Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / patrole / 4877f1d43259de39e9029aea90046351a0c3fb35^2..4877f1d43259de39e9029aea90046351a0c3fb35 / .
commit4877f1d43259de39e9029aea90046351a0c3fb35[log] [tgz]
authorZuul <zuul@review.openstack.org>Thu Nov 01 01:26:55 2018 +0000
committerGerrit Code Review <review@openstack.org>Thu Nov 01 01:26:55 2018 +0000
tree6cbc84c1769545c4e0384bef0025b90f68ba8f9e
parent7267fa45d904170d934ff3245fd5ff5d1a30bd80 [diff]
parent904a02bef8af64c2a6fb1e0aca67ea9db3f9883f [diff]
Merge "hacking: Add hacking rule for plugin rbac test class names"
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index a6259f4..502b68c 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh

@@ -27,10 +27,10 @@
         iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_reserve_policy False
         iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_unreserve_policy False
 
+        # TODO(cl566n): Remove these once stable/pike becomes EOL.
         # These policies were removed in Stein but are available in Pike.
         iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
-
-        # TODO(cl566n): Policies used by Patrole testing. Remove these once stable/pike becomes EOL.
+        iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
         iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
     fi
 
@@ -39,16 +39,17 @@
             RBAC_TEST_ROLE="Member"
         fi
 
+        # TODO(cl566n): Remove these once stable/queens becomes EOL.
         # These policies were removed in Stein but are available in Queens.
         iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
-
-        # TODO(cl566n): Policies used by Patrole testing. Remove these once stable/queens becomes EOL.
+        iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
         iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
     fi
 
     if [[ ${DEVSTACK_SERIES} == 'rocky' ]]; then
         # TODO(cl566n): Policies used by Patrole testing. Remove these once stable/rocky becomes EOL.
         iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
+        iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
     fi
 
     iniset $TEMPEST_CONFIG patrole rbac_test_role $RBAC_TEST_ROLE

diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index 56a786b..dc0ed25 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py

@@ -162,11 +162,16 @@
                 help="""Are the Nova API extension policies available in the
 cloud (e.g. os_compute_api:os-extended-availability-zone)? These policies were
 removed in Stein because Nova API extension concept was removed in Pike."""),
+    cfg.BoolOpt('removed_keystone_policies_stein',
+                default=True,
+                help="""Are the obsolete Keystone policies available in the
+cloud (e.g. identity:[create|update|get|delete]_credential)? These policies
+were removed in Stein."""),
     cfg.BoolOpt('added_cinder_policies_stein',
                 default=True,
-                help="""Are the Cinder API extension policies available in the
-cloud (e.g. [create|update|get|delete]_encryption_policy)? These policies are
-added in Stein.""")
+                help="""Are the Cinder Stein policies available in the cloud
+(e.g. [create|update|get|delete]_encryption_policy)? These policies are added
+in Stein.""")
 ]
 
 

diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 6db2199..b7ac8d9 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py

@@ -23,6 +23,7 @@
 from tempest import clients
 from tempest.common import credentials_factory as credentials
 from tempest import config
+from tempest.lib import exceptions as lib_exc
 
 from patrole_tempest_plugin import rbac_exceptions
 
@@ -50,10 +51,11 @@
         # Intialize the admin roles_client to perform role switching.
         admin_mgr = clients.Manager(
             credentials.get_configured_admin_credentials())
-        if test_obj.get_identity_version() == 'v3':
+        if CONF.identity_feature_enabled.api_v3:
             admin_roles_client = admin_mgr.roles_v3_client
         else:
-            admin_roles_client = admin_mgr.roles_client
+            raise lib_exc.InvalidConfiguration(
+                "Patrole role overriding only supports v3 identity API.")
 
         self.admin_roles_client = admin_roles_client
         self._override_role(test_obj, False)

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
index 977a830..26e34da 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py

@@ -13,13 +13,21 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import testtools
+
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators
 
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.identity import rbac_base
 
+CONF = config.CONF
 
+
+@testtools.skipIf(
+    CONF.policy_feature_enabled.removed_keystone_policies_stein,
+    "This policy is unavailable in Stein so cannot be tested.")
 class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     def _create_user_project_and_credential(self):

diff --git a/patrole_tempest_plugin/tests/unit/fixtures.py b/patrole_tempest_plugin/tests/unit/fixtures.py
index 4552224..aee36fa 100644
--- a/patrole_tempest_plugin/tests/unit/fixtures.py
+++ b/patrole_tempest_plugin/tests/unit/fixtures.py

@@ -69,12 +69,13 @@
         self.useFixture(ConfPatcher(rbac_test_role='member', group='patrole'))
         self.useFixture(ConfPatcher(
             admin_role='admin', auth_version='v3', group='identity'))
+        self.useFixture(ConfPatcher(
+            api_v3=True, group='identity-feature-enabled'))
 
         test_obj_kwargs = {
             'os_primary.credentials.user_id': self.USER_ID,
             'os_primary.credentials.tenant_id': self.PROJECT_ID,
             'os_primary.credentials.project_id': self.PROJECT_ID,
-            'get_identity_version.return_value': 'v3'
         }
         self.mock_test_obj = mock.Mock(
             __name__='patrole_unit_test', spec=test.BaseTestCase,

diff --git a/releasenotes/notes/deprecate-roles-client-in-rbac-utils-087eda0658d18fa9.yaml b/releasenotes/notes/deprecate-roles-client-in-rbac-utils-087eda0658d18fa9.yaml
new file mode 100644
index 0000000..c42da8a
--- /dev/null
+++ b/releasenotes/notes/deprecate-roles-client-in-rbac-utils-087eda0658d18fa9.yaml

@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    Patrole will only support the v3 Tempest roles client for role
+    overriding operations. Support for the v2 version has been dropped
+    because the Keystone v2 API is slated for removal.

diff --git a/releasenotes/notes/removed-keystone-policies-stein-feature-flag-6cfebbf64ed525d7.yaml b/releasenotes/notes/removed-keystone-policies-stein-feature-flag-6cfebbf64ed525d7.yaml
new file mode 100644
index 0000000..3bed287
--- /dev/null
+++ b/releasenotes/notes/removed-keystone-policies-stein-feature-flag-6cfebbf64ed525d7.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Added new feature flag called ``removed_keystone_policies_stein`` under
+    the configuration group ``[policy-feature-enabled]`` for skipping Keystone
+    tests whose policies were removed in Stein. This feature flag is currently
+    applied to credentials-related policies, e.g.:
+    identity:[create|update|get|delete]_credential