Merge "Users RBAC test for Keystone API v2 users"
diff --git a/contrib/pre_test_hook.sh b/contrib/pre_test_hook.sh
new file mode 100755
index 0000000..65d1801
--- /dev/null
+++ b/contrib/pre_test_hook.sh
@@ -0,0 +1,39 @@
+#!/bin/bash -xe
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This script is executed inside post_test_hook function in devstack gate.
+# First argument ($1) expects 'rbac-role' as value for setting appropriate
+# tempest rbac option 'rbac_test_role'.
+
+sudo chown -R jenkins:stack $BASE/new/tempest
+sudo chown -R jenkins:stack $BASE/data/tempest
+
+# Import devstack function 'iniset'
+source $BASE/new/devstack/functions
+
+export TEMPEST_CONFIG=${TEMPEST_CONFIG:-$BASE/new/tempest/etc/tempest.conf}
+
+# First argument is expected to contain value equal either to 'admin' or
+# 'member' (both lower-case).
+RBAC_ROLE=$1
+
+if [[ "$RBAC_ROLE" == "member" ]]; then
+ $RBAC_ROLE = "Member"
+fi
+
+# Set rbac_flag=True under [rbac] section in tempest.conf
+iniset $TEMPEST_CONFIG rbac rbac_flag True
+
+# Set rbac_test_role=$RBAC_ROLE under [rbac] section in tempest.conf
+iniset $TEMPEST_CONFIG rbac rbac_test_role $RBAC_ROLE
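Review bot: The line `$RBAC_ROLE = "Member"` inside the `if` is not an assignment: the shell expands it and tries to run a command named `member`, which fails and aborts the script under `-xe`, so the 'member' case never reaches `iniset`. It should read `RBAC_ROLE="Member"`. Because this value selects the role the RBAC tests run as, I would also reject anything other than `admin` or `member`, and quote the variables passed to `iniset` so an empty `$1` cannot silently drop an argument. The header comment says the script runs inside post_test_hook while the file is pre_test_hook.sh; one of the two needs correcting.

```shell
# First argument is expected to contain value equal either to 'admin' or
# 'member' (both lower-case).
case "$1" in
    admin)  RBAC_ROLE="admin" ;;
    member) RBAC_ROLE="Member" ;;
    *)      echo "Unsupported rbac role: '$1'" >&2; exit 1 ;;
esac

# ... unchanged: rbac_flag iniset ...
iniset "$TEMPEST_CONFIG" rbac rbac_test_role "$RBAC_ROLE"
```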
diff --git a/patrole_tempest_plugin/rbac_auth.py b/patrole_tempest_plugin/rbac_auth.py
index 1afc7ae..e4e35b1 100644
--- a/patrole_tempest_plugin/rbac_auth.py
+++ b/patrole_tempest_plugin/rbac_auth.py
@@ -15,15 +15,15 @@
from oslo_log import log as logging
-from patrole_tempest_plugin import rbac_role_converter
+from patrole_tempest_plugin import rbac_policy_parser
LOG = logging.getLogger(__name__)
class RbacAuthority(object):
- def __init__(self, tenant_id, service=None):
- self.converter = rbac_role_converter.RbacPolicyConverter(tenant_id,
- service)
+ def __init__(self, tenant_id, user_id, service=None):
+ self.converter = rbac_policy_parser.RbacPolicyParser(
+ tenant_id, user_id, service)
def get_permission(self, rule_name, role):
try:
diff --git a/patrole_tempest_plugin/rbac_role_converter.py b/patrole_tempest_plugin/rbac_policy_parser.py
similarity index 92%
rename from patrole_tempest_plugin/rbac_role_converter.py
rename to patrole_tempest_plugin/rbac_policy_parser.py
index bc6e006..045a9f8 100644
--- a/patrole_tempest_plugin/rbac_role_converter.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py
@@ -19,15 +19,13 @@
from oslo_log import log as logging
from oslo_policy import generator
from oslo_policy import policy
-from tempest import config
from patrole_tempest_plugin import rbac_exceptions
-CONF = config.CONF
LOG = logging.getLogger(__name__)
-class RbacPolicyConverter(object):
+class RbacPolicyParser(object):
"""A class for parsing policy rules into lists of allowed roles.
RBAC testing requires that each rule in a policy file be broken up into
@@ -37,8 +35,8 @@
each role, whether a given rule is allowed using oslo policy.
"""
- def __init__(self, tenant_id, service, path=None):
- """Initialization of Policy Converter.
+ def __init__(self, tenant_id, user_id, service=None, path=None):
+ """Initialization of Rbac Policy Parser.
Parses a policy file to create a dictionary, mapping policy actions to
roles. If a policy file does not exist, checks whether the policy file
@@ -55,12 +53,13 @@
prioritized.
:param tenant_id: type uuid
+ :param user_id: type uuid
:param service: type string
:param path: type string
"""
service = service.lower().strip()
if path is None:
- self.path = '/etc/{0}/policy.json'.format(service)
+ self.path = os.path.join('/etc', service, 'policy.json')
else:
self.path = path
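Review bot: `service.lower().strip()` runs unconditionally, but the signature introduced in the previous hunk gives `service` a default of `None`, so `RbacPolicyParser(tenant_id, user_id)` fails with an AttributeError rather than a clear setup error. Either make `service` required again or guard it first, e.g. `if not service: raise rbac_exceptions.RbacResourceSetupFailed("service is required")`. Inserting `user_id` as the second positional parameter also means a caller still passing `(tenant_id, service)` would bind the service name to `user_id` without any complaint. `os.path.join('/etc', service, 'policy.json')` drops the `/etc` prefix if `service` is ever an absolute path, and no `import os` is visible in this diff, so please confirm it exists above line 19. The `__init__` body continues outside this hunk.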
@@ -85,6 +84,7 @@
self.rules = policy.Rules.load(policy_data, "default")
self.tenant_id = tenant_id
+ self.user_id = user_id
def allowed(self, rule_name, role):
is_admin_context = self._is_admin_context(role)
@@ -117,7 +117,8 @@
}
],
"project_id": self.tenant_id,
- "tenant_id": self.tenant_id
+ "tenant_id": self.tenant_id,
+ "user_id": self.user_id
}
}
return access_token
@@ -148,7 +149,8 @@
target = {"project_id": access_data['project_id'],
"tenant_id": access_data['project_id'],
- "network:tenant_id": access_data['project_id']}
+ "network:tenant_id": access_data['project_id'],
+ "user_id": access_data['user_id']}
result = self._try_rule(apply_rule, target, access_data, o)
return result
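Review bot: The added `"user_id": access_data['user_id']` entry makes the target's owner always equal to the caller, so a policy clause of the form `user_id:%(user_id)s` will match for every role that is evaluated. That may be intended for now, but it means the computed expectation can never represent a request against another user's resource. A comment above the dict would make the limit explicit, e.g. `# NOTE: the target is always owned by the caller, so owner checks such as user_id:%(user_id)s always match.` The enclosing method starts outside this hunk.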
@@ -161,5 +163,5 @@
LOG.debug("{0} not found in policy file.".format(apply_rule))
return False
except Exception as e:
- LOG.debug("Exception: {0} for rule: {1}.".format(e, rule))
+ LOG.debug("Exception: {0} for rule: {1}.".format(e, apply_rule))
return False
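Review bot: The `except Exception` branch logs at debug level and returns False, so a failure while evaluating `apply_rule` is indistinguishable from a policy that genuinely denies the role. The RBAC test would then expect a denial for what is really a parser or policy-file problem. I would log this at a level that is visible in a normal run, e.g. `LOG.exception("Failed to evaluate rule: %s", apply_rule)`, or re-raise it as a setup failure. The function begins outside this hunk.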
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 4b85187..36784b7 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -30,12 +30,13 @@
def wrapper(*args, **kwargs):
try:
tenant_id = args[0].auth_provider.credentials.tenant_id
+ user_id = args[0].auth_provider.credentials.user_id
except (IndexError, AttributeError) as e:
- msg = ("{0}: tenant_id not found in "
+ msg = ("{0}: tenant_id/user_id not found in "
"cls.auth_provider.credentials".format(e))
LOG.error(msg)
raise rbac_exceptions.RbacResourceSetupFailed(msg)
- authority = rbac_auth.RbacAuthority(tenant_id, service)
+ authority = rbac_auth.RbacAuthority(tenant_id, user_id, service)
allowed = authority.get_permission(rule, CONF.rbac.rbac_test_role)
try:
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 48d5b4c..69c6ccd 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -13,19 +13,19 @@
# License for the specific language governing permissions and limitations
# under the License.
-import json
import six
import time
-import urllib3
+
+from tempest.common import credentials_factory
+from tempest import config
+from tempest.test import BaseTestCase
from oslo_log import log as logging
-from tempest import config
-from patrole_tempest_plugin import rbac_exceptions as rbac_exc
+from patrole_tempest_plugin import rbac_exceptions
-LOG = logging.getLogger(__name__)
CONF = config.CONF
-http = urllib3.PoolManager()
+LOG = logging.getLogger(__name__)
class Singleton(type):
@@ -40,89 +40,65 @@
@six.add_metaclass(Singleton)
class RbacUtils(object):
- def __init__(self):
- RbacUtils.dictionary = {}
- @staticmethod
- def get_roles(caller):
- admin_role_id = None
- rbac_role_id = None
+ def __init__(cls):
+ creds_provider = credentials_factory.get_credentials_provider(
+ name=__name__,
+ force_tenant_isolation=True,
+ identity_version=BaseTestCase.get_identity_version())
- if bool(RbacUtils.dictionary) is False:
- admin_token = caller.admin_client.token
- headers = {'X-Auth-Token': admin_token,
- "Content-Type": "application/json"}
- url_to_get_role = CONF.identity.uri_v3 + '/roles/'
- response = http.request('GET', url_to_get_role, headers=headers)
- if response.status != 200:
- raise rbac_exc.RbacResourceSetupFailed('Unable to'
- ' retrieve roles')
- data = response.data
- roles = json.loads(data)
- for item in roles['roles']:
- if item['name'] == CONF.rbac.rbac_test_role:
- rbac_role_id = item['id']
- if item['name'] == 'admin':
- admin_role_id = item['id']
+ cls.creds_client = creds_provider.creds_client
+ cls.available_roles = cls.creds_client.roles_client.list_roles()
+ cls.admin_role_id = cls.rbac_role_id = None
+ for item in cls.available_roles['roles']:
+ if item['name'] == CONF.rbac.rbac_test_role:
+ cls.rbac_role_id = item['id']
+ if item['name'] == 'admin':
+ cls.admin_role_id = item['id']
- RbacUtils.dictionary.update({'admin_role_id': admin_role_id,
- 'rbac_role_id': rbac_role_id})
-
- return RbacUtils.dictionary
-
- @staticmethod
- def delete_all_roles(self, base_url, headers):
- # Find the current role
- response = http.request('GET', base_url, headers=headers)
- if response.status != 200:
- raise rbac_exc.RbacResourceSetupFailed('Unable to retrieve'
- ' user role')
- data = response.data
- roles = json.loads(data)
- for item in roles['roles']:
- url = base_url + item['id']
- response = http.request('DELETE', url, headers=headers)
- self.assertEqual(204, response.status)
-
- @staticmethod
- def switch_role(self, switchToRbacRole=None):
+ def switch_role(cls, test_obj, switchToRbacRole=None):
LOG.debug('Switching role to: %s', switchToRbacRole)
- if switchToRbacRole is None:
- return
+ # Check if admin and rbac roles exist.
+ if not cls.admin_role_id or not cls.rbac_role_id:
+ msg = ("Defined 'rbac_role' or 'admin' role does not exist"
+ " in the system.")
+ raise rbac_exceptions.RbacResourceSetupFailed(msg)
- roles = rbac_utils.get_roles(self)
- rbac_role_id = roles.get('rbac_role_id')
- admin_role_id = roles.get('admin_role_id')
+ if not isinstance(switchToRbacRole, bool):
+ msg = ("Wrong value for parameter 'switchToRbacRole' is passed."
+ " It should be either 'True' or 'False'.")
+ raise rbac_exceptions.RbacResourceSetupFailed(msg)
try:
- user_id = self.auth_provider.credentials.user_id
- project_id = self.auth_provider.credentials.tenant_id
- admin_token = self.admin_client.token
+ user_id = test_obj.auth_provider.credentials.user_id
+ project_id = test_obj.auth_provider.credentials.tenant_id
- headers = {'X-Auth-Token': admin_token,
- "Content-Type": "application/json"}
- base_url = (CONF.identity.uri_v3 + '/projects/' + project_id +
- '/users/' + user_id + '/roles/')
-
- rbac_utils.delete_all_roles(self, base_url, headers)
+ cls._clear_user_roles(user_id, project_id)
if switchToRbacRole:
- url = base_url + rbac_role_id
- response = http.request('PUT', url, headers=headers)
- self.assertEqual(204, response.status)
+ cls.creds_client.roles_client.create_user_role_on_project(
+ project_id, user_id, cls.rbac_role_id)
else:
- url = base_url + admin_role_id
- response = http.request('PUT', url, headers=headers)
- self.assertEqual(204, response.status)
+ cls.creds_client.roles_client.create_user_role_on_project(
+ project_id, user_id, cls.admin_role_id)
except Exception as exp:
LOG.error(exp)
raise
- finally:
- self.auth_provider.clear_auth()
- # Sleep to avoid 401 errors caused by rounding
- # In timing of fernet token creation
- time.sleep(1)
- self.auth_provider.set_auth()
-rbac_utils = RbacUtils()
+ finally:
+ test_obj.auth_provider.clear_auth()
+ # Sleep to avoid 401 errors caused by rounding
+ # In timing of fernet token creation
+ time.sleep(1)
+ test_obj.auth_provider.set_auth()
+
+ def _clear_user_roles(cls, user_id, tenant_id):
+ roles = cls.creds_client.roles_client.list_user_roles_on_project(
+ tenant_id, user_id)['roles']
+
+ for role in roles:
+ cls.creds_client.roles_client.delete_role_from_user_on_project(
+ tenant_id, user_id, role['id'])
+
+rbac_utils = RbacUtils
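Review bot: `switch_role` keeps the default `switchToRbacRole=None`, but the new `isinstance(switchToRbacRole, bool)` check rejects `None`, so calling it without the argument now always raises RbacResourceSetupFailed; dropping the default (`def switch_role(cls, test_obj, switchToRbacRole):`) would make the signature match the contract. `_clear_user_roles` removes every role before the new one is assigned, so if `create_user_role_on_project` fails the user is left with no role on the project; assigning the target role first and then removing the others would avoid that window. The first parameter of these instance methods is named `cls`, although the class is instantiated through the Singleton metaclass and `self` would be the accurate name. The error text mentions 'rbac_role' while the option read in `__init__` is `CONF.rbac.rbac_test_role`.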
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
index 953f518..7d057c5 100644
--- a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
@@ -20,7 +20,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -30,7 +29,7 @@
class PasswordAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(PasswordAdminRbacTest, self).tearDown()
@classmethod
@@ -56,7 +55,7 @@
service="nova", rule="os_compute_api:os-admin-password")
@decorators.idempotent_id('908a7d59-3a66-441c-94cf-38e57ed14956')
def test_change_server_password(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.change_password(
self.server_id,
adminPass=data_utils.rand_password())
@@ -65,5 +64,5 @@
service="nova", rule="os_compute_api:os-admin-password:discoverable")
@decorators.idempotent_id('379fce8a-f1ff-11e6-bc64-92361f002671')
def test_admin_password_discoverable(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.extensions_client.show_extension('os-admin-password')
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
index c49ba82..888f9a4 100644
--- a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -27,7 +26,7 @@
class ServersAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ServersAdminRbacTest, self).tearDown()
@classmethod
@@ -52,7 +51,7 @@
rule="os_compute_api:os-admin-actions:reset_state")
@decorators.idempotent_id('ae84dd0b-f364-462e-b565-3457f9c019ef')
def test_reset_server_state(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.reset_state(self.server_id, state='error')
self.addCleanup(self.client.reset_state,
self.server_id,
@@ -63,7 +62,7 @@
rule="os_compute_api:os-admin-actions:inject_network_info")
@decorators.idempotent_id('ce48c340-51c1-4cff-9b6e-0cc5ef008630')
def test_inject_network_info(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.inject_network_info(self.server_id)
@rbac_rule_validation.action(
@@ -71,7 +70,7 @@
rule="os_compute_api:os-admin-actions:reset_network")
@decorators.idempotent_id('2911a242-15c4-4fcb-80d5-80a8930661b0')
def test_reset_network(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.reset_network(self.server_id)
@rbac_rule_validation.action(
@@ -79,5 +78,5 @@
rule="os_compute_api:os-admin-actions:discoverable")
@decorators.idempotent_id('e9d2991f-a05e-4116-881b-e2a82bb173cf')
def test_admin_actions_discoverable(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.extensions_client.show_extension('os-admin-actions')
diff --git a/patrole_tempest_plugin/tests/api/compute/rbac_base.py b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
index 6fd8f30..8292a1b 100644
--- a/patrole_tempest_plugin/tests/api/compute/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
@@ -17,11 +17,13 @@
from tempest.api.compute import base as compute_base
from tempest import config
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
CONF = config.CONF
class BaseV2ComputeRbacTest(compute_base.BaseV2ComputeTest):
- credentials = ['primary', 'admin']
+ credentials = ['admin']
@classmethod
def skip_checks(cls):
@@ -29,20 +31,23 @@
if not CONF.rbac.rbac_flag:
raise cls.skipException(
'%s skipped as RBAC flag not enabled' % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ super(BaseV2ComputeRbacTest, cls).setup_credentials()
+ cls.os = cls.os_adm
@classmethod
def setup_clients(cls):
super(BaseV2ComputeRbacTest, cls).setup_clients()
cls.admin_client = cls.os_admin.agents_client
cls.auth_provider = cls.os.auth_provider
+ cls.rbac_utils = rbac_utils()
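Review bot: With `credentials = ['admin']` and `cls.os = cls.os_adm`, the identity whose roles `switch_role` strips and reassigns is now the admin credential itself, and the removed `skip_checks` condition is not replaced by any guard. If the suite is ever run with pre-provisioned accounts rather than dynamic credentials, an interrupted run could leave a shared admin user holding only the RBAC test role, or none at all. A skip such as `if not CONF.auth.use_dynamic_credentials: raise cls.skipException(...)` would confine the role changes to throwaway users. The same applies to BaseV2ComputeAdminRbacTest in the next hunk. The hunk also uses both `cls.os_adm` and `cls.os_admin`, so it is worth confirming that both attributes exist on the base class.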
class BaseV2ComputeAdminRbacTest(compute_base.BaseV2ComputeAdminTest):
- credentials = ['primary', 'admin']
+ credentials = ['admin']
@classmethod
def skip_checks(cls):
@@ -50,15 +55,18 @@
if not CONF.rbac.rbac_flag:
raise cls.skipException(
'%s skipped as RBAC flag not enabled' % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ super(BaseV2ComputeAdminRbacTest, cls).setup_credentials()
+ cls.os = cls.os_adm
@classmethod
def setup_clients(cls):
super(BaseV2ComputeAdminRbacTest, cls).setup_clients()
cls.admin_client = cls.os_admin.agents_client
cls.auth_provider = cls.os.auth_provider
+ cls.rbac_utils = rbac_utils()
@classmethod
def resource_setup(cls):
diff --git a/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
index 356782c..dbb285f 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -26,7 +25,7 @@
class AgentsRbacTest(rbac_base.BaseV2ComputeRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(AgentsRbacTest, self).tearDown()
@classmethod
@@ -40,5 +39,5 @@
service="nova", rule="os_compute_api:os-agents")
@decorators.idempotent_id('d1bc6d97-07f5-4f45-ac29-1c619a6a7e27')
def test_list_agents_rbac(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.agents_client.list_agents()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
index b1e1b11..f7a8b7a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -28,7 +27,7 @@
class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(AggregatesRbacTest, self).tearDown()
@classmethod
@@ -65,7 +64,7 @@
service="nova", rule="os_compute_api:os-aggregates:create")
@decorators.idempotent_id('ba754393-896e-434a-9704-452ff4a84f3f')
def test_create_aggregate_rbac(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_aggregate()
@rbac_rule_validation.action(
@@ -73,14 +72,14 @@
@decorators.idempotent_id('8fb0b749-b120-4727-b3fb-bcfa3fa6f55b')
def test_show_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.aggregates_client.show_aggregate(aggregate_id)
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-aggregates:index")
@decorators.idempotent_id('146284da-5dd6-4c97-b598-42b480f014c6')
def test_list_aggregate_rbac(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.aggregates_client.list_aggregates()['aggregates']
@rbac_rule_validation.action(
@@ -88,7 +87,7 @@
@decorators.idempotent_id('c94e0d69-99b6-477e-b301-2cd0e9d0ad81')
def test_update_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
new_name = data_utils.rand_name('aggregate')
self.aggregates_client.update_aggregate(aggregate_id, name=new_name)
@@ -97,7 +96,7 @@
@decorators.idempotent_id('5a50c5a6-0f12-4405-a1ce-2288ae895ea6')
def test_delete_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.aggregates_client.delete_aggregate(aggregate_id)
@rbac_rule_validation.action(
@@ -105,7 +104,7 @@
@decorators.idempotent_id('97e6e9df-5291-4faa-8147-755b2d1f1ce2')
def test_add_host_to_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._add_host_to_aggregate(aggregate_id)
@rbac_rule_validation.action(
@@ -114,7 +113,7 @@
def test_remove_host_from_aggregate_rbac(self):
aggregate_id = self._create_aggregate()
host_name = self._add_host_to_aggregate(aggregate_id)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.aggregates_client.remove_host(aggregate_id, host=host_name)
@rbac_rule_validation.action(
@@ -124,7 +123,7 @@
aggregate_id = self._create_aggregate()
rand_key = data_utils.rand_name('key')
rand_val = data_utils.rand_name('val')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.aggregates_client.set_metadata(
aggregate_id,
metadata={rand_key: rand_val})
diff --git a/patrole_tempest_plugin/tests/api/compute/test_assisted_volume_snapshot_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_assisted_volume_snapshot_rbac.py
new file mode 100644
index 0000000..724d07b
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_assisted_volume_snapshot_rbac.py
@@ -0,0 +1,78 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+
+class AssistedVolumeSnapshotRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ """Assisted volume snapshot tests.
+
+ Test class for create and delete
+ """
+
+ @classmethod
+ def setup_clients(cls):
+ """Setup clients."""
+ super(AssistedVolumeSnapshotRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ def tearDown(self):
+ """Cleanup and reset RBAC role."""
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(AssistedVolumeSnapshotRbacTest, self).tearDown()
+
+ def _create_and_attach(self):
+ self.server = self.create_test_server(wait_until='ACTIVE')
+ self.volume = self.create_volume()
+ self.attachment = self.attach_volume(
+ self.server, self.volume)
+
+ @decorators.skip_because(bug="1668407")
+ @decorators.idempotent_id('74f64957-912d-4537-983b-cea4a31c5c9f')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-assisted-volume-snapshots:create")
+ def test_assisted_volume_snapshot_create(self):
+ """Create Role Test.
+
+ RBAC test for assisted volume snapshot role-create
+ """
+ self._create_and_attach()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.assisted_volume_snapshot_client.\
+ create_volume_attachments(self.volume['id'],
+ data_utils.rand_uuid())
+
+ @decorators.skip_because(bug="1668407")
+ @decorators.idempotent_id('01323040-c5df-4e15-8b1a-3df98fa7d998')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-assisted-volume-snapshots:delete")
+ def test_assisted_volume_snapshot_delete(self):
+ """Delete Role Test.
+
+ RBAC test for assisted volume snapshot role-delete
+ """
+ self._create_and_attach()
+ snapshot_id = data_utils.rand_uuid()
+ self.assisted_volume_snapshot_client.\
+ create_volume_attachments(self.volume['id'], snapshot_id)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.assisted_volume_snapshot_client.\
+ delete_volume_attachments(snapshot_id, self.volume['id'])
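Review bot: In `test_assisted_volume_snapshot_delete` the snapshot is created as admin and only removed by the call made under the RBAC role, so whenever that role is denied the snapshot is left behind; `test_assisted_volume_snapshot_create` likewise never removes what it creates. Registering a cleanup before the role switch would fix this, because cleanups run after `tearDown` has restored the admin role: `self.addCleanup(test_utils.call_and_ignore_notfound_exc, self.assisted_volume_snapshot_client.delete_volume_attachments, snapshot_id, self.volume['id'])`, with `test_utils` imported from `tempest.lib.common.utils`. `self.assisted_volume_snapshot_client` is not assigned in this file's `setup_clients`, so it presumably comes from the base class and should be confirmed before the skip is lifted.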
diff --git a/patrole_tempest_plugin/tests/api/compute/test_attach_interfaces_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_attach_interfaces_rbac.py
index 6243c6a..84215c3 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_attach_interfaces_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_attach_interfaces_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -57,7 +56,7 @@
cls.server = cls.create_test_server(wait_until='ACTIVE')
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(AttachInterfacesRbacTest, self).tearDown()
def _attach_interface_to_server(self):
@@ -77,7 +76,7 @@
service="nova",
rule="os_compute_api:os-attach-interfaces")
def test_list_interfaces(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_interfaces(self.server['id'])['interfaceAttachments']
@decorators.idempotent_id('d2d3a24d-4738-4bce-a287-36d664746cde')
@@ -85,7 +84,7 @@
service="nova",
rule="os_compute_api:os-attach-interfaces:create")
def test_create_interface(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._attach_interface_to_server()
@decorators.idempotent_id('55b05692-ed44-4608-a84c-cd4219c82799')
@@ -94,5 +93,5 @@
rule="os_compute_api:os-attach-interfaces:delete")
def test_delete_interface(self):
interface = self._attach_interface_to_server()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.delete_interface(self.server['id'], interface['port_id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
index 8465add..cb46951 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
@@ -15,7 +15,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -24,7 +23,7 @@
class NovaAvailabilityZoneRbacTest(rbac_base.BaseV2ComputeRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(NovaAvailabilityZoneRbacTest, self).tearDown()
@classmethod
@@ -38,12 +37,12 @@
"os-availability-zone:list")
@decorators.idempotent_id('cd34e7ea-d26e-4fa3-a8d0-f8883726ce3d')
def test_get_availability_zone_list_rbac(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.os.availability_zone_client.list_availability_zones()
@rbac_rule_validation.action(service="nova", rule="os_compute_api:"
"os-availability-zone:detail")
@decorators.idempotent_id('2f61c191-6ece-4f21-b487-39d749e3d38e')
def test_get_availability_zone_list_detail_rbac(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.os.availability_zone_client.list_availability_zones(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_config_drive_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_config_drive_rbac.py
new file mode 100644
index 0000000..5e993dc
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_config_drive_rbac.py
@@ -0,0 +1,52 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+class ConfigDriveRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ @classmethod
+ def setup_clients(cls):
+ super(ConfigDriveRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(ConfigDriveRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-config-drive', 'compute'):
+ msg = "%s skipped as os-config-drive extension not enabled." \
+ % cls.__name__
+ raise cls.skipException(msg)
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ConfigDriveRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('55c62ef7-b72b-4970-acc6-05b0a4316e5d')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-config-drive")
+ def test_create_test_server_with_config_drive(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ # NOTE(felipemonteiro): This policy action is always enforced,
+ # regardless whether the config_drive flag is set to true or false.
+ # However, it has been explicitly set to true below, in case that this
+ # behavior ever changes in the future.
+ self.create_test_server(config_drive=True)
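Review bot: `create_test_server(config_drive=True)` is the only call made under the RBAC role, and booting a server presumably passes through the server-create policy as well as `os_compute_api:os-config-drive`. A Forbidden response here therefore cannot be attributed with certainty to the rule named in the decorator. If that is accepted, the existing NOTE should say so, e.g. `# NOTE: server creation is also subject to the server-create policy, so a denial here may not originate from os-config-drive.`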
diff --git a/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py
index 587d479..618a41c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py
@@ -16,7 +16,6 @@
from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -41,14 +40,14 @@
cls.server = cls.create_test_server(wait_until='ACTIVE')
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(DeferredDeleteRbacTest, self).tearDown()
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-deferred-delete")
def test_force_delete_server(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Force-deleting a server enforces os-deferred-delete according to the
# following API: https://github.com/openstack/nova/blob/master/nova/api
# /openstack/compute/deferred_delete.py
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
index 32ec91a..62e8d14 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
@@ -22,7 +22,6 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -50,7 +49,7 @@
cls.tenant_id = cls.auth_provider.credentials.tenant_id
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(FlavorAccessAdminRbacTest, self).tearDown()
@decorators.idempotent_id('a2bd3740-765d-4c95-ac98-9e027378c75e')
@@ -58,7 +57,7 @@
service="nova",
rule="os_compute_api:os-flavor-access")
def test_list_flavor_access(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
try:
self.client.list_flavor_access(self.flavor_id)
except exceptions.NotFound as e:
@@ -72,7 +71,7 @@
service="nova",
rule="os_compute_api:os-flavor-access:add_tenant_access")
def test_add_flavor_access(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.add_flavor_access(
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
self.addCleanup(self.client.remove_flavor_access,
@@ -88,6 +87,6 @@
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.client.remove_flavor_access,
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.remove_flavor_access(
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
index f658627..505cfa9 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
@@ -19,7 +19,6 @@
from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -49,7 +48,7 @@
super(FlavorExtraSpecsAdminRbacTest, cls).resource_cleanup()
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(FlavorExtraSpecsAdminRbacTest, self).tearDown()
def _set_flavor_extra_spec(self):
@@ -69,7 +68,7 @@
rule="os_compute_api:os-flavor-extra-specs:show")
def test_show_flavor_extra_spec(self):
key = self._set_flavor_extra_spec()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_flavor_extra_spec(self.flavor['id'], key)[key]
@decorators.idempotent_id('fcffeca2-ed04-4e85-bf93-02fb5643f22b')
@@ -77,7 +76,7 @@
service="nova",
rule="os_compute_api:os-flavor-extra-specs:create")
def test_set_flavor_extra_spec(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._set_flavor_extra_spec()
@decorators.idempotent_id('42b85279-6bfa-4f58-b7a2-258c284f03c5')
@@ -86,7 +85,7 @@
rule="os_compute_api:os-flavor-extra-specs:update")
def test_update_flavor_extra_spec(self):
key = self._set_flavor_extra_spec()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
update_val = data_utils.rand_name('val')
self.client.update_flavor_extra_spec(self.flavor['id'], key,
**{key: update_val})[key]
@@ -97,7 +96,7 @@
rule="os_compute_api:os-flavor-extra-specs:delete")
def test_unset_flavor_extra_spec(self):
key = self._set_flavor_extra_spec()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.unset_flavor_extra_spec(self.flavor['id'], key)
@decorators.idempotent_id('02c3831a-3ce9-476e-a722-d805ac2da621')
@@ -106,5 +105,5 @@
rule="os_compute_api:os-flavor-extra-specs:index")
def test_list_flavor_extra_specs(self):
self._set_flavor_extra_spec()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_flavor_extra_specs(self.flavor['id'])['extra_specs']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
index 4a55d80..602dc5a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
@@ -18,7 +18,6 @@
from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -45,7 +44,7 @@
raise cls.skipException(msg)
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(FloatingIpPoolsRbacTest, self).tearDown()
@decorators.idempotent_id('c1a17153-b25d-4444-a721-5897d7737482')
@@ -53,5 +52,5 @@
service="nova",
rule="os_compute_api:os-floating-ip-pools")
def test_list_floating_ip_pools(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_floating_ip_pools()['floating_ip_pools']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
index ccd3873..e4d1963 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
@@ -18,7 +18,6 @@
from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -45,7 +44,7 @@
raise cls.skipException(msg)
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(FloatingIpsBulkRbacTest, self).tearDown()
@decorators.idempotent_id('3b5c8a02-005d-4256-8a95-6fa2f389c6cf')
@@ -53,5 +52,5 @@
service="nova",
rule="os_compute_api:os-floating-ips-bulk")
def test_list_floating_ips_bulk(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_floating_ips_bulk()['floating_ip_info']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
index ea5a346..6738539 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
@@ -18,7 +18,6 @@
from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -45,7 +44,7 @@
raise cls.skipException(msg)
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(FloatingIpsRbacTest, self).tearDown()
@decorators.idempotent_id('ac1b3053-f755-4cda-85a0-30e88b88d7ba')
@@ -53,5 +52,5 @@
service="nova",
rule="os_compute_api:os-floating-ips")
def test_list_floating_ips(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_floating_ips()['floating_ips']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
index d74a78e..1fca217 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -38,7 +37,7 @@
'%s skipped as no compute extensions enabled' % cls.__name__)
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(HostsAdminRbacTest, self).tearDown()
@decorators.idempotent_id('035b7935-2fae-4218-8d37-27fa83097494')
@@ -46,5 +45,5 @@
service="nova",
rule="os_compute_api:os-hosts")
def test_list_hosts(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_hosts()['hosts']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
index e495b7d..a572cda 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
@@ -13,15 +13,12 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib import decorators
+from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
-CONF = config.CONF
-
class HypervisorAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
@@ -33,12 +30,13 @@
@classmethod
def skip_checks(cls):
super(HypervisorAdminRbacTest, cls).skip_checks()
- if not CONF.compute_feature_enabled.api_extensions:
- raise cls.skipException(
- '%s skipped as no compute extensions enabled' % cls.__name__)
+ if not test.is_extension_enabled('os-hypervisors', 'compute'):
+ msg = "%s skipped as os-hypervisors extension not enabled." \
+ % cls.__name__
+ raise cls.skipException(msg)
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(HypervisorAdminRbacTest, self).tearDown()
@decorators.idempotent_id('17bbeb9a-e73e-445f-a771-c794448ef562')
@@ -46,4 +44,5 @@
service="nova",
rule="os_compute_api:os-hypervisors")
def test_list_hypervisors(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_hypervisors()['hypervisors']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_instance_actions.py b/patrole_tempest_plugin/tests/api/compute/test_instance_actions.py
index 5bcb18e..a1f12d6 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_instance_actions.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_instance_actions.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -44,7 +43,7 @@
cls.request_id = cls.server.response['x-compute-request-id']
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(InstanceActionsRbacTest, self).tearDown()
@decorators.idempotent_id('9d1b131d-407e-4fa3-8eef-eb2c4526f1da')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
index b37f74f..aba5b7d 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
@@ -17,7 +17,6 @@
from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -38,13 +37,13 @@
cls.client = cls.instance_usages_audit_log_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(InstanceUsagesAuditLogAdminRbacTest, self).tearDown()
@decorators.idempotent_id('c80246c0-5c13-4ab0-97ba-91551cd53dc1')
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-instance-usage-audit-log")
def test_list_instance_usage_audit_logs(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_instance_usage_audit_logs()
["instance_usage_audit_logs"]
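Review bot: As the hunk reads, `["instance_usage_audit_logs"]` on the line after `self.client.list_instance_usage_audit_logs()` is a separate expression statement, a list literal that is evaluated and discarded, not a subscript on the response. The key is therefore never looked up. The return value is unused either way, so dropping the second line keeps the test's meaning; if the lookup is wanted, wrap the call in parentheses so the subscript continues the expression. Both lines are unchanged context in this commit.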
diff --git a/patrole_tempest_plugin/tests/api/compute/test_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_ips_rbac.py
index cbe66f6..a7b2f6a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_ips_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -51,7 +50,7 @@
cls.server = cls.create_test_server(wait_until='ACTIVE')
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IpsRbacTest, self).tearDown()
@decorators.idempotent_id('6886d360-0d86-4760-b1a3-882d81fbebcc')
@@ -59,7 +58,7 @@
service="nova",
rule="os_compute_api:ips:index")
def test_list_addresses(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_addresses(self.server['id'])['addresses']
@decorators.idempotent_id('fa43e7e5-0db9-48eb-9c6b-c11eb766b8e4')
@@ -69,6 +68,6 @@
def test_list_addresses_by_network(self):
addresses = self.client.list_addresses(self.server['id'])['addresses']
address = next(iter(addresses))
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_addresses_by_network(
self.server['id'], address)[address]
diff --git a/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py
new file mode 100644
index 0000000..d4d9306
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py
@@ -0,0 +1,75 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+class KeypairsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ @classmethod
+ def setup_clients(cls):
+ super(KeypairsRbacTest, cls).setup_clients()
+ cls.client = cls.keypairs_client
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(KeypairsRbacTest, self).tearDown()
+
+ def _create_keypair(self):
+ key_name = data_utils.rand_name('key')
+ keypair = self.client.create_keypair(name=key_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.client.delete_keypair,
+ key_name)
+ return keypair
+
+ @decorators.idempotent_id('16e0ae81-e05f-48cd-b253-cf31ab0732f0')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-keypairs:create")
+ def test_create_keypair(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_keypair()
+
+ @decorators.idempotent_id('85a5eb99-40ec-4e77-9358-bee2cdf9d7df')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-keypairs:show")
+ def test_show_keypair(self):
+ kp_name = self._create_keypair()['keypair']['name']
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.show_keypair(kp_name)
+
+ @decorators.idempotent_id('6bff9f1c-b809-43c1-8d63-61fbd19d49d3')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-keypairs:delete")
+ def test_delete_keypair(self):
+ kp_name = self._create_keypair()['keypair']['name']
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.delete_keypair(kp_name)
+
+ @decorators.idempotent_id('6bb31346-ff7f-4b10-978e-170ac5fcfa3e')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-keypairs:index")
+ def test_index_keypair(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_keypairs()
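Review bot: `KeypairsRbacTest` and its `_create_keypair` helper have no docstrings, and the helper's contract is not obvious from the call sites. It returns the whole response body (callers index `['keypair']['name']`) and registers deletion with `addCleanup`, which runs after `tearDown` has switched the role back. I would add `"""Create a randomly named keypair and schedule its deletion; returns the API response body."""` to the helper, plus a one-line class docstring naming the `os_compute_api:os-keypairs:*` rules under test. In `test_create_keypair` the helper runs under the RBAC role, so a comment there such as `# Cleanup is only registered if the create call is allowed.` would make the denied path clear.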
diff --git a/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py
index ae52fe5..5b0d9b6 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py
@@ -15,7 +15,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -24,7 +23,7 @@
class LimitsRbacTest(rbac_base.BaseV2ComputeRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(LimitsRbacTest, self).tearDown()
@classmethod
@@ -43,5 +42,5 @@
rule="os_compute_api:limits")
@decorators.idempotent_id('3fb60f83-9a5f-4fdd-89d9-26c3710844a1')
def test_show_limits(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_limits()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
index 4825f82..9ccd35b 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -38,7 +37,7 @@
'%s skipped as no compute extensions enabled' % cls.__name__)
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(MigrationsAdminRbacTest, self).tearDown()
@decorators.idempotent_id('5795231c-3729-448c-a072-9a225db1a328')
@@ -46,5 +45,5 @@
service="nova",
rule="os_compute_api:os-migrations:index")
def test_list_services(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_migrations()['migrations']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py
index 88997b2..09a020f 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -43,7 +42,7 @@
cls.server = cls.create_test_server(wait_until='ACTIVE')
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(RescueRbacTest, self).tearDown()
@rbac_rule_validation.action(
@@ -51,5 +50,5 @@
rule="os_compute_api:os-rescue")
@decorators.idempotent_id('fbbb2afc-ed0e-4552-887d-ac00fb5d436e')
def test_rescue_server(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.rescue_server(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
index 7cbf012..255c48b 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -16,14 +16,13 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
class SecurityGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(SecurityGroupsRbacTest, self).tearDown()
@rbac_rule_validation.action(
@@ -31,5 +30,5 @@
rule="os_compute_api:os-security-groups")
@decorators.idempotent_id('4ac58e49-48c1-4fca-a6c3-3f95fb99eb77')
def test_server_security_groups(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.security_groups_client.list_security_groups()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
new file mode 100644
index 0000000..c4b44e7
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
@@ -0,0 +1,80 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ServerActionsRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(ServerActionsRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(ServerActionsRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+ if not CONF.compute_feature_enabled.interface_attach:
+ raise cls.skipException(
+ '%s skipped as interface attachment is not available'
+ % cls.__name__)
+
+ @classmethod
+ def resource_setup(cls):
+ cls.set_validation_resources()
+ super(ServerActionsRbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE',
+ validatable=True)['id']
+
+ def _test_start_server(self):
+ self.client.start_server(self.server_id)
+ waiters.wait_for_server_status(self.client, self.server_id,
+ 'ACTIVE')
+
+ def _test_stop_server(self):
+ self.client.stop_server(self.server_id)
+ waiters.wait_for_server_status(self.client, self.server_id,
+ 'SHUTOFF')
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:servers:stop")
+ @decorators.idempotent_id('ab4a17d2-166f-4a6d-9944-f17baa576cf2')
+ def test_stop_server(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._test_stop_server()
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:servers:start")
+ @decorators.idempotent_id('8876bfa9-4d10-406e-a335-a57e451abb12')
+ def test_start_server(self):
+ self._test_stop_server()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._test_start_server()
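Review bot: `test_stop_server` and `test_start_server` share the single server created in `resource_setup` and neither restores its state, so the outcome depends on test order. If `test_stop_server` runs first and succeeds, the server stays in SHUTOFF and the `self._test_stop_server()` precondition at the top of `test_start_server` stops an already-stopped server, which I would expect the compute API to reject. A denied start likewise leaves the server stopped for whatever runs next. In `test_stop_server`, adding `self.addCleanup(self._test_start_server)` right after `self._test_stop_server()` returns would restore ACTIVE once `tearDown` has switched the role back, and `test_start_server` needs a status check before its setup stop rather than an unconditional call. Separately, the `interface_attach` check in `skip_checks` skips the class for a feature none of these tests use.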
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py
index 390dae5..ecce552 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -43,7 +42,7 @@
cls.server = cls.create_test_server(wait_until='ACTIVE')
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ServerDiagnosticsRbacTest, self).tearDown()
@rbac_rule_validation.action(
@@ -51,5 +50,5 @@
rule="os_compute_api:os-server-diagnostics")
@decorators.idempotent_id('5dabfcc4-bedb-417b-8247-b3ee7c5c0f3e')
def test_show_server_diagnostics(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_server_diagnostics(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
index 8e47b59..2a108cd 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -43,7 +42,7 @@
cls.server = cls.create_test_server(wait_until='ACTIVE')
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ServerGroupsRbacTest, self).tearDown()
@rbac_rule_validation.action(
@@ -51,7 +50,7 @@
rule="os_compute_api:os-server-groups:create")
@decorators.idempotent_id('7f3eae94-6130-47e9-81ac-34009f55be2f')
def test_create_server_group(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.create_test_server_group()
@rbac_rule_validation.action(
@@ -60,7 +59,7 @@
@decorators.idempotent_id('832d9be3-632e-47b2-93d2-5897db43e3e2')
def test_delete_server_group(self):
server_group = self.create_test_server_group()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.delete_server_group(server_group['id'])
@rbac_rule_validation.action(
@@ -68,7 +67,7 @@
rule="os_compute_api:os-server-groups:index")
@decorators.idempotent_id('5eccd67f-5945-483b-b1c8-de851ebfc1c1')
def test_list_server_groups(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_server_groups()
@rbac_rule_validation.action(
@@ -77,5 +76,5 @@
@decorators.idempotent_id('62534e3f-7e99-4a3d-a08e-33e056460cf2')
def test_show_server_group(self):
server_group = self.create_test_server_group()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_server_group(server_group['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
new file mode 100644
index 0000000..45b42bf
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
@@ -0,0 +1,53 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+class ServerPasswordRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ @classmethod
+ def setup_clients(cls):
+ super(ServerPasswordRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(ServerPasswordRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-server-password', 'compute'):
+ msg = "%s skipped as os-server-password extension not enabled." \
+ % cls.__name__
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(ServerPasswordRbacTest, cls).resource_setup()
+ cls.server = cls.create_test_server()
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ServerPasswordRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('43ad7995-2f12-41cd-8ef1-bae9ffc36818')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-password")
+ def test_delete_password(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.delete_password(self.server['id'])
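Review bot: `resource_setup` creates the server with `cls.create_test_server()` and no `wait_until`, so `test_delete_password` may reach `delete_password` while the server is still building. A failure caused by server state would then be mixed in with the policy result the test is meant to check. The other compute RBAC classes in this commit that act on a server wait for it, and the same fits here: `cls.server = cls.create_test_server(wait_until='ACTIVE')`. The rule `os_compute_api:os-server-password` is exercised only through the delete call; if the show call is governed by the same rule, a second test for it would close that gap.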
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_tags_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_tags_rbac.py
new file mode 100644
index 0000000..14f0638
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_tags_rbac.py
@@ -0,0 +1,105 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+class ServerTagsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ min_microversion = '2.26'
+ max_microversion = 'latest'
+
+ @classmethod
+ def skip_checks(cls):
+ super(ServerTagsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-server-tags', 'compute'):
+ msg = "os-server-tags extension is not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def setup_clients(cls):
+ super(ServerTagsRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def resource_setup(cls):
+ super(ServerTagsRbacTest, cls).resource_setup()
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ServerTagsRbacTest, self).tearDown()
+
+ def _add_tag_to_server(self):
+ tag_name = data_utils.rand_name('tag')
+ self.client.update_tag(self.server['id'], tag_name)
+ self.addCleanup(self.client.delete_all_tags, self.server['id'])
+ return tag_name
+
+ @decorators.idempotent_id('99e73dd3-adec-4044-b46c-84bdded35d09')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-tags:index")
+ def test_list_tags(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_tags(self.server['id'])['tags']
+
+ @decorators.idempotent_id('9297c99e-94eb-429f-93cf-9b1838e33622')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-tags:show")
+ def test_check_tag_existence(self):
+ tag_name = self._add_tag_to_server()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.check_tag_existence(self.server['id'], tag_name)
+
+ @decorators.idempotent_id('0d84ee94-d3ca-4635-8edf-b7f67ab8e4a3')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-tags:update")
+ def test_update_tag(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._add_tag_to_server()
+
+ @decorators.idempotent_id('115c2694-00aa-41ee-99f6-9eab4040c182')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-tags:delete")
+ def test_delete_tag(self):
+ tag_name = self._add_tag_to_server()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.delete_tag(self.server['id'], tag_name)
+
+ @decorators.idempotent_id('a8e19b87-6580-4bc8-9933-e62561ff667d')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-tags:update_all")
+ def test_update_all_tags(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ new_tag_name = data_utils.rand_name('tag')
+ self.client.update_all_tags(self.server['id'], [new_tag_name])['tags']
+
+ @decorators.idempotent_id('89d51936-e333-42f9-a045-132a4865ba1a')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-tags:delete_all")
+ def test_delete_all_tags(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.delete_all_tags(self.server['id'])
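Review bot: test_update_all_tags leaves the tag it creates on the class-level server. Unlike `_add_tag_to_server` it registers no cleanup, and `cls.server` is shared by every test in this class. Registering `self.addCleanup(self.client.delete_all_tags, self.server['id'])` at the top of the test would let later tests start from an empty tag set. The test methods also have no docstrings; a one-line summary naming the policy rule each one exercises would help when a role mismatch is reported.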
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py
index 486a023..ea1341b 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -43,7 +42,7 @@
cls.server = cls.create_test_server(wait_until='ACTIVE')
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ServerUsageRbacTest, self).tearDown()
@rbac_rule_validation.action(
@@ -51,5 +50,5 @@
rule="os_compute_api:os-server-usage")
@decorators.idempotent_id('f0437ead-b9fb-462a-9f3d-ce53fac9d57a')
def test_show_server_diagnostics(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_server(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
index d5897d3..8f96110 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -52,7 +51,7 @@
super(ServerVolumeAttachmentRbacTest, cls).resource_cleanup()
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ServerVolumeAttachmentRbacTest, self).tearDown()
def _create_and_attach(self):
@@ -83,7 +82,7 @@
rule="os_compute_api:os-volumes-attachments:index")
@decorators.idempotent_id('529b668b-6edb-41d5-8886-d7dbd0614678')
def test_list_volume_attachments(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_volume_attachments(self.server['id'])
['volumeAttachments']
@@ -93,7 +92,7 @@
@decorators.idempotent_id('21c2c3fd-fbe8-41b1-8ef8-115ec47d54c1')
def test_create_volume_attachment(self):
self.volume = self.create_volume()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._attach(self.server, self.volume)
@rbac_rule_validation.action(
@@ -102,7 +101,7 @@
@decorators.idempotent_id('997df9c2-6e54-47b6-ab74-e4fdb500f385')
def test_show_volume_attachment(self):
self._create_and_attach()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_volume_attachment(
self.server['id'], self.attachment['id'])
@@ -113,7 +112,7 @@
def test_update_volume_attachment(self):
self._create_and_attach()
self.volume = self.create_volume()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.update_attached_volume(
self.server['id'], self.attachment['id'],
volumeId=self.volume['id'])
@@ -127,5 +126,5 @@
@decorators.idempotent_id('12b03e90-d087-46af-9c4d-507d021c4984')
def test_delete_volume_attachment(self):
self._create_and_attach()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._detach(self.server['id'], self.volume['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
index a2f6409..379b177 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -38,7 +37,7 @@
'%s skipped as no compute extensions enabled' % cls.__name__)
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ServicesAdminRbacTest, self).tearDown()
@rbac_rule_validation.action(
@@ -46,5 +45,5 @@
rule="os_compute_api:os-services")
@decorators.idempotent_id('7472261b-9c6d-453a-bcb3-aecaa29ad281')
def test_list_services(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_services()['services']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py
index eb7a91f..f042f00 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = config.CONF
@@ -26,7 +25,7 @@
class SimpleTenantUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(SimpleTenantUsageRbacTest, self).tearDown()
@classmethod
@@ -46,7 +45,7 @@
rule="os_compute_api:os-simple-tenant-usage:list")
@decorators.idempotent_id('2aef094f-0452-4df6-a66a-0ec22a92b16e')
def test_simple_tenant_usage_list(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_tenant_usages()
@rbac_rule_validation.action(
@@ -58,5 +57,5 @@
# the validation method in the API call throws an error.
self.create_test_server(wait_until='ACTIVE')['id']
tenant_id = self.auth_provider.credentials.tenant_id
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_tenant_usage(tenant_id=tenant_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_suspend_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_suspend_server_rbac.py
new file mode 100644
index 0000000..3cb5ac1
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_suspend_server_rbac.py
@@ -0,0 +1,81 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class SuspendServerRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ @classmethod
+ def setup_clients(cls):
+ super(SuspendServerRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(SuspendServerRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.suspend:
+ msg = "%s skipped as suspend compute feature is not available." \
+ % cls.__name__
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(SuspendServerRbacTest, cls).resource_setup()
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+
+ # Guarantee that the server is active during each test run.
+ vm_state = self.client.show_server(self.server['id'])['server'][
+ 'OS-EXT-STS:vm_state'].upper()
+ if vm_state != 'ACTIVE':
+ self.client.resume_server(self.server['id'])
+ waiters.wait_for_server_status(self.client, self.server['id'],
+ 'ACTIVE')
+
+ super(SuspendServerRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('b775930f-237c-431c-83ae-d33ed1b9700b')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-suspend-server:suspend")
+ def test_suspend_server(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.suspend_server(self.server['id'])
+ waiters.wait_for_server_status(self.client, self.server['id'],
+ 'SUSPENDED')
+
+ @decorators.idempotent_id('4d90bd02-11f8-45b1-a8a1-534665584675')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-suspend-server:resume")
+ def test_resume_server(self):
+ self.client.suspend_server(self.server['id'])
+ waiters.wait_for_server_status(self.client, self.server['id'],
+ 'SUSPENDED')
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.resume_server(self.server['id'])
+ waiters.wait_for_server_status(self.client,
+ self.server['id'],
+ 'ACTIVE')
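Review bot: tearDown calls `resume_server` for every state other than ACTIVE, not only for SUSPENDED. If a test leaves the server in ERROR or mid-transition, the resume call is likely to be rejected, and the exception would skip `super(SuspendServerRbacTest, self).tearDown()`. Narrowing the guard to `if vm_state == 'SUSPENDED':` restricts the recovery to the state these tests actually produce. Moving the super call into a `finally` would keep base-class cleanup running even when recovery fails.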
diff --git a/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
index 1bb5100..b5ecd55 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
@@ -19,7 +19,6 @@
from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
CONF = cfg.CONF
@@ -53,7 +52,7 @@
super(TenantNetworksRbacTest, cls).setup_credentials()
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(TenantNetworksRbacTest, self).tearDown()
@decorators.idempotent_id('42b39ba1-14aa-4799-9518-34367d0da67a')
@@ -61,5 +60,5 @@
service="nova",
rule="os_compute_api:os-tenant-networks")
def test_list_show_tenant_networks(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_tenant_networks()['networks']
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
index e379873..0155800 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
@@ -18,12 +18,14 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
CONF = config.CONF
class BaseIdentityV2AdminRbacTest(base.BaseIdentityV2AdminTest):
- credentials = ['primary', 'admin']
+ credentials = ['admin']
@classmethod
def skip_checks(cls):
@@ -31,15 +33,20 @@
if not CONF.rbac.rbac_flag:
raise cls.skipException(
"%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ super(BaseIdentityV2AdminRbacTest, cls).setup_credentials()
+ cls.os = cls.os_adm
@classmethod
def setup_clients(cls):
super(BaseIdentityV2AdminRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
cls.admin_client = cls.os_adm.identity_client
+ cls.tenants_client = cls.os.tenants_client
+ cls.users_client = cls.os.users_client
+ cls.rbac_utils = rbac_utils()
def _create_service(self):
name = data_utils.rand_name('service')
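Review bot: The new setup_credentials assigns `cls.os = cls.os_adm` without a comment, and the same hunk removes the `CONF.auth.tempest_roles` skip. Every client built in setup_clients, including the ones under test, therefore comes from the admin manager. Whether a test really runs with the restricted role then depends on `rbac_utils.switch_role`, whose body is not in this hunk, changing the role on those credentials and on tearDown restoring it. If that is the intent, a comment above the assignment such as `# RBAC tests reuse the admin credentials; rbac_utils.switch_role changes their role per test.` would record the assumption. The matching hunk in identity/v3/rbac_base.py makes the same change and would benefit from the same comment.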
@@ -52,3 +59,30 @@
self.services_client.delete_service,
self.service['OS-KSADM:service']['id'])
return self.service
+
+ def _create_user(self, name=None, email=None, password=None, **kwargs):
+ """Set up a test user."""
+ if name is None:
+ name = data_utils.rand_name('test_user')
+ if email is None:
+ email = name + '@testmail.tm'
+ if password is None:
+ password = data_utils.rand_password()
+ user = self.users_client.create_user(
+ name=name, email=email, password=password, **kwargs)['user']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.users_client.delete_user,
+ user['id'])
+ return user
+
+ def _create_tenant(self):
+ """Set up a test tenant."""
+ name = data_utils.rand_name('test_tenant')
+ tenant = self.projects_client.create_tenant(
+ name=name,
+ description=data_utils.rand_name('desc'))['tenant']
+ # Delete the tenant at the end of the test
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.tenants_client.delete_tenant,
+ tenant['id'])
+ return tenant
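Review bot: `_create_tenant` creates the tenant through `self.projects_client` but registers its cleanup through `self.tenants_client`. Only `tenants_client` is assigned in this file's setup_clients, so `projects_client` has to be inherited from the tempest base class, which is not visible here. Using one client for both calls, `tenant = self.tenants_client.create_tenant(`, keeps creation and deletion on the same client. It also makes clear which client test_create_project exercises after the role switch.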
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
index b448976..060da39 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
CONF = config.CONF
@@ -41,7 +40,7 @@
cls.internal_url = data_utils.rand_url()
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityEndpointsV2AdminRbacTest, self).tearDown()
def _create_endpoint(self):
@@ -68,7 +67,7 @@
RBAC test for Identity Admin 2.0 create_endpoint
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_endpoint()
@rbac_rule_validation.action(service="keystone",
@@ -82,7 +81,7 @@
"""
endpoint = self._create_endpoint()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.endpoints_client.delete_endpoint(endpoint['endpoint']['id'])
@rbac_rule_validation.action(service="keystone",
@@ -95,5 +94,5 @@
RBAC test for Identity Admin 2.0 list_endpoint
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.endpoints_client.list_endpoints()
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
index 0c2eb96..9bfb241 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -14,12 +14,9 @@
# under the License.
from tempest import config
-from tempest.lib.common.utils import data_utils
-from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
CONF = config.CONF
@@ -28,21 +25,9 @@
class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityProjectV2AdminRbacTest, self).tearDown()
- @classmethod
- def setup_clients(cls):
- super(IdentityProjectV2AdminRbacTest, cls).setup_clients()
- cls.tenants_client = cls.os.tenants_client
-
- def _create_tenant(self, name):
- self.tenant = self.tenants_client.create_tenant(name=name)
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.tenants_client.delete_tenant,
- self.tenant['tenant']['id'])
- return self.tenant
-
@rbac_rule_validation.action(service="keystone",
rule="identity:create_project")
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d904')
@@ -53,9 +38,8 @@
RBAC test for Identity 2.0 create_tenant
"""
- tenant_name = data_utils.rand_name('test_create_project')
- rbac_utils.switch_role(self, switchToRbacRole=True)
- self._create_tenant(tenant_name)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_tenant()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_project")
@@ -66,12 +50,10 @@
RBAC test for Identity 2.0 update_tenant
"""
+ tenant = self._create_tenant()
- tenant_name = data_utils.rand_name('test_update_project')
- tenant = self._create_tenant(tenant_name)
-
- rbac_utils.switch_role(self, switchToRbacRole=True)
- self.tenants_client.update_tenant(tenant['tenant']['id'],
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.tenants_client.update_tenant(tenant['id'],
description="Changed description")
@rbac_rule_validation.action(service="keystone",
@@ -83,12 +65,10 @@
RBAC test for Identity 2.0 delete_tenant
"""
+ tenant = self._create_tenant()
- tenant_name = data_utils.rand_name('test_delete_project')
- tenant = self._create_tenant(tenant_name)
-
- rbac_utils.switch_role(self, switchToRbacRole=True)
- self.tenants_client.delete_tenant(tenant['tenant']['id'])
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.tenants_client.delete_tenant(tenant['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_project")
@@ -100,11 +80,10 @@
RBAC test for Identity 2.0 show_tenant
"""
- tenant_name = data_utils.rand_name('test_get_project')
- tenant = self._create_tenant(tenant_name)
+ tenant = self._create_tenant()
- rbac_utils.switch_role(self, switchToRbacRole=True)
- self.tenants_client.show_tenant(tenant['tenant']['id'])
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.tenants_client.show_tenant(tenant['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_projects")
@@ -115,8 +94,7 @@
RBAC test for Identity 2.0 list_tenants
"""
-
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.tenants_client.list_tenants()
@rbac_rule_validation.action(service="keystone",
@@ -128,9 +106,7 @@
RBAC test for Identity 2.0 list_tenant_users
"""
+ tenant = self._create_tenant()
- tenant_name = data_utils.rand_name('test_list_users_for_tenant')
- tenant = self._create_tenant(tenant_name)
-
- rbac_utils.switch_role(self, switchToRbacRole=True)
- self.tenants_client.list_tenant_users(tenant['tenant']['id'])
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.tenants_client.list_tenant_users(tenant['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
new file mode 100644
index 0000000..aa9170a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
@@ -0,0 +1,156 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
+
+CONF = config.CONF
+
+
+class IdentityRoleV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(IdentityRoleV2AdminRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(IdentityRoleV2AdminRbacTest, cls).setup_clients()
+ cls.roles_client = cls.os.roles_client
+
+ def _create_role(self):
+ role = self.roles_client.create_role(
+ name=data_utils.rand_name('test_role'))['role']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role, role['id'])
+ return role
+
+ def _create_tenant_user_role(self):
+ role = self._create_role()
+ tenant = self._create_tenant()
+ user = self._create_user(tenantid=tenant['id'])
+ return tenant, user, role
+
+ def _create_role_on_project(self, tenant, user, role):
+ self.roles_client.create_user_role_on_project(
+ tenant['id'], user['id'], role['id'])
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ tenant['id'], user['id'], role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d904')
+ def test_create_role(self):
+
+ """Create Role Test
+
+ RBAC test for Identity Admin 2.0 role-create
+ """
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_role()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d905')
+ def test_delete_role(self):
+
+ """Delete Role Test
+
+ RBAC test for Identity Admin 2.0 role-delete
+ """
+ role = self._create_role()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.delete_role(role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d906')
+ def test_show_role(self):
+
+ """Get Role Test
+
+ RBAC test for Identity Admin 2.0
+ """
+ role = self._create_role()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.show_role(role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_roles")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d907')
+ def test_list_roles(self):
+
+ """List Roles Test
+
+ RBAC test for Identity Admin 2.0 role-list
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.list_roles()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:add_role_to_user")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d908')
+ def test_create_role_on_project(self):
+
+ """Assign User Role Test
+
+ RBAC test for Identity Admin 2.0 create_user_role_on_project
+ """
+ tenant, user, role = self._create_tenant_user_role()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_role_on_project(tenant, user, role)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:remove_role_from_user")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d909')
+ def test_delete_role_from_user_on_project(self):
+
+ """Remove User Roles Test
+
+ RBAC test for Identity Admin 2.0 delete_role_from_user_on_project
+ """
+ tenant, user, role = self._create_tenant_user_role()
+ self._create_role_on_project(tenant, user, role)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.delete_role_from_user_on_project(
+ tenant['id'], user['id'], role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_user_roles")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d90a')
+ def test_list_user_roles_on_project(self):
+
+ """List User Roles Test
+
+ RBAC test for Identity Admin 2.0 list_user_roles_on_project
+ """
+ tenant = self._create_tenant()
+ user = self._create_user(tenantid=tenant['id'])
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.list_user_roles_on_project(
+ tenant['id'], user['id'])
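Review bot: This new file still imports the `rbac_utils` class and calls `rbac_utils.switch_role(self, ...)` on it, in tearDown and in all seven tests. Every other file in this commit moves to the instance the base class now creates with `cls.rbac_utils = rbac_utils()`. If `switch_role` has become an instance method (its definition is outside this part of the diff), the class-level call binds the test case as `self` and fails before any role switch happens. Dropping the `from patrole_tempest_plugin.rbac_utils import rbac_utils` import and using `self.rbac_utils.switch_role(self, switchToRbacRole=True)` would match the rest of the change.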
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
index 93f20ef..cb0ee90 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
CONF = config.CONF
@@ -26,7 +25,7 @@
class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityServicesV2AdminRbacTest, self).tearDown()
@classmethod
@@ -42,7 +41,7 @@
RBAC test for Identity Admin 2.0 create_service
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_service()
@rbac_rule_validation.action(service="keystone",
@@ -55,7 +54,7 @@
"""
service_id = self._create_service()['OS-KSADM:service']['id']
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.delete_service(service_id)
@rbac_rule_validation.action(service="keystone",
@@ -68,7 +67,7 @@
"""
service_id = self._create_service()['OS-KSADM:service']['id']
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.show_service(service_id)
@rbac_rule_validation.action(service="keystone",
@@ -79,5 +78,5 @@
RBAC test for Identity Admin 2.0 list_service
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.list_services()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
index 0dc4a05..c7872b3 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
@@ -18,12 +18,14 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
CONF = config.CONF
class BaseIdentityV3RbacAdminTest(base.BaseIdentityV3AdminTest):
- credentials = ['primary', 'admin']
+ credentials = ['admin']
@classmethod
def skip_checks(cls):
@@ -31,9 +33,11 @@
if not CONF.rbac.rbac_flag:
raise cls.skipException(
"%s skipped as RBAC Flag not enabled" % cls.__name__)
- if CONF.auth.tempest_roles != ['admin']:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ super(BaseIdentityV3RbacAdminTest, cls).setup_credentials()
+ cls.os = cls.os_adm
@classmethod
def setup_clients(cls):
@@ -45,6 +49,7 @@
cls.endpoints_client = cls.os.endpoints_v3_client
cls.groups_client = cls.os.groups_client
cls.policies_client = cls.os.policies_client
+ cls.rbac_utils = rbac_utils()
def _create_service(self):
"""Creates a service for test."""
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
index 3428e7f..d51fecb 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -15,10 +15,9 @@
from tempest.common.utils import data_utils
from tempest.lib.common.utils import test_utils
-from tempest import test
+from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
@@ -27,7 +26,7 @@
def tearDown(self):
"""Reverts user back to admin for cleanup."""
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityCredentialsV3AdminRbacTest, self).tearDown()
def _create_credential(self):
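Review bot: In `tearDown`, `super(IdentityCredentialsV3AdminRbacTest, self).tearDown()` is skipped whenever `self.rbac_utils.switch_role(self, switchToRbacRole=False)` raises. Whether `switch_role` can raise is not visible here, so this is a precaution: put the switch in a `try:` block and the `super(...).tearDown()` call in its `finally:` branch, so the parent teardown always runs. The same two-line `tearDown` is changed in the endpoints, groups, policies, projects, services and users test files and in the image v1/v2 test files of this commit.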
@@ -52,18 +51,18 @@
@rbac_rule_validation.action(service="keystone",
rule="identity:create_credential")
- @test.idempotent_id('c1ab6d34-c59f-4ae1-bae9-bb3c1089b48e')
+ @decorators.idempotent_id('c1ab6d34-c59f-4ae1-bae9-bb3c1089b48e')
def test_create_credential(self):
"""Create a Credential.
RBAC test for Keystone: identity:create_credential
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_credential()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_credential")
- @test.idempotent_id('cfb05ce3-bffb-496e-a3c2-9515d730da63')
+ @decorators.idempotent_id('cfb05ce3-bffb-496e-a3c2-9515d730da63')
def test_update_credential(self):
"""Update a Credential.
@@ -74,7 +73,7 @@
new_keys = [data_utils.rand_name('NewAccess'),
data_utils.rand_name('NewSecret')]
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.creds_client \
.update_credential(credential['id'],
credential=credential,
@@ -84,7 +83,7 @@
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_credential")
- @test.idempotent_id('87ab42af-8d41-401b-90df-21e72919fcde')
+ @decorators.idempotent_id('87ab42af-8d41-401b-90df-21e72919fcde')
def test_delete_credential(self):
"""Delete a Credential.
@@ -92,12 +91,12 @@
"""
_, credential = self._create_credential()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.creds_client.delete_credential(credential['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_credential")
- @test.idempotent_id('1b6eeae6-f1e8-4cdf-8903-1c002b1fc271')
+ @decorators.idempotent_id('1b6eeae6-f1e8-4cdf-8903-1c002b1fc271')
def test_show_credential(self):
"""Show/Get a Credential.
@@ -105,16 +104,16 @@
"""
_, credential = self._create_credential()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.creds_client.show_credential(credential['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_credentials")
- @test.idempotent_id('3de303e2-12a7-4811-805a-f18906472038')
+ @decorators.idempotent_id('3de303e2-12a7-4811-805a-f18906472038')
def test_list_credentials(self):
"""List all Credentials.
RBAC test for Keystone: identity:list_credentials
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.creds_client.list_credentials()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
index b60c3e8..11b0064 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
CONF = config.CONF
@@ -43,7 +42,7 @@
def tearDown(self):
"""Reverts user back to admin for cleanup."""
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityEndpointsV3AdminRbacTest, self).tearDown()
@rbac_rule_validation.action(service="keystone",
@@ -54,7 +53,7 @@
RBAC test for Keystone: identity:create_endpoint
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_endpoint()
@rbac_rule_validation.action(service="keystone",
@@ -68,7 +67,7 @@
service, endpoint = self._create_endpoint()
new_url = data_utils.rand_url()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.endpoints_client.update_endpoint(endpoint["id"],
service_id=service['id'],
url=new_url)
@@ -83,7 +82,7 @@
"""
_, endpoint = self._create_endpoint()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.endpoints_client.delete_endpoint(endpoint['id'])
@rbac_rule_validation.action(service="keystone",
@@ -96,7 +95,7 @@
"""
_, endpoint = self._create_endpoint()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.endpoints_client.show_endpoint(endpoint['id'])
@rbac_rule_validation.action(service="keystone",
@@ -107,5 +106,5 @@
RBAC test for Keystone: identity:create_domain
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.endpoints_client.list_endpoints()
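Review bot: The docstring in this hunk says `RBAC test for Keystone: identity:create_domain`, but the call below it is `self.endpoints_client.list_endpoints()`, so the documented policy does not match the action. The decorator's `rule=` argument is outside the hunk; if it names the endpoint-listing rule (presumably `identity:list_endpoints`), the docstring should be corrected to that same name. A wrong rule name in the docstring misleads anyone auditing which policies the suite covers.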
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
index ec4fd41..a9c998a 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
CONF = config.CONF
@@ -29,7 +28,7 @@
def tearDown(self):
"""Reverts user back to admin for cleanup."""
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityGroupsV3AdminRbacTest, self).tearDown()
def _create_group(self):
@@ -55,7 +54,7 @@
rule="identity:create_group")
@decorators.idempotent_id('88377f51-9074-4d64-a22f-f8931d048c9a')
def test_create_group(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_group()
@rbac_rule_validation.action(service="keystone",
@@ -66,7 +65,7 @@
# Update Group
new_name = data_utils.rand_name('UpdateGroup')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.update_group(group['id'],
name=new_name)
@@ -76,7 +75,7 @@
def test_delete_group(self):
group = self._create_group()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.delete_group(group['id'])
@rbac_rule_validation.action(service="keystone",
@@ -85,14 +84,14 @@
def test_show_group(self):
group = self._create_group()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.show_group(group['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_groups")
@decorators.idempotent_id('c4d0f76b-735f-4fd0-868b-0006bc420ff4')
def test_list_groups(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.list_groups()
@rbac_rule_validation.action(service="keystone",
@@ -101,7 +100,7 @@
def test_add_user_group(self):
group = self._create_group()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._add_user_to_group(group['id'])
@rbac_rule_validation.action(service="keystone",
@@ -111,7 +110,7 @@
group = self._create_group()
user_id = self._add_user_to_group(group['id'])
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.delete_group_user(group['id'], user_id)
@rbac_rule_validation.action(service="keystone",
@@ -120,7 +119,7 @@
def test_list_user_group(self):
group = self._create_group()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.list_group_users(group['id'])
@rbac_rule_validation.action(service="keystone",
@@ -130,5 +129,5 @@
group = self._create_group()
user_id = self._add_user_to_group(group['id'])
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.check_group_user_existence(group['id'], user_id)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
index 9341fcb..ade418f 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
CONF = config.CONF
@@ -29,7 +28,7 @@
def tearDown(self):
"""Reverts user back to admin for cleanup."""
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityPoliciesV3AdminRbacTest, self).tearDown()
def _create_policy(self):
@@ -49,7 +48,7 @@
rule="identity:create_policy")
@decorators.idempotent_id('de2f7ecb-fbf0-41f3-abf4-b97b5e082fd5')
def test_create_policy(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_policy()
@rbac_rule_validation.action(service="keystone",
@@ -59,7 +58,7 @@
policy = self._create_policy()
update_type = data_utils.rand_name('UpdatedPolicyType')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.policies_client.update_policy(policy['id'],
type=update_type)
@@ -69,7 +68,7 @@
def test_delete_policy(self):
policy = self._create_policy()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.policies_client.delete_policy(policy['id'])
@rbac_rule_validation.action(service="keystone",
@@ -78,12 +77,12 @@
def test_show_policy(self):
policy = self._create_policy()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.policies_client.show_policy(policy['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_policies")
@decorators.idempotent_id('35a56161-4054-4237-8a78-7ce805dce202')
def test_list_policies(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.policies_client.list_policies()['policies']
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
index c347e56..9d6467c 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
@@ -18,7 +18,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
CONF = config.CONF
@@ -29,7 +28,7 @@
def tearDown(self):
"""Reverts user back to admin for cleanup."""
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityProjectV3AdminRbacTest, self).tearDown()
@rbac_rule_validation.action(service="keystone",
@@ -41,7 +40,7 @@
RBAC test for Keystone: identity:create_project
"""
name = data_utils.rand_name('project')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
project = self.non_admin_projects_client \
.create_project(name)['project']
self.addCleanup(self.projects_client.delete_project, project['id'])
@@ -56,7 +55,7 @@
"""
project = self._setup_test_project()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_projects_client \
.update_project(project['id'],
description="Changed description")
@@ -71,7 +70,7 @@
"""
project = self._setup_test_project()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_projects_client.delete_project(project['id'])
@rbac_rule_validation.action(service="keystone",
@@ -84,7 +83,7 @@
"""
project = self._setup_test_project()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_projects_client.show_project(project['id'])
@rbac_rule_validation.action(service="keystone",
@@ -95,5 +94,5 @@
RBAC test for Keystone: identity:list_projects
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_projects_client.list_projects()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
index f5a0a3e..e431216 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
@@ -15,10 +15,9 @@
from tempest.common.utils import data_utils
from tempest import config
-from tempest import test
+from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
CONF = config.CONF
@@ -28,23 +27,23 @@
def tearDown(self):
"""Reverts user back to admin for cleanup."""
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentitySericesV3AdminRbacTest, self).tearDown()
@rbac_rule_validation.action(service="keystone",
rule="identity:create_service")
- @test.idempotent_id('9a4bb317-f0bb-4005-8df0-4b672885b7c8')
+ @decorators.idempotent_id('9a4bb317-f0bb-4005-8df0-4b672885b7c8')
def test_create_service(self):
"""Create a service.
RBAC test for Keystone: identity:create_service
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_service()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_service")
- @test.idempotent_id('b39447d1-2cf6-40e5-a899-46f287f2ecf0')
+ @decorators.idempotent_id('b39447d1-2cf6-40e5-a899-46f287f2ecf0')
def test_update_service(self):
"""Update a service.
@@ -53,7 +52,7 @@
service = self._create_service()
new_name = data_utils.rand_name('new_test_name')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.update_service(service['id'],
service=service,
name=new_name,
@@ -61,7 +60,7 @@
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_service")
- @test.idempotent_id('177b991a-438d-4bef-8e9f-9c6cc5a1c9e8')
+ @decorators.idempotent_id('177b991a-438d-4bef-8e9f-9c6cc5a1c9e8')
def test_delete_service(self):
"""Delete a service.
@@ -69,12 +68,12 @@
"""
service = self._create_service()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.delete_service(service['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_service")
- @test.idempotent_id('d89a9ac6-cd53-428d-84c0-5bc71f4a432d')
+ @decorators.idempotent_id('d89a9ac6-cd53-428d-84c0-5bc71f4a432d')
def test_show_service(self):
"""Show/Get a service.
@@ -82,16 +81,16 @@
"""
service = self._create_service()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.show_service(service['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_services")
- @test.idempotent_id('706e6bea-3385-4718-919c-0b5121395806')
+ @decorators.idempotent_id('706e6bea-3385-4718-919c-0b5121395806')
def test_list_services(self):
"""list all services.
RBAC test for Keystone: identity:list_services
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.list_services()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index b611541..84d3be6 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -18,7 +18,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
CONF = config.CONF
@@ -29,7 +28,7 @@
def tearDown(self):
"""Reverts user back to admin for cleanup."""
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityUserV3AdminRbacTest, self).tearDown()
@rbac_rule_validation.action(service="keystone",
@@ -41,7 +40,7 @@
RBAC test for Keystone: identity:create_user
"""
user_name = data_utils.rand_name('test_create_user')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_users_client.create_user(name=user_name)
@rbac_rule_validation.action(service="keystone",
@@ -55,7 +54,7 @@
user_name = data_utils.rand_name('test_update_user')
user = self._create_test_user(name=user_name, password=None)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_users_client.update_user(user['id'],
name=user_name,
email="changedUser@xyz.com")
@@ -71,7 +70,7 @@
user_name = data_utils.rand_name('test_delete_user')
user = self._create_test_user(name=user_name, password=None)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_users_client.delete_user(user['id'])
@rbac_rule_validation.action(service="keystone",
@@ -82,7 +81,7 @@
RBAC test for Keystone: identity:list_users
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_users_client.list_users()
@rbac_rule_validation.action(service="keystone",
@@ -96,7 +95,7 @@
user_name = data_utils.rand_name('test_get_user')
user = self._create_test_user(name=user_name, password=None)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_users_client.show_user(user['id'])
@rbac_rule_validation.action(service="keystone",
@@ -110,7 +109,7 @@
user_name = data_utils.rand_name('test_change_password')
user = self._create_test_user(name=user_name, password='nova')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_users_client \
.update_user_password(user['id'],
original_password='nova',
@@ -127,7 +126,7 @@
user_name = data_utils.rand_name('User')
user = self._create_test_user(name=user_name, password=None)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_users_client.list_user_groups(user['id'])
@rbac_rule_validation.action(service="keystone",
@@ -140,5 +139,5 @@
"""
user = self.setup_test_user()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_users_client.list_user_projects(user['id'])
diff --git a/patrole_tempest_plugin/tests/api/image/rbac_base.py b/patrole_tempest_plugin/tests/api/image/rbac_base.py
index 5a9731a..9072cb3 100644
--- a/patrole_tempest_plugin/tests/api/image/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/image/rbac_base.py
@@ -11,16 +11,17 @@
# License for the specific language governing permissions and limitations
# under the License.
-# Maybe these should be in lib or recreated?
from tempest.api.image import base as image_base
from tempest import config
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
CONF = config.CONF
class BaseV1ImageRbacTest(image_base.BaseV1ImageTest):
- credentials = ['primary', 'admin']
+ credentials = ['admin']
@classmethod
def skip_checks(cls):
@@ -28,20 +29,23 @@
if not CONF.rbac.rbac_flag:
raise cls.skipException(
"%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ super(BaseV1ImageRbacTest, cls).setup_credentials()
+ cls.os = cls.os_adm
@classmethod
def setup_clients(cls):
super(BaseV1ImageRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
cls.admin_client = cls.os_adm.image_client
+ cls.rbac_utils = rbac_utils()
class BaseV2ImageRbacTest(image_base.BaseV2ImageTest):
- credentials = ['primary', 'admin']
+ credentials = ['admin']
@classmethod
def skip_checks(cls):
@@ -49,12 +53,15 @@
if not CONF.rbac.rbac_flag:
raise cls.skipException(
"%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ super(BaseV2ImageRbacTest, cls).setup_credentials()
+ cls.os = cls.os_adm
@classmethod
def setup_clients(cls):
super(BaseV2ImageRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
cls.admin_client = cls.os_adm.image_client_v2
+ cls.rbac_utils = rbac_utils()
diff --git a/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
index 97c218a..8ded2ec 100644
--- a/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.image import rbac_base as base
CONF = config.CONF
@@ -39,7 +38,7 @@
cls.alt_tenant_id = cls.alt_image_member_client.tenant_id
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ImagesMemberRbacTest, self).tearDown()
@rbac_rule_validation.action(service="glance", rule="add_member")
@@ -51,7 +50,7 @@
"""
image = self.create_image()
# Toggle role and add image member
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.image_member_client.create_image_member(image['id'],
self.alt_tenant_id)
@@ -66,7 +65,7 @@
self.image_member_client.create_image_member(image['id'],
self.alt_tenant_id)
# Toggle role and delete image member
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.image_member_client.delete_image_member(image['id'],
self.alt_tenant_id)
@@ -81,5 +80,5 @@
self.image_member_client.create_image_member(image['id'],
self.alt_tenant_id)
# Toggle role and delete image member
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.image_member_client.list_image_members(image['id'])
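Review bot: The comment `# Toggle role and delete image member` sits directly above `self.image_member_client.list_image_members(image['id'])`, so it describes the wrong operation; it should read `# Toggle role and list image members`. The test method's signature and decorator are outside the hunk.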
diff --git a/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
index ee6a2eb..2bebc2c 100644
--- a/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
@@ -20,7 +20,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.image import rbac_base
CONF = config.CONF
@@ -29,7 +28,7 @@
class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(BasicOperationsImagesRbacTest, self).tearDown()
@rbac_rule_validation.action(service="glance", rule="add_image")
@@ -41,7 +40,7 @@
"""
properties = {'prop1': 'val1'}
image_name = data_utils.rand_name('image')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.create_image(name=image_name,
container_format='bare',
disk_format='raw',
@@ -63,7 +62,7 @@
is_public=False,
properties=properties)
image_id = body['id']
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.delete_image(image_id)
@rbac_rule_validation.action(service="glance", rule="download_image")
@@ -85,7 +84,7 @@
image_file = moves.cStringIO(data_utils.random_bytes())
self.client.update_image(image_id, data=image_file)
# Toggle role and get created image
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_image(image_id)
@rbac_rule_validation.action(service="glance", rule="get_image")
@@ -107,7 +106,7 @@
image_file = moves.cStringIO(data_utils.random_bytes())
self.client.update_image(image_id, data=image_file)
# Toggle role and get created image
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.check_image(image_id)
@rbac_rule_validation.action(service="glance", rule="get_images")
@@ -117,7 +116,7 @@
RBAC test for the glance get_images policy.
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_images()
@rbac_rule_validation.action(service="glance", rule="modify_image")
@@ -136,7 +135,7 @@
properties=properties)
image_id = body.get('id')
properties = {'prop1': 'val2'}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.update_image(image_id, headers=properties)
@rbac_rule_validation.action(service="glance", rule="publicize_image")
@@ -148,7 +147,7 @@
"""
image_name = data_utils.rand_name('image')
properties = {'prop1': 'val1'}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.create_image(name=image_name,
container_format='bare',
disk_format='raw',
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py
index 324543e..f66b00c 100644
--- a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.image import rbac_base
CONF = config.CONF
@@ -28,7 +27,7 @@
class ImageNamespacesObjectsRbacTest(rbac_base.BaseV2ImageRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ImageNamespacesObjectsRbacTest, self).tearDown()
@rbac_rule_validation.action(service="glance",
@@ -40,7 +39,7 @@
RBAC test for the glance add_metadef_object policy
"""
namespace = self.create_namespace()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# create a md object, it will be cleaned automatically after
# cleanup of namespace
object_name = data_utils.rand_name('test-object')
@@ -60,7 +59,7 @@
RBAC test for the glance get_metadef_objects policy
"""
namespace = self.create_namespace()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# list md objects
self.namespace_objects_client.list_namespace_objects(
namespace['namespace'])
@@ -83,7 +82,7 @@
namespace['namespace'], object_name)
# Toggle role and modify object
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
new_name = "Object New Name"
self.namespace_objects_client.update_namespace_object(
namespace['namespace'], object_name, name=new_name)
@@ -105,7 +104,7 @@
self.namespace_objects_client.delete_namespace_object,
namespace['namespace'], object_name)
# Toggle role and get object
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.namespace_objects_client.show_namespace_object(
namespace['namespace'],
object_name)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py
index 6804fa3..cd7982b 100644
--- a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py
@@ -18,7 +18,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.image import rbac_base
CONF = config.CONF
@@ -33,7 +32,7 @@
cls.resource_name = body['resource_types'][0]['name']
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(NamespacesPropertyRbacTest, self).tearDown()
@rbac_rule_validation.action(service="glance",
@@ -45,7 +44,7 @@
RBAC test for the glance add_metadef_property policy
"""
namespace = self.create_namespace()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
property_name = data_utils.rand_name('test-ns-property')
self.namespace_properties_client.create_namespace_property(
namespace=namespace['namespace'], type="string",
@@ -60,7 +59,7 @@
RBAC test for the glance get_metadef_properties policy
"""
namespace = self.create_namespace()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.namespace_properties_client.list_namespace_properties(
namespace=namespace['namespace'])
@@ -78,7 +77,7 @@
namespace=namespace['namespace'], type="string",
title=property_name, name=self.resource_name)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.namespace_properties_client.show_namespace_properties(
namespace['namespace'], self.resource_name)
@@ -96,7 +95,7 @@
namespace=namespace['namespace'], type="string",
title=property_name, name=self.resource_name)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.namespace_properties_client.update_namespace_properties(
namespace['namespace'], self.resource_name, type="string",
title=property_name, name=self.resource_name)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py
index 6396f4f..19b815e 100644
--- a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.image import rbac_base
CONF = config.CONF
@@ -28,7 +27,7 @@
class ImageNamespacesRbacTest(rbac_base.BaseV2ImageRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ImageNamespacesRbacTest, self).tearDown()
@rbac_rule_validation.action(service="glance",
@@ -40,7 +39,7 @@
RBAC test for the glance add_metadef_namespace policy
"""
namespace_name = data_utils.rand_name('test-ns')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.namespaces_client.create_namespace(
namespace=namespace_name,
protected=False)
@@ -57,7 +56,7 @@
RBAC test for the glance get_metadef_namespaces policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.namespaces_client.list_namespaces()
@rbac_rule_validation.action(service="glance",
@@ -72,7 +71,7 @@
body = self.namespaces_client.create_namespace(
namespace=namespace_name,
protected=False)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.namespaces_client.update_namespace(body['namespace'],
description="My new "
"description")
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_resource_type.py b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_resource_type.py
index f7e76c1..8d9bc24 100644
--- a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_resource_type.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_resource_type.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.image import rbac_base
CONF = config.CONF
@@ -28,7 +27,7 @@
class ImageNamespacesResourceTypeRbacTest(rbac_base.BaseV2ImageRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ImageNamespacesResourceTypeRbacTest, self).tearDown()
@rbac_rule_validation.action(service="glance",
@@ -39,7 +38,7 @@
RBAC test for the glance list_metadef_resource_type policy.
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.resource_types_client.list_resource_types()
@rbac_rule_validation.action(service="glance",
@@ -59,6 +58,6 @@
self.namespaces_client.delete_namespace,
namespace_name)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.resource_types_client.list_resource_type_association(
namespace_name)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
index d6a6d62..81d03d6 100644
--- a/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
@@ -20,7 +20,6 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.image import rbac_base as base
CONF = config.CONF
@@ -29,7 +28,7 @@
class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):
- credentials = ['primary', 'alt', 'admin']
+ credentials = ['admin', 'alt']
@classmethod
def resource_setup(cls):
@@ -45,11 +44,11 @@
cls.alt_image_member_client = cls.os_alt.image_member_client_v2
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ImagesMemberRbacTest, self).tearDown()
def setUp(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ImagesMemberRbacTest, self).setUp()
@rbac_rule_validation.action(service="glance",
@@ -63,7 +62,7 @@
"""
image_id = self.create_image()['id']
# Toggle role and add image member
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.image_member_client.create_image_member(image_id,
member=self.alt_tenant_id)
@@ -80,7 +79,7 @@
self.image_member_client.create_image_member(image_id,
member=self.alt_tenant_id)
# Toggle role and delete image member
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.image_member_client.delete_image_member(image_id,
self.alt_tenant_id)
@@ -100,7 +99,7 @@
member=self.alt_tenant_id)
# Toggle role and get image member
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.image_member_client.show_image_member(
image_id,
self.alt_tenant_id)
@@ -126,7 +125,7 @@
image_id,
member=self.image_client.tenant_id)
# Toggle role and update member
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.image_member_client.update_image_member(
image_id, self.image_client.tenant_id,
status='accepted')
@@ -144,5 +143,5 @@
self.image_member_client.create_image_member(image_id,
member=self.alt_tenant_id)
# Toggle role and list image members
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.image_member_client.list_image_members(image_id)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
index 5e20612..faba098 100644
--- a/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
@@ -21,7 +21,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.image import rbac_base
CONF = config.CONF
@@ -36,7 +35,7 @@
cls.client = cls.os.image_client_v2
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(BasicOperationsImagesRbacTest, self).tearDown()
@rbac_rule_validation.action(service="glance",
@@ -50,7 +49,7 @@
"""
uuid = '00000000-1111-2222-3333-444455556666'
image_name = data_utils.rand_name('image')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.create_image(name=image_name,
container_format='bare',
disk_format='raw',
@@ -74,7 +73,7 @@
visibility='private',
ramdisk_id=uuid)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Try uploading an image file
image_file = moves.cStringIO(data_utils.random_bytes())
self.client.store_image_file(body['id'], image_file)
@@ -95,7 +94,7 @@
visibility='public')
image_id = body.get('id')
# Toggle role and delete created image
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.delete_image(image_id)
self.client.wait_for_resource_deletion(image_id)
@@ -116,7 +115,7 @@
visibility='private')
image_id = body.get('id')
# Toggle role and get created image
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_image(image_id)
@rbac_rule_validation.action(service="glance",
@@ -130,7 +129,7 @@
"""
# Toggle role and get created image
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_images()
@rbac_rule_validation.action(service="glance",
@@ -154,7 +153,7 @@
self.client.store_image_file(image_id, image_file)
# Toggle role and update created image
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
new_image_name = data_utils.rand_name('new-image')
body = self.client.update_image(image_id, [
dict(replace='/name', value=new_image_name)])
@@ -169,7 +168,7 @@
RBAC test for the glance publicize_image endpoint
"""
image_name = data_utils.rand_name('image')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.create_image(name=image_name,
container_format='bare',
disk_format='raw',
@@ -196,7 +195,7 @@
image_file = moves.cStringIO(data_utils.random_bytes())
self.client.store_image_file(image_id=image_id, data=image_file)
# Toggling role and deacivate image
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.deactivate_image(image_id)
@rbac_rule_validation.action(service="glance",
@@ -221,5 +220,5 @@
image_file = moves.cStringIO(data_utils.random_bytes())
self.client.store_image_file(image_id=image_id, data=image_file)
# Toggling role and reactivate image
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.reactivate_image(image_id)
diff --git a/patrole_tempest_plugin/tests/api/network/rbac_base.py b/patrole_tempest_plugin/tests/api/network/rbac_base.py
index 18a80a1..5f93d81 100644
--- a/patrole_tempest_plugin/tests/api/network/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/network/rbac_base.py
@@ -16,12 +16,14 @@
from tempest.api.network import base as network_base
from tempest import config
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
CONF = config.CONF
class BaseNetworkRbacTest(network_base.BaseNetworkTest):
- credentials = ['primary', 'admin']
+ credentials = ['admin']
@classmethod
def skip_checks(cls):
@@ -29,12 +31,15 @@
if not CONF.rbac.rbac_flag:
raise cls.skipException(
"%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ super(BaseNetworkRbacTest, cls).setup_credentials()
+ cls.os = cls.os_adm
@classmethod
def setup_clients(cls):
super(BaseNetworkRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
cls.admin_client = cls.os_adm.agents_client
+ cls.rbac_utils = rbac_utils()
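Review bot: With `cls.os = cls.os_adm` in setup_credentials (and `credentials = ['admin']` in the previous hunk), every client the subclasses use is backed by the admin credential, and nothing here documents that tests depend on `self.rbac_utils.switch_role(self, switchToRbacRole=True)` to drop privilege before the call being validated. switch_role itself is not visible in this hunk, so this is inferred: a test that omits the call, or a switch that fails quietly, would run the API as admin and pass trivially for any rule the policy allows, without the role under test ever being exercised. A comment above the assignment would make the contract explicit, e.g. `# Clients are admin-backed; each test must switch to the RBAC role before the action it validates.` The removed `'admin' not in CONF.auth.tempest_roles` skip has no visible replacement that checks the configured role is usable; that may be handled inside rbac_utils. The class body begins in the previous hunk.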
diff --git a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
new file mode 100644
index 0000000..698d462
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -0,0 +1,153 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import netaddr
+
+from oslo_log import log
+from tempest import config
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+
+from patrole_tempest_plugin import rbac_exceptions
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+CONF = config.CONF
+LOG = log.getLogger(__name__)
+
+
+class FloatingIpsRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def resource_setup(cls):
+ super(FloatingIpsRbacTest, cls).resource_setup()
+
+ # Create an external network for floating ip creation
+ cls.fip_extnet = cls.create_network(**{'router:external': True})
+ cls.fip_extnet_id = cls.fip_extnet['id']
+
+ # Create a subnet for the external network
+ cls.cidr = netaddr.IPNetwork(CONF.network.project_network_cidr)
+ cls.create_subnet(cls.fip_extnet,
+ cidr=cls.cidr,
+ mask_bits=24)
+
+ @classmethod
+ def resource_cleanup(cls):
+ # Update router:external attribute to False for proper subnet resource
+ # cleanup by base class
+ cls.networks_client.update_network(cls.fip_extnet_id,
+ **{'router:external': False})
+ super(FloatingIpsRbacTest, cls).resource_cleanup()
+
+ def _create_floatingip(self, floating_ip_address=None):
+ if floating_ip_address is not None:
+ body = self.floating_ips_client.create_floatingip(
+ floating_network_id=self.fip_extnet_id,
+ floating_ip_address=floating_ip_address)
+ else:
+ body = self.floating_ips_client.create_floatingip(
+ floating_network_id=self.fip_extnet_id)
+
+ floating_ip = body['floatingip']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.floating_ips_client.delete_floatingip,
+ floating_ip['id'])
+
+ return floating_ip
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(FloatingIpsRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_floatingip")
+ @decorators.idempotent_id('f8f7474c-b8a5-4174-af84-73097d6ced38')
+ def test_create_floating_ip(self):
+ """Create floating IP.
+
+ RBAC test for the neutron create_floatingip policy
+ """
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_floatingip()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_floatingip:floating_ip_address")
+ @decorators.idempotent_id('a8bb826a-403d-4130-a55d-120a0a660806')
+ def test_create_floating_ip_floatingip_address(self):
+ """Create floating IP with address.
+
+ RBAC test for the neutron create_floatingip:floating_ip_address policy
+ """
+ fip = str(netaddr.IPAddress(self.cidr) + 10)
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_floatingip(floating_ip_address=fip)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_floatingip")
+ @decorators.idempotent_id('2ab1b060-19f8-4ef6-a838-e2ab7b377c63')
+ def test_update_floating_ip(self):
+ """Update floating IP.
+
+ RBAC test for the neutron update_floatingip policy
+ """
+ floating_ip = self._create_floatingip()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+
+ # Associate floating IP to the other port
+ self.floating_ips_client.update_floatingip(
+ floating_ip['id'], port_id=None)
+
+ @rbac_rule_validation.action(service="neutron", rule="get_floatingip")
+ @decorators.idempotent_id('f8846fd0-c976-48fe-a148-105303931b32')
+ def test_show_floating_ip(self):
+ """Show floating IP.
+
+ RBAC test for the neutron get_floatingip policy
+ """
+ floating_ip = self._create_floatingip()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+
+ try:
+ # Show floating IP
+ self.floating_ips_client.show_floatingip(floating_ip['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_floatingip")
+ @decorators.idempotent_id('2611b068-30d4-4241-a78f-1b801a14db7e')
+ def test_delete_floating_ip(self):
+ """Delete floating IP.
+
+ RBAC test for the neutron delete_floatingip policy
+ """
+ floating_ip = self._create_floatingip()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+
+ try:
+ # Delete the floating IP
+ self.floating_ips_client.delete_floatingip(floating_ip['id'])
+
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
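Review bot: In test_show_floating_ip and test_delete_floating_ip every `exceptions.NotFound` is re-raised as `rbac_exceptions.RbacActionFailed`, so a floating IP that is genuinely missing is reported the same way as a policy denial. How `rbac_rule_validation.action` treats that exception is not visible here, but if it counts as "role denied" the test can agree with the policy for the wrong reason. Including `floating_ip['id']` in the log message and using `LOG.warning` rather than `LOG.info` would let someone reading the run tell the two cases apart. The message also loses a space where the string literals are joined; `"role doesn't have access to the endpoint. "` fixes it in both tests. Separately, the comment `# Associate floating IP to the other port` in test_update_floating_ip sits above a call passing `port_id=None`, which reads as a disassociation; `# Update the floating IP with no port association` would match the code.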
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index 3faa696..cb79742 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -22,7 +22,6 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.network import rbac_base as base
CONF = config.CONF
@@ -129,7 +128,7 @@
return updated_network
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(RbacNetworksTest, self).tearDown()
@rbac_rule_validation.action(service="neutron",
@@ -141,7 +140,7 @@
RBAC test for the neutron create_network policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_network()
@rbac_rule_validation.action(service="neutron",
@@ -153,7 +152,7 @@
RBAC test for the neutron create_network:shared policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_network(shared=True)
@rbac_rule_validation.action(service="neutron",
@@ -165,7 +164,7 @@
RBAC test for the neutron create_network:router:external policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_network(router_external=True)
@rbac_rule_validation.action(service="neutron",
@@ -177,7 +176,7 @@
RBAC test for the neutron create_network:provider:network_type policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_network(provider_network_type='vxlan')
@rbac_rule_validation.action(
@@ -190,7 +189,7 @@
RBAC test for the neutron create_network:provider:segmentation_id
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_network(provider_network_type='vxlan',
provider_segmentation_id=200)
@@ -203,7 +202,7 @@
RBAC test for the neutron update_network policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
updated_network = self._update_network(admin=False)
self.assertEqual(updated_network['admin_state_up'], False)
@@ -220,7 +219,7 @@
RBAC test for the neutron update_network:shared policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
updated_network = self._update_network(shared_network=True)
self.assertEqual(updated_network['shared'], True)
@@ -238,7 +237,7 @@
RBAC test for the neutron update_network:router:external policy
"""
network = self._create_network()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._update_network(net_id=network['id'], router_external=True)
@rbac_rule_validation.action(service="neutron",
@@ -250,7 +249,7 @@
RBAC test for the neutron get_network policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# show a network that has been created during class setup
self.networks_client.show_network(self.admin_network['id'])
@@ -265,7 +264,7 @@
"""
post_body = {'fields': 'router:external'}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.networks_client.show_network(self.admin_network['id'],
**post_body)
@@ -280,7 +279,7 @@
"""
post_body = {'fields': 'provider:network_type'}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
body = self.networks_client.show_network(self.admin_network['id'],
**post_body)
showed_net = body['network']
@@ -299,7 +298,7 @@
"""
post_body = {'fields': 'provider:physical_network'}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
body = self.networks_client.show_network(self.admin_network['id'],
**post_body)
showed_net = body['network']
@@ -318,7 +317,7 @@
"""
post_body = {'fields': 'provider:segmentation_id'}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
body = self.networks_client.show_network(self.admin_network['id'],
**post_body)
showed_net = body['network']
@@ -339,7 +338,7 @@
RBAC test for the neutron delete_network policy
"""
network = self._create_network()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.networks_client.delete_network(network['id'])
@rbac_rule_validation.action(service="neutron",
@@ -354,7 +353,7 @@
network = self._create_network()
self.assertEqual('ACTIVE', network['status'])
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Create a subnet
self.create_subnet(network, enable_dhcp=False)
@@ -367,7 +366,7 @@
RBAC test for the neutron get_subnet policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.subnets_client.show_subnet(self.admin_subnet['id'])
@rbac_rule_validation.action(service="neutron",
@@ -379,7 +378,7 @@
RBAC test for the neutron update_subnet policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.subnets_client.update_subnet(self.admin_subnet['id'],
name="New_subnet")
@@ -399,6 +398,6 @@
# Create a subnet using admin privilege
subnet = self.create_subnet(network, enable_dhcp=False)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Delete the subnet
self.subnets_client.delete_subnet(subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
index 207ae54..65d9fee 100644
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -25,7 +25,6 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.network import rbac_base as base
CONF = config.CONF
@@ -70,7 +69,7 @@
return port
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(PortsRbacTest, self).tearDown()
@rbac_rule_validation.action(service="neutron",
@@ -78,7 +77,7 @@
@decorators.idempotent_id('0ec8c551-625c-4864-8a52-85baa7c40f22')
def test_create_port(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
post_body = {'network_id': self.admin_network['id']}
self._create_port(**post_body)
@@ -90,7 +89,7 @@
post_body = {'network_id': self.admin_network['id'],
'binding:host_id': "rbac_test_host"}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
@@ -106,7 +105,7 @@
post_body = {'network_id': self.admin_network['id'],
'fixed_ips': fixed_ips}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
@@ -117,7 +116,7 @@
post_body = {'network_id': self.admin_network['id'],
'mac_address': data_utils.rand_mac_address()}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
@@ -130,7 +129,7 @@
post_body = {'network_id': self.admin_network['id'],
'binding:profile': binding_profile}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
@@ -145,7 +144,7 @@
post_body = {'network_id': self.admin_network['id'],
'allowed_address_pairs': allowed_address_pairs}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_port(**post_body)
@rbac_rule_validation.action(service="neutron", rule="get_port")
@@ -153,7 +152,7 @@
def test_show_port(self):
try:
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.show_port(self.admin_port['id'])
@@ -172,7 +171,7 @@
fields = ['binding:vif_type']
try:
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.show_port(self.admin_port['id'],
fields=fields)
@@ -191,7 +190,7 @@
fields = ['binding:vif_details']
try:
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.show_port(self.admin_port['id'],
fields=fields)
@@ -213,7 +212,7 @@
port = self._create_port(**post_body)
try:
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.show_port(port['id'],
fields=fields)
@@ -236,7 +235,7 @@
port = self._create_port(**post_body)
try:
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.show_port(port['id'],
fields=fields)
@@ -252,7 +251,7 @@
def test_update_port(self):
port = self.create_port(self.admin_network)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(port['id'],
admin_state_up=False)
@@ -262,7 +261,7 @@
def test_update_port_mac_address(self):
port = self.create_port(self.admin_network)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(
port['id'],
mac_address=data_utils.rand_mac_address())
@@ -278,7 +277,7 @@
post_body = {'network_id': self.admin_network['id']}
port = self._create_port(**post_body)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(port['id'],
fixed_ips=fixed_ips)
@@ -288,7 +287,7 @@
def test_update_port_security_enabled(self):
port = self.create_port(self.admin_network)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(port['id'],
security_groups=[])
@@ -304,7 +303,7 @@
updated_body = {'port_id': port['id'],
'binding:host_id': 'rbac_test_host_updated'}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(**updated_body)
@rbac_rule_validation.action(service="neutron",
@@ -322,7 +321,7 @@
updated_body = {'port_id': port['id'],
'binding:profile': new_binding_profile}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(**updated_body)
@rbac_rule_validation.action(service="neutron",
@@ -337,7 +336,7 @@
post_body = {'network_id': self.admin_network['id']}
port = self._create_port(**post_body)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(port['id'],
allowed_address_pairs=address_pairs)
@@ -348,7 +347,7 @@
try:
port = self._create_port(network_id=self.admin_network['id'])
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.delete_port(port['id'])
except exceptions.NotFound as e:
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index 662eb41..580b064 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -26,7 +26,6 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.network import rbac_base as base
CONF = config.CONF
@@ -54,7 +53,7 @@
cls.admin_router = cls.create_router()
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(RouterRbacTest, self).tearDown()
@rbac_rule_validation.action(service="neutron",
@@ -65,7 +64,7 @@
RBAC test for the neutron create_router policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
router = self.routers_client.create_router()
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -84,7 +83,7 @@
external_gateway_info = {'network_id': self.admin_network['id'],
'enable_snat': True}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
router = self.routers_client.create_router(
name=name, external_gateway_info=external_gateway_info)
self.addCleanup(self.routers_client.delete_router,
@@ -110,7 +109,7 @@
'enable_snat': False,
'external_fixed_ips': [external_fixed_ips]}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
router = self.routers_client.create_router(
name=name, external_gateway_info=external_gateway_info)
self.addCleanup(self.routers_client.delete_router,
@@ -123,7 +122,7 @@
RBAC test for the neutron get_router policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
try:
self.routers_client.show_router(self.admin_router['id'])
except exceptions.NotFound as e:
@@ -141,7 +140,7 @@
RBAC test for the neutron update_router policy
"""
new_name = data_utils.rand_name('new-router-name')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.routers_client.update_router(self.admin_router['id'],
name=new_name)
@@ -154,7 +153,7 @@
RBAC test for the neutron
update_router:external_gateway_info policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.routers_client.update_router(self.admin_router['id'],
external_gateway_info={})
@@ -168,7 +167,7 @@
RBAC test for the neutron
update_router:external_gateway_info:network_id policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.routers_client.update_router(
self.admin_router['id'],
external_gateway_info={'network_id': self.admin_network['id']})
@@ -183,7 +182,7 @@
RBAC test for the neutron
update_router:external_gateway_info:enable_snat policy
"""
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.routers_client.update_router(
self.admin_router['id'],
external_gateway_info={'network_id': self.admin_network['id'],
@@ -206,7 +205,7 @@
external_gateway_info = {'network_id': self.admin_network['id'],
'external_fixed_ips': [external_fixed_ips]}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.routers_client.update_router(
self.admin_router['id'],
external_gateway_info=external_gateway_info)
@@ -224,7 +223,7 @@
RBAC test for the neutron delete_router policy
"""
router = self.create_router()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
try:
self.routers_client.delete_router(router['id'])
except exceptions.NotFound as e:
@@ -245,7 +244,7 @@
subnet = self.create_subnet(network)
router = self.create_router()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
try:
self.routers_client.add_router_interface(
router['id'], subnet_id=subnet['id'])
@@ -280,7 +279,7 @@
router['id'],
subnet_id=subnet['id'])
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
try:
self.routers_client.remove_router_interface(
router['id'],
diff --git a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
new file mode 100644
index 0000000..25f1acf
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
@@ -0,0 +1,191 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import log
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+
+from patrole_tempest_plugin import rbac_exceptions
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+LOG = log.getLogger(__name__)
+
+
+class SecGroupRbacTest(base.BaseNetworkRbacTest):
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(SecGroupRbacTest, self).tearDown()
+
+ @classmethod
+ def resource_setup(cls):
+ super(SecGroupRbacTest, cls).resource_setup()
+ secgroup_name = data_utils.rand_name('secgroup')
+ cls.secgroup = cls.security_groups_client.create_security_group(
+ name=secgroup_name)['security_group']
+
+ @classmethod
+ def resource_cleanup(cls):
+ # Clean up security group
+ test_utils.call_and_ignore_notfound_exc(
+ cls.security_groups_client.delete_security_group,
+ cls.secgroup['id'])
+ super(SecGroupRbacTest, cls).resource_cleanup()
+
+ def _create_security_group(self):
+ # Create a security group
+ name = data_utils.rand_name('secgroup')
+ security_group =\
+ self.security_groups_client.create_security_group(
+ name=name)['security_group']
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.security_groups_client.delete_security_group,
+ security_group['id'])
+ return security_group
+
+ def _create_security_group_rule(self):
+ # Create a security group rule
+ sec_group_rule = \
+ self.security_group_rules_client.create_security_group_rule(
+ security_group_id=self.secgroup['id'],
+ direction='ingress',
+ protocol='tcp',
+ port_range_min=99,
+ port_range_max=99)['security_group_rule']
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.security_group_rules_client.delete_security_group_rule,
+ sec_group_rule['id'])
+ return sec_group_rule
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_security_group")
+ @decorators.idempotent_id('db7003ce-5717-4e5b-afc7-befa35e8c67f')
+ def test_create_security_group(self):
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_security_group()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_security_group")
+ @decorators.idempotent_id('56335e77-aef2-4b54-86c7-7f772034b585')
+ def test_show_security_groups(self):
+
+ try:
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.security_groups_client.show_security_group(
+ self.secgroup['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_security_group")
+ @decorators.idempotent_id('0b1330fd-dd28-40f3-ad73-966052e4b3de')
+ def test_delete_security_group(self):
+
+ # Create a security group
+ secgroup_id = self._create_security_group()['id']
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.security_groups_client.delete_security_group(secgroup_id)
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_security_group")
+ @decorators.idempotent_id('56c5e4dc-f8aa-11e6-bc64-92361f002671')
+ def test_update_security_group(self):
+
+ # Create a security group
+ secgroup_id = self._create_security_group()['id']
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.security_groups_client.update_security_group(
+ secgroup_id,
+ description="test description")
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_security_groups")
+ @decorators.idempotent_id('fbaf8d96-ed3e-49af-b24c-5fb44f05bbb7')
+ def test_list_security_groups(self):
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.security_groups_client.list_security_groups()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_security_group_rule")
+ @decorators.idempotent_id('953d78df-00cd-416f-9cbd-b7cb4ea65772')
+ def test_create_security_group_rule(self):
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_security_group_rule()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_security_group_rule")
+ @decorators.idempotent_id('2262539e-b7d9-438c-acf9-a5ce0613be28')
+ def test_delete_security_group_rule(self):
+
+ sec_group_rule = self._create_security_group_rule()
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.security_group_rules_client.delete_security_group_rule(
+ sec_group_rule['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_security_group_rule")
+ @decorators.idempotent_id('84b4038c-261e-4a94-90d5-c885739ab0d5')
+ def test_show_security_group_rule(self):
+
+ sec_group_rule = self._create_security_group_rule()
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.security_group_rules_client.show_security_group_rule(
+ sec_group_rule['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_security_group_rules")
+ @decorators.idempotent_id('05739ab6-fa35-11e6-bc64-92361f002671')
+ def test_list_security_group_rules(self):
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.security_group_rules_client.list_security_group_rules()
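Review bot: In `test_show_security_groups` the role switch sits inside the `try`, unlike every other test in this file, so a `NotFound` raised while switching roles (if `switch_role` makes calls that can return 404, which is not visible here) would be re-raised as `RbacActionFailed` and read as a policy denial. Move `self.rbac_utils.switch_role(self, switchToRbacRole=True)` above `try:` so the handler covers only the `show_security_group` call. The log literals in each handler are also joined without a separator (`"...access to the endpoint."` followed by `"This is irregular..."`), which logs `endpoint.This`; add a trailing space to the second fragment here and in the same message in test_subnetpools_rbac.py.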
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
new file mode 100644
index 0000000..ce38aea
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
@@ -0,0 +1,132 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import log
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+from tempest import test
+
+from patrole_tempest_plugin import rbac_exceptions
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+CONF = config.CONF
+LOG = log.getLogger(__name__)
+
+
+class SubnetPoolsRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(SubnetPoolsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('subnet_allocation', 'network'):
+ msg = "subnet_allocation extension not enabled."
+ raise cls.skipException(msg)
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(SubnetPoolsRbacTest, self).tearDown()
+
+ def _create_subnetpool(self, shared=None):
+ post_body = {'name': data_utils.rand_name(self.__class__.__name__),
+ 'min_prefixlen': 24,
+ 'max_prefixlen': 32,
+ 'prefixes': [CONF.network.project_network_cidr]}
+
+ if shared is not None:
+ post_body['shared'] = shared
+
+ body = self.subnetpools_client.create_subnetpool(**post_body)
+ subnetpool = body['subnetpool']
+
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.subnetpools_client.delete_subnetpool,
+ subnetpool['id'])
+
+ return subnetpool
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_subnetpool")
+ @decorators.idempotent_id('1b5509fd-2c32-44a8-a786-1b6ca162dbd1')
+ def test_create_subnetpool(self):
+ """Create subnetpool.
+
+ RBAC test for the neutron create_subnetpool policy
+ """
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_subnetpool()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_subnetpool:shared")
+ @decorators.idempotent_id('cf730989-0d47-40bc-b39a-99e7de484723')
+ def test_create_subnetpool_shared(self):
+ """Create subnetpool shared.
+
+ RBAC test for the neutron create_subnetpool:shared policy
+ """
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_subnetpool(shared=True)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_subnetpool")
+ @decorators.idempotent_id('4f5aee26-0507-4b6d-b44c-3128a25094d2')
+ def test_show_subnetpool(self):
+ """Show subnetpool.
+
+ RBAC test for the neutron get_subnetpool policy
+ """
+ subnetpool = self._create_subnetpool()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.subnetpools_client.show_subnetpool(subnetpool['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_subnetpool")
+ @decorators.idempotent_id('1e79cead-5081-4be2-a4f7-484c0f443b9b')
+ def test_update_subnetpool(self):
+ """Update subnetpool.
+
+ RBAC test for the neutron update_subnetpool policy
+ """
+ subnetpool = self._create_subnetpool()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.subnetpools_client.update_subnetpool(subnetpool['id'],
+ min_prefixlen=24)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_subnetpool")
+ @decorators.idempotent_id('50f5944e-43e5-457b-ab50-fb48a73f0d3e')
+ def test_delete_subnetpool(self):
+ """Delete subnetpool.
+
+ RBAC test for the neutron delete_subnetpool policy
+ """
+ subnetpool = self._create_subnetpool()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.subnetpools_client.delete_subnetpool(subnetpool['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
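Review bot: `test_update_subnetpool` calls `update_subnetpool` with no `NotFound` handling, while `test_show_subnetpool` and `test_delete_subnetpool` in this file, and `test_update_security_group` in the same commit, all translate `NotFound` into `RbacActionFailed`. If Neutron answers an unauthorized update with 404, as the other handlers assume, this test would surface a raw `NotFound` instead of a recorded denial. The update also re-sends `min_prefixlen=24`, the value the pool was created with, so changing a different attribute would make the exercised operation less ambiguous. The handler below mirrors the existing ones, with the missing space in the log message restored.

```python
    def test_update_subnetpool(self):
        # … unchanged: docstring, subnetpool creation …
        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        try:
            self.subnetpools_client.update_subnetpool(subnetpool['id'],
                                                      min_prefixlen=24)
        except exceptions.NotFound as e:
            LOG.info("NotFound exception caught. Exception is thrown when "
                     "role doesn't have access to the endpoint. "
                     "This is irregular and should be fixed.")
            raise rbac_exceptions.RbacActionFailed(e)
```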
diff --git a/patrole_tempest_plugin/tests/api/volume/admin/test_qos_rbac.py b/patrole_tempest_plugin/tests/api/volume/admin/test_qos_rbac.py
index 197cbf6..0d59f77 100644
--- a/patrole_tempest_plugin/tests/api/volume/admin/test_qos_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_qos_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -34,14 +33,14 @@
cls.client = cls.admin_volume_qos_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumeQOSRbacTest, self).tearDown()
@rbac_rule_validation.action(
service="cinder", rule="volume_extension:qos_specs_manage:create")
@decorators.idempotent_id('4f9f45f0-b379-4577-a279-cec3e917cbec')
def test_create_qos_with_consumer(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Create a qos
self.create_test_qos_specs()
@@ -51,7 +50,7 @@
def test_delete_qos_with_consumer(self):
# Create a qos
qos = self.create_test_qos_specs()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Delete a qos
self.client.delete_qos(qos['id'])
@@ -61,7 +60,7 @@
def test_get_qos(self):
# Create a qos
qos = self.create_test_qos_specs()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Get a qos
self.client.show_qos(qos['id'])['qos_specs']
@@ -69,7 +68,7 @@
rule="volume_extension:qos_specs_manage:read")
@decorators.idempotent_id('546b8bb1-04a4-4387-9506-a538a7f3cd6a')
def test_list_qos(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# list all qos
self.client.list_qos()['qos_specs']
@@ -79,7 +78,7 @@
def test_set_qos_key(self):
# Create a qos
qos = self.create_test_qos_specs()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# set key
self.client.set_qos_key(qos['id'], iops_bytes='500')['qos_specs']
@@ -91,7 +90,7 @@
qos = self.create_test_qos_specs()
# Set key
self.client.set_qos_key(qos['id'], iops_bytes='500')['qos_specs']
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Unset key
keys = ['iops_bytes']
self.client.unset_qos_key(qos['id'], keys)
@@ -107,7 +106,7 @@
qos = self.create_test_qos_specs()
# create a test volume-type
vol_type = self.create_volume_type()['id']
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# associate the qos-specs with volume-types
self.client.associate_qos(qos['id'], vol_type)
self.addCleanup(self.client.disassociate_qos, qos['id'], vol_type)
@@ -122,7 +121,7 @@
# associate the qos-specs with volume-types
self.client.associate_qos(qos['id'], vol_type)
self.addCleanup(self.client.disassociate_qos, qos['id'], vol_type)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# get the association of the qos-specs
self.client.show_association_qos(qos['id'])
@@ -137,7 +136,7 @@
self.client.associate_qos(qos['id'], vol_type)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.client.disassociate_qos, qos['id'], vol_type)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# disassociate a volume-type with qos-specs
self.client.disassociate_qos(qos['id'], vol_type)
operation = 'disassociate'
@@ -155,7 +154,7 @@
self.client.associate_qos(qos['id'], vol_type)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.client.disassociate_qos, qos['id'], vol_type)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# disassociate all volume-types from qos-specs
self.client.disassociate_all_qos(qos['id'])
operation = 'disassociate-all'
diff --git a/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py b/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py
index c4bd578..4fd8cd6 100644
--- a/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
QUOTA_KEYS = ['gigabytes', 'snapshots', 'volumes']
@@ -41,14 +40,14 @@
cls.client = cls.os.volume_quotas_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumeQuotasAdminRbacTest, self).tearDown()
@rbac_rule_validation.action(service="cinder",
rule="volume_extension:quotas:show")
@decorators.idempotent_id('b3c7177e-b6b1-4d0f-810a-fc95606964dd')
def test_list_default_quotas(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_default_quota_set(
self.demo_tenant_id)['quota_set']
@@ -60,7 +59,7 @@
'volumes': 11,
'snapshots': 11}
# Update limits for all quota resources
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.update_quota_set(
self.demo_tenant_id,
**new_quota_set)['quota_set']
diff --git a/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py b/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py
index e36d684..468cb61 100644
--- a/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -32,7 +31,7 @@
raise cls.skipException("Cinder backup feature disabled")
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumesBackupsAdminRbacTest, self).tearDown()
@classmethod
@@ -47,7 +46,7 @@
# Create a temp backup
backup = self.create_backup(volume_id=self.volume['id'])
# Export Backup
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.backups_client.export_backup(
backup['id'])['backup-record']
@@ -61,7 +60,7 @@
export_backup = self.backups_client.export_backup(
backup['id'])['backup-record']
# Import the temp backup
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
import_backup = self.backups_client.import_backup(
backup_service=export_backup['backup_service'],
backup_url=export_backup['backup_url'])['backup']
diff --git a/patrole_tempest_plugin/tests/api/volume/rbac_base.py b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
index 67953ee..1cb128e 100644
--- a/patrole_tempest_plugin/tests/api/volume/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
@@ -14,12 +14,14 @@
from tempest.api.volume import base as vol_base
from tempest import config
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
CONF = config.CONF
class BaseVolumeRbacTest(vol_base.BaseVolumeTest):
- credentials = ['primary', 'admin']
+ credentials = ['admin']
@classmethod
def skip_checks(cls):
@@ -27,20 +29,23 @@
if not CONF.rbac.rbac_flag:
raise cls.skipException(
"%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ super(BaseVolumeRbacTest, cls).setup_credentials()
+ cls.os = cls.os_adm
@classmethod
def setup_clients(cls):
super(BaseVolumeRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
cls.admin_client = cls.os_adm.volumes_client
+ cls.rbac_utils = rbac_utils()
class BaseVolumeAdminRbacTest(vol_base.BaseVolumeAdminTest):
- credentials = ['primary', 'admin']
+ credentials = ['admin']
@classmethod
def skip_checks(cls):
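Review bot: With the `tempest_roles` guard removed and `cls.os = cls.os_adm` added in `setup_credentials`, every client in this base class authenticates as admin until a test calls `switch_role`, and nothing in the code records that. If a test omits the switch, or the switch does not take effect, the API call under test would presumably run as admin and satisfy the policy check regardless of the role being evaluated. I would add a comment above the assignment, e.g. `# Clients start as admin; each test must call self.rbac_utils.switch_role(self, switchToRbacRole=True) before the call under test.` The same applies to `BaseVolumeAdminRbacTest.setup_credentials` in the next hunk; `skip_checks` begins outside this hunk.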
@@ -48,12 +53,21 @@
if not CONF.rbac.rbac_flag:
raise cls.skipException(
"%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ super(BaseVolumeAdminRbacTest, cls).setup_credentials()
+ cls.os = cls.os_adm
@classmethod
def setup_clients(cls):
super(BaseVolumeAdminRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
cls.admin_client = cls.os_adm.volumes_client
+ cls.rbac_utils = rbac_utils()
+ version_checker = {
+ 1: [cls.os.volume_hosts_client, cls.os.volume_types_client],
+ 2: [cls.os.volume_hosts_v2_client, cls.os.volume_types_v2_client]
+ }
+ cls.volume_hosts_client, cls.volume_types_client = \
+ version_checker[cls._api_version]
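Review bot: `version_checker[cls._api_version]` raises a bare `KeyError` for any `_api_version` other than 1 or 2. Building the dict also evaluates both the v1 and v2 client attributes on `cls.os` whichever version is in use, so a missing attribute for the unused version would fail class setup. Selecting the clients with an explicit branch reads only the attributes that are needed and gives an unsupported version a clear error. `skip_checks` begins outside this hunk.

```python
        cls.rbac_utils = rbac_utils()
        if cls._api_version == 1:
            cls.volume_hosts_client = cls.os.volume_hosts_client
            cls.volume_types_client = cls.os.volume_types_client
        elif cls._api_version == 2:
            cls.volume_hosts_client = cls.os.volume_hosts_v2_client
            cls.volume_types_client = cls.os.volume_types_v2_client
        else:
            raise ValueError(
                "Unsupported volume API version: %s" % cls._api_version)
```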
diff --git a/patrole_tempest_plugin/tests/api/volume/test_availability_zone_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_availability_zone_rbac.py
index d6426dd..f20d767 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_availability_zone_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_availability_zone_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -31,12 +30,12 @@
cls.client = cls.availability_zone_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(AvailabilityZoneRbacTest, self).tearDown()
@rbac_rule_validation.action(service="cinder",
rule="volume:availability_zone_list")
@decorators.idempotent_id('8cfd920c-4b6c-402d-b6e2-ede86bedc702')
def test_get_availability_zone_list(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_availability_zones()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_extensions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_extensions_rbac.py
index a0ff55f..f952ee5 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_extensions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_extensions_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -26,14 +25,14 @@
class ExtensionsRbacTest(rbac_base.BaseVolumeRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(ExtensionsRbacTest, self).tearDown()
@rbac_rule_validation.action(service="cinder",
rule="volume:list_extensions")
@decorators.idempotent_id('7f2dcc41-e850-493f-a400-82db4e2b50c0')
def test_list_extensions(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.volumes_extension_client.list_extensions()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
index c321400..5b1b560 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -40,7 +39,7 @@
cls.client = cls.os.snapshots_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(SnapshotsActionsRbacTest, self).tearDown()
@classmethod
@@ -59,7 +58,7 @@
def test_reset_snapshot_status(self):
# Reset snapshot status to error
status = 'error'
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.\
reset_snapshot_status(self.snapshot['id'], status)
@@ -73,7 +72,7 @@
# and force delete temp snapshot
temp_snapshot = self.create_snapshot(self.volume['id'])
# Force delete the snapshot
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.force_delete_snapshot(temp_snapshot['id'])
self.client.wait_for_resource_deletion(temp_snapshot['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py
index d650177..e445214 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -32,7 +31,7 @@
raise cls.skipException("Cinder snapshot feature disabled")
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(SnapshotMetadataRbacTest, self).tearDown()
@classmethod
@@ -58,7 +57,7 @@
@decorators.idempotent_id('c9cbec1c-edfe-46b8-825b-7b6ac0a58c25')
def test_create_snapshot_metadata(self):
# Create metadata for the snapshot
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_test_snapshot_metadata()
@rbac_rule_validation.action(service="cinder",
@@ -68,7 +67,7 @@
# Create volume and snapshot metadata
self._create_test_snapshot_metadata()
# Get metadata for the snapshot
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.snapshots_client.show_snapshot_metadata(
self.snapshot_id)
@@ -80,7 +79,7 @@
# Create volume and snapshot metadata
self._create_test_snapshot_metadata()
# Get metadata for the snapshot
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Get the metadata of the snapshot
self.snapshots_client.show_snapshot_metadata(
self.snapshot_id)['metadata']
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index b15eb3f..d8861b1 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -20,7 +20,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -47,7 +46,7 @@
cls.image_client = cls.os.image_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumesActionsRbacTest, self).tearDown()
@classmethod
@@ -72,7 +71,7 @@
@rbac_rule_validation.action(service="cinder", rule="volume:attach")
@decorators.idempotent_id('f97b10e4-2eed-4f8b-8632-71c02cb9fe42')
def test_attach_volume_to_instance(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Attach the volume
self._attach_volume()
@@ -81,14 +80,14 @@
def test_detach_volume_to_instance(self):
# Attach the volume
self._attach_volume()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Detach the volume
self._detach_volume()
@rbac_rule_validation.action(service="cinder", rule="volume:get")
@decorators.idempotent_id('c4c3fdd5-b1b1-49c3-b977-a9f40ee9257a')
def test_get_volume_attachment(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Get attachment
self.client.show_volume(self.volume['id'])
@@ -97,7 +96,7 @@
@decorators.idempotent_id('b0d0da46-903c-4445-893e-20e680d68b50')
def test_volume_upload(self):
image_name = data_utils.rand_name('image')
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
body = self.client.upload_volume(
self.volume['id'], image_name=image_name,
disk_format=CONF.volume.disk_format)['os-volume_upload_image']
@@ -112,7 +111,7 @@
@decorators.idempotent_id('2750717a-f250-4e41-9e09-02624aad6ff8')
def test_volume_readonly_update(self):
volume = self.create_volume()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Update volume readonly
self.client.update_volume_readonly(volume['id'], readonly=True)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
index 4814fa7..2f65f9a 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
@@ -21,7 +21,6 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -31,7 +30,7 @@
class CreateDeleteVolumeRbacTest(rbac_base.BaseVolumeRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(CreateDeleteVolumeRbacTest, self).tearDown()
def _create_volume(self):
@@ -45,7 +44,7 @@
rule="volume:create")
@decorators.idempotent_id('426b08ef-6394-4d06-9128-965d5a6c38ef')
def test_create_volume(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Create a volume
self._create_volume()
@@ -56,7 +55,7 @@
try:
# Create a volume
volume = self._create_volume()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Delete a volume
self.volumes_client.delete_volume(volume['id'])
except exceptions.NotFound as e:
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py
new file mode 100644
index 0000000..45720e6
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_hosts_rbac.py
@@ -0,0 +1,33 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+
+class VolumeHostsAdminRbacTest(rbac_base.BaseVolumeAdminRbacTest):
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumeHostsAdminRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:hosts")
+ @decorators.idempotent_id('64e837f5-5452-4e26-b934-c721ea7a8644')
+ def test_list_hosts(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volume_hosts_client.list_hosts()
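Review bot: The `tearDown` of `VolumeHostsAdminRbacTest` repeats the same two lines carried by every other volume RBAC test class touched in this commit. It also calls `switch_role` before `super(...).tearDown()`, so an exception while restoring the admin role would skip the parent teardown. Now that the helper is reached through `self.rbac_utils`, the restore could be defined once on the base class in `rbac_base` (not visible here) instead of per test class. `test_list_hosts` would also benefit from a one-line docstring such as `"""Check the volume_extension:hosts policy via list_hosts."""`.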
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
index 234865c..a90fadc 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -33,7 +32,7 @@
cls.client = cls.os.volumes_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumeMetadataRbacTest, self).tearDown()
def _add_metadata(self, volume):
@@ -50,7 +49,7 @@
@decorators.idempotent_id('232bbb8b-4c29-44dc-9077-b1398c20b738')
def test_create_volume_metadata(self):
volume = self.create_volume()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._add_metadata(volume)
@rbac_rule_validation.action(service="cinder",
@@ -59,7 +58,7 @@
def test_get_volume_metadata(self):
volume = self.create_volume()
self._add_metadata(volume)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.volumes_client.show_volume_metadata(volume['id'])['metadata']
@rbac_rule_validation.action(service="cinder",
@@ -68,7 +67,7 @@
def test_delete_volume_metadata(self):
volume = self.create_volume()
self._add_metadata(volume)
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.volumes_client.delete_volume_metadata_item(volume['id'],
"key1")
@@ -80,7 +79,7 @@
self._add_metadata(volume)
# Metadata to update
update_item = {"key3": "value3_update"}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.volumes_client.update_volume_metadata_item(
volume['id'], "key3", update_item)['meta']
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
index 485844f..885ab8b 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -27,7 +26,7 @@
class VolumesTransfersRbacTest(rbac_base.BaseVolumeRbacTest):
- credentials = ['primary', 'alt', 'admin']
+ credentials = ['alt', 'admin']
@classmethod
def setup_clients(cls):
@@ -37,7 +36,7 @@
cls.alt_tenant_id = cls.alt_client.tenant_id
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumesTransfersRbacTest, self).tearDown()
@classmethod
@@ -64,7 +63,7 @@
rule="volume:create_transfer")
@decorators.idempotent_id('25413af4-468d-48ff-94ca-4436f8526b3e')
def test_create_volume_transfer(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_transfer()
@rbac_rule_validation.action(service="cinder",
@@ -72,14 +71,14 @@
@decorators.idempotent_id('7a0925d3-ed97-4c25-8299-e5cdabe2eb55')
def test_get_volume_transfer(self):
transfer = self._create_transfer()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_volume_transfer(transfer['id'])
@rbac_rule_validation.action(service="cinder",
rule="volume:get_all_transfers")
@decorators.idempotent_id('02a06f2b-5040-49e2-b2b7-619a7db59603')
def test_list_volume_transfers(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_volume_transfers()
@rbac_rule_validation.action(service="cinder",
@@ -87,7 +86,7 @@
@decorators.idempotent_id('987f2a11-d657-4984-a6c9-28f06c1cd014')
def test_accept_volume_transfer(self):
transfer = self._create_transfer()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.accept_volume_transfer(transfer['id'],
auth_key=transfer['auth_key'])
@@ -96,7 +95,7 @@
@decorators.idempotent_id('4672187e-7fff-454b-832a-5c8865dda868')
def test_delete_volume_transfer(self):
transfer = self._create_transfer()
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.delete_volume_transfer(transfer['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
new file mode 100644
index 0000000..0e9d2c3
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
@@ -0,0 +1,40 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumeTypesExtraSpecsAdminRbacTest(rbac_base.BaseVolumeAdminRbacTest):
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumeTypesExtraSpecsAdminRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ @decorators.idempotent_id('eea40251-990b-49b0-99ae-10e4585b479b')
+ def test_volume_type_extra_specs_list(self):
+ vol_type = self.create_volume_type()
+ # List Volume types extra specs.
+ extra_specs = {"spec1": "val1"}
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volume_types_client.create_volume_type_extra_specs(
+ vol_type['id'], extra_specs)
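Review bot: `test_volume_type_extra_specs_list` and its `# List Volume types extra specs.` comment describe a list operation, but the call made under the RBAC role is `create_volume_type_extra_specs`, so the test name and the exercised API disagree. If create is what is meant, rename it to `def test_volume_type_extra_specs_create(self):` and fix the comment. If listing is the intent, create the extra specs before `switch_role` and call the client's list method after it. `from tempest import config` and `CONF = config.CONF` are not used anywhere in this new file and can be dropped.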
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
index 32a1566..8fb1c67 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -34,7 +33,7 @@
raise cls.skipException("Cinder backup feature disabled")
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumesBackupsRbacTest, self).tearDown()
def create_backup(self, volume_id):
@@ -56,7 +55,7 @@
rule="backup:create")
@decorators.idempotent_id('6887ec94-0bcf-4ab7-b30f-3808a4b5a2a5')
def test_volume_backup_create(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.create_backup(volume_id=self.volume['id'])
@rbac_rule_validation.action(service="cinder",
@@ -66,14 +65,14 @@
# Create a temp backup
backup = self.create_backup(volume_id=self.volume['id'])
# Get a given backup
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.backups_client.show_backup(backup['id'])
@rbac_rule_validation.action(service="cinder",
rule="backup:get_all")
@decorators.idempotent_id('4d18f0f0-7e01-4007-b622-dedc859b22f6')
def test_volume_backup_list(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.backups_client.list_backups()
@rbac_rule_validation.action(service="cinder",
@@ -83,7 +82,7 @@
# Create a temp backup
backup = self.create_backup(volume_id=self.volume['id'])
# Restore backup
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.backups_client.restore_backup(backup['id'])['restore']
@rbac_rule_validation.action(service="cinder",
@@ -92,7 +91,7 @@
def test_volume_backup_delete(self):
# Create a temp backup
backup = self.create_backup(volume_id=self.volume['id'])
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Delete backup
self.backups_client.delete_backup(backup['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_extend_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_extend_rbac.py
index 87e98e2..8fccb47 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_extend_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_extend_rbac.py
@@ -18,7 +18,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -27,7 +26,7 @@
class VolumesExtendRbacTest(rbac_base.BaseVolumeRbacTest):
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumesExtendRbacTest, self).tearDown()
@classmethod
@@ -41,7 +40,7 @@
def test_volume_extend(self):
# Extend volume test
extend_size = int(self.volume['size']) + 1
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.volumes_client.extend_volume(self.volume['id'],
new_size=extend_size)
waiters.wait_for_volume_status(self.volumes_client, self.volume['id'],
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py
index 90e238c..cd37d1c 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -31,7 +30,7 @@
cls.client = cls.os.volumes_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumesListRbacTest, self).tearDown()
@rbac_rule_validation.action(service="cinder",
@@ -39,7 +38,7 @@
@decorators.idempotent_id('e3ab7906-b04b-4c45-aa11-1104d302f940')
def test_volume_list(self):
# Get a list of Volumes
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_volumes()
@rbac_rule_validation.action(
@@ -48,7 +47,7 @@
@decorators.idempotent_id('3d48ca91-f02b-4616-a69d-4a8b296c8529')
def test_volume_list_image_metadata(self):
# Get a list of Volumes
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_volumes(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
index 093e2bc..71401f3 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
@@ -19,7 +19,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -34,7 +33,7 @@
cls.client = cls.volumes_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumesRbacTest, self).tearDown()
@rbac_rule_validation.action(
@@ -44,7 +43,7 @@
def test_volume_reset_status(self):
volume = self.create_volume()
# Test volume reset status : available->error->available
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.reset_volume_status(volume['id'], status='error')
self.client.reset_volume_status(volume['id'], status='available')
@@ -56,7 +55,7 @@
volume = self.create_volume()
self.client.reset_volume_status(volume['id'], status='error')
# Test force delete when status of volume is error
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.force_delete_volume(volume['id'])
self.client.wait_for_resource_deletion(volume['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
index 2fb8885..c6e7417 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
@@ -31,7 +30,7 @@
cls.client = cls.snapshots_client
def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=False)
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumesSnapshotRbacTest, self).tearDown()
@classmethod
@@ -66,7 +65,7 @@
@decorators.idempotent_id('ac7b2ee5-fbc0-4360-afc2-de8fa4881ede')
def test_snapshot_create(self):
# Create a temp snapshot
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.create_snapshot(self.volume['id'])
@rbac_rule_validation.action(service="cinder",
@@ -74,7 +73,7 @@
@decorators.idempotent_id('93a11b40-1ba8-44d6-a196-f8d97220f796')
def test_snapshot_get(self):
# Get the snapshot
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_snapshot(self.snapshot
['id'])['snapshot']
@@ -85,7 +84,7 @@
new_desc = 'This is the new description of snapshot.'
params = {self.descrip_field: new_desc}
# Updates snapshot with new values
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.update_snapshot(
self.snapshot['id'], **params)['snapshot']
@@ -96,7 +95,7 @@
"""list snapshots with params."""
# Verify list snapshots by display_name filter
params = {self.name_field: self.snapshot[self.name_field]}
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._list_by_param_values(params)
@rbac_rule_validation.action(service="cinder",
@@ -105,7 +104,7 @@
def test_snapshot_delete(self):
# Create a temp snapshot
temp_snapshot = self.create_snapshot(self.volume['id'])
- rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
# Delete the snapshot
self.client.delete_snapshot(temp_snapshot['id'])
diff --git a/tests/__init__.py b/patrole_tempest_plugin/tests/unit/__init__.py
similarity index 100%
rename from tests/__init__.py
rename to patrole_tempest_plugin/tests/unit/__init__.py
diff --git a/tests/base.py b/patrole_tempest_plugin/tests/unit/base.py
similarity index 100%
rename from tests/base.py
rename to patrole_tempest_plugin/tests/unit/base.py
diff --git a/tests/resources/admin_rbac_policy.json b/patrole_tempest_plugin/tests/unit/resources/admin_rbac_policy.json
similarity index 100%
rename from tests/resources/admin_rbac_policy.json
rename to patrole_tempest_plugin/tests/unit/resources/admin_rbac_policy.json
diff --git a/tests/resources/alt_admin_rbac_policy.json b/patrole_tempest_plugin/tests/unit/resources/alt_admin_rbac_policy.json
similarity index 100%
rename from tests/resources/alt_admin_rbac_policy.json
rename to patrole_tempest_plugin/tests/unit/resources/alt_admin_rbac_policy.json
diff --git a/tests/resources/custom_rbac_policy.json b/patrole_tempest_plugin/tests/unit/resources/custom_rbac_policy.json
similarity index 100%
rename from tests/resources/custom_rbac_policy.json
rename to patrole_tempest_plugin/tests/unit/resources/custom_rbac_policy.json
diff --git a/patrole_tempest_plugin/tests/unit/resources/tenant_rbac_policy.json b/patrole_tempest_plugin/tests/unit/resources/tenant_rbac_policy.json
new file mode 100644
index 0000000..ea65c88
--- /dev/null
+++ b/patrole_tempest_plugin/tests/unit/resources/tenant_rbac_policy.json
@@ -0,0 +1,8 @@
+{
+ "rule1": "tenant_id:%(network:tenant_id)s",
+ "rule2": "tenant_id:%(tenant_id)s",
+ "rule3": "project_id:%(project_id)s",
+ "rule4": "user_id:%(user_id)s",
+ "admin_tenant_rule": "role:admin and tenant_id:%(tenant_id)s",
+ "admin_user_rule": "role:admin and user_id:%(user_id)s"
+}
\ No newline at end of file
diff --git a/tests/test_patrole.py b/patrole_tempest_plugin/tests/unit/test_patrole.py
similarity index 93%
rename from tests/test_patrole.py
rename to patrole_tempest_plugin/tests/unit/test_patrole.py
index d374e20..58aff05 100644
--- a/tests/test_patrole.py
+++ b/patrole_tempest_plugin/tests/unit/test_patrole.py
@@ -20,7 +20,7 @@
Tests for `patrole` module.
"""
-from tests import base
+from patrole_tempest_plugin.tests.unit import base
class TestPatrole(base.TestCase):
diff --git a/tests/test_rbac_role_converter.py b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
similarity index 69%
rename from tests/test_rbac_role_converter.py
rename to patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
index 09fa081..35aaa82 100644
--- a/tests/test_rbac_role_converter.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
@@ -19,7 +19,7 @@
from tempest import config
from tempest.tests import base
-from patrole_tempest_plugin import rbac_role_converter
+from patrole_tempest_plugin import rbac_policy_parser
CONF = config.CONF
@@ -43,13 +43,15 @@
'resources',
'tenant_rbac_policy.json')
- @mock.patch.object(rbac_role_converter, 'LOG', autospec=True)
+ @mock.patch.object(rbac_policy_parser, 'LOG', autospec=True)
def test_custom_policy(self, m_log):
default_roles = ['zero', 'one', 'two', 'three', 'four',
'five', 'six', 'seven', 'eight', 'nine']
- converter = rbac_role_converter.RbacPolicyConverter(
- None, "test", self.custom_policy_file)
+ test_tenant_id = mock.sentinel.tenant_id
+ test_user_id = mock.sentinel.user_id
+ converter = rbac_policy_parser.RbacPolicyParser(
+ test_tenant_id, test_user_id, "test", self.custom_policy_file)
expected = {
'policy_action_1': ['two', 'four', 'six', 'eight'],
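Review bot: The local is still named `converter` although the class is now `RbacPolicyParser`; `parser = rbac_policy_parser.RbacPolicyParser(` would keep the tests consistent with the rename. The two sentinel assignments (`test_tenant_id`, `test_user_id`) are repeated verbatim in the following hunks for `test_admin_policy_file_with_admin_role`, `test_admin_policy_file_with_member_role` and `test_admin_policy_file_with_context_is_admin`. They could be passed directly as `mock.sentinel.tenant_id, mock.sentinel.user_id` or set once in `setUp`. `test_custom_policy` continues outside this hunk.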
@@ -76,8 +78,10 @@
self.assertFalse(converter.allowed(rule, role))
def test_admin_policy_file_with_admin_role(self):
- converter = rbac_role_converter.RbacPolicyConverter(
- None, "test", self.admin_policy_file)
+ test_tenant_id = mock.sentinel.tenant_id
+ test_user_id = mock.sentinel.user_id
+ converter = rbac_policy_parser.RbacPolicyParser(
+ test_tenant_id, test_user_id, "test", self.admin_policy_file)
role = 'admin'
allowed_rules = [
@@ -94,8 +98,10 @@
self.assertFalse(allowed)
def test_admin_policy_file_with_member_role(self):
- converter = rbac_role_converter.RbacPolicyConverter(
- None, "test", self.admin_policy_file)
+ test_tenant_id = mock.sentinel.tenant_id
+ test_user_id = mock.sentinel.user_id
+ converter = rbac_policy_parser.RbacPolicyParser(
+ test_tenant_id, test_user_id, "test", self.admin_policy_file)
role = 'Member'
allowed_rules = [
@@ -113,8 +119,10 @@
self.assertFalse(allowed)
def test_admin_policy_file_with_context_is_admin(self):
- converter = rbac_role_converter.RbacPolicyConverter(
- None, "test", self.alt_admin_policy_file)
+ test_tenant_id = mock.sentinel.tenant_id
+ test_user_id = mock.sentinel.user_id
+ converter = rbac_policy_parser.RbacPolicyParser(
+ test_tenant_id, test_user_id, "test", self.alt_admin_policy_file)
role = 'fake_admin'
allowed_rules = ['non_admin_rule']
@@ -140,43 +148,58 @@
allowed = converter.allowed(rule, role)
self.assertFalse(allowed)
- def test_tenant_policy(self):
- """Test whether rules with format tenant_id:%(tenant_id)s work.
+ def test_tenant_user_policy(self):
+ """Test whether rules with format tenant_id/user_id formatting work.
Test whether Neutron rules that contain project_id, tenant_id, and
- network:tenant_id pass.
+ network:tenant_id pass. And test whether Nova rules that contain
+ user_id pass.
"""
test_tenant_id = mock.sentinel.tenant_id
- converter = rbac_role_converter.RbacPolicyConverter(
- test_tenant_id, "test", self.tenant_policy_file)
+ test_user_id = mock.sentinel.user_id
+ converter = rbac_policy_parser.RbacPolicyParser(
+ test_tenant_id, test_user_id, "test", self.tenant_policy_file)
# Check whether Member role can perform expected actions.
- allowed_rules = ['rule1', 'rule2', 'rule3']
+ allowed_rules = ['rule1', 'rule2', 'rule3', 'rule4']
for rule in allowed_rules:
allowed = converter.allowed(rule, 'Member')
self.assertTrue(allowed)
- self.assertFalse(converter.allowed('admin_rule', 'Member'))
+
+ disallowed_rules = ['admin_tenant_rule', 'admin_user_rule']
+ for disallowed_rule in disallowed_rules:
+ self.assertFalse(converter.allowed(disallowed_rule, 'Member'))
# Check whether admin role can perform expected actions.
- allowed_rules.append('admin_rule')
+ allowed_rules.extend(disallowed_rules)
for rule in allowed_rules:
allowed = converter.allowed(rule, 'admin')
self.assertTrue(allowed)
# Check whether _try_rule is called with the correct target dictionary.
- with mock.patch.object(converter, '_try_rule', autospec=True) \
+ with mock.patch.object(
+ converter, '_try_rule', return_value=True, autospec=True) \
as mock_try_rule:
- mock_try_rule.return_value = True
expected_target = {
- "project_id": test_tenant_id,
- "tenant_id": test_tenant_id,
- "network:tenant_id": test_tenant_id
+ "project_id": mock.sentinel.tenant_id,
+ "tenant_id": mock.sentinel.tenant_id,
+ "network:tenant_id": mock.sentinel.tenant_id,
+ "user_id": mock.sentinel.user_id
+ }
+
+ expected_access_data = {
+ "roles": ['Member'],
+ "is_admin": False,
+ "is_admin_project": True,
+ "user_id": mock.sentinel.user_id,
+ "tenant_id": mock.sentinel.tenant_id,
+ "project_id": mock.sentinel.tenant_id
}
for rule in allowed_rules:
allowed = converter.allowed(rule, 'Member')
self.assertTrue(allowed)
mock_try_rule.assert_called_once_with(
- rule, expected_target, mock.ANY, mock.ANY)
+ rule, expected_target, expected_access_data, mock.ANY)
mock_try_rule.reset_mock()
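Review bot: The assertions for `rule1` to `rule4` can only pass on identity, because `expected_target` and `expected_access_data` are filled from the same `mock.sentinel.tenant_id` and `mock.sentinel.user_id` that are handed to `RbacPolicyParser`. Nothing in this test shows an ownership rule being denied when the ids differ. If the parser's interface offers no way to build such a case, record the limitation in the test, e.g. `# NOTE: target and credentials share the same ids, so ownership rules always match here; mismatched ids are not covered.` In the mocked block the loop now also includes `admin_tenant_rule` and `admin_user_rule` with role `'Member'` and asserts True, which holds only because `_try_rule` is patched to return True. A short comment there would stop it being read as an authorization result.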
diff --git a/tests/test_rbac_rule_validation.py b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
similarity index 100%
rename from tests/test_rbac_rule_validation.py
rename to patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
new file mode 100644
index 0000000..add1770
--- /dev/null
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
@@ -0,0 +1,155 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import mock
+
+from tempest import config
+from tempest.lib import exceptions as lib_exc
+from tempest.tests import base
+
+from patrole_tempest_plugin import rbac_exceptions
+from patrole_tempest_plugin import rbac_utils
+
+CONF = config.CONF
+
+
+class RBACUtilsTest(base.TestCase):
+
+ @mock.patch.object(rbac_utils, 'time', autospec=True)
+ def setUp(self, _):
+ super(RBACUtilsTest, self).setUp()
+ self.mock_creds_provider = mock.patch.object(
+ rbac_utils, 'credentials_factory', autospec=True).start()
+
+ available_roles = {
+ 'roles': [
+ {'name': 'admin', 'id': 'admin_id'},
+ {'name': 'Member', 'id': 'member_id'}
+ ]
+ }
+ self.mock_creds_provider.get_credentials_provider.return_value.\
+ creds_client.roles_client.list_roles.return_value = \
+ available_roles
+ self.addCleanup(mock.patch.stopall)
+
+ CONF.set_override('rbac_test_role', 'Member', group='rbac',
+ enforce_type=True)
+ self.addCleanup(CONF.clear_override, 'rbac_test_role', group='rbac')
+
+ # Because rbac_utils is a singleton, reset all of its role-related
+ # parameters to the correct values for each test run.
+ self.rbac_utils = rbac_utils.rbac_utils()
+ self.rbac_utils.available_roles = available_roles
+ self.rbac_utils.admin_role_id = 'admin_id'
+ self.rbac_utils.rbac_role_id = 'member_id'
+
+ def test_initialization_with_missing_admin_role(self):
+ self.rbac_utils.admin_role_id = None
+ e = self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
+ self.rbac_utils.switch_role, None)
+ self.assertIn("Defined 'rbac_role' or 'admin' role does not exist"
+ " in the system.", e.__str__())
+
+ def test_initialization_with_missing_rbac_role(self):
+ self.rbac_utils.rbac_role_id = None
+ e = self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
+ self.rbac_utils.switch_role, None)
+ self.assertIn("Defined 'rbac_role' or 'admin' role does not exist"
+ " in the system.", e.__str__())
+
+ def test_clear_user_roles(self):
+ self.rbac_utils.creds_client = mock.Mock()
+ creds_client = self.rbac_utils.creds_client
+ creds_client.roles_client.list_user_roles_on_project.return_value = {
+ 'roles': [{'id': 'admin_id'}, {'id': 'member_id'}]
+ }
+
+ self.rbac_utils._clear_user_roles(mock.sentinel.user_id,
+ mock.sentinel.project_id)
+
+ creds_client.roles_client.list_user_roles_on_project.\
+ assert_called_once_with(mock.sentinel.project_id,
+ mock.sentinel.user_id)
+ creds_client.roles_client.delete_role_from_user_on_project.\
+ assert_has_calls([
+ mock.call(mock.sentinel.project_id, mock.sentinel.user_id,
+ 'admin_id'),
+ mock.call(mock.sentinel.project_id, mock.sentinel.user_id,
+ 'member_id'),
+ ])
+
+ @mock.patch.object(rbac_utils.rbac_utils, '_clear_user_roles',
+ autospec=True)
+ def test_rbac_utils_switch_role_to_admin(self, mock_clear_user_roles):
+ mock_test_object = mock.Mock()
+ mock_test_object.auth_provider.credentials.user_id = \
+ mock.sentinel.user_id
+ mock_test_object.auth_provider.credentials.tenant_id = \
+ mock.sentinel.project_id
+
+ self.rbac_utils.creds_client = mock.Mock()
+ creds_client = self.rbac_utils.creds_client
+
+ self.rbac_utils.switch_role(mock_test_object, False)
+
+ creds_client.roles_client.create_user_role_on_project.\
+ assert_called_once_with(mock.sentinel.project_id,
+ mock.sentinel.user_id,
+ 'admin_id')
+ mock_clear_user_roles.assert_called_once_with(
+ self.rbac_utils, mock.sentinel.user_id, mock.sentinel.project_id)
+ mock_test_object.auth_provider.clear_auth.assert_called_once_with()
+ mock_test_object.auth_provider.set_auth.assert_called_once_with()
+
+ @mock.patch.object(rbac_utils.rbac_utils, '_clear_user_roles',
+ autospec=True)
+ def test_rbac_utils_switch_role_to_rbac_role(self, mock_clear_user_roles):
+ mock_test_object = mock.Mock()
+ mock_test_object.auth_provider.credentials.user_id = \
+ mock.sentinel.user_id
+ mock_test_object.auth_provider.credentials.tenant_id = \
+ mock.sentinel.project_id
+
+ self.rbac_utils.creds_client = mock.Mock()
+ creds_client = self.rbac_utils.creds_client
+
+ self.rbac_utils.switch_role(mock_test_object, True)
+
+ creds_client.roles_client.create_user_role_on_project.\
+ assert_called_once_with(mock.sentinel.project_id,
+ mock.sentinel.user_id,
+ 'member_id')
+ mock_clear_user_roles.assert_called_once_with(
+ self.rbac_utils, mock.sentinel.user_id, mock.sentinel.project_id)
+ mock_test_object.auth_provider.clear_auth.assert_called_once_with()
+ mock_test_object.auth_provider.set_auth.assert_called_once_with()
+
+ def test_rbac_utils_switch_roles_with_invalid_value(self):
+ e = self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
+ self.rbac_utils.switch_role, None)
+ self.assertIn("Wrong value for parameter 'switchToRbacRole' is passed."
+ " It should be either 'True' or 'False'.", e.__str__())
+
+ @mock.patch.object(rbac_utils.rbac_utils, '_clear_user_roles',
+ autospec=True)
+ def test_rbac_utils_switch_role_except_exception(self,
+ mock_clear_user_roles):
+ self.rbac_utils.creds_client = mock.Mock()
+ creds_client = self.rbac_utils.creds_client
+ creds_client.roles_client.create_user_role_on_project.side_effect =\
+ lib_exc.NotFound
+
+ self.assertRaises(lib_exc.NotFound, self.rbac_utils.switch_role,
+ mock.Mock(), True)
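Review bot: `setUp` notes that `rbac_utils` is a singleton and resets `available_roles`, `admin_role_id` and `rbac_role_id`, but `creds_client` is replaced with a `mock.Mock()` inside four tests and never reset. If the instance really is shared, that mock stays on it for whichever test runs next. Assigning `self.rbac_utils.creds_client = mock.Mock()` in `setUp` gives each test a fresh one and removes the repeated lines. The `time` patch decorates `setUp` only, so it is not active when the tests call `switch_role`. If that method sleeps (not visible here), start the patch with `mock.patch.object(rbac_utils, 'time', autospec=True).start()` next to the `credentials_factory` patch, and prefer `str(e)` over `e.__str__()`.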
diff --git a/test-requirements.txt b/test-requirements.txt
index dddb31f..7c97fa7 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -2,12 +2,14 @@
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
hacking>=0.12.0,!=0.13.0,<0.14 # Apache-2.0
-# needed for doc build
+
sphinx>=1.2.1,!=1.3b1,<1.4 # BSD
oslosphinx>=4.7.0 # Apache-2.0
reno>=1.8.0 # Apache-2.0
mock>=2.0 # BSD
coverage>=4.0 # Apache-2.0
+nose # LGPL
+nosexcover # BSD
oslotest>=1.10.0 # Apache-2.0
oslo.policy>=1.17.0 # Apache-2.0
oslo.log>=3.11.0 # Apache-2.0
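Review bot: The two added lines, `nose # LGPL` and `nosexcover # BSD`, carry no version specifier, while every other entry in this file has at least a lower bound. An unbounded requirement installs whatever release the package index serves at install time, so the coverage job is not reproducible and picks up any future release of either package without review. I would give both a lower bound matching the versions the job was validated against, e.g. `nose>=<MIN_VERSION> # LGPL` (placeholder, not a real version). The hunk also replaces `# needed for doc build` with a blank line, which drops the only explanation of why `sphinx` and `oslosphinx` are listed here.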
diff --git a/test-whitelist.txt b/test-whitelist.txt
new file mode 100644
index 0000000..162992a
--- /dev/null
+++ b/test-whitelist.txt
@@ -0,0 +1 @@
+patrole_tempest_plugin.tests.unit.test*
diff --git a/tests/resources/tenant_rbac_policy.json b/tests/resources/tenant_rbac_policy.json
deleted file mode 100644
index 2647e4d..0000000
--- a/tests/resources/tenant_rbac_policy.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "rule1": "tenant_id:%(network:tenant_id)s",
- "rule2": "tenant_id:%(tenant_id)s",
- "rule3": "project_id:%(project_id)s",
- "admin_rule": "role:admin and tenant_id:%(tenant_id)s"
-}
\ No newline at end of file
diff --git a/tests/test_rbac_utils.py b/tests/test_rbac_utils.py
deleted file mode 100644
index 3c645f8..0000000
--- a/tests/test_rbac_utils.py
+++ /dev/null
@@ -1,199 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import json
-import mock
-
-from tempest.tests import base
-
-from patrole_tempest_plugin import rbac_exceptions
-from patrole_tempest_plugin import rbac_utils as utils
-
-
-class RBACUtilsTest(base.TestCase):
- def setUp(self):
- super(RBACUtilsTest, self).setUp()
- self.rbac_utils = utils.RbacUtils
-
- get_response = 200
- put_response = 204
- delete_response = 204
- response_data = json.dumps({"roles": []})
-
- def _response_side_effect(self, action, *args, **kwargs):
- response = mock.MagicMock()
- if action == "GET":
- response.status = self.get_response
- response.data = self.response_data
- if action == "PUT":
- response.status = self.put_response
- if action == "DELETE":
- response.status = self.delete_response
- return response
-
- @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
- @mock.patch('patrole_tempest_plugin.rbac_utils.http')
- def test_RBAC_utils_get_roles(self, http, config):
- self.rbac_utils.dictionary = {}
-
- caller = mock.Mock()
- caller.admin_client.token = "test_token"
-
- http.request.side_effect = self._response_side_effect
-
- self.assertEqual({'admin_role_id': None, 'rbac_role_id': None},
- self.rbac_utils.get_roles(caller))
-
- @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
- @mock.patch('patrole_tempest_plugin.rbac_utils.http')
- def test_RBAC_utils_get_roles_member(self, http, config):
- self.rbac_utils.dictionary = {}
-
- caller = mock.Mock()
- caller.admin_client.token = "test_token"
-
- self.response_data = json.dumps({'roles': [{'name': '_member_',
- 'id': '_member_id'}]})
- http.request.side_effect = self._response_side_effect
-
- config.rbac.rbac_test_role = '_member_'
-
- self.assertEqual({'admin_role_id': None,
- 'rbac_role_id': '_member_id'},
- self.rbac_utils.get_roles(caller))
-
- @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
- @mock.patch('patrole_tempest_plugin.rbac_utils.http')
- def test_RBAC_utils_get_roles_admin(self, http, config):
- self.rbac_utils.dictionary = {}
-
- caller = mock.Mock()
- caller.admin_client.token = "test_token"
-
- self.response_data = json.dumps({'roles': [{'name': 'admin',
- 'id': 'admin_id'}]})
-
- http.request.side_effect = self._response_side_effect
-
- config.rbac.rbac_test_role = 'admin'
-
- self.assertEqual({'admin_role_id': 'admin_id',
- 'rbac_role_id': 'admin_id'},
- self.rbac_utils.get_roles(caller))
-
- @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
- @mock.patch('patrole_tempest_plugin.rbac_utils.http')
- def test_RBAC_utils_get_roles_admin_not_role(self, http, config):
- self.rbac_utils.dictionary = {}
-
- caller = mock.Mock()
- caller.admin_client.token = "test_token"
-
- self.response_data = json.dumps(
- {'roles': [{'name': 'admin', 'id': 'admin_id'}]}
- )
- http.request.side_effect = self._response_side_effect
-
- self.assertEqual({'admin_role_id': 'admin_id', 'rbac_role_id': None},
- self.rbac_utils.get_roles(caller))
-
- def test_RBAC_utils_get_existing_roles(self):
- self.rbac_utils.dictionary = {'admin_role_id': None,
- 'rbac_role_id': None}
-
- self.assertEqual({'admin_role_id': None, 'rbac_role_id': None},
- self.rbac_utils.get_roles(None))
-
- @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
- @mock.patch('patrole_tempest_plugin.rbac_utils.http')
- def test_RBAC_utils_get_roles_response_404(self, http, config):
- self.rbac_utils.dictionary = {}
-
- caller = mock.Mock()
- caller.admin_client.token = "test_token"
-
- http.request.side_effect = self._response_side_effect
- self.get_response = 404
-
- self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
- self.rbac_utils.get_roles, caller)
- self.get_response = 200
-
- def test_RBAC_utils_switch_roles_none(self):
- self.assertIsNone(self.rbac_utils.switch_role(None))
-
- @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
- @mock.patch('patrole_tempest_plugin.rbac_utils.RbacUtils.get_roles')
- @mock.patch('patrole_tempest_plugin.rbac_utils.http')
- def test_RBAC_utils_switch_roles_member(self, http,
- get_roles, config):
- get_roles.return_value = {'admin_role_id': None,
- 'rbac_role_id': '_member_id'}
-
- self.auth_provider = mock.Mock()
- self.auth_provider.credentials.user_id = "user_id"
- self.auth_provider.credentials.tenant_id = "tenant_id"
- self.admin_client = mock.Mock()
- self.admin_client.token = "admin_token"
-
- http.request.side_effect = self._response_side_effect
-
- self.assertIsNone(self.rbac_utils.switch_role(self, "_member_"))
-
- @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
- @mock.patch('patrole_tempest_plugin.rbac_utils.RbacUtils.get_roles')
- @mock.patch('patrole_tempest_plugin.rbac_utils.http')
- def test_RBAC_utils_switch_roles_false(self, http,
- get_roles, config):
- get_roles.return_value = {'admin_role_id': None,
- 'rbac_role_id': '_member_id'}
-
- self.auth_provider = mock.Mock()
- self.auth_provider.credentials.user_id = "user_id"
- self.auth_provider.credentials.tenant_id = "tenant_id"
- self.admin_client = mock.Mock()
- self.admin_client.token = "admin_token"
-
- http.request.side_effect = self._response_side_effect
-
- self.assertIsNone(self.rbac_utils.switch_role(self, False))
-
- @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
- @mock.patch('patrole_tempest_plugin.rbac_utils.RbacUtils.get_roles')
- @mock.patch('patrole_tempest_plugin.rbac_utils.http')
- def test_RBAC_utils_switch_roles_get_roles_fails(self, http,
- get_roles, config):
- get_roles.return_value = {'admin_role_id': None,
- 'rbac_role_id': '_member_id'}
-
- self.auth_provider = mock.Mock()
- self.auth_provider.credentials.user_id = "user_id"
- self.auth_provider.credentials.tenant_id = "tenant_id"
- self.admin_client = mock.Mock()
- self.admin_client.token = "admin_token"
-
- self.get_response = 404
-
- self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
- self.rbac_utils.switch_role, self, False)
-
- self.get_response = 200
-
- @mock.patch('patrole_tempest_plugin.rbac_utils.RbacUtils.get_roles')
- def test_RBAC_utils_switch_roles_exception(self, get_roles):
- get_roles.return_value = {'admin_role_id': None,
- 'rbac_role_id': '_member_id'}
- self.assertRaises(AttributeError, self.rbac_utils.switch_role,
- self, "admin")
diff --git a/tox.ini b/tox.ini
index 847adad..b4953e7 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,6 +1,6 @@
[tox]
minversion = 1.6
-envlist = py35,py27,pypy,pep8
+envlist = pep8,py35,py27
skipsdist = True
[testenv]
@@ -9,22 +9,34 @@
setenv =
VIRTUAL_ENV={envdir}
PYTHONWARNINGS=default::DeprecationWarning
-passenv = OS_STDOUT_CAPTURE OS_STDERR_CAPTURE OS_TEST_TIMEOUT OS_TEST_LOCK_PATH OS_TEST_PATH TEMPEST_CONFIG TEMPEST_CONFIG_DIR http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY
-whitelist_externals = *
+passenv = OS_STDOUT_CAPTURE OS_STDERR_CAPTURE OS_TEST_TIMEOUT OS_TEST_LOCK_PATH OS_TEST_PATH http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY
+whitelist_externals = find
deps = -r{toxinidir}/requirements.txt
-r{toxinidir}/test-requirements.txt
commands =
find . -type f -name "*.pyc" -delete
- ostestr {posargs}
+ ostestr {posargs} --whitelist-file test-whitelist.txt
[testenv:pep8]
commands = flake8 {posargs}
+ check-uuid
+
+[testenv:uuidgen]
+commands = check-uuid --fix
[testenv:venv]
commands = {posargs}
[testenv:cover]
-commands = python setup.py test --coverage --testr-args='{posargs}'
+setenv = VIRTUAL_ENV={envdir}
+ NOSE_WITH_COVERAGE=1
+ NOSE_COVER_BRANCHES=1
+ NOSE_COVER_PACKAGE=patrole_tempest_plugin
+ NOSE_COVER_HTML=1
+ NOSE_COVER_HTML_DIR={toxinidir}/cover
+ NOSE_WHERE=patrole_tempest_plugin/tests/unit
+whitelist_externals = nosetests
+commands = nosetests {posargs}
[testenv:docs]
commands = python setup.py build_sphinx
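Review bot: In `[testenv:cover]`, `whitelist_externals = nosetests` looks unnecessary, because this commit adds `nose` to test-requirements.txt and the inherited `deps` should install it into the virtualenv. Whitelisting it only silences tox when `nosetests` resolves to a binary outside the venv, so a coverage run could use a system-wide nose unnoticed; I would drop that line. The new `setenv` in the same section also appears to replace the base `[testenv]` value rather than extend it, which would lose `PYTHONWARNINGS=default::DeprecationWarning` for coverage runs. If that is not intended, start the value with `{[testenv]setenv}` instead of restating `VIRTUAL_ENV={envdir}`.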