ self.services_client.delete_service(service['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_service")
@@ -57,12 +57,12 @@
def test_show_service(self):
service = self.setup_test_service()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.services_client.show_service(service['id'])
+ with self.rbac_utils.override_role(self):
+ self.services_client.show_service(service['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_services")
@decorators.idempotent_id('706e6bea-3385-4718-919c-0b5121395806')
def test_list_services(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.services_client.list_services()
+ with self.rbac_utils.override_role(self):
+ self.services_client.list_services()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
index 18e5bf1..00d522c 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
@@ -55,11 +55,11 @@
# Explicit negative test for identity:validate_token policy action.
# Assert expected exception is Forbidden and then reraise it.
alt_token_id = self._setup_alt_token()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- e = self.assertRaises(lib_exc.Forbidden,
- self.identity_client.show_token,
- alt_token_id)
- raise e
+ with self.rbac_utils.override_role(self):
+ e = self.assertRaises(lib_exc.Forbidden,
+ self.identity_client.show_token,
+ alt_token_id)
+ raise e
@decorators.idempotent_id('2786a55d-a818-433a-af7a-41ebf72ab4da')
@decorators.attr(type=['negative'])
@@ -74,11 +74,11 @@
# Explicit negative test for identity:revoke_token policy action.
# Assert expected exception is Forbidden and then reraise it.
alt_token_id = self._setup_alt_token()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- e = self.assertRaises(lib_exc.Forbidden,
- self.identity_client.delete_token,
- alt_token_id)
- raise e
+ with self.rbac_utils.override_role(self):
+ e = self.assertRaises(lib_exc.Forbidden,
+ self.identity_client.delete_token,
+ alt_token_id)
+ raise e
@decorators.idempotent_id('1ea02ac0-9a96-44bd-bdc3-4dae3c10cc2e')
@decorators.attr(type=['negative'])
@@ -93,8 +93,8 @@
# Explicit negative test for identity:check_token policy action.
# Assert expected exception is Forbidden and then reraise it.
alt_token_id = self._setup_alt_token()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- e = self.assertRaises(lib_exc.Forbidden,
- self.identity_client.check_token_existence,
- alt_token_id)
- raise e
+ with self.rbac_utils.override_role(self):
+ e = self.assertRaises(lib_exc.Forbidden,
+ self.identity_client.check_token_existence,
+ alt_token_id)
+ raise e
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py
index e6d0dd1..23ee768 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py
@@ -37,8 +37,8 @@
})
def test_show_token(self):
token_id = self.setup_test_token(self.user_id, self.password)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.identity_client.show_token(token_id)
+ with self.rbac_utils.override_role(self):
+ self.identity_client.show_token(token_id)
@decorators.idempotent_id('42a299db-fe0a-4ea0-9824-0bfd13155886')
@rbac_rule_validation.action(
@@ -50,8 +50,8 @@
})
def test_delete_token(self):
token_id = self.setup_test_token(self.user_id, self.password)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.identity_client.delete_token(token_id)
+ with self.rbac_utils.override_role(self):
+ self.identity_client.delete_token(token_id)
@decorators.idempotent_id('3554d218-8cd6-4730-a1b2-0e22f9b78f45')
@rbac_rule_validation.action(
@@ -63,5 +63,5 @@
})
def test_check_token_exsitence(self):
token_id = self.setup_test_token(self.user_id, self.password)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.identity_client.check_token_existence(token_id)
+ with self.rbac_utils.override_role(self):
+ self.identity_client.check_token_existence(token_id)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
index 3639520..91dbb53 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
@@ -70,9 +70,9 @@
"trust.trustor_user_id": "os_primary.credentials.user_id"
})
def test_create_trust(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_trust(trustor_user_id=self.trustor_user_id,
- trustee_user_id=self.trustee_user_id)
+ with self.rbac_utils.override_role(self):
+ self.setup_test_trust(trustor_user_id=self.trustor_user_id,
+ trustee_user_id=self.trustee_user_id)
@decorators.idempotent_id('bd72d22a-6e11-4840-bd93-17b382e7f0e0')
@decorators.attr(type=['negative'])
@@ -85,11 +85,11 @@
def test_create_trust_negative(self):
# Explicit negative test for identity:create_trust policy action.
# Assert expected exception is Forbidden and then reraise it.
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- e = self.assertRaises(lib_exc.Forbidden, self.setup_test_trust,
- trustor_user_id=self.unauthorized_user_id,
- trustee_user_id=self.trustee_user_id)
- raise e
+ with self.rbac_utils.override_role(self):
+ e = self.assertRaises(lib_exc.Forbidden, self.setup_test_trust,
+ trustor_user_id=self.unauthorized_user_id,
+ trustee_user_id=self.trustee_user_id)
+ raise e
@decorators.idempotent_id('d9a6fd06-08f6-462c-a86c-ce009adf1230')
@rbac_rule_validation.action(
@@ -99,39 +99,39 @@
trust = self.setup_test_trust(trustor_user_id=self.trustor_user_id,
trustee_user_id=self.trustee_user_id)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.trusts_client.delete_trust(trust['id'])
+ with self.rbac_utils.override_role(self):
+ self.trusts_client.delete_trust(trust['id'])
@decorators.idempotent_id('f2e32896-bf66-4f4e-89cf-e7fba0ef1f38')
@rbac_rule_validation.action(
service="keystone",
rule="identity:list_trusts")
def test_list_trusts(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.trusts_client.list_trusts(
- trustor_user_id=self.trustor_user_id)['trusts']
+ with self.rbac_utils.override_role(self):
+ self.trusts_client.list_trusts(
+ trustor_user_id=self.trustor_user_id)
@decorators.idempotent_id('3c9ff92f-a73e-4f9b-8865-e017f38c70f5')
@rbac_rule_validation.action(
service="keystone",
rule="identity:list_roles_for_trust")
def test_list_roles_for_trust(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.trusts_client.list_trust_roles(self.trust['id'])['roles']
+ with self.rbac_utils.override_role(self):
+ self.trusts_client.list_trust_roles(self.trust['id'])
@decorators.idempotent_id('3bb4f97b-cecd-4c7d-ad10-b88ee6c5d573')
@rbac_rule_validation.action(
service="keystone",
rule="identity:get_role_for_trust")
def test_show_trust_role(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.trusts_client.show_trust_role(
- self.trust['id'], self.delegated_role_id)['role']
+ with self.rbac_utils.override_role(self):
+ self.trusts_client.show_trust_role(
+ self.trust['id'], self.delegated_role_id)
@decorators.idempotent_id('0184e0fb-641e-4b52-ab73-81c1ce6ca5c1')
@rbac_rule_validation.action(
service="keystone",
rule="identity:get_trust")
def test_show_trust(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.trusts_client.show_trust(self.trust['id'])
+ with self.rbac_utils.override_role(self):
+ self.trusts_client.show_trust(self.trust['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index 5812f9e..bd97535 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -31,8 +31,8 @@
rule="identity:create_user")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d904')
def test_create_user(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.setup_test_user()
+ with self.rbac_utils.override_role(self):
+ self.setup_test_user()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_user")
@@ -42,10 +42,10 @@
new_email = data_utils.rand_name(
self.__class__.__name__ + '-user_email')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.users_client.update_user(user['id'],
- name=user['name'],
- email=new_email)
+ with self.rbac_utils.override_role(self):
+ self.users_client.update_user(user['id'],
+ name=user['name'],
+ email=new_email)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_user")
@@ -53,33 +53,33 @@
def test_delete_user(self):
user = self.setup_test_user()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.users_client.delete_user(user['id'])
+ with self.rbac_utils.override_role(self):
+ self.users_client.delete_user(user['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_users")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d907')
def test_list_users(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.users_client.list_users()
+ with self.rbac_utils.override_role(self):
+ self.users_client.list_users()
@rbac_rule_validation.action(service="keystone",
rule="identity:get_user")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d908')
def test_show_own_user(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.users_client.show_user(self.default_user_id)
+ with self.rbac_utils.override_role(self):
+ self.users_client.show_user(self.default_user_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:list_groups_for_user")
@decorators.idempotent_id('bd5946d4-46d2-423d-a800-a3e7aabc18b3')
def test_list_own_user_group(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.users_client.list_user_groups(self.default_user_id)
+ with self.rbac_utils.override_role(self):
+ self.users_client.list_user_groups(self.default_user_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:list_user_projects")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d909')
def test_list_own_user_projects(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.users_client.list_user_projects(self.default_user_id)
+ with self.rbac_utils.override_role(self):
+ self.users_client.list_user_projects(self.default_user_id)
diff --git a/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
index 74c64e1..3ad5c74 100644
--- a/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
@@ -32,14 +32,14 @@
RBAC test for the glance add_metadef_object policy
"""
namespace = self.create_namespace()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
# create a md object, it will be cleaned automatically after
# cleanup of namespace
object_name = data_utils.rand_name(
self.__class__.__name__ + '-test-object')
- self.namespace_objects_client.create_namespace_object(
- namespace['namespace'],
- name=object_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_objects_client.create_namespace_object(
+ namespace['namespace'],
+ name=object_name)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.namespace_objects_client.delete_namespace_object,
namespace['namespace'], object_name)
@@ -53,10 +53,10 @@
RBAC test for the glance get_metadef_objects policy
"""
namespace = self.create_namespace()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # list md objects
- self.namespace_objects_client.list_namespace_objects(
- namespace['namespace'])
+ with self.rbac_utils.override_role(self):
+ # list md objects
+ self.namespace_objects_client.list_namespace_objects(
+ namespace['namespace'])
@rbac_rule_validation.action(service="glance",
rule="modify_metadef_object")
@@ -77,10 +77,10 @@
namespace['namespace'], object_name)
# Toggle role and modify object
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
new_name = "Object New Name"
- self.namespace_objects_client.update_namespace_object(
- namespace['namespace'], object_name, name=new_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_objects_client.update_namespace_object(
+ namespace['namespace'], object_name, name=new_name)
@rbac_rule_validation.action(service="glance",
rule="get_metadef_object")
@@ -100,7 +100,7 @@
self.namespace_objects_client.delete_namespace_object,
namespace['namespace'], object_name)
# Toggle role and get object
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_objects_client.show_namespace_object(
- namespace['namespace'],
- object_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_objects_client.show_namespace_object(
+ namespace['namespace'],
+ object_name)
diff --git a/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
index 93c50c4..75cf66d 100644
--- a/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
@@ -37,12 +37,12 @@
RBAC test for the glance add_metadef_property policy
"""
namespace = self.create_namespace()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
property_name = data_utils.rand_name(
self.__class__.__name__ + '-test-ns-property')
- self.namespace_properties_client.create_namespace_property(
- namespace=namespace['namespace'], type="string",
- title=property_name, name=self.resource_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_properties_client.create_namespace_property(
+ namespace=namespace['namespace'], type="string",
+ title=property_name, name=self.resource_name)
@rbac_rule_validation.action(service="glance",
rule="get_metadef_properties")
@@ -53,9 +53,9 @@
RBAC test for the glance get_metadef_properties policy
"""
namespace = self.create_namespace()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_properties_client.list_namespace_properties(
- namespace=namespace['namespace'])
+ with self.rbac_utils.override_role(self):
+ self.namespace_properties_client.list_namespace_properties(
+ namespace=namespace['namespace'])
@rbac_rule_validation.action(service="glance",
rule="get_metadef_property")
@@ -72,9 +72,9 @@
namespace=namespace['namespace'], type="string",
title=property_name, name=self.resource_name)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_properties_client.show_namespace_properties(
- namespace['namespace'], self.resource_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_properties_client.show_namespace_properties(
+ namespace['namespace'], self.resource_name)
@rbac_rule_validation.action(service="glance",
rule="modify_metadef_property")
@@ -91,7 +91,7 @@
namespace=namespace['namespace'], type="string",
title=property_name, name=self.resource_name)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_properties_client.update_namespace_properties(
- namespace['namespace'], self.resource_name, type="string",
- title=property_name, name=self.resource_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_properties_client.update_namespace_properties(
+ namespace['namespace'], self.resource_name, type="string",
+ title=property_name, name=self.resource_name)
diff --git a/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
index 701e345..7b03158 100644
--- a/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
@@ -43,8 +43,8 @@
RBAC test for the glance list_metadef_resource_type policy.
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.resource_types_client.list_resource_types()
+ with self.rbac_utils.override_role(self):
+ self.resource_types_client.list_resource_types()
@rbac_rule_validation.action(service="glance",
rule="get_metadef_resource_type")
@@ -54,15 +54,15 @@
RBAC test for the glance get_metadef_resource_type policy.
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.resource_types_client.list_resource_type_association(
- self.namespace_name)
+ with self.rbac_utils.override_role(self):
+ self.resource_types_client.list_resource_type_association(
+ self.namespace_name)
@rbac_rule_validation.action(service="glance",
rule="add_metadef_resource_type_association")
@decorators.idempotent_id('ef9fbc60-3e28-4164-a25c-d30d892f7939')
def test_add_metadef_resource_type(self):
type_name = data_utils.rand_name()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.resource_types_client.create_resource_type_association(
- self.namespace_name, name=type_name)
+ with self.rbac_utils.override_role(self):
+ self.resource_types_client.create_resource_type_association(
+ self.namespace_name, name=type_name)
diff --git a/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
index 59c4aaf..952c41f 100644
--- a/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
@@ -46,9 +46,9 @@
"""
image_id = self.create_image()['id']
# Toggle role and add image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.create_image_member(image_id,
- member=self.alt_tenant_id)
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.create_image_member(
+ image_id, member=self.alt_tenant_id)
@rbac_rule_validation.action(service="glance",
rule="delete_member")
@@ -63,9 +63,9 @@
self.image_member_client.create_image_member(image_id,
member=self.alt_tenant_id)
# Toggle role and delete image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.delete_image_member(image_id,
- self.alt_tenant_id)
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.delete_image_member(image_id,
+ self.alt_tenant_id)
@rbac_rule_validation.action(service="glance",
rule="get_member",
@@ -83,10 +83,9 @@
member=self.alt_tenant_id)
# Toggle role and get image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.show_image_member(
- image_id,
- self.alt_tenant_id)
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.show_image_member(image_id,
+ self.alt_tenant_id)
@rbac_rule_validation.action(service="glance",
rule="modify_member")
@@ -105,10 +104,10 @@
image_id, self.tenant_id,
status='accepted')
# Toggle role and update member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.update_image_member(
- image_id, self.tenant_id,
- status='pending')
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.update_image_member(
+ image_id, self.tenant_id,
+ status='pending')
@rbac_rule_validation.action(service="glance",
rule="get_members")
@@ -123,5 +122,5 @@
self.image_member_client.create_image_member(image_id,
member=self.alt_tenant_id)
# Toggle role and list image members
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.list_image_members(image_id)
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.list_image_members(image_id)
diff --git a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
index fb747d6..6b03ebe 100644
--- a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
@@ -45,8 +45,8 @@
RBAC test for the neutron get_agent policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.show_agent(self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.show_agent(self.agent['id'])
@decorators.idempotent_id('8ca68fdb-eaf6-4880-af82-ba0982949dec')
@rbac_rule_validation.action(service="neutron",
@@ -60,9 +60,9 @@
original_status = self.agent['admin_state_up']
agent_status = {'admin_state_up': original_status}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.update_agent(agent_id=self.agent['id'],
- agent=agent_status)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.update_agent(agent_id=self.agent['id'],
+ agent=agent_status)
class L3AgentSchedulerRbacTest(base.BaseNetworkRbacTest):
@@ -105,8 +105,8 @@
RBAC test for the neutron get_l3-routers policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_routers_on_l3_agent(self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_routers_on_l3_agent(self.agent['id'])
@decorators.idempotent_id('466b2a10-8747-4c09-855a-bd90a1c86ce7')
@rbac_rule_validation.action(service="neutron",
@@ -116,9 +116,9 @@
RBAC test for the neutron create_l3-router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.create_router_on_l3_agent(
- self.agent['id'], router_id=self.router['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.create_router_on_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.agents_client.delete_router_from_l3_agent,
@@ -139,9 +139,9 @@
self.agents_client.delete_router_from_l3_agent,
self.agent['id'], router_id=self.router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_router_from_l3_agent(
- self.agent['id'], router_id=self.router['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_router_from_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
class DHCPAgentSchedulersRbacTest(base.BaseNetworkRbacTest):
@@ -198,9 +198,9 @@
RBAC test for the neutron get_dhcp-networks policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_networks_hosted_by_one_dhcp_agent(
- self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_networks_hosted_by_one_dhcp_agent(
+ self.agent['id'])
@decorators.idempotent_id('14e014ac-f355-46d3-b6d8-98f2c9ec1610')
@rbac_rule_validation.action(service="neutron",
@@ -213,9 +213,9 @@
network_id = self._create_and_prepare_network_for_agent(
self.agent['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.add_dhcp_agent_to_network(
- self.agent['id'], network_id=network_id)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.add_dhcp_agent_to_network(
+ self.agent['id'], network_id=network_id)
# Clean up is not necessary and might result in 409 being raised.
@decorators.idempotent_id('937a4302-4b49-407d-9980-5843d7badc38')
@@ -232,6 +232,6 @@
self.agent['id'], network_id=network_id)
# Clean up is not necessary and might result in 409 being raised.
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_network_from_dhcp_agent(
- self.agent['id'], network_id=network_id)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_network_from_dhcp_agent(
+ self.agent['id'], network_id=network_id)
diff --git a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
index dc674d1..20e4aa7 100644
--- a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -70,8 +70,8 @@
RBAC test for the neutron create_floatingip policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_floatingip()
+ with self.rbac_utils.override_role(self):
+ self._create_floatingip()
@rbac_rule_validation.action(service="neutron",
rule="create_floatingip:floating_ip_address")
@@ -83,8 +83,8 @@
"""
fip = str(netaddr.IPAddress(self.cidr) + 10)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_floatingip(floating_ip_address=fip)
+ with self.rbac_utils.override_role(self):
+ self._create_floatingip(floating_ip_address=fip)
@rbac_rule_validation.action(service="neutron",
rule="update_floatingip")
@@ -95,11 +95,10 @@
RBAC test for the neutron update_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- # Associate floating IP to the other port
- self.floating_ips_client.update_floatingip(
- floating_ip['id'], port_id=None)
+ with self.rbac_utils.override_role(self):
+ # Associate floating IP to the other port
+ self.floating_ips_client.update_floatingip(
+ floating_ip['id'], port_id=None)
@rbac_rule_validation.action(service="neutron",
rule="get_floatingip",
@@ -111,9 +110,9 @@
RBAC test for the neutron get_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Show floating IP
- self.floating_ips_client.show_floatingip(floating_ip['id'])
+ with self.rbac_utils.override_role(self):
+ # Show floating IP
+ self.floating_ips_client.show_floatingip(floating_ip['id'])
@rbac_rule_validation.action(service="neutron",
rule="delete_floatingip",
@@ -125,6 +124,6 @@
RBAC test for the neutron delete_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Delete the floating IP
- self.floating_ips_client.delete_floatingip(floating_ip['id'])
+ with self.rbac_utils.override_role(self):
+ # Delete the floating IP
+ self.floating_ips_client.delete_floatingip(floating_ip['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
index 64df7c5..abd7326 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
@@ -54,8 +54,8 @@
RBAC test for the neutron "create_metering_label" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_metering_label()
+ with self.rbac_utils.override_role(self):
+ self._create_metering_label()
@rbac_rule_validation.action(service="neutron",
rule="get_metering_label",
@@ -67,8 +67,8 @@
RBAC test for the neutron "get_metering_label" policy
"""
label = self._create_metering_label()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.metering_labels_client.show_metering_label(label['id'])
+ with self.rbac_utils.override_role(self):
+ self.metering_labels_client.show_metering_label(label['id'])
@rbac_rule_validation.action(service="neutron",
rule="delete_metering_label",
@@ -80,5 +80,5 @@
RBAC test for the neutron "delete_metering_label" policy
"""
label = self._create_metering_label()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.metering_labels_client.delete_metering_label(label['id'])
+ with self.rbac_utils.override_role(self):
+ self.metering_labels_client.delete_metering_label(label['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
index 2fb26f8..c55935f 100644
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -106,9 +106,9 @@
self.create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
- rule="create_port:fixed_ips")
+ rule="create_port:fixed_ips:ip_address")
@decorators.idempotent_id('2551e10d-006a-413c-925a-8c6f834c09ac')
- def test_create_port_fixed_ips(self):
+ def test_create_port_fixed_ips_ip_address(self):
ip_list = self._get_unused_ip_address()
fixed_ips = [{'ip_address': ip_list[0]},
@@ -269,9 +269,9 @@
mac_address=original_mac_address)
@rbac_rule_validation.action(service="neutron",
- rule="update_port:fixed_ips")
+ rule="update_port:fixed_ips:ip_address")
@decorators.idempotent_id('c091c825-532b-4c6f-a14f-affd3259c1c3')
- def test_update_port_fixed_ips(self):
+ def test_update_port_fixed_ips_ip_address(self):
# Pick an ip address within the allocation_pools range.
post_body = {'network': self.network}
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index fff2ada..ab85745 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -63,8 +63,8 @@
RBAC test for the neutron create_router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router()
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router()
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -77,8 +77,8 @@
RBAC test for the neutron create_router:ha policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(ha=True)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(ha=True)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -91,8 +91,8 @@
RBAC test for the neutron create_router:distributed policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(distributed=True)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(distributed=True)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -111,9 +111,9 @@
external_gateway_info = {'network_id': self.network['id'],
'enable_snat': True}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(
- name=name, external_gateway_info=external_gateway_info)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(
+ name=name, external_gateway_info=external_gateway_info)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -136,9 +136,9 @@
'enable_snat': False, # Default is True.
'external_fixed_ips': [external_fixed_ips]}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(
- name=name, external_gateway_info=external_gateway_info)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(
+ name=name, external_gateway_info=external_gateway_info)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -151,9 +151,9 @@
RBAC test for the neutron get_router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
# Prevent other policies from being enforced by using barebones fields.
- self.routers_client.show_router(self.router['id'], fields=['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.show_router(self.router['id'], fields=['id'])
@decorators.idempotent_id('3ed26ea2-b419-410c-b4b5-576c1edafa06')
@utils.requires_ext(extension='dvr', service='network')
@@ -167,9 +167,9 @@
router = self.routers_client.create_router(distributed=True)['router']
self.addCleanup(self.routers_client.delete_router, router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_fields = self.routers_client.show_router(
- router['id'], fields=['distributed'])['router']
+ with self.rbac_utils.override_role(self):
+ retrieved_fields = self.routers_client.show_router(
+ router['id'], fields=['distributed'])['router']
# Rather than throwing a 403, the field is not present, so raise exc.
if 'distributed' not in retrieved_fields:
@@ -188,9 +188,9 @@
router = self.routers_client.create_router(ha=True)['router']
self.addCleanup(self.routers_client.delete_router, router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_fields = self.routers_client.show_router(
- router['id'], fields=['ha'])['router']
+ with self.rbac_utils.override_role(self):
+ retrieved_fields = self.routers_client.show_router(
+ router['id'], fields=['ha'])['router']
# Rather than throwing a 403, the field is not present, so raise exc.
if 'ha' not in retrieved_fields:
@@ -207,8 +207,8 @@
"""
new_name = data_utils.rand_name(
self.__class__.__name__ + '-new-router-name')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'], name=new_name)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'], name=new_name)
@rbac_rule_validation.action(
service="neutron", rule="update_router:external_gateway_info")
@@ -219,9 +219,9 @@
RBAC test for the neutron
update_router:external_gateway_info policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'],
- external_gateway_info={})
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'],
+ external_gateway_info={})
@rbac_rule_validation.action(
service="neutron",
@@ -233,10 +233,10 @@
RBAC test for the neutron
update_router:external_gateway_info:network_id policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(
- self.router['id'],
- external_gateway_info={'network_id': self.network['id']})
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(
+ self.router['id'],
+ external_gateway_info={'network_id': self.network['id']})
self.addCleanup(
self.routers_client.update_router,
self.router['id'],
@@ -253,11 +253,11 @@
RBAC test for the neutron
update_router:external_gateway_info:enable_snat policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(
- self.router['id'],
- external_gateway_info={'network_id': self.network['id'],
- 'enable_snat': True})
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(
+ self.router['id'],
+ external_gateway_info={'network_id': self.network['id'],
+ 'enable_snat': True})
self.addCleanup(
self.routers_client.update_router,
self.router['id'],
@@ -279,10 +279,10 @@
external_gateway_info = {'network_id': self.network['id'],
'external_fixed_ips': [external_fixed_ips]}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(
- self.router['id'],
- external_gateway_info=external_gateway_info)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(
+ self.router['id'],
+ external_gateway_info=external_gateway_info)
self.addCleanup(
self.routers_client.update_router,
self.router['id'],
@@ -297,8 +297,8 @@
RBAC test for the neutron update_router:ha policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'], ha=True)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'], ha=True)
self.addCleanup(self.routers_client.update_router, self.router['id'],
ha=False)
@@ -311,8 +311,9 @@
RBAC test for the neutron update_router:distributed policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'], distributed=True)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'],
+ distributed=True)
self.addCleanup(self.routers_client.update_router, self.router['id'],
distributed=False)
@@ -325,8 +326,8 @@
RBAC test for the neutron delete_router policy
"""
router = self.create_router()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.delete_router(router['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.delete_router(router['id'])
@rbac_rule_validation.action(service="neutron",
rule="add_router_interface")
@@ -340,9 +341,9 @@
subnet = self.create_subnet(network)
router = self.create_router()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.add_router_interface(
- router['id'], subnet_id=subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.add_router_interface(
+ router['id'], subnet_id=subnet['id'])
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.routers_client.remove_router_interface,
@@ -369,7 +370,7 @@
router['id'],
subnet_id=subnet['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.remove_router_interface(
- router['id'],
- subnet_id=subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.remove_router_interface(
+ router['id'],
+ subnet_id=subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
index e111ae8..fd85444 100644
--- a/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
@@ -25,5 +25,5 @@
rule="get_service_provider")
@decorators.idempotent_id('15f573b7-474a-4b37-8629-7fac86553ce5')
def test_list_service_providers(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.service_providers_client.list_service_providers()
+ with self.rbac_utils.override_role(self):
+ self.service_providers_client.list_service_providers()
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
index 9231c15..fe14c92 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
@@ -60,8 +60,8 @@
RBAC test for the neutron create_subnetpool policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_subnetpool()
+ with self.rbac_utils.override_role(self):
+ self._create_subnetpool()
@rbac_rule_validation.action(service="neutron",
rule="create_subnetpool:shared")
@@ -71,8 +71,8 @@
RBAC test for the neutron create_subnetpool:shared policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_subnetpool(shared=True)
+ with self.rbac_utils.override_role(self):
+ self._create_subnetpool(shared=True)
@rbac_rule_validation.action(service="neutron",
rule="get_subnetpool",
@@ -84,8 +84,8 @@
RBAC test for the neutron get_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.show_subnetpool(subnetpool['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.show_subnetpool(subnetpool['id'])
@rbac_rule_validation.action(service="neutron",
rule="update_subnetpool")
@@ -96,9 +96,9 @@
RBAC test for the neutron update_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.update_subnetpool(subnetpool['id'],
- min_prefixlen=24)
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.update_subnetpool(subnetpool['id'],
+ min_prefixlen=24)
@decorators.idempotent_id('a16f4e5c-0675-415f-b636-00af00638693')
@rbac_rule_validation.action(service="neutron",
@@ -117,9 +117,9 @@
default_pool = self._create_subnetpool(is_default=True)
original_desc = default_pool['description']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.update_subnetpool(
- default_pool['id'], description=original_desc, is_default=True)
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.update_subnetpool(
+ default_pool['id'], description=original_desc, is_default=True)
@rbac_rule_validation.action(service="neutron",
rule="delete_subnetpool")
@@ -130,5 +130,5 @@
RBAC test for the neutron delete_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.delete_subnetpool(subnetpool['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.delete_subnetpool(subnetpool['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
index 23f11cf..bc36c21 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
@@ -44,8 +44,8 @@
RBAC test for the neutron "create_subnet" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_subnet(self.network)
+ with self.rbac_utils.override_role(self):
+ self.create_subnet(self.network)
@decorators.idempotent_id('c02618e7-bb20-4abd-83c8-6eec2af08752')
@rbac_rule_validation.action(service="neutron",
@@ -55,8 +55,8 @@
RBAC test for the neutron "get_subnet" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.show_subnet(self.subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.show_subnet(self.subnet['id'])
@decorators.idempotent_id('e2ddc415-5cab-43f4-9b61-166aed65d637')
@rbac_rule_validation.action(service="neutron",
@@ -66,8 +66,8 @@
RBAC test for the neutron "get_subnet" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.list_subnets()
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.list_subnets()
@decorators.idempotent_id('f36cd821-dd22-4bd0-b43d-110fc4b553eb')
@rbac_rule_validation.action(service="neutron",
@@ -79,8 +79,9 @@
"""
update_name = data_utils.rand_name(self.__class__.__name__ + '-Subnet')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.update_subnet(self.subnet['id'], name=update_name)
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.update_subnet(self.subnet['id'],
+ name=update_name)
@decorators.idempotent_id('bcfc7153-bbd1-43a4-a908-b3e1b0cde0dc')
@rbac_rule_validation.action(service="neutron",
@@ -92,5 +93,5 @@
"""
subnet = self.create_subnet(self.network)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.delete_subnet(subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.delete_subnet(subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
index e1c0910..7f1010f 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
@@ -23,20 +23,17 @@
from patrole_tempest_plugin.tests.api.volume import rbac_base
-class GroupsV3RbacTest(rbac_base.BaseVolumeRbacTest):
- min_microversion = '3.14'
- max_microversion = 'latest'
-
+class BaseGroupRbacTest(rbac_base.BaseVolumeRbacTest):
credentials = ['primary', 'admin']
@classmethod
def setup_clients(cls):
- super(GroupsV3RbacTest, cls).setup_clients()
+ super(BaseGroupRbacTest, cls).setup_clients()
cls.admin_groups_client = cls.os_admin.groups_v3_client
cls.admin_volumes_client = cls.os_admin.volumes_v3_client
def setUp(self):
- super(GroupsV3RbacTest, self).setUp()
+ super(BaseGroupRbacTest, self).setUp()
self.volume_type_id = self.create_volume_type()['id']
self.group_type_id = self.create_group_type()['id']
@@ -65,6 +62,11 @@
self.admin_volumes_client.wait_for_resource_deletion(
vol['id'])
+
+class GroupsV3RbacTest(BaseGroupRbacTest):
+ min_microversion = '3.13'
+ max_microversion = 'latest'
+
@decorators.idempotent_id('43235328-66ae-424f-bc7f-f709c0ca268c')
@rbac_rule_validation.action(
service="cinder",
@@ -127,6 +129,27 @@
self._delete_group(group['id'])
+class GroupV320RbacTest(BaseGroupRbacTest):
+ _api_version = 3
+ min_microversion = '3.20'
+ max_microversion = 'latest'
+
+ @decorators.idempotent_id('b849c1d4-3215-4f9d-b1e6-0aeb4b2b65ac')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="group:reset_status")
+ def test_reset_group_status(self):
+ group = self._create_group(ignore_notfound=False,
+ group_type=self.group_type_id,
+ volume_types=[self.volume_type_id])
+ status = 'available'
+ with self.rbac_utils.override_role(self):
+ self.groups_client.reset_group_status(group['id'],
+ status)
+ waiters.wait_for_volume_resource_status(
+ self.groups_client, group['id'], status)
+
+
class GroupTypesV3RbacTest(rbac_base.BaseVolumeRbacTest):
min_microversion = '3.11'
max_microversion = 'latest'
diff --git a/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
index 3ac59be..adfd397 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
@@ -64,7 +64,8 @@
self.qos_client.show_qos(qos['id'])['qos_specs']
@rbac_rule_validation.action(service="cinder",
- rule="volume_extension:qos_specs_manage:get")
+ rule="volume_extension:"
+ "qos_specs_manage:get_all")
@decorators.idempotent_id('ff1e98f3-d456-40a9-96d4-c7e4a55dcffa')
def test_get_association_qos(self):
qos = self._create_test_qos_specs()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py
new file mode 100644
index 0000000..c71a1e1
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py
@@ -0,0 +1,81 @@
+# Copyright 2017 NEC Corporation
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions as lib_exc
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class SnapshotManageRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(SnapshotManageRbacTest, cls).skip_checks()
+ if not CONF.volume_feature_enabled.manage_snapshot:
+ raise cls.skipException("Manage snapshot tests are disabled")
+ if len(CONF.volume.manage_snapshot_ref) != 2:
+ msg = ("Manage snapshot ref is not correctly configured, "
+ "it should be a list of two elements")
+ raise lib_exc.InvalidConfiguration(msg)
+
+ @classmethod
+ def setup_clients(cls):
+ super(SnapshotManageRbacTest, cls).setup_clients()
+ cls.snapshot_manage_client = cls.os_primary.snapshot_manage_v2_client
+
+ @classmethod
+ def resource_setup(cls):
+ super(SnapshotManageRbacTest, cls).resource_setup()
+ cls.volume = cls.create_volume()
+ cls.snapshot = cls.create_snapshot(volume_id=cls.volume['id'])
+
+ @decorators.idempotent_id('bd7d62f2-e485-4626-87ef-03b7f19ee1d0')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="snapshot_extension:snapshot_manage")
+ def test_manage_snapshot_rbac(self):
+ name = data_utils.rand_name(self.__class__.__name__ +
+ '-Managed-Snapshot')
+ description = data_utils.rand_name(self.__class__.__name__ +
+ '-Managed-Snapshot-Description')
+ metadata = {"manage-snap-meta1": "value1",
+ "manage-snap-meta2": "value2",
+ "manage-snap-meta3": "value3"}
+ snapshot_ref = {
+ 'volume_id': self.volume['id'],
+ 'ref': {CONF.volume.manage_snapshot_ref[0]:
+ CONF.volume.manage_snapshot_ref[1] % self.snapshot['id']},
+ 'name': name,
+ 'description': description,
+ 'metadata': metadata
+ }
+ with self.rbac_utils.override_role(self):
+ self.snapshot_manage_client.manage_snapshot(**snapshot_ref)
+
+ @decorators.idempotent_id('4a2e8934-9c0b-434e-8f0b-e18b9aff126f')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="snapshot_extension:snapshot_unmanage")
+ def test_unmanage_snapshot_rbac(self):
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.unmanage_snapshot(self.snapshot['id'])
+ self.snapshots_client.wait_for_resource_deletion(
+ self.snapshot['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
index 96243d8..f7a4151 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.common import waiters
from tempest import config
from tempest.lib import decorators
@@ -37,15 +38,26 @@
cls.snapshot = cls.create_snapshot(volume_id=cls.volume['id'])
cls.snapshot_id = cls.snapshot['id']
+ def tearDown(self):
+ # Set snapshot's status to available after test
+ status = 'available'
+ self.snapshots_client.reset_snapshot_status(self.snapshot_id,
+ status)
+ waiters.wait_for_volume_resource_status(self.snapshots_client,
+ self.snapshot_id, status)
+ super(SnapshotsActionsV3RbacTest, self).tearDown()
+
@rbac_rule_validation.action(
service="cinder",
rule="volume_extension:snapshot_admin_actions:reset_status")
@decorators.idempotent_id('ea430145-34ef-408d-b678-95d5ae5f46eb')
def test_reset_snapshot_status(self):
status = 'error'
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_client.reset_snapshot_status(self.snapshot['id'],
- status)
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.reset_snapshot_status(
+ self.snapshot['id'], status)
+ waiters.wait_for_volume_resource_status(
+ self.snapshots_client, self.snapshot['id'], status)
@rbac_rule_validation.action(
service="cinder",
@@ -57,3 +69,19 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.snapshots_client.force_delete_snapshot(temp_snapshot['id'])
self.snapshots_client.wait_for_resource_deletion(temp_snapshot['id'])
+
+ @decorators.idempotent_id('a95eab2a-c441-4609-9235-f7478627da88')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="snapshot_extension:snapshot_actions:update_snapshot_status")
+ def test_update_snapshot_status(self):
+ status = 'creating'
+ self.snapshots_client.reset_snapshot_status(
+ self.snapshot['id'], status)
+ waiters.wait_for_volume_resource_status(self.snapshots_client,
+ self.snapshot['id'], status)
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.update_snapshot_status(self.snapshot['id'],
+ status="creating")
+ waiters.wait_for_volume_resource_status(
+ self.snapshots_client, self.snapshot['id'], status)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py
index 726f84e..9519cea 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py
@@ -28,7 +28,6 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volume_hosts_client.list_hosts()
- @decorators.skip_because(bug="1732808")
@decorators.idempotent_id('9ddf321e-788f-4787-b8cc-dfa59e264143')
@rbac_rule_validation.action(service="cinder",
rule="volume_extension:hosts")
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
index 9640dc6..a33ebe0 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
@@ -72,6 +72,13 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.transfers_client.list_volume_transfers()
+ @decorators.idempotent_id('e84e45b0-9872-40bf-bf44-971266161a86')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:get_all_transfers")
+ def test_list_volume_transfers_details(self):
+ with self.rbac_utils.override_role(self):
+ self.transfers_client.list_volume_transfers(detail=True)
+
@rbac_rule_validation.action(service="cinder",
rule="volume:accept_transfer")
@decorators.idempotent_id('987f2a11-d657-4984-a6c9-28f06c1cd014')
diff --git a/playbooks/legacy/tempest-patrole-admin/post.yaml b/playbooks/legacy/patrole-admin/post.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-admin/post.yaml
rename to playbooks/legacy/patrole-admin/post.yaml
diff --git a/playbooks/legacy/tempest-patrole-admin/run.yaml b/playbooks/legacy/patrole-admin/run.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-admin/run.yaml
rename to playbooks/legacy/patrole-admin/run.yaml
diff --git a/playbooks/legacy/tempest-patrole-member/post.yaml b/playbooks/legacy/patrole-member/post.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-member/post.yaml
rename to playbooks/legacy/patrole-member/post.yaml
diff --git a/playbooks/legacy/tempest-patrole-member/run.yaml b/playbooks/legacy/patrole-member/run.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-member/run.yaml
rename to playbooks/legacy/patrole-member/run.yaml
diff --git a/playbooks/legacy/tempest-patrole-multinode-admin/post.yaml b/playbooks/legacy/patrole-multinode-admin/post.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-multinode-admin/post.yaml
rename to playbooks/legacy/patrole-multinode-admin/post.yaml
diff --git a/playbooks/legacy/tempest-patrole-multinode-admin/run.yaml b/playbooks/legacy/patrole-multinode-admin/run.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-multinode-admin/run.yaml
rename to playbooks/legacy/patrole-multinode-admin/run.yaml
diff --git a/playbooks/legacy/tempest-patrole-multinode-member/post.yaml b/playbooks/legacy/patrole-multinode-member/post.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-multinode-member/post.yaml
rename to playbooks/legacy/patrole-multinode-member/post.yaml
diff --git a/playbooks/legacy/tempest-patrole-multinode-member/run.yaml b/playbooks/legacy/patrole-multinode-member/run.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-multinode-member/run.yaml
rename to playbooks/legacy/patrole-multinode-member/run.yaml
diff --git a/playbooks/legacy/tempest-patrole-py35-member/post.yaml b/playbooks/legacy/patrole-py35-member/post.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-py35-member/post.yaml
rename to playbooks/legacy/patrole-py35-member/post.yaml
diff --git a/playbooks/legacy/tempest-patrole-py35-member/run.yaml b/playbooks/legacy/patrole-py35-member/run.yaml
similarity index 100%
rename from playbooks/legacy/tempest-patrole-py35-member/run.yaml
rename to playbooks/legacy/patrole-py35-member/run.yaml