Remove admin namespace throughout Patrole - Identity tests
In Tempest, it is meaningful to separate admin and non-admin
tests into different classes and files, because Tempest
must use clients with admin credentials to perform admin-only
API calls, like changing an admin password. More specifically,
Tempest must use the os_adm/os_admin-namespace clients
(instantiated with admin credentials) to perform these tests;
else 403s are thrown.
Patrole, on the other hand, doesn't need to use
os_adm/os_admin-namespace clients, because of the fact that
role-switching is performed to grant the os-namespace
clients sufficient credentials to perform API actions that
require admin credentials during setting up and cleaning up
test resources. Thus, the distinction between admin and
non-admin is not important in Patrole, as role-switching
means that at different points in time the clients have admin
and non-admin credentials.
Thus, all namespaces (files, folders and classes) that contain
"admin" should be renamed, if the non-admin version does not
already exist. If the admin version and non-admin version
tests both exist, then the admin version should be removed and
its tests merged with the non-admin version.
This patch, in addition, adds additional tests to test_rbac_roles:
some identity:check_grant tests were missing. Following tests
were added:
1) Checking user role on domain
2) Checking group role on project
3) Checking group role on domain
Change-Id: Ib82e8b8a0d6c8587fb0b1ce415e751c3ebc3c2f9
Partial-Bug: #1672250
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
index d5c8528..5e5d918 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
@@ -23,26 +23,33 @@
CONF = config.CONF
-class BaseIdentityV2AdminRbacTest(base.BaseIdentityV2AdminTest):
+class BaseIdentityV2RbacTest(base.BaseIdentityV2Test):
credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
- super(BaseIdentityV2AdminRbacTest, cls).skip_checks()
+ super(BaseIdentityV2RbacTest, cls).skip_checks()
if not CONF.rbac.enable_rbac:
raise cls.skipException(
- "%s skipped as RBAC Flag not enabled" % cls.__name__)
+ "%s skipped as RBAC testing not enabled" % cls.__name__)
@classmethod
def setup_clients(cls):
- super(BaseIdentityV2AdminRbacTest, cls).setup_clients()
+ super(BaseIdentityV2RbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
- cls.tenants_client = cls.os.tenants_client
- cls.users_client = cls.os.users_client
+
cls.rbac_utils = rbac_utils()
cls.rbac_utils.switch_role(cls, toggle_rbac_role=False)
+ cls.client = cls.os.identity_client
+ cls.endpoints_client = cls.os.endpoints_client
+ cls.roles_client = cls.os.roles_client
+ cls.services_client = cls.os.identity_services_client
+ cls.tenants_client = cls.os.tenants_client
+ cls.token_client = cls.os.token_client
+ cls.users_client = cls.os.users_client
+
def _create_service(self):
name = data_utils.rand_name('service')
type = data_utils.rand_name('type')
@@ -73,7 +80,7 @@
def _create_tenant(self):
"""Set up a test tenant."""
name = data_utils.rand_name('test_tenant')
- tenant = self.projects_client.create_tenant(
+ tenant = self.tenants_client.create_tenant(
name=name,
description=data_utils.rand_name('desc'))['tenant']
# Delete the tenant at the end of the test
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
index 9364e2f..b8677cf 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
@@ -24,16 +24,16 @@
CONF = config.CONF
-class IdentityEndpointsV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityEndpointsV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
@classmethod
def setup_clients(cls):
- super(IdentityEndpointsV2AdminRbacTest, cls).setup_clients()
+ super(IdentityEndpointsV2RbacTest, cls).setup_clients()
cls.endpoints_client = cls.os.endpoints_client
@classmethod
def resource_setup(cls):
- super(IdentityEndpointsV2AdminRbacTest, cls).resource_setup()
+ super(IdentityEndpointsV2RbacTest, cls).resource_setup()
cls.region = data_utils.rand_name('region')
cls.public_url = data_utils.rand_url()
cls.admin_url = data_utils.rand_url()
@@ -61,7 +61,7 @@
"""Create Endpoint Test
- RBAC test for Identity Admin 2.0 create_endpoint
+ RBAC test for Identity v2 create_endpoint
"""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
@@ -75,7 +75,7 @@
"""Delete Endpoint Test
- RBAC test for Identity Admin 2.0 delete_endpoint
+ RBAC test for Identity v2 delete_endpoint
"""
endpoint = self._create_endpoint()
@@ -90,7 +90,7 @@
"""List Endpoints Test
- RBAC test for Identity Admin 2.0 list_endpoint
+ RBAC test for Identity v2 list_endpoint
"""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
index a120562..6853b64 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -22,7 +22,7 @@
CONF = config.CONF
-class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityProjectV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
@rbac_rule_validation.action(service="keystone",
rule="identity:create_project",
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
index 4196cdd..9dd90e1 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
@@ -24,11 +24,11 @@
CONF = config.CONF
-class IdentityRoleV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityRoleV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
@classmethod
def setup_clients(cls):
- super(IdentityRoleV2AdminRbacTest, cls).setup_clients()
+ super(IdentityRoleV2RbacTest, cls).setup_clients()
cls.roles_client = cls.os.roles_client
def _create_role(self):
@@ -60,7 +60,7 @@
"""Create Role Test
- RBAC test for Identity Admin 2.0 role-create
+ RBAC test for Identity v2 role-create
"""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
@@ -74,7 +74,7 @@
"""Delete Role Test
- RBAC test for Identity Admin 2.0 role-delete
+ RBAC test for Identity v2 delete_role
"""
role = self._create_role()
@@ -89,7 +89,7 @@
"""Get Role Test
- RBAC test for Identity Admin 2.0
+ RBAC test for Identity v2 show_role
"""
role = self._create_role()
@@ -104,7 +104,7 @@
"""List Roles Test
- RBAC test for Identity Admin 2.0 role-list
+ RBAC test for Identity v2 list_roles
"""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.roles_client.list_roles()
@@ -117,7 +117,7 @@
"""Assign User Role Test
- RBAC test for Identity Admin 2.0 create_user_role_on_project
+ RBAC test for Identity v2 create_user_role_on_project
"""
tenant, user, role = self._create_tenant_user_and_role()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
@@ -131,7 +131,7 @@
"""Remove User Roles Test
- RBAC test for Identity Admin 2.0 delete_role_from_user_on_project
+ RBAC test for Identity v2 delete_role_from_user_on_project
"""
tenant, user, role = self._create_tenant_user_and_role()
self._create_role_on_project(tenant, user, role)
@@ -148,7 +148,7 @@
"""List User Roles Test
- RBAC test for Identity Admin 2.0 list_user_roles_on_project
+ RBAC test for Identity v2 list_user_roles_on_project
"""
tenant = self._create_tenant()
user = self._create_user(tenantid=tenant['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
index e9b59be..a371bbc 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
@@ -22,11 +22,11 @@
CONF = config.CONF
-class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityServicesV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
@classmethod
def setup_clients(cls):
- super(IdentityServicesV2AdminRbacTest, cls).setup_clients()
+ super(IdentityServicesV2RbacTest, cls).setup_clients()
cls.services_client = cls.os.identity_services_client
@rbac_rule_validation.action(service="keystone",
@@ -36,7 +36,7 @@
def test_create_service(self):
"""Create Service Test
- RBAC test for Identity Admin 2.0 create_service
+ RBAC test for Identity v2 create_service
"""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_service()
@@ -48,7 +48,7 @@
def test_delete_service(self):
"""Delete Service Test
- RBAC test for Identity Admin 2.0 delete_service
+ RBAC test for Identity v2 delete_service
"""
service_id = self._create_service()['OS-KSADM:service']['id']
@@ -62,7 +62,7 @@
def test_show_service(self):
"""Show Service Test
- RBAC test for Identity Admin 2.0 show_service
+ RBAC test for Identity v2 show_service
"""
service_id = self._create_service()['OS-KSADM:service']['id']
@@ -76,7 +76,7 @@
def test_list_services(self):
"""List all the services
- RBAC test for Identity Admin 2.0 list_service
+ RBAC test for Identity v2 list_service
"""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.services_client.list_services()
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
index 3222b61..48f3d11 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
@@ -20,7 +20,7 @@
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
-class IdentityUserV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityUserV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
@rbac_rule_validation.action(service="keystone",
rule="identity:create_user",
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
index 6a0a309..a1cdf4c 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
@@ -23,20 +23,20 @@
CONF = config.CONF
-class BaseIdentityV3RbacAdminTest(base.BaseIdentityV3AdminTest):
+class BaseIdentityV3RbacTest(base.BaseIdentityV3Test):
credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
- super(BaseIdentityV3RbacAdminTest, cls).skip_checks()
+ super(BaseIdentityV3RbacTest, cls).skip_checks()
if not CONF.rbac.enable_rbac:
raise cls.skipException(
- "%s skipped as RBAC Flag not enabled" % cls.__name__)
+ "%s skipped as RBAC testing not enabled" % cls.__name__)
@classmethod
def setup_clients(cls):
- super(BaseIdentityV3RbacAdminTest, cls).setup_clients()
+ super(BaseIdentityV3RbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
cls.rbac_utils = rbac_utils()
@@ -57,7 +57,7 @@
@classmethod
def resource_setup(cls):
- super(BaseIdentityV3RbacAdminTest, cls).resource_setup()
+ super(BaseIdentityV3RbacTest, cls).resource_setup()
cls.credentials = []
cls.domains = []
cls.endpoints = []
@@ -115,7 +115,7 @@
test_utils.call_and_ignore_notfound_exc(
cls.users_client.delete_user, user['id'])
- super(BaseIdentityV3RbacAdminTest, cls).resource_cleanup()
+ super(BaseIdentityV3RbacTest, cls).resource_cleanup()
@classmethod
def setup_test_credential(cls, user=None):
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
index ad6feaa..42f2c01 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -20,8 +20,7 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityCredentialsV3AdminRbacTest(
- rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
def _create_user_project_and_credential(self):
project = self.setup_test_project()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
index 8c67e5f..eabebb6 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
@@ -20,8 +20,7 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityEndpointsV3AdminRbacTest(
- rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityEndpointsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@rbac_rule_validation.action(service="keystone",
rule="identity:create_endpoint")
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
index 1a96010..3cc71a6 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
@@ -20,7 +20,7 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
def _create_user_and_add_to_new_group(self):
"""Creates a user and adds to a group for test."""
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
index 1032303..f331cff 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
@@ -21,7 +21,7 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityConsumersV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityConsumersV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
def _create_consumer(self):
description = data_utils.rand_name('test_create_consumer')
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
index d60a1ab..8f11e30 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
@@ -20,7 +20,7 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityPoliciesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityPoliciesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@rbac_rule_validation.action(service="keystone",
rule="identity:create_policy")
@@ -34,11 +34,11 @@
@decorators.idempotent_id('9cfed3c6-0b27-4d15-be67-e06e0cfb01b9')
def test_update_policy(self):
policy = self.setup_test_policy()
- new_policy_type = data_utils.rand_name('policy_type')
+ updated_policy_type = data_utils.rand_name('policy_type')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.policies_client.update_policy(policy['id'],
- type=new_policy_type)
+ type=updated_policy_type)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_policy")
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
index 3f65076..325b987 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
@@ -20,8 +20,7 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityProjectV3AdminRbacTest(
- rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityProjectV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@rbac_rule_validation.action(service="keystone",
rule="identity:create_project")
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
index 3eefdc4..b35facd 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
@@ -20,7 +20,7 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityRegionsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityRegionsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@rbac_rule_validation.action(service="keystone",
rule="identity:create_region")
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py
index c683f57..2dd0ff5 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py
@@ -19,12 +19,11 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityRoleAssignmentsV3AdminRbacTest(
- rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityRoleAssignmentsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@classmethod
def setup_clients(cls):
- super(IdentityRoleAssignmentsV3AdminRbacTest, cls).setup_clients()
+ super(IdentityRoleAssignmentsV3RbacTest, cls).setup_clients()
cls.client = cls.role_assignments_client
@decorators.idempotent_id('afe57adb-1b9c-43d9-84a9-f0cf4c94e416')
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
index b033c8e..2676bf9 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
@@ -21,11 +21,11 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityRolesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@classmethod
def resource_setup(cls):
- super(IdentityRolesV3AdminRbacTest, cls).resource_setup()
+ super(IdentityRolesV3RbacTest, cls).resource_setup()
cls.domain = cls.setup_test_domain()
cls.project = cls.setup_test_project()
cls.group = cls.setup_test_group()
@@ -89,6 +89,51 @@
self.role['id'])
@rbac_rule_validation.action(service="keystone",
+ rule="identity:create_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90c')
+ def test_create_group_role_on_project(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.roles_client.create_group_role_on_project(
+ self.project['id'],
+ self.group['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_group_on_project,
+ self.project['id'],
+ self.group['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
+ def test_create_user_role_on_domain(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.roles_client.create_user_role_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d912')
+ def test_create_group_role_on_domain(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.roles_client.create_group_role_on_domain(
+ self.domain['id'],
+ self.group['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_group_on_domain,
+ self.domain['id'],
+ self.group['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
rule="identity:check_grant")
@decorators.idempotent_id('22921b1e-1a33-4026-bff9-f236d6dd149c')
def test_check_user_role_existence_on_project(self):
@@ -108,6 +153,66 @@
self.user['id'],
self.role['id'])
+ @decorators.idempotent_id('92f8e67d-85bf-407d-9814-edd5664abc47')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:check_grant")
+ def test_check_user_role_existence_on_domain(self):
+ self.roles_client.create_user_role_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.roles_client.check_user_role_existence_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @decorators.idempotent_id('8738d3d2-8c84-4423-b36c-7c59eaa08b73')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:check_grant")
+ def test_check_role_from_group_on_project_existence(self):
+ self.roles_client.create_group_role_on_project(
+ self.project['id'],
+ self.group['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_group_on_project,
+ self.project['id'],
+ self.group['id'],
+ self.role['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.roles_client.check_role_from_group_on_project_existence(
+ self.project['id'],
+ self.group['id'],
+ self.role['id'])
+
+ @decorators.idempotent_id('e7d73bd0-cf5e-4c0c-9c93-cf53e23232d6')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:check_grant")
+ def test_check_role_from_group_on_domain_existence(self):
+ self.roles_client.create_group_role_on_domain(
+ self.domain['id'],
+ self.group['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_group_on_domain,
+ self.domain['id'],
+ self.group['id'],
+ self.role['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.roles_client.check_role_from_group_on_domain_existence(
+ self.domain['id'],
+ self.group['id'],
+ self.role['id'])
+
@rbac_rule_validation.action(service="keystone",
rule="identity:revoke_grant")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90a')
@@ -129,30 +234,6 @@
self.role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_grants")
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
- def test_list_user_roles_on_project(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_user_roles_on_project(
- self.project['id'],
- self.user['id'])
-
- @rbac_rule_validation.action(service="keystone",
- rule="identity:create_grant")
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90c')
- def test_create_group_role_on_project(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.create_group_role_on_project(
- self.project['id'],
- self.group['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_group_on_project,
- self.project['id'],
- self.group['id'],
- self.role['id'])
-
- @rbac_rule_validation.action(service="keystone",
rule="identity:revoke_grant")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90d')
def test_delete_role_from_group_on_project(self):
@@ -173,30 +254,6 @@
self.role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_grants")
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90e')
- def test_list_group_roles_on_project(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_group_roles_on_project(
- self.project['id'],
- self.group['id'])
-
- @rbac_rule_validation.action(service="keystone",
- rule="identity:create_grant")
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
- def test_create_user_role_on_domain(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.create_user_role_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_domain,
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
- @rbac_rule_validation.action(service="keystone",
rule="identity:revoke_grant")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d910')
def test_delete_role_from_user_on_domain(self):
@@ -217,30 +274,6 @@
self.role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_grants")
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
- def test_list_user_roles_on_domain(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.list_user_roles_on_domain(
- self.domain['id'],
- self.user['id'])
-
- @rbac_rule_validation.action(service="keystone",
- rule="identity:create_grant")
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d912')
- def test_create_group_role_on_domain(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.roles_client.create_group_role_on_domain(
- self.domain['id'],
- self.group['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_group_on_domain,
- self.domain['id'],
- self.group['id'],
- self.role['id'])
-
- @rbac_rule_validation.action(service="keystone",
rule="identity:revoke_grant")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d913')
def test_delete_role_from_group_on_domain(self):
@@ -262,6 +295,33 @@
@rbac_rule_validation.action(service="keystone",
rule="identity:list_grants")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
+ def test_list_user_roles_on_project(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.roles_client.list_user_roles_on_project(
+ self.project['id'],
+ self.user['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_grants")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90e')
+ def test_list_group_roles_on_project(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.roles_client.list_group_roles_on_project(
+ self.project['id'],
+ self.group['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_grants")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
+ def test_list_user_roles_on_domain(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.roles_client.list_user_roles_on_domain(
+ self.domain['id'],
+ self.user['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_grants")
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d914')
def test_list_group_roles_on_domain(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
index f5bd99b..c02b471 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
@@ -20,7 +20,7 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentitySericesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentitySericesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@rbac_rule_validation.action(service="keystone",
rule="identity:create_service")
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index e61b162..956727b 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -20,12 +20,11 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityUserV3AdminRbacTest(
- rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@classmethod
def resource_setup(cls):
- super(IdentityUserV3AdminRbacTest, cls).resource_setup()
+ super(IdentityUserV3RbacTest, cls).resource_setup()
cls.default_user_id = cls.auth_provider.credentials.user_id
@rbac_rule_validation.action(service="keystone",