Merge "docs: Update configuration docs"
diff --git a/patrole_tempest_plugin/rbac_exceptions.py b/patrole_tempest_plugin/rbac_exceptions.py
index aa3135e..5ccb216 100644
--- a/patrole_tempest_plugin/rbac_exceptions.py
+++ b/patrole_tempest_plugin/rbac_exceptions.py
@@ -16,25 +16,25 @@
from tempest.lib import exceptions
-class RbacActionFailed (exceptions.ClientRestClientException):
+class RbacActionFailed(exceptions.ClientRestClientException):
message = "Rbac action failed"
-class RbacResourceSetupFailed (exceptions.TempestException):
+class RbacResourceSetupFailed(exceptions.TempestException):
message = "Rbac resource setup failed"
-class RbacOverPermission (exceptions.TempestException):
+class RbacOverPermission(exceptions.TempestException):
message = "Action performed that should not be permitted"
-class RbacInvalidService (exceptions.TempestException):
+class RbacInvalidService(exceptions.TempestException):
message = "Attempted to test an invalid service"
-class RbacParsingException (exceptions.TempestException):
+class RbacParsingException(exceptions.TempestException):
message = "Attempted to test an invalid policy file or action"
-class RbacInvalidErrorCode (exceptions.TempestException):
+class RbacInvalidErrorCode(exceptions.TempestException):
message = "Unsupported error code passed in test"
diff --git a/patrole_tempest_plugin/tests/api/compute/test_config_drive_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_config_drive_rbac.py
deleted file mode 100644
index 794e0d2..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_config_drive_rbac.py
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class ConfigDriveRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def setup_clients(cls):
- super(ConfigDriveRbacTest, cls).setup_clients()
- cls.client = cls.servers_client
-
- @classmethod
- def skip_checks(cls):
- super(ConfigDriveRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-config-drive', 'compute'):
- msg = "%s skipped as os-config-drive extension not enabled." \
- % cls.__name__
- raise cls.skipException(msg)
-
- @decorators.idempotent_id('55c62ef7-b72b-4970-acc6-05b0a4316e5d')
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-config-drive")
- def test_create_test_server_with_config_drive(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # NOTE(felipemonteiro): This policy action is always enforced,
- # regardless whether the config_drive flag is set to true or false.
- # However, it has been explicitly set to true below, in case that this
- # behavior ever changes in the future.
- self.create_test_server(config_drive=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
index ffbc530..b115ab5 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
@@ -155,7 +155,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._test_stop_server()
- @test.attr(type='slow')
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:start")
@@ -165,7 +165,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._test_start_server()
- @test.attr(type='slow')
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:resize")
@@ -176,7 +176,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._test_resize_server(self.flavor_ref_alt)
- @test.attr(type='slow')
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:revert_resize")
@@ -188,7 +188,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._test_revert_resize_server()
- @test.attr(type='slow')
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:confirm_resize")
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_migrations_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_migrations_rbac.py
index 842d8b1..a7f16a1 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_migrations_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_migrations_rbac.py
@@ -18,7 +18,6 @@
from tempest.common import waiters
from tempest import config
from tempest.lib import decorators
-from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base as base
@@ -63,7 +62,7 @@
if host_record['service'] == 'compute'
]
- @test.attr(type='slow')
+ @decorators.attr(type='slow')
@testtools.skipUnless(CONF.compute_feature_enabled.cold_migration,
'Cold migration not available.')
@rbac_rule_validation.action(
@@ -77,7 +76,7 @@
waiters.wait_for_server_status(self.admin_servers_client,
server['id'], 'VERIFY_RESIZE')
- @test.attr(type='slow')
+ @decorators.attr(type='slow')
@testtools.skipUnless(CONF.compute_feature_enabled.live_migration,
'Live migration feature is not enabled.')
@rbac_rule_validation.action(
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
index afa8c02..c1bf9f7 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -23,6 +23,7 @@
from tempest.lib import exceptions as lib_exc
from tempest import test
+from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -84,7 +85,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.servers_client.inject_network_info(self.server_id)
- @test.attr(type=['slow'])
+ @decorators.attr(type=['slow'])
@test.requires_ext(extension='os-admin-actions', service='compute')
@rbac_rule_validation.action(
service="nova",
@@ -113,6 +114,33 @@
waiters.wait_for_server_status(
self.os_admin.servers_client, self.server_id, 'ACTIVE')
+ @test.requires_ext(extension='os-config-drive', service='compute')
+ @decorators.idempotent_id('2c82e819-382d-4d6f-87f0-a45954cbbc64')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-config-drive")
+ def test_list_servers_with_details_config_drive(self):
+ """Test list servers with config_drive property in response body."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.servers_client.list_servers(detail=True)['servers']
+ # If the first server contains "config_drive", then all the others do.
+ if 'config_drive' not in body[0]:
+ raise rbac_exceptions.RbacActionFailed(
+ '"config_drive" attribute not found in response body.')
+
+ @test.requires_ext(extension='os-config-drive', service='compute')
+ @decorators.idempotent_id('55c62ef7-b72b-4970-acc6-05b0a4316e5d')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-config-drive")
+ def test_show_server_config_drive(self):
+ """Test show server with config_drive property in response body."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.servers_client.show_server(self.server_id)['server']
+ if 'config_drive' not in body:
+ raise rbac_exceptions.RbacActionFailed(
+ '"config_drive" attribute not found in response body.')
+
@test.requires_ext(extension='os-deferred-delete', service='compute')
@decorators.idempotent_id('189bfed4-1e6d-475c-bb8c-d57e60895391')
@rbac_rule_validation.action(
@@ -394,3 +422,24 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.servers_client.add_fixed_ip(self.server['id'],
networkId=network_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-virtual-interfaces")
+ @decorators.idempotent_id('fc719ae3-0f73-4689-8378-1b841f0f2818')
+ def test_list_virtual_interfaces(self):
+ """Test list virtual interfaces, part of os-virtual-interfaces.
+
+ If Neutron is available, then call the API and expect it to fail
+ with a 400 BadRequest (policy enforcement is done before that happens).
+
+ For more information, see:
+ https://developer.openstack.org/api-ref/compute/#servers-virtual-interfaces-servers-os-virtual-interfaces-deprecated
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ if CONF.service_available.neutron:
+ msg = "Listing virtual interfaces is not supported by this cloud."
+ with self.assertRaisesRegex(lib_exc.BadRequest, msg):
+ self.servers_client.list_virtual_interfaces(self.server['id'])
+ else:
+ self.servers_client.list_virtual_interfaces(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
index c6ac1c5..f5d9dc0 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
@@ -219,7 +219,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.servers_client.list_security_groups_by_server(self.server['id'])
- @test.attr(type=["slow"])
+ @decorators.attr(type=["slow"])
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-security-groups")
@@ -233,7 +233,7 @@
self.servers_client.remove_security_group,
self.server['id'], name=sg_name)
- @test.attr(type=["slow"])
+ @decorators.attr(type=["slow"])
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-security-groups")
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_virtual_interfaces_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_virtual_interfaces_rbac.py
deleted file mode 100644
index 1480444..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_server_virtual_interfaces_rbac.py
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest import config
-from tempest.lib import decorators
-from tempest.lib import exceptions
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base as base
-
-CONF = config.CONF
-
-
-class ServerVirtualInterfacesRbacTest(base.BaseV2ComputeRbacTest):
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-virtual-interfaces")
- @decorators.idempotent_id('fc719ae3-0f73-4689-8378-1b841f0f2818')
- def test_list_virtual_interfaces(self):
- server = self.create_test_server(wait_until='ACTIVE')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- if CONF.service_available.neutron:
- msg = "Listing virtual interfaces is not supported by this cloud."
- with self.assertRaisesRegex(exceptions.BadRequest, msg):
- self.servers_client.list_virtual_interfaces(server['id'])
- else:
- self.servers_client.list_virtual_interfaces(server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
index a401f24..943cb69 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
@@ -17,7 +17,6 @@
from tempest import config
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -73,7 +72,7 @@
self.servers_client.show_volume_attachment(
self.server['id'], attachment['id'])
- @test.attr(type='slow')
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-volumes-attachments:update")
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index 1ed081e..e8c402e 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -243,6 +243,7 @@
cls.trusts_client = cls.os_primary.trusts_client
cls.users_client = cls.os_primary.users_v3_client
cls.oauth_token_client = cls.os_primary.oauth_token_client
+ cls.token_client = cls.os_primary.token_v3_client
@classmethod
def resource_setup(cls):
@@ -254,6 +255,7 @@
cls.projects = []
cls.regions = []
cls.trusts = []
+ cls.tokens = []
@classmethod
def resource_cleanup(cls):
@@ -289,6 +291,10 @@
test_utils.call_and_ignore_notfound_exc(
cls.trusts_client.delete_trust, trust['id'])
+ for token in cls.tokens:
+ test_utils.call_and_ignore_notfound_exc(
+ cls.identity_client.delete_token, token)
+
super(BaseIdentityV3RbacTest, cls).resource_cleanup()
@classmethod
@@ -375,3 +381,12 @@
cls.trusts.append(trust)
return trust
+
+ @classmethod
+ def setup_test_token(cls, user_id, password):
+ """Set up a test token."""
+ token = cls.token_client.auth(user_id=user_id,
+ password=password).response
+ token_id = token['x-subject-token']
+ cls.tokens.append(token_id)
+ return token_id
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py
index e7b73b6..00c9f55 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py
@@ -73,7 +73,7 @@
@decorators.idempotent_id('5c16368d-1485-4c28-9803-db3fa3510623')
@rbac_rule_validation.action(service="keystone",
- rule="identity:check_endpoint_group")
+ rule="identity:get_endpoint_group")
def test_check_endpoint_group(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.endpoint_groups_client.check_endpoint_group(
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
new file mode 100644
index 0000000..1ab296a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
@@ -0,0 +1,100 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+from tempest.lib import exceptions as lib_exc
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+CONF = config.CONF
+
+
+class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+ credentials = ['primary', 'admin', 'alt']
+
+ @classmethod
+ def skip_checks(cls):
+ super(IdentityTokenV3RbacTest, cls).skip_checks()
+ # In case of admin, the positive testcase would be used, hence
+ # skipping negative testcase
+ if CONF.rbac.rbac_test_role == CONF.identity.admin_role:
+ raise cls.skipException(
+ "Skipped as admin role doesn't require negative testing")
+
+ def _setup_alt_token(self):
+ return self.setup_test_token(
+ self.os_alt.auth_provider.credentials.user_id,
+ self.os_alt.auth_provider.credentials.password)
+
+ @decorators.idempotent_id('c83c8f1a-79cb-4dc4-b55f-c7d2bfd98b1e')
+ @test.attr(type=['negative'])
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:validate_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_alt.auth_provider.credentials.user_id"
+ })
+ def test_show_token_negative(self):
+ # Explicit negative test for identity:validate_token policy action.
+ # Assert expected exception is Forbidden and then reraise it.
+ alt_token_id = self._setup_alt_token()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ e = self.assertRaises(lib_exc.Forbidden,
+ self.identity_client.show_token,
+ alt_token_id)
+ raise e
+
+ @decorators.idempotent_id('2786a55d-a818-433a-af7a-41ebf72ab4da')
+ @test.attr(type=['negative'])
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:revoke_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_alt.auth_provider.credentials.user_id"
+ })
+ def test_delete_token_negative(self):
+ # Explicit negative test for identity:revoke_token policy action.
+ # Assert expected exception is Forbidden and then reraise it.
+ alt_token_id = self._setup_alt_token()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ e = self.assertRaises(lib_exc.Forbidden,
+ self.identity_client.delete_token,
+ alt_token_id)
+ raise e
+
+ @decorators.idempotent_id('1ea02ac0-9a96-44bd-bdc3-4dae3c10cc2e')
+ @test.attr(type=['negative'])
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:check_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_alt.auth_provider.credentials.user_id"
+ })
+ def test_check_token_existence_negative(self):
+ # Explicit negative test for identity:check_token policy action.
+ # Assert expected exception is Forbidden and then reraise it.
+ alt_token_id = self._setup_alt_token()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ e = self.assertRaises(lib_exc.Forbidden,
+ self.identity_client.check_token_existence,
+ alt_token_id)
+ raise e
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py
new file mode 100644
index 0000000..e6d0dd1
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py
@@ -0,0 +1,67 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+
+class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+ @classmethod
+ def resource_setup(cls):
+ super(IdentityTokenV3RbacTest, cls).resource_setup()
+ cls.user_id = cls.os_primary.auth_provider.credentials.user_id
+ cls.password = cls.os_primary.auth_provider.credentials.password
+
+ @decorators.idempotent_id('201e2fe5-2023-4bce-9189-78b51520a91e')
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:validate_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_primary.auth_provider.credentials.user_id"
+ })
+ def test_show_token(self):
+ token_id = self.setup_test_token(self.user_id, self.password)
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.identity_client.show_token(token_id)
+
+ @decorators.idempotent_id('42a299db-fe0a-4ea0-9824-0bfd13155886')
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:revoke_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_primary.auth_provider.credentials.user_id"
+ })
+ def test_delete_token(self):
+ token_id = self.setup_test_token(self.user_id, self.password)
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.identity_client.delete_token(token_id)
+
+ @decorators.idempotent_id('3554d218-8cd6-4730-a1b2-0e22f9b78f45')
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:check_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_primary.auth_provider.credentials.user_id"
+ })
+ def test_check_token_exsitence(self):
+ token_id = self.setup_test_token(self.user_id, self.password)
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.identity_client.check_token_existence(token_id)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
index c25af25..0532b2d 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
@@ -16,7 +16,6 @@
from tempest import config
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
-from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
@@ -77,7 +76,7 @@
trustee_user_id=self.trustee_user_id)
@decorators.idempotent_id('bd72d22a-6e11-4840-bd93-17b382e7f0e0')
- @test.attr(type=['negative'])
+ @decorators.attr(type=['negative'])
@rbac_rule_validation.action(
service="keystone",
rule="identity:create_trust",
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index b379c5d..e8e3ef8 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -74,8 +74,8 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._attach_volume(server)
- @test.attr(type=["slow"])
@test.services('compute')
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(service="cinder", rule="volume:detach")
@decorators.idempotent_id('5a042f6a-688b-42e6-a02e-fe5c47b89b07')
def test_detach_volume_from_instance(self):
@@ -85,7 +85,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._detach_volume()
- @test.attr(type=["slow"])
+ @decorators.attr(type=["slow"])
@test.services('image')
@rbac_rule_validation.action(
service="cinder",
@@ -224,7 +224,7 @@
cls.admin_image_client = cls.os_admin.image_client_v2
cls.admin_volumes_client = cls.os_admin.volumes_client_latest
- @test.attr(type=["slow"])
+ @decorators.attr(type=["slow"])
@test.services('image')
@rbac_rule_validation.action(
service="cinder",
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
index 97eaab7..210901c 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
@@ -54,23 +54,26 @@
self.vol_type['id'], self.spec_key)
@decorators.idempotent_id('76c36be2-2b6c-4acf-9aac-c9dc5c17cdbe')
- @rbac_rule_validation.action(service="cinder",
- rule="volume_extension:types_extra_specs")
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:types_extra_specs:index")
def test_list_volume_types_extra_specs(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volume_types_client.list_volume_types_extra_specs(
self.vol_type['id'])['extra_specs']
- @rbac_rule_validation.action(service="cinder",
- rule="volume_extension:types_extra_specs")
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:types_extra_specs:create")
@decorators.idempotent_id('eea40251-990b-49b0-99ae-10e4585b479b')
def test_create_volume_type_extra_specs(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_volume_type_extra_specs(ignore_not_found=True)
@decorators.idempotent_id('e2dcc9c6-2fef-431d-afaf-92b45bc76d1a')
- @rbac_rule_validation.action(service="cinder",
- rule="volume_extension:types_extra_specs")
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:types_extra_specs:show")
def test_show_volume_type_extra_specs(self):
self._create_volume_type_extra_specs()
@@ -79,8 +82,9 @@
self.vol_type['id'], self.spec_key)
@decorators.idempotent_id('93001912-f938-41c7-8787-62dc7010fd52')
- @rbac_rule_validation.action(service="cinder",
- rule="volume_extension:types_extra_specs")
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:types_extra_specs:delete")
def test_delete_volume_type_extra_specs(self):
self._create_volume_type_extra_specs(ignore_not_found=True)
@@ -89,8 +93,9 @@
self.vol_type['id'], self.spec_key)
@decorators.idempotent_id('0a444437-7402-4fbe-a18a-93af2ee00618')
- @rbac_rule_validation.action(service="cinder",
- rule="volume_extension:types_extra_specs")
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:types_extra_specs:update")
def test_update_volume_type_extra_specs(self):
self._create_volume_type_extra_specs()
update_extra_specs = {self.spec_key: "val2"}
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
index e8949d6..01c1b08 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -21,7 +21,6 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
@@ -58,7 +57,7 @@
backup.update(changes)
return self._encode_backup(backup)
- @test.attr(type=["slow"])
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(service="cinder",
rule="backup:create")
@decorators.idempotent_id('6887ec94-0bcf-4ab7-b30f-3808a4b5a2a5')
@@ -66,7 +65,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.create_backup(volume_id=self.volume['id'])
- @test.attr(type=["slow"])
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(service="cinder",
rule="backup:get")
@decorators.idempotent_id('abd92bdd-b0fb-4dc4-9cfc-de9e968f8c8a')
@@ -103,7 +102,7 @@
waiters.wait_for_volume_resource_status(self.admin_backups_client,
backup['id'], 'error')
- @test.attr(type=["slow"])
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(service="cinder",
rule="backup:restore")
@decorators.idempotent_id('9c794bf9-2446-4f41-8fe0-80b71e757f9d')
@@ -115,7 +114,7 @@
waiters.wait_for_volume_resource_status(
self.admin_backups_client, restore['backup_id'], 'available')
- @test.attr(type=["slow"])
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(service="cinder",
rule="backup:delete")
@decorators.idempotent_id('d5d0c6a2-413d-437e-a73f-4bf2b41a20ed')
@@ -135,7 +134,7 @@
# Wait for deletion so error isn't thrown during clean up.
self.backups_client.wait_for_resource_deletion(backup['id'])
- @test.attr(type=["slow"])
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(service="cinder",
rule="backup:backup-export")
@decorators.idempotent_id('e984ec8d-e8eb-485c-98bc-f1856020303c')
@@ -144,7 +143,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.backups_client.export_backup(backup['id'])['backup-record']
- @test.attr(type=["slow"])
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(service="cinder",
rule="backup:backup-import")
@decorators.idempotent_id('1e70f039-4556-44cc-9cc1-edf2b7ed648b')
diff --git a/releasenotes/notes/test_tokens_rbac-63a93e507d079a03.yaml b/releasenotes/notes/test_tokens_rbac-63a93e507d079a03.yaml
new file mode 100644
index 0000000..da285eb
--- /dev/null
+++ b/releasenotes/notes/test_tokens_rbac-63a93e507d079a03.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Added RBAC test scenarios for the token-related v3 identity API
diff --git a/requirements.txt b/requirements.txt
index 126a3dc..cd6a577 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,5 +7,5 @@
oslo.log>=3.22.0 # Apache-2.0
oslo.config!=4.3.0,!=4.4.0,>=4.0.0 # Apache-2.0
oslo.policy>=1.23.0 # Apache-2.0
-tempest>=14.0.0 # Apache-2.0
+tempest>=16.1.0 # Apache-2.0
stevedore>=1.20.0 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index 3e03437..177d0fd 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -13,4 +13,4 @@
oslotest>=1.10.0 # Apache-2.0
oslo.policy>=1.23.0 # Apache-2.0
oslo.log>=3.22.0 # Apache-2.0
-tempest>=14.0.0 # Apache-2.0
+tempest>=16.1.0 # Apache-2.0