Merge "Migrate to override_role for compute module (part 2)"
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 82bc1a0..fc8b145 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -175,10 +175,10 @@
"OverPermission: Role %s was allowed to perform %s" %
(role, rule))
finally:
- # TODO(felipemonteiro): Remove the `switch_role` call below
- # once all the tests have migrated over to `override_role`.
- test_obj.rbac_utils.switch_role(test_obj,
- toggle_rbac_role=False)
+ # TODO(felipemonteiro): Remove the call below once all the
+ # tests have migrated over to `override_role` public method.
+ test_obj.rbac_utils._override_role(test_obj,
+ toggle_rbac_role=False)
if CONF.patrole_log.enable_reporting:
RBACLOG.info(
"[Service]: %s, [Test]: %s, [Rule]: %s, "
diff --git a/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
index cbe8d01..a046f96 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
@@ -45,8 +45,8 @@
service="nova", rule="os_compute_api:os-agents")
@decorators.idempotent_id('d1bc6d97-07f5-4f45-ac29-1c619a6a7e27')
def test_list_agents_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_agents()
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_agents()
@rbac_rule_validation.action(
service="nova",
@@ -56,8 +56,8 @@
params = {'hypervisor': 'kvm', 'os': 'win', 'architecture': 'x86',
'version': '7.0', 'url': 'xxx://xxxx/xxx/xxx',
'md5hash': 'add6bb58e139be103324d04d82d8f545'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.agents_client.create_agent(**params)['agent']
+ with self.rbac_utils.override_role(self):
+ body = self.agents_client.create_agent(**params)['agent']
self.addCleanup(self.agents_client.delete_agent,
body['agent_id'])
@@ -74,13 +74,13 @@
body = self.agents_client.create_agent(**params)['agent']
self.addCleanup(self.agents_client.delete_agent,
body['agent_id'])
-
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
update_params = self._param_helper(
version='8.0',
url='xxx://xxxx/xxx/xxx2',
md5hash='add6bb58e139be103324d04d82d8f547')
- self.agents_client.update_agent(body['agent_id'], **update_params)
+
+ with self.rbac_utils.override_role(self):
+ self.agents_client.update_agent(body['agent_id'], **update_params)
@rbac_rule_validation.action(
service="nova",
@@ -96,5 +96,5 @@
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.agents_client.delete_agent,
body['agent_id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_agent(body['agent_id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_agent(body['agent_id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
index 261fded..12ac058 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
@@ -58,48 +58,49 @@
service="nova", rule="os_compute_api:os-aggregates:create")
@decorators.idempotent_id('ba754393-896e-434a-9704-452ff4a84f3f')
def test_create_aggregate_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_aggregate()
+ with self.rbac_utils.override_role(self):
+ self._create_aggregate()
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:show")
@decorators.idempotent_id('8fb0b749-b120-4727-b3fb-bcfa3fa6f55b')
def test_show_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.show_aggregate(aggregate_id)
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.show_aggregate(aggregate_id)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:index")
@decorators.idempotent_id('146284da-5dd6-4c97-b598-42b480f014c6')
def test_list_aggregate_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.list_aggregates()['aggregates']
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.list_aggregates()
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:update")
@decorators.idempotent_id('c94e0d69-99b6-477e-b301-2cd0e9d0ad81')
def test_update_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
new_name = data_utils.rand_name(self.__class__.__name__ + '-aggregate')
- self.aggregates_client.update_aggregate(aggregate_id, name=new_name)
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.update_aggregate(aggregate_id,
+ name=new_name)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:delete")
@decorators.idempotent_id('5a50c5a6-0f12-4405-a1ce-2288ae895ea6')
def test_delete_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.delete_aggregate(aggregate_id)
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.delete_aggregate(aggregate_id)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:add_host")
@decorators.idempotent_id('97e6e9df-5291-4faa-8147-755b2d1f1ce2')
def test_add_host_to_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._add_host_to_aggregate(aggregate_id)
+ with self.rbac_utils.override_role(self):
+ self._add_host_to_aggregate(aggregate_id)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:remove_host")
@@ -107,8 +108,8 @@
def test_remove_host_from_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
host_name = self._add_host_to_aggregate(aggregate_id)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.remove_host(aggregate_id, host=host_name)
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.remove_host(aggregate_id, host=host_name)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:set_metadata")
@@ -117,7 +118,7 @@
aggregate_id = self._create_aggregate()
rand_key = data_utils.rand_name(self.__class__.__name__ + '-key')
rand_val = data_utils.rand_name(self.__class__.__name__ + '-val')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.aggregates_client.set_metadata(
- aggregate_id,
- metadata={rand_key: rand_val})
+ with self.rbac_utils.override_role(self):
+ self.aggregates_client.set_metadata(
+ aggregate_id,
+ metadata={rand_key: rand_val})
diff --git a/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
index 2a8a6ae..66dce5c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
@@ -32,12 +32,12 @@
"os-availability-zone:list")
@decorators.idempotent_id('cd34e7ea-d26e-4fa3-a8d0-f8883726ce3d')
def test_get_availability_zone_list_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.availability_zone_client.list_availability_zones()
+ with self.rbac_utils.override_role(self):
+ self.availability_zone_client.list_availability_zones()
@rbac_rule_validation.action(service="nova", rule="os_compute_api:"
"os-availability-zone:detail")
@decorators.idempotent_id('2f61c191-6ece-4f21-b487-39d749e3d38e')
def test_get_availability_zone_list_detail_rbac(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.availability_zone_client.list_availability_zones(detail=True)
+ with self.rbac_utils.override_role(self):
+ self.availability_zone_client.list_availability_zones(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py
index dd32187..f426cf3 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py
@@ -58,21 +58,21 @@
service="nova",
rule="os_compute_api:os-fixed-ips")
def test_show_fixed_ip_details(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fixed_ips_client.show_fixed_ip(self.ip)
+ with self.rbac_utils.override_role(self):
+ self.fixed_ips_client.show_fixed_ip(self.ip)
@decorators.idempotent_id('f0314501-735d-4315-9856-959e01e82f0d')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-fixed-ips")
def test_set_reserve(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fixed_ips_client.reserve_fixed_ip(self.ip, reserve="None")
+ with self.rbac_utils.override_role(self):
+ self.fixed_ips_client.reserve_fixed_ip(self.ip, reserve="None")
@decorators.idempotent_id('866a6fdc-a237-4502-9bf2-52fe82aba356')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-fixed-ips")
def test_set_unreserve(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fixed_ips_client.reserve_fixed_ip(self.ip, unreserve="None")
+ with self.rbac_utils.override_role(self):
+ self.fixed_ips_client.reserve_fixed_ip(self.ip, unreserve="None")
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
index 7503962..976f18c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
@@ -41,9 +41,9 @@
def test_show_flavor_contains_is_public_key(self):
public_flavor_id = CONF.compute.flavor_ref
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.flavors_client.show_flavor(public_flavor_id)[
- 'flavor']
+ with self.rbac_utils.override_role(self):
+ body = self.flavors_client.show_flavor(public_flavor_id)[
+ 'flavor']
expected_attr = 'os-flavor-access:is_public'
if expected_attr not in body:
@@ -57,8 +57,8 @@
def test_list_flavors_details_contains_is_public_key(self):
expected_attr = 'os-flavor-access:is_public'
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- flavors = self.flavors_client.list_flavors(detail=True)['flavors']
+ with self.rbac_utils.override_role(self):
+ flavors = self.flavors_client.list_flavors(detail=True)['flavors']
# There should already be a public flavor available, namely
# `CONF.compute.flavor_ref`.
public_flavors = [f for f in flavors if expected_attr in f]
@@ -74,10 +74,9 @@
service="nova",
rule="os_compute_api:os-flavor-access:add_tenant_access")
def test_add_flavor_access(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.add_flavor_access(
- flavor_id=self.flavor_id, tenant_id=self.tenant_id)[
- 'flavor_access']
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.add_flavor_access(
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
self.addCleanup(self.flavors_client.remove_flavor_access,
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
@@ -92,9 +91,9 @@
self.flavors_client.remove_flavor_access,
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.remove_flavor_access(
- flavor_id=self.flavor_id, tenant_id=self.tenant_id)
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.remove_flavor_access(
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
@decorators.idempotent_id('e1cf59fb-7f32-40a1-96b9-248ab23dd581')
@rbac_rule_validation.action(
@@ -104,10 +103,9 @@
# Add flavor access for os_primary so that it can access the flavor or
# else a NotFound is raised.
self.flavors_client.add_flavor_access(
- flavor_id=self.flavor_id, tenant_id=self.tenant_id)[
- 'flavor_access']
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
self.addCleanup(self.flavors_client.remove_flavor_access,
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.list_flavor_access(self.flavor_id)
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.list_flavor_access(self.flavor_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
index 2d60e09..816492c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
@@ -53,16 +53,16 @@
rule="os_compute_api:os-flavor-extra-specs:show")
def test_show_flavor_extra_spec(self):
key = self._set_flavor_extra_spec()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.show_flavor_extra_spec(self.flavor['id'], key)[key]
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.show_flavor_extra_spec(self.flavor['id'], key)
@decorators.idempotent_id('fcffeca2-ed04-4e85-bf93-02fb5643f22b')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-flavor-extra-specs:create")
def test_set_flavor_extra_spec(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._set_flavor_extra_spec()
+ with self.rbac_utils.override_role(self):
+ self._set_flavor_extra_spec()
@decorators.idempotent_id('42b85279-6bfa-4f58-b7a2-258c284f03c5')
@rbac_rule_validation.action(
@@ -70,10 +70,10 @@
rule="os_compute_api:os-flavor-extra-specs:update")
def test_update_flavor_extra_spec(self):
key = self._set_flavor_extra_spec()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
update_val = data_utils.rand_name(self.__class__.__name__ + '-val')
- self.flavors_client.update_flavor_extra_spec(
- self.flavor['id'], key, **{key: update_val})[key]
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.update_flavor_extra_spec(
+ self.flavor['id'], key, **{key: update_val})
@decorators.idempotent_id('4b0e5471-e010-4c09-8965-80898e6760a3')
@rbac_rule_validation.action(
@@ -81,8 +81,8 @@
rule="os_compute_api:os-flavor-extra-specs:delete")
def test_unset_flavor_extra_spec(self):
key = self._set_flavor_extra_spec()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.unset_flavor_extra_spec(self.flavor['id'], key)
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.unset_flavor_extra_spec(self.flavor['id'], key)
@decorators.idempotent_id('02c3831a-3ce9-476e-a722-d805ac2da621')
@rbac_rule_validation.action(
@@ -90,6 +90,5 @@
rule="os_compute_api:os-flavor-extra-specs:index")
def test_list_flavor_extra_specs(self):
self._set_flavor_extra_spec()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.list_flavor_extra_specs(
- self.flavor['id'])['extra_specs']
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.list_flavor_extra_specs(self.flavor['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py
index afe5013..f0f267c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py
@@ -22,10 +22,6 @@
class FlavorManageRbacTest(rbac_base.BaseV2ComputeRbacTest):
- # Need admin to wait for resource deletion below to avoid test role
- # having to pass extra policies.
- credentials = ['primary', 'admin']
-
@classmethod
def skip_checks(cls):
super(FlavorManageRbacTest, cls).skip_checks()
@@ -38,8 +34,8 @@
service="nova",
rule="os_compute_api:os-flavor-manage:create")
def test_create_flavor_manage(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_flavor()
+ with self.rbac_utils.override_role(self):
+ self.create_flavor()
@decorators.idempotent_id('782e988e-061b-4c40-896f-a77c70c2b057')
@rbac_rule_validation.action(
@@ -48,6 +44,6 @@
def test_delete_flavor_manage(self):
flavor_id = self.create_flavor()['id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.flavors_client.delete_flavor(flavor_id)
- self.os_admin.flavors_client.wait_for_resource_deletion(flavor_id)
+ with self.rbac_utils.override_role(self):
+ self.flavors_client.delete_flavor(flavor_id)
+ self.flavors_client.wait_for_resource_deletion(flavor_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
index b530cbf..fbc03cf 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
@@ -38,8 +38,8 @@
service="nova",
rule="os_compute_api:os-flavor-rxtx")
def test_list_flavors_details_rxtx(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- result = self.flavors_client.list_flavors(detail=True)['flavors']
+ with self.rbac_utils.override_role(self):
+ result = self.flavors_client.list_flavors(detail=True)['flavors']
if 'rxtx_factor' not in result[0]:
raise rbac_exceptions.RbacMalformedResponse(
attribute='rxtx_factor')
@@ -49,9 +49,9 @@
service="nova",
rule="os_compute_api:os-flavor-rxtx")
def test_get_flavor_rxtx(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- result = self.flavors_client.show_flavor(
- CONF.compute.flavor_ref)['flavor']
+ with self.rbac_utils.override_role(self):
+ result = self.flavors_client.show_flavor(
+ CONF.compute.flavor_ref)['flavor']
if 'rxtx_factor' not in result:
raise rbac_exceptions.RbacMalformedResponse(
attribute='rxtx_factor')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
index 15891d7..7467130 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
@@ -50,5 +50,5 @@
service="nova",
rule="os_compute_api:os-floating-ip-pools")
def test_list_floating_ip_pools(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fip_pools_client.list_floating_ip_pools()['floating_ip_pools']
+ with self.rbac_utils.override_role(self):
+ self.fip_pools_client.list_floating_ip_pools()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
index e149bf2..18a2196 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
@@ -50,5 +50,5 @@
service="nova",
rule="os_compute_api:os-floating-ips-bulk")
def test_list_floating_ips_bulk(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.fip_bulk_client.list_floating_ips_bulk()['floating_ip_info']
+ with self.rbac_utils.override_role(self):
+ self.fip_bulk_client.list_floating_ips_bulk()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
index 8ab5a51..1045512 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
@@ -46,8 +46,8 @@
service="nova",
rule="os_compute_api:os-floating-ips")
def test_list_floating_ips(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.floating_ips_client.list_floating_ips()['floating_ips']
+ with self.rbac_utils.override_role(self):
+ self.floating_ips_client.list_floating_ips()
@decorators.idempotent_id('bebe52b3-5269-4e72-80c8-5a4a39c3bfa6')
@rbac_rule_validation.action(
@@ -58,17 +58,17 @@
pool=CONF.network.floating_network_name)['floating_ip']
self.addCleanup(
self.floating_ips_client.delete_floating_ip, body['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.floating_ips_client.show_floating_ip(body['id'])['floating_ip']
+ with self.rbac_utils.override_role(self):
+ self.floating_ips_client.show_floating_ip(body['id'])
@decorators.idempotent_id('2bfb8745-c329-4ee9-95f6-c165a1989dbf')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-floating-ips")
def test_create_floating_ips(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- body = self.floating_ips_client.create_floating_ip(
- pool=CONF.network.floating_network_name)['floating_ip']
+ with self.rbac_utils.override_role(self):
+ body = self.floating_ips_client.create_floating_ip(
+ pool=CONF.network.floating_network_name)['floating_ip']
self.addCleanup(
self.floating_ips_client.delete_floating_ip, body['id'])
@@ -82,5 +82,5 @@
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.floating_ips_client.delete_floating_ip, body['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.floating_ips_client.delete_floating_ip(body['id'])
+ with self.rbac_utils.override_role(self):
+ self.floating_ips_client.delete_floating_ip(body['id'])
diff --git a/patrole_tempest_plugin/tests/api/image/rbac_base.py b/patrole_tempest_plugin/tests/api/image/rbac_base.py
index dd4e5ed..ed69c3d 100644
--- a/patrole_tempest_plugin/tests/api/image/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/image/rbac_base.py
@@ -19,21 +19,6 @@
CONF = config.CONF
-class BaseV1ImageRbacTest(image_base.BaseV1ImageTest):
-
- @classmethod
- def skip_checks(cls):
- super(BaseV1ImageRbacTest, cls).skip_checks()
- if not CONF.patrole.enable_rbac:
- raise cls.skipException(
- "%s skipped as RBAC testing not enabled" % cls.__name__)
-
- @classmethod
- def setup_clients(cls):
- super(BaseV1ImageRbacTest, cls).setup_clients()
- cls.rbac_utils = rbac_utils.RbacUtils(cls)
-
-
class BaseV2ImageRbacTest(image_base.BaseV2ImageTest):
@classmethod
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
index 2fb26f8..c55935f 100644
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -106,9 +106,9 @@
self.create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
- rule="create_port:fixed_ips")
+ rule="create_port:fixed_ips:ip_address")
@decorators.idempotent_id('2551e10d-006a-413c-925a-8c6f834c09ac')
- def test_create_port_fixed_ips(self):
+ def test_create_port_fixed_ips_ip_address(self):
ip_list = self._get_unused_ip_address()
fixed_ips = [{'ip_address': ip_list[0]},
@@ -269,9 +269,9 @@
mac_address=original_mac_address)
@rbac_rule_validation.action(service="neutron",
- rule="update_port:fixed_ips")
+ rule="update_port:fixed_ips:ip_address")
@decorators.idempotent_id('c091c825-532b-4c6f-a14f-affd3259c1c3')
- def test_update_port_fixed_ips(self):
+ def test_update_port_fixed_ips_ip_address(self):
# Pick an ip address within the allocation_pools range.
post_body = {'network': self.network}
diff --git a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
index e1c0910..7f1010f 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
@@ -23,20 +23,17 @@
from patrole_tempest_plugin.tests.api.volume import rbac_base
-class GroupsV3RbacTest(rbac_base.BaseVolumeRbacTest):
- min_microversion = '3.14'
- max_microversion = 'latest'
-
+class BaseGroupRbacTest(rbac_base.BaseVolumeRbacTest):
credentials = ['primary', 'admin']
@classmethod
def setup_clients(cls):
- super(GroupsV3RbacTest, cls).setup_clients()
+ super(BaseGroupRbacTest, cls).setup_clients()
cls.admin_groups_client = cls.os_admin.groups_v3_client
cls.admin_volumes_client = cls.os_admin.volumes_v3_client
def setUp(self):
- super(GroupsV3RbacTest, self).setUp()
+ super(BaseGroupRbacTest, self).setUp()
self.volume_type_id = self.create_volume_type()['id']
self.group_type_id = self.create_group_type()['id']
@@ -65,6 +62,11 @@
self.admin_volumes_client.wait_for_resource_deletion(
vol['id'])
+
+class GroupsV3RbacTest(BaseGroupRbacTest):
+ min_microversion = '3.13'
+ max_microversion = 'latest'
+
@decorators.idempotent_id('43235328-66ae-424f-bc7f-f709c0ca268c')
@rbac_rule_validation.action(
service="cinder",
@@ -127,6 +129,27 @@
self._delete_group(group['id'])
+class GroupV320RbacTest(BaseGroupRbacTest):
+ _api_version = 3
+ min_microversion = '3.20'
+ max_microversion = 'latest'
+
+ @decorators.idempotent_id('b849c1d4-3215-4f9d-b1e6-0aeb4b2b65ac')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="group:reset_status")
+ def test_reset_group_status(self):
+ group = self._create_group(ignore_notfound=False,
+ group_type=self.group_type_id,
+ volume_types=[self.volume_type_id])
+ status = 'available'
+ with self.rbac_utils.override_role(self):
+ self.groups_client.reset_group_status(group['id'],
+ status)
+ waiters.wait_for_volume_resource_status(
+ self.groups_client, group['id'], status)
+
+
class GroupTypesV3RbacTest(rbac_base.BaseVolumeRbacTest):
min_microversion = '3.11'
max_microversion = 'latest'
diff --git a/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
index 3ac59be..adfd397 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
@@ -64,7 +64,8 @@
self.qos_client.show_qos(qos['id'])['qos_specs']
@rbac_rule_validation.action(service="cinder",
- rule="volume_extension:qos_specs_manage:get")
+ rule="volume_extension:"
+ "qos_specs_manage:get_all")
@decorators.idempotent_id('ff1e98f3-d456-40a9-96d4-c7e4a55dcffa')
def test_get_association_qos(self):
qos = self._create_test_qos_specs()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py
new file mode 100644
index 0000000..c71a1e1
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py
@@ -0,0 +1,81 @@
+# Copyright 2017 NEC Corporation
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions as lib_exc
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class SnapshotManageRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(SnapshotManageRbacTest, cls).skip_checks()
+ if not CONF.volume_feature_enabled.manage_snapshot:
+ raise cls.skipException("Manage snapshot tests are disabled")
+ if len(CONF.volume.manage_snapshot_ref) != 2:
+ msg = ("Manage snapshot ref is not correctly configured, "
+ "it should be a list of two elements")
+ raise lib_exc.InvalidConfiguration(msg)
+
+ @classmethod
+ def setup_clients(cls):
+ super(SnapshotManageRbacTest, cls).setup_clients()
+ cls.snapshot_manage_client = cls.os_primary.snapshot_manage_v2_client
+
+ @classmethod
+ def resource_setup(cls):
+ super(SnapshotManageRbacTest, cls).resource_setup()
+ cls.volume = cls.create_volume()
+ cls.snapshot = cls.create_snapshot(volume_id=cls.volume['id'])
+
+ @decorators.idempotent_id('bd7d62f2-e485-4626-87ef-03b7f19ee1d0')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="snapshot_extension:snapshot_manage")
+ def test_manage_snapshot_rbac(self):
+ name = data_utils.rand_name(self.__class__.__name__ +
+ '-Managed-Snapshot')
+ description = data_utils.rand_name(self.__class__.__name__ +
+ '-Managed-Snapshot-Description')
+ metadata = {"manage-snap-meta1": "value1",
+ "manage-snap-meta2": "value2",
+ "manage-snap-meta3": "value3"}
+ snapshot_ref = {
+ 'volume_id': self.volume['id'],
+ 'ref': {CONF.volume.manage_snapshot_ref[0]:
+ CONF.volume.manage_snapshot_ref[1] % self.snapshot['id']},
+ 'name': name,
+ 'description': description,
+ 'metadata': metadata
+ }
+ with self.rbac_utils.override_role(self):
+ self.snapshot_manage_client.manage_snapshot(**snapshot_ref)
+
+ @decorators.idempotent_id('4a2e8934-9c0b-434e-8f0b-e18b9aff126f')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="snapshot_extension:snapshot_unmanage")
+ def test_unmanage_snapshot_rbac(self):
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.unmanage_snapshot(self.snapshot['id'])
+ self.snapshots_client.wait_for_resource_deletion(
+ self.snapshot['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
index 96243d8..f7a4151 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.common import waiters
from tempest import config
from tempest.lib import decorators
@@ -37,15 +38,26 @@
cls.snapshot = cls.create_snapshot(volume_id=cls.volume['id'])
cls.snapshot_id = cls.snapshot['id']
+ def tearDown(self):
+ # Set snapshot's status to available after test
+ status = 'available'
+ self.snapshots_client.reset_snapshot_status(self.snapshot_id,
+ status)
+ waiters.wait_for_volume_resource_status(self.snapshots_client,
+ self.snapshot_id, status)
+ super(SnapshotsActionsV3RbacTest, self).tearDown()
+
@rbac_rule_validation.action(
service="cinder",
rule="volume_extension:snapshot_admin_actions:reset_status")
@decorators.idempotent_id('ea430145-34ef-408d-b678-95d5ae5f46eb')
def test_reset_snapshot_status(self):
status = 'error'
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_client.reset_snapshot_status(self.snapshot['id'],
- status)
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.reset_snapshot_status(
+ self.snapshot['id'], status)
+ waiters.wait_for_volume_resource_status(
+ self.snapshots_client, self.snapshot['id'], status)
@rbac_rule_validation.action(
service="cinder",
@@ -57,3 +69,19 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.snapshots_client.force_delete_snapshot(temp_snapshot['id'])
self.snapshots_client.wait_for_resource_deletion(temp_snapshot['id'])
+
+ @decorators.idempotent_id('a95eab2a-c441-4609-9235-f7478627da88')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="snapshot_extension:snapshot_actions:update_snapshot_status")
+ def test_update_snapshot_status(self):
+ status = 'creating'
+ self.snapshots_client.reset_snapshot_status(
+ self.snapshot['id'], status)
+ waiters.wait_for_volume_resource_status(self.snapshots_client,
+ self.snapshot['id'], status)
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.update_snapshot_status(self.snapshot['id'],
+ status="creating")
+ waiters.wait_for_volume_resource_status(
+ self.snapshots_client, self.snapshot['id'], status)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py
index 726f84e..9519cea 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py
@@ -28,7 +28,6 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volume_hosts_client.list_hosts()
- @decorators.skip_because(bug="1732808")
@decorators.idempotent_id('9ddf321e-788f-4787-b8cc-dfa59e264143')
@rbac_rule_validation.action(service="cinder",
rule="volume_extension:hosts")
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
index 9640dc6..a33ebe0 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
@@ -72,6 +72,13 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.transfers_client.list_volume_transfers()
+ @decorators.idempotent_id('e84e45b0-9872-40bf-bf44-971266161a86')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:get_all_transfers")
+ def test_list_volume_transfers_details(self):
+ with self.rbac_utils.override_role(self):
+ self.transfers_client.list_volume_transfers(detail=True)
+
@rbac_rule_validation.action(service="cinder",
rule="volume:accept_transfer")
@decorators.idempotent_id('987f2a11-d657-4984-a6c9-28f06c1cd014')