Merge "RBAC test for "dhcp_agent_scheduler" network policy"
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index c63ef90..ba04a30 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -81,7 +81,7 @@
LOG.info("As admin_only is True, only admin role should be "
"allowed to perform the API. Skipping oslo.policy "
"check for policy action {0}.".format(rule))
- allowed = CONF.rbac.rbac_test_role == CONF.identity.admin_role
+ allowed = test_obj.rbac_utils.is_admin
else:
allowed = _is_authorized(test_obj, service, rule,
extra_target_data)
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index fe2d99f..3bb2cbd 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -162,3 +162,11 @@
self.admin_role_id = admin_role_id
self.rbac_role_id = rbac_role_id
+
+ @property
+ def is_admin(self):
+ """Verifies whether the current test role equals the admin role.
+
+ :returns: True if ``rbac_test_role`` is the admin role.
+ """
+ return CONF.rbac.rbac_test_role == CONF.identity.admin_role
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
index 9a4363d..784045a 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -112,8 +112,7 @@
admin-scoped tenants, raise ``RbacActionFailed`` exception otherwise.
"""
tenants_client = self.os_admin.tenants_client if \
- CONF.identity.admin_role == CONF.rbac.rbac_test_role else \
- self.os_primary.tenants_client
+ self.rbac_utils.is_admin else self.os_primary.tenants_client
admin_tenant_id = self.os_admin.auth_provider.credentials.project_id
non_admin_tenant_id = self.auth_provider.credentials.project_id
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
index 2f508bf..78ba9e5 100644
--- a/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
@@ -184,6 +184,18 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_image(visibility='public')
+ @decorators.idempotent_id('0f2d8427-134a-4d3c-a102-5fcdf5443d09')
+ @rbac_rule_validation.action(service="glance",
+ rule="communitize_image")
+ def test_communitize_image(self):
+
+ """Communitize Image Test
+
+ RBAC test for the glance communitize_image policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self._create_image(visibility='community')
+
@rbac_rule_validation.action(service="glance",
rule="deactivate")
@decorators.idempotent_id('b488458c-65df-11e6-9947-080027824017')
diff --git a/releasenotes/notes/communitize-image-rbac-test-bdf1109e58a6c2e0.yaml b/releasenotes/notes/communitize-image-rbac-test-bdf1109e58a6c2e0.yaml
new file mode 100644
index 0000000..200cc58
--- /dev/null
+++ b/releasenotes/notes/communitize-image-rbac-test-bdf1109e58a6c2e0.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add RBAC test for communitizing image, providing coverage for the policy
+ action "communitize_image".