[Fix gate]: Cinder policy change handling in tests
Cinder policies are made more granular and now we need
to adjust the patrole tests to handle those changed policies.
This commit introduces a new flag so that we test the old
policies in stable branches and new one in Xena onwards.
Change-Id: I4be60e3e92704f8e55d3acdb0e025078ae5b21f1
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 10c44c0..9ccc4d7 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -84,6 +84,9 @@
# TODO(gmann): Remove these once stable/victoria becomes EOL.
# These policies were removed in Wallaby.
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+
+ # TODO(gmann): Remove these once stable/xena becomes EOL.
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
fi
if [[ ${DEVSTACK_SERIES} == 'rocky' ]]; then
@@ -106,6 +109,9 @@
# TODO(gmann): Remove these once stable/victoria becomes EOL.
# These policies were removed in Wallaby.
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+
+ # TODO(gmann): Remove these once stable/xena becomes EOL.
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
fi
if [[ ${DEVSTACK_SERIES} == 'stein' ]]; then
@@ -123,6 +129,8 @@
# TODO(gmann): Remove these once stable/victoria becomes EOL.
# These policies were removed in Wallaby.
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+ # TODO(gmann): Remove these once stable/xena becomes EOL.
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
fi
if [[ ${DEVSTACK_SERIES} == 'train' ]]; then
@@ -132,6 +140,8 @@
# TODO(gmann): Remove these once stable/victoria becomes EOL.
# These policies were removed in Wallaby.
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+ # TODO(gmann): Remove these once stable/xena becomes EOL.
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
fi
if [[ ${DEVSTACK_SERIES} == 'ussuri' ]]; then
@@ -140,14 +150,21 @@
# TODO(gmann): Remove these once stable/victoria becomes EOL.
# These policies were removed in Wallaby.
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+ # TODO(gmann): Remove these once stable/xena becomes EOL.
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
fi
if [[ ${DEVSTACK_SERIES} == 'victoria' ]]; then
# TODO(gmann): Remove these once stable/victoria becomes EOL.
# These policies were removed in Wallaby.
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+ # TODO(gmann): Remove these once stable/xena becomes EOL.
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
fi
-
+ if [[ ${DEVSTACK_SERIES} == 'wallaby' ]]; then
+ # TODO(gmann): Remove these once stable/xena becomes EOL.
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
+ fi
iniset $TEMPEST_CONFIG patrole rbac_test_roles $RBAC_TEST_ROLES
}
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index b01cf10..e6d2515 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -204,7 +204,12 @@
default=True,
help="""Are the Nova deprecated API policies available in the
cloud (e.g. os_compute_api:os-networks)? These policies were
-changed in Victoria.""")
+changed in Victoria."""),
+ cfg.BoolOpt('changed_cinder_policies_xena',
+ default=True,
+ help="""Are the Cinder API policies changed in the
+cloud (e.g. 'group:group_types_specs')? These policies were
+changed in Xena.""")
]
diff --git a/patrole_tempest_plugin/tests/api/volume/test_group_type_specs.py b/patrole_tempest_plugin/tests/api/volume/test_group_type_specs.py
index 03e7bc0..2d0ef69 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_group_type_specs.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_group_type_specs.py
@@ -13,11 +13,28 @@
# License for the specific language governing permissions and limitations
# under the License.
-from patrole_tempest_plugin.tests.api.volume import rbac_base
+from tempest import config
from tempest.lib import decorators
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
from patrole_tempest_plugin import rbac_rule_validation
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+ _GROUP_SPEC_SHOW = "group:group_types_specs:get"
+ _GROUP_SPEC_LIST = "group:group_types_specs:get_all"
+ _GROUP_SPEC_CREATE = "group:group_types_specs:create"
+ _GROUP_SPEC_UPDATE = "group:group_types_specs:update"
+ _GROUP_SPEC_DELETE = "group:group_types_specs:delete"
+else:
+ _GROUP_SPEC_SHOW = "group:group_types_specs"
+ _GROUP_SPEC_LIST = "group:group_types_specs"
+ _GROUP_SPEC_CREATE = "group:group_types_specs"
+ _GROUP_SPEC_UPDATE = "group:group_types_specs"
+ _GROUP_SPEC_DELETE = "group:group_types_specs"
+
class GroupTypeSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
_api_version = 3
@@ -27,7 +44,7 @@
@decorators.idempotent_id('b2859734-00ad-4a22-88ee-541698e90d12')
@rbac_rule_validation.action(
service="cinder",
- rules=["group:group_types_specs"]
+ rules=[_GROUP_SPEC_CREATE]
)
def test_group_type_specs_create(self):
# Create new group type
@@ -47,7 +64,7 @@
@decorators.idempotent_id('469d0253-aa13-423f-8264-231ac17effbf')
@rbac_rule_validation.action(
service="cinder",
- rules=["group:group_types_specs"]
+ rules=[_GROUP_SPEC_SHOW]
)
def test_group_type_specs_show(self):
group_type = self.create_group_type()
@@ -65,7 +82,7 @@
@decorators.idempotent_id('2e706a4e-dec9-46bf-9426-1c5b6f3ce102')
@rbac_rule_validation.action(
service="cinder",
- rules=["group:group_types_specs"]
+ rules=[_GROUP_SPEC_UPDATE]
)
def test_group_type_specs_update(self):
group_type = self.create_group_type()
@@ -81,7 +98,7 @@
@decorators.idempotent_id('fd5e332b-fb2c-4957-ace9-11d60ddd5472')
@rbac_rule_validation.action(
service="cinder",
- rules=["group:group_types_specs"]
+ rules=[_GROUP_SPEC_LIST]
)
def test_group_type_specs_list(self):
group_type = self.create_group_type()
@@ -92,7 +109,7 @@
@decorators.idempotent_id('d9639a07-e441-4576-baf6-7ec732b16572')
@rbac_rule_validation.action(
service="cinder",
- rules=["group:group_types_specs"]
+ rules=[_GROUP_SPEC_DELETE]
)
def test_group_type_specs_delete(self):
group_type = self.create_group_type()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
index 8f29393..9975410 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
@@ -14,6 +14,7 @@
# under the License.
from tempest.common import waiters
+from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -22,6 +23,17 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+ _GROUP_CREATE = "group:group_types:create"
+ _GROUP_UPDATE = "group:group_types:update"
+ _GROUP_DELETE = "group:group_types:delete"
+else:
+ _GROUP_CREATE = "group:group_types_manage"
+ _GROUP_UPDATE = "group:group_types_manage"
+ _GROUP_DELETE = "group:group_types_manage"
+
class BaseGroupRbacTest(rbac_base.BaseVolumeRbacTest):
@@ -166,7 +178,7 @@
@decorators.idempotent_id('2820f12c-4681-4c7f-b28d-e6925637dff6')
@rbac_rule_validation.action(
service="cinder",
- rules=["group:group_types_manage"])
+ rules=[_GROUP_CREATE])
def test_create_group_type(self):
with self.override_role():
self.create_group_type(ignore_notfound=True)
@@ -174,7 +186,7 @@
@decorators.idempotent_id('f77f8156-4fc9-4f02-be15-8930f748e10c')
@rbac_rule_validation.action(
service="cinder",
- rules=["group:group_types_manage"])
+ rules=[_GROUP_DELETE])
def test_delete_group_type(self):
group_type = self.create_group_type(ignore_notfound=True)
@@ -184,7 +196,7 @@
@decorators.idempotent_id('67929954-4551-4d22-b15a-27fb6e56b711')
@rbac_rule_validation.action(
service="cinder",
- rules=["group:group_types_manage"])
+ rules=[_GROUP_DELETE])
def test_update_group_type(self):
group_type = self.create_group_type()
update_params = {
diff --git a/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py
index fb57cbc..f29fff1 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py
@@ -14,12 +14,22 @@
# under the License.
from tempest.common import utils
+from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+ _QUOTA_SET_SHOW = "volume_extension:quota_classes:get"
+ _QUOTA_SET_UPDATE = "volume_extension:quota_classes:update"
+else:
+ _QUOTA_SET_SHOW = "volume_extension:quota_classes"
+ _QUOTA_SET_UPDATE = "volume_extension:quota_classes"
+
class QuotaClassesV3RbacTest(rbac_base.BaseVolumeRbacTest):
@@ -39,7 +49,7 @@
@decorators.idempotent_id('1a060def-2b43-4534-97f5-5eadbbe8c726')
@rbac_rule_validation.action(service="cinder",
- rules=["volume_extension:quota_classes"])
+ rules=[_QUOTA_SET_SHOW])
def test_show_quota_class_set(self):
with self.override_role():
self.quota_classes_client.show_quota_class_set(
@@ -47,7 +57,7 @@
@decorators.idempotent_id('72159478-23a7-4c75-989f-6bac609eca62')
@rbac_rule_validation.action(service="cinder",
- rules=["volume_extension:quota_classes"])
+ rules=[_QUOTA_SET_UPDATE])
def test_update_quota_class_set(self):
quota_class_set = self.quota_classes_client.show_quota_class_set(
self.quota_name)['quota_class_set']
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
index 98fed1e..d7ae6ee 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
@@ -23,6 +23,15 @@
CONF = config.CONF
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+ _METADATA_SHOW = "volume_extension:volume_image_metadata:show"
+ _METADATA_SET = "volume_extension:volume_image_metadata:set"
+ _METADATA_REMOVE = "volume_extension:volume_image_metadata:remove"
+else:
+ _METADATA_SHOW = "volume_extension:volume_image_metadata"
+ _METADATA_SET = "volume_extension:volume_image_metadata"
+ _METADATA_REMOVE = "volume_extension:volume_image_metadata"
+
class VolumeMetadataV3RbacTest(rbac_base.BaseVolumeRbacTest):
@@ -99,7 +108,7 @@
@decorators.idempotent_id('39e8f82c-f1fc-4905-bf47-177ce2f71bb9')
@rbac_rule_validation.action(
service="cinder",
- rules=["volume_extension:volume_image_metadata"])
+ rules=[_METADATA_SET])
def test_list_volumes_details_image_metadata(self):
self.volumes_client.update_volume_image_metadata(
self.volume['id'], image_id=self.image_id)
@@ -117,7 +126,7 @@
@decorators.idempotent_id('53f94d52-0dd5-42cf-a3a4-59b35150b3d5')
@rbac_rule_validation.action(
service="cinder",
- rules=["volume_extension:volume_image_metadata"])
+ rules=[_METADATA_SHOW])
def test_show_volume_details_image_metadata(self):
self.volumes_client.update_volume_image_metadata(
self.volume['id'], image_id=self.image_id)
@@ -135,7 +144,7 @@
@decorators.idempotent_id('a9d9e825-5ea3-42e6-96f3-7ac4e97b2ed0')
@rbac_rule_validation.action(
service="cinder",
- rules=["volume_extension:volume_image_metadata"])
+ rules=[_METADATA_SET])
def test_update_volume_image_metadata(self):
with self.override_role():
self.volumes_client.update_volume_image_metadata(
@@ -146,7 +155,7 @@
@decorators.idempotent_id('a41c8eed-2051-4a25-b401-df036faacbdc')
@rbac_rule_validation.action(
service="cinder",
- rules=["volume_extension:volume_image_metadata"])
+ rules=[_METADATA_REMOVE])
def test_delete_volume_image_metadata(self):
self.volumes_client.update_volume_image_metadata(
self.volume['id'], image_id=self.image_id)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
index 3fd0a15..d07a401 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
@@ -14,12 +14,20 @@
# under the License.
from tempest.common import utils
+from tempest import config
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+ _TYPE_ACCESS_LIST = "volume_extension:volume_type_access:get_all_for_type"
+else:
+ _TYPE_ACCESS_LIST = "volume_extension:volume_type_access"
+
class VolumeTypesAccessRbacTest(rbac_base.BaseVolumeRbacTest):
@@ -52,7 +60,7 @@
@decorators.idempotent_id('af70e6ad-e931-419f-9200-8bcc284e4e47')
@rbac_rule_validation.action(
service="cinder",
- rules=["volume_extension:volume_type_access"])
+ rules=[_TYPE_ACCESS_LIST])
def test_list_type_access(self):
self._add_type_access()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_rbac.py
index 012fa91..46d2d55 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_types_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_rbac.py
@@ -13,18 +13,30 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest import config
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+ _TYPE_MANAGE_CREATE = "volume_extension:type_create"
+ _TYPE_MANAGE_UPDATE = "volume_extension:type_update"
+ _TYPE_MANAGE_DELETE = "volume_extension:type_delete"
+else:
+ _TYPE_MANAGE_CREATE = "volume_extension:types_manage"
+ _TYPE_MANAGE_UPDATE = "volume_extension:types_manage"
+ _TYPE_MANAGE_DELETE = "volume_extension:types_manage"
+
class VolumeTypesRbacTest(rbac_base.BaseVolumeRbacTest):
@decorators.idempotent_id('e2bbf968-d947-4a15-a4da-a98c3069731e')
@rbac_rule_validation.action(
service="cinder",
- rules=["volume_extension:types_manage"])
+ rules=[_TYPE_MANAGE_CREATE])
def test_create_volume_type(self):
with self.override_role():
self.create_volume_type()
@@ -32,7 +44,7 @@
@decorators.idempotent_id('2b74ac82-e03e-4801-86f3-d05c9acfd66b')
@rbac_rule_validation.action(
service="cinder",
- rules=["volume_extension:types_manage"])
+ rules=[_TYPE_MANAGE_UPDATE])
def test_update_volume_type(self):
volume_type = self.create_volume_type()
with self.override_role():
@@ -42,7 +54,7 @@
@decorators.idempotent_id('90aec0ef-4f9b-4170-be6b-a392c12540be')
@rbac_rule_validation.action(
service="cinder",
- rules=["volume_extension:types_manage"])
+ rules=[_TYPE_MANAGE_DELETE])
def test_delete_volume_type(self):
volume_type = self.create_volume_type()
with self.override_role():
diff --git a/releasenotes/notes/changed-cinder-policies-xena-feature-flag-4b799db683e2840f.yaml b/releasenotes/notes/changed-cinder-policies-xena-feature-flag-4b799db683e2840f.yaml
new file mode 100644
index 0000000..286c77f
--- /dev/null
+++ b/releasenotes/notes/changed-cinder-policies-xena-feature-flag-4b799db683e2840f.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Added new feature flag called ``changed_cinder_policies_xena`` under
+ the configuration group ``[policy-feature-enabled]`` for testing Cinder
+ tests withe old and new policies.