Fixes v3 identity tests with policy actions with rule admin_or_owner.
Currently, v3 identity tests like show_user fail because Keystone
only allows a non-admin user to show itself, not any other user.
These v3 identity tests are failing on admin_or_owner policy actions
because Keystone interprets "user_id" as "your own" user_id.
admin_or_owner policy action is defined as "user_id: %(user_id)s",
so any tests with that policy rule are currently failing.
The solution is to not dynamically create users during these tests
and instead pass the current Tempest user_id to these APIs, so
that the tests pass for Member (and not just admin).
Change-Id: I5dc0914c95c51194dfee7c823488c4d346bda884
Partial-Bug: #1670553
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index 66798cd..3ae4c21 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -26,6 +26,10 @@
class IdentityUserV3AdminRbacTest(
rbac_base.BaseIdentityV3RbacAdminTest):
+ def setUp(self):
+ super(IdentityUserV3AdminRbacTest, self).setUp()
+ self.default_user_id = self.auth_provider.credentials.user_id
+
@rbac_rule_validation.action(service="keystone",
rule="identity:create_user")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d904')
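Review bot: The new `setUp` takes the id from `self.auth_provider`, but every call that uses `self.default_user_id` goes through `self.non_admin_users_client`, and nothing in this hunk shows that both are backed by the same credentials. If they differ, Keystone's owner check compares the token's user against the wrong id, and the tests fail for the reason the commit description gives. Assuming the client exposes its auth provider, read the id from it: `self.default_user_id = self.non_admin_users_client.auth_provider.credentials.user_id`. Otherwise, state the assumption in a comment, for example `# Owner checks match the token's own user_id; this must be the user behind non_admin_users_client.`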
@@ -82,16 +86,13 @@
@rbac_rule_validation.action(service="keystone",
rule="identity:get_user")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d908')
- def test_show_user(self):
+ def test_show_own_user(self):
"""Get one user.
RBAC test for Keystone: identity:get_user
"""
- user_name = data_utils.rand_name('test_get_user')
- user = self._create_test_user(name=user_name, password=None)
-
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.show_user(user['id'])
+ self.non_admin_users_client.show_user(self.default_user_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:change_password")
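Review bot: `test_show_own_user` now covers only the owner half of admin_or_owner, so no test visible in this diff has a non-admin request a different user's record. A policy that wrongly lets any authenticated user read other users would still pass this test. A companion test that targets a separately created user and expects a denial for non-admin roles would keep that boundary covered. The docstring still reads `Get one user.` and should say that the caller's own record is fetched, e.g. `"""Get the requesting user's own record.`. The same coverage and docstring points apply to `test_list_own_user_group` and `test_list_own_user_projects` in the next hunk.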
@@ -102,37 +103,33 @@
RBAC test for Keystone: identity:change_password
"""
user_name = data_utils.rand_name('test_change_password')
- user = self._create_test_user(name=user_name, password='nova')
+ original_password = data_utils.rand_password()
+ user = self._create_test_user(name=user_name,
+ password=original_password)
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client \
- .update_user_password(user['id'],
- original_password='nova',
- password='neutron')
+ self.non_admin_users_client.update_user_password(
+ user['id'], original_password=original_password,
+ password=data_utils.rand_password())
@rbac_rule_validation.action(service="keystone",
rule="identity:list_groups_for_user")
@decorators.idempotent_id('bd5946d4-46d2-423d-a800-a3e7aabc18b3')
- def test_list_group_user(self):
+ def test_list_own_user_group(self):
"""Lists groups which a user belongs to.
RBAC test for Keystone: identity:list_groups_for_user
"""
- user_name = data_utils.rand_name('User')
- user = self._create_test_user(name=user_name, password=None)
-
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.list_user_groups(user['id'])
+ self.non_admin_users_client.list_user_groups(self.default_user_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:list_user_projects")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d909')
- def test_list_user_projects(self):
+ def test_list_own_user_projects(self):
"""List User's Projects.
RBAC test for Keystone: identity:list_user_projects
"""
- user = self.setup_test_user()
-
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.list_user_projects(user['id'])
+ self.non_admin_users_client.list_user_projects(self.default_user_id)
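Review bot: The password-change test near the top of this hunk still calls `update_user_password(user['id'], ...)` on a freshly created user, while the other tests were switched to `self.default_user_id`. If `identity:change_password` is also governed by admin_or_owner (its policy rule is not visible here), this test would keep failing for Member for the reason given in the commit description. Targeting the current user instead would change the password of credentials that later tests reuse, so the test would need to restore it or use isolated credentials. If the test is left as is on purpose, add a comment such as `# Still targets another user; owner-only roles are expected to be denied here.` The test's signature and decorators lie outside the hunk.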