Merge "Identity v3 RBAC Tests - EP Filter Groups"
diff --git a/patrole_tempest_plugin/rbac_policy_parser.py b/patrole_tempest_plugin/rbac_policy_parser.py
index 1047d37..bb34f6c 100644
--- a/patrole_tempest_plugin/rbac_policy_parser.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py
@@ -66,15 +66,8 @@
         if extra_target_data is None:
             extra_target_data = {}
 
-        # First check if the service is valid
-        service = service.lower().strip() if service else None
-        self.admin_mgr = credentials.AdminManager()
-        services = self.admin_mgr.identity_services_v3_client.\
-            list_services()['services']
-        service_names = [s['name'] for s in services]
-        if not service or not any(service in name for name in service_names):
-            LOG.debug(str(service) + " is NOT a valid service.")
-            raise rbac_exceptions.RbacInvalidService
+        # First check if the service is valid.
+        self.validate_service(service)
 
         # Use default path in /etc/<service_name/policy.json if no path
         # is provided.
@@ -90,6 +83,24 @@
         self.user_id = user_id
         self.extra_target_data = extra_target_data
 
+    @classmethod
+    def validate_service(cls, service):
+        """Validate whether the service passed to ``init`` exists."""
+        service = service.lower().strip() if service else None
+
+        # Cache the list of available services in memory to avoid needlessly
+        # doing an API call every time.
+        if not hasattr(cls, 'available_services'):
+            admin_mgr = credentials.AdminManager()
+            services = admin_mgr.identity_services_v3_client.\
+                list_services()['services']
+            cls.available_services = [s['name'] for s in services]
+
+        if not service or service not in cls.available_services:
+            LOG.debug("%s is NOT a valid service.", service)
+            raise rbac_exceptions.RbacInvalidService(
+                "%s is NOT a valid service." % service)
+
     def allowed(self, rule_name, role):
         is_admin_context = self._is_admin_context(role)
         is_allowed = self._allowed(
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index ba04a30..53f84ff 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -29,6 +29,8 @@
 CONF = config.CONF
 LOG = logging.getLogger(__name__)
 
+_SUPPORTED_ERROR_CODES = [403, 404]
+
 
 def action(service, rule='', admin_only=False, expected_error_code=403,
            extra_target_data=None):
@@ -47,15 +49,13 @@
     :param service: A OpenStack service: for example, "nova" or "neutron".
     :param rule: A policy action defined in a policy.json file (or in code).
     :param admin_only: Skips over oslo.policy check because the policy action
-                       defined by `rule` is not enforced by the service's
-                       policy enforcement logic. For example, Keystone v2
-                       performs an admin check for most of its endpoints. If
-                       True, `rule` is effectively ignored.
+        defined by `rule` is not enforced by the service's  policy enforcement
+        logic. For example, Keystone v2 performs an admin check for most of its
+        endpoints. If True, `rule` is effectively ignored.
     :param expected_error_code: Overrides default value of 403 (Forbidden)
-                                with endpoint-specific error code. Currently
-                                only supports 403 and 404. Support for 404
-                                is needed because some services, like Neutron,
-                                intentionally throw a 404 for security reasons.
+        with endpoint-specific error code. Currently only supports 403 and 404.
+        Support for 404 is needed because some services, like Neutron,
+        intentionally throw a 404 for security reasons.
 
     :raises NotFound: if `service` is invalid or
                       if Tempest credentials cannot be found.
@@ -163,10 +163,29 @@
     return False
 
 
-def _get_exception_type(expected_error_code):
+def _get_exception_type(expected_error_code=403):
+    """Dynamically calculate the expected exception to be caught.
+
+    Dynamically calculate the expected exception to be caught by the test case.
+    Only `Forbidden` and `NotFound` exceptions are permitted. `NotFound` is
+    supported because Neutron, for security reasons, masks `Forbidden`
+    exceptions as `NotFound` exceptions.
+
+    :param expected_error_code: the integer representation of the expected
+        exception to be caught. Must be contained in `_SUPPORTED_ERROR_CODES`.
+    :returns: tuple of the exception type corresponding to
+        `expected_error_code` and a message explaining that a non-Forbidden
+        exception was expected, if applicable.
+    """
     expected_exception = None
     irregular_msg = None
-    supported_error_codes = [403, 404]
+
+    if not isinstance(expected_error_code, six.integer_types) \
+        or expected_error_code not in _SUPPORTED_ERROR_CODES:
+        msg = ("Please pass an expected error code. Currently "
+               "supported codes: {0}".format(_SUPPORTED_ERROR_CODES))
+        LOG.error(msg)
+        raise rbac_exceptions.RbacInvalidErrorCode(msg)
 
     if expected_error_code == 403:
         expected_exception = exceptions.Forbidden
@@ -175,11 +194,6 @@
         irregular_msg = ("NotFound exception was caught for policy action "
                          "{0}. The service {1} throws a 404 instead of a 403, "
                          "which is irregular.")
-    else:
-        msg = ("Please pass an expected error code. Currently "
-               "supported codes: {0}".format(str(supported_error_codes)))
-        LOG.error(msg)
-        raise rbac_exceptions.RbacInvalidErrorCode()
 
     return expected_exception, irregular_msg
 
@@ -200,7 +214,7 @@
 
     :param test_obj: type BaseTestCase (tempest base test class)
     :param extra_target_data: dictionary with unresolved string literals that
-                              reference nested BaseTestCase attributes
+        reference nested BaseTestCase attributes
     :returns: dictionary with resolved BaseTestCase attributes
     """
     attr_value = test_obj
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index 3c171ab..2998dbe 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -183,6 +183,7 @@
     def resource_setup(cls):
         super(BaseIdentityV2AdminRbacTest, cls).resource_setup()
         cls.tenants = []
+        cls.tokens = []
 
     @classmethod
     def resource_cleanup(cls):
@@ -190,6 +191,10 @@
             test_utils.call_and_ignore_notfound_exc(
                 cls.tenants_client.delete_tenant, tenant['id'])
 
+        for token in cls.tokens:
+            test_utils.call_and_ignore_notfound_exc(
+                cls.client.delete_token, token)
+
         super(BaseIdentityV2AdminRbacTest, cls).resource_cleanup()
 
     @classmethod
@@ -203,6 +208,15 @@
         cls.tenants.append(tenant)
         return tenant
 
+    @classmethod
+    def setup_test_token(cls, user_name, password, tenant_name):
+        """Set up a test token."""
+        token = cls.token_client.auth(user_name, password,
+                                      tenant_name)['token']
+        token_id = token['id']
+        cls.tokens.append(token_id)
+        return token_id
+
 
 class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
 
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_tokens_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_tokens_rbac.py
new file mode 100644
index 0000000..25150dd
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_tokens_rbac.py
@@ -0,0 +1,72 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+
+class IdentityTokenV2RbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+
+    def _create_token(self):
+
+        user_name = self.client.auth_provider.credentials.username
+        tenant_name = self.client.auth_provider.credentials.tenant_name
+        password = self.client.auth_provider.credentials.password
+        token_id = self.setup_test_token(user_name, password,
+                                         tenant_name)
+        return token_id
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:validate_token")
+    @decorators.idempotent_id('71471202-4c4e-4a3d-9d41-57eb621bf3bb')
+    def test_validate_token(self):
+
+        """Validate token (get-token)
+
+        RBAC test for Identity v2 get token validation
+        """
+        token_id = self._create_token()
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.client.show_token(token_id)
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:revoke_token")
+    @decorators.idempotent_id('77338f66-0713-4f20-b11c-b0d750618276')
+    def test_revoke_token(self):
+
+        """Revoke token (delete-token)
+
+        RBAC test for Identity v2 delete token
+        """
+        token_id = self._create_token()
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.client.delete_token(token_id)
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:validate_token_head")
+    @decorators.idempotent_id('71471202-4c4e-4a3d-9d41-57eb621bf3ba')
+    def test_check_token_existence(self):
+
+        """Validate Token head
+
+        RBAC test for Identity v2 token head validation
+        """
+        token_id = self._create_token()
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.client.check_token_existence(token_id)
diff --git a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
index a875321..67b32a2 100644
--- a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -15,7 +15,6 @@
 
 import netaddr
 
-from oslo_log import log
 from tempest import config
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
@@ -24,7 +23,6 @@
 from patrole_tempest_plugin.tests.api.network import rbac_base as base
 
 CONF = config.CONF
-LOG = log.getLogger(__name__)
 
 
 class FloatingIpsRbacTest(base.BaseNetworkRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
index 2efb3fe..3c74c07 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
@@ -13,7 +13,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from oslo_log import log
 from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils
@@ -24,7 +23,6 @@
 from patrole_tempest_plugin.tests.api.network import rbac_base as base
 
 CONF = config.CONF
-LOG = log.getLogger(__name__)
 
 
 class MeteringLabelRulesRbacTest(base.BaseNetworkRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
index 9aabfa0..89c6870 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
@@ -13,7 +13,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from oslo_log import log
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
@@ -22,8 +21,6 @@
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.network import rbac_base as base
 
-LOG = log.getLogger(__name__)
-
 
 class MeteringLabelsRbacTest(base.BaseNetworkRbacTest):
 
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index 1be46ab..6aec5d1 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -15,21 +15,16 @@
 
 import netaddr
 
-from oslo_log import log
-
 from tempest.common.utils import net_utils
-from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
 from tempest import test
 
+from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.network import rbac_base as base
 
-CONF = config.CONF
-LOG = log.getLogger(__name__)
-
 
 class RouterRbacTest(base.BaseNetworkRbacTest):
     @classmethod
@@ -42,8 +37,9 @@
     @classmethod
     def resource_setup(cls):
         super(RouterRbacTest, cls).resource_setup()
-        post_body = {}
-        post_body['router:external'] = True
+        # Create a network with external gateway so that
+        # ``external_gateway_info`` policies can be validated.
+        post_body = {'router:external': True}
         cls.network = cls.create_network(**post_body)
         cls.subnet = cls.create_subnet(cls.network)
         cls.ip_range = netaddr.IPRange(
@@ -51,6 +47,14 @@
             cls.subnet['allocation_pools'][0]['end'])
         cls.router = cls.create_router()
 
+    def _get_unused_ip_address(self):
+        unused_ip = net_utils.get_unused_ip_addresses(self.ports_client,
+                                                      self.subnets_client,
+                                                      self.network['id'],
+                                                      self.subnet['id'],
+                                                      1)
+        return unused_ip[0]
+
     @rbac_rule_validation.action(service="neutron",
                                  rule="create_router")
     @decorators.idempotent_id('acc5005c-bdb6-4192-bc9f-ece9035bb488')
@@ -64,6 +68,35 @@
         self.addCleanup(self.routers_client.delete_router,
                         router['router']['id'])
 
+    @decorators.idempotent_id('6139eb97-95c0-40d8-a109-99de11ab2e5e')
+    @test.requires_ext(extension='l3-ha', service='network')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="create_router:ha")
+    def test_create_high_availability_router(self):
+        """Create high-availability router
+
+        RBAC test for the neutron create_router:ha policy
+        """
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        router = self.routers_client.create_router(ha=True)
+        self.addCleanup(self.routers_client.delete_router,
+                        router['router']['id'])
+
+    @decorators.idempotent_id('c6254ca6-2728-412d-803d-d4aa3935e56d')
+    @test.requires_ext(extension='dvr', service='network')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="create_router:distributed")
+    def test_create_distributed_router(self):
+        """Create distributed router
+
+        RBAC test for the neutron create_router:distributed policy
+        """
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        router = self.routers_client.create_router(distributed=True)
+        self.addCleanup(self.routers_client.delete_router,
+                        router['router']['id'])
+
+    @test.requires_ext(extension='ext-gw-mode', service='network')
     @rbac_rule_validation.action(
         service="neutron",
         rule="create_router:external_gateway_info:enable_snat")
@@ -96,16 +129,11 @@
         """
         name = data_utils.rand_name(self.__class__.__name__ + '-snat-router')
 
-        # Pick an unused IP address.
-        ip_list = net_utils.get_unused_ip_addresses(self.ports_client,
-                                                    self.subnets_client,
-                                                    self.network['id'],
-                                                    self.subnet['id'],
-                                                    1)
+        unused_ip = self._get_unused_ip_address()
         external_fixed_ips = {'subnet_id': self.subnet['id'],
-                              'ip_address': ip_list[0]}
+                              'ip_address': unused_ip}
         external_gateway_info = {'network_id': self.network['id'],
-                                 'enable_snat': False,
+                                 'enable_snat': False,  # Default is True.
                                  'external_fixed_ips': [external_fixed_ips]}
 
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
@@ -124,7 +152,29 @@
         RBAC test for the neutron get_router policy
         """
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.routers_client.show_router(self.router['id'])
+        # Prevent other policies from being enforced by using barebones fields.
+        self.routers_client.show_router(self.router['id'], fields=['id'])
+
+    @decorators.idempotent_id('3ed26ea2-b419-410c-b4b5-576c1edafa06')
+    @test.requires_ext(extension='dvr', service='network')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="get_router:distributed")
+    def test_show_distributed_router(self):
+        """Get distributed router
+
+        RBAC test for the neutron get_router:distributed policy
+        """
+        router = self.routers_client.create_router(distributed=True)['router']
+        self.addCleanup(self.routers_client.delete_router, router['id'])
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        retrieved_fields = self.routers_client.show_router(
+            router['id'], fields=['distributed'])['router']
+
+        # Rather than throwing a 403, the field is not present, so raise exc.
+        if 'distributed' not in retrieved_fields:
+            raise rbac_exceptions.RbacActionFailed(
+                '"distributed" parameter not present in response body')
 
     @rbac_rule_validation.action(
         service="neutron", rule="update_router")
@@ -134,11 +184,10 @@
 
         RBAC test for the neutron update_router policy
         """
-        new_name = data_utils.rand_name(self.__class__.__name__ +
-                                        '-new-router-name')
+        new_name = data_utils.rand_name(
+            self.__class__.__name__ + '-new-router-name')
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.routers_client.update_router(self.router['id'],
-                                          name=new_name)
+        self.routers_client.update_router(self.router['id'], name=new_name)
 
     @rbac_rule_validation.action(
         service="neutron", rule="update_router:external_gateway_info")
@@ -172,6 +221,7 @@
             self.router['id'],
             external_gateway_info=None)
 
+    @test.requires_ext(extension='ext-gw-mode', service='network')
     @rbac_rule_validation.action(
         service="neutron",
         rule="update_router:external_gateway_info:enable_snat")
@@ -202,14 +252,9 @@
         RBAC test for the neutron
         update_router:external_gateway_info:external_fixed_ips policy
         """
-        # Pick an unused IP address.
-        ip_list = net_utils.get_unused_ip_addresses(self.ports_client,
-                                                    self.subnets_client,
-                                                    self.network['id'],
-                                                    self.subnet['id'],
-                                                    1)
+        unused_ip = self._get_unused_ip_address()
         external_fixed_ips = {'subnet_id': self.subnet['id'],
-                              'ip_address': ip_list[0]}
+                              'ip_address': unused_ip}
         external_gateway_info = {'network_id': self.network['id'],
                                  'external_fixed_ips': [external_fixed_ips]}
 
@@ -222,6 +267,34 @@
             self.router['id'],
             external_gateway_info=None)
 
+    @decorators.idempotent_id('ddc20731-dea1-4321-9abf-8772bf0b5977')
+    @test.requires_ext(extension='l3-ha', service='network')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="update_router:ha")
+    def test_update_high_availability_router(self):
+        """Update high-availability router
+
+        RBAC test for the neutron update_router:ha policy
+        """
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.routers_client.update_router(self.router['id'], ha=True)
+        self.addCleanup(self.routers_client.update_router, self.router['id'],
+                        ha=False)
+
+    @decorators.idempotent_id('e1932c19-8f73-41cd-b5d2-84c7ae5d530c')
+    @test.requires_ext(extension='dvr', service='network')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="update_router:distributed")
+    def test_update_distributed_router(self):
+        """Update distributed router
+
+        RBAC test for the neutron update_router:distributed policy
+        """
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.routers_client.update_router(self.router['id'], distributed=True)
+        self.addCleanup(self.routers_client.update_router, self.router['id'],
+                        distributed=False)
+
     @rbac_rule_validation.action(service="neutron",
                                  rule="delete_router",
                                  expected_error_code=404)
diff --git a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
index 2ccc688..2672b57 100644
--- a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
@@ -13,8 +13,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from oslo_log import log
-
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
@@ -23,8 +21,6 @@
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.network import rbac_base as base
 
-LOG = log.getLogger(__name__)
-
 
 class SecGroupRbacTest(base.BaseNetworkRbacTest):
 
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
new file mode 100644
index 0000000..68f5156
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
@@ -0,0 +1,96 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+
+class SubnetsRbacTest(base.BaseNetworkRbacTest):
+
+    @classmethod
+    def skip_checks(cls):
+        super(SubnetsRbacTest, cls).skip_checks()
+        if not test.is_extension_enabled('subnet_allocation', 'network'):
+            msg = "subnet_allocation extension not enabled."
+            raise cls.skipException(msg)
+
+    @classmethod
+    def resource_setup(cls):
+        super(SubnetsRbacTest, cls).resource_setup()
+        cls.network = cls.create_network()
+        cls.subnet = cls.create_subnet(cls.network)
+
+    @decorators.idempotent_id('0481adeb-4301-44d5-851c-35910cc18a6b')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="create_subnet")
+    def test_create_subnet(self):
+        """Create subnet.
+
+        RBAC test for the neutron "create_subnet" policy
+        """
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.create_subnet(self.network)
+
+    @decorators.idempotent_id('c02618e7-bb20-4abd-83c8-6eec2af08752')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="get_subnet")
+    def test_show_subnet(self):
+        """Show subnet.
+
+        RBAC test for the neutron "get_subnet" policy
+        """
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.subnets_client.show_subnet(self.subnet['id'])
+
+    @decorators.idempotent_id('e2ddc415-5cab-43f4-9b61-166aed65d637')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="get_subnet")
+    def test_list_subnets(self):
+        """List subnets.
+
+        RBAC test for the neutron "get_subnet" policy
+        """
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.subnets_client.list_subnets()
+
+    @decorators.idempotent_id('f36cd821-dd22-4bd0-b43d-110fc4b553eb')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="update_subnet")
+    def test_update_subnet(self):
+        """Update subnet.
+
+        RBAC test for the neutron "update_subnet" policy
+        """
+        update_name = data_utils.rand_name(self.__class__.__name__ + '-Subnet')
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.subnets_client.update_subnet(self.subnet['id'], name=update_name)
+
+    @decorators.idempotent_id('bcfc7153-bbd1-43a4-a908-b3e1b0cde0dc')
+    @rbac_rule_validation.action(service="neutron",
+                                 rule="delete_subnet")
+    def test_delete_subnet(self):
+        """Delete subnet.
+
+        RBAC test for the neutron "delete_subnet" policy
+        """
+        subnet = self.create_subnet(self.network)
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.subnets_client.delete_subnet(subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index f27b8a8..7916c8c 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -29,13 +29,10 @@
 
 class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
 
-    # TODO(felipemonteiro): "volume_extension:volume_actions:upload_public"
-    # test can be created once volumes v3 client is created in Tempest.
-
     @classmethod
     def setup_clients(cls):
         super(VolumesActionsRbacTest, cls).setup_clients()
-        cls.image_client = cls.os_primary.image_client_v2
+        cls.admin_image_client = cls.os_admin.image_client_v2
 
     @classmethod
     def resource_setup(cls):
@@ -87,6 +84,7 @@
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
         self._detach_volume()
 
+    @test.attr(type=["slow"])
     @test.services('image')
     @rbac_rule_validation.action(
         service="cinder",
@@ -104,9 +102,10 @@
             disk_format=CONF.volume.disk_format)['os-volume_upload_image']
         image_id = body["image_id"]
         self.addCleanup(test_utils.call_and_ignore_notfound_exc,
-                        self.image_client.delete_image,
+                        self.admin_image_client.delete_image,
                         image_id)
-        waiters.wait_for_image_status(self.image_client, image_id, 'active')
+        waiters.wait_for_image_status(self.admin_image_client, image_id,
+                                      'active')
         waiters.wait_for_volume_resource_status(self.os_admin.volumes_client,
                                                 self.volume['id'], 'available')
 
@@ -210,6 +209,41 @@
     _api_version = 3
 
 
+class VolumesActionsV310RbacTest(rbac_base.BaseVolumeRbacTest):
+    _api_version = 3
+    min_microversion = '3.10'
+    max_microversion = 'latest'
+
+    @classmethod
+    def setup_clients(cls):
+        super(VolumesActionsV310RbacTest, cls).setup_clients()
+        cls.admin_image_client = cls.os_admin.image_client_v2
+
+    @test.attr(type=["slow"])
+    @test.services('image')
+    @rbac_rule_validation.action(
+        service="cinder",
+        rule="volume_extension:volume_actions:upload_public")
+    @decorators.idempotent_id('578a84dd-a6bd-4f97-a418-4a0c3c272c08')
+    def test_volume_upload_public(self):
+        # This also enforces "volume_extension:volume_actions:upload_image".
+        volume = self.create_volume()
+        image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        body = self.volumes_client.upload_volume(
+            volume['id'], image_name=image_name, visibility="public",
+            disk_format=CONF.volume.disk_format)['os-volume_upload_image']
+        image_id = body["image_id"]
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.admin_image_client.delete_image,
+                        image_id)
+        waiters.wait_for_image_status(self.admin_image_client, image_id,
+                                      'active')
+        waiters.wait_for_volume_resource_status(self.os_admin.volumes_client,
+                                                volume['id'], 'available')
+
+
 class VolumesActionsV312RbacTest(rbac_base.BaseVolumeRbacTest):
     _api_version = 3
     min_microversion = '3.12'
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py
index a56ca5a..6e9812b 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py
@@ -13,19 +13,11 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-import logging
-
-from tempest import config
 from tempest.lib import decorators
 
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.volume import rbac_base
 
-QUOTA_KEYS = ['gigabytes', 'snapshots', 'volumes']
-QUOTA_USAGE_KEYS = ['reserved', 'limit', 'in_use']
-CONF = config.CONF
-LOG = logging.getLogger(__name__)
-
 
 class VolumeQuotasRbacTest(rbac_base.BaseVolumeRbacTest):
 
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
new file mode 100644
index 0000000..8fd68a3
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
@@ -0,0 +1,81 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+
+class VolumeTypesAccessRbacTest(rbac_base.BaseVolumeRbacTest):
+    _api_version = 3
+
+    @classmethod
+    def skip_checks(cls):
+        super(VolumeTypesAccessRbacTest, cls).skip_checks()
+        if not test.is_extension_enabled('os-volume-type-access', 'volume'):
+            msg = "os-volume-type-access extension not enabled."
+            raise cls.skipException(msg)
+
+    @classmethod
+    def resource_setup(cls):
+        super(VolumeTypesAccessRbacTest, cls).resource_setup()
+        cls.vol_type = cls.create_volume_type(
+            **{'os-volume-type-access:is_public': False})
+        cls.project_id = cls.auth_provider.credentials.project_id
+
+    def _add_type_access(self, ignore_not_found=False):
+        self.volume_types_client.add_type_access(
+            self.vol_type['id'], project=self.project_id)
+
+        if ignore_not_found:
+            self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                            self.volume_types_client.remove_type_access,
+                            self.vol_type['id'], project=self.project_id)
+        else:
+            self.addCleanup(self.volume_types_client.remove_type_access,
+                            self.vol_type['id'], project=self.project_id)
+
+    @decorators.idempotent_id('af70e6ad-e931-419f-9200-8bcc284e4e47')
+    @rbac_rule_validation.action(
+        service="cinder",
+        rule="volume_extension:volume_type_access")
+    def test_list_type_access(self):
+        self._add_type_access()
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.volume_types_client.list_type_access(self.vol_type['id'])[
+            'volume_type_access']
+
+    @decorators.idempotent_id('b462eeba-45d0-4d6e-945a-a1d27708d367')
+    @rbac_rule_validation.action(
+        service="cinder",
+        rule="volume_extension:volume_type_access:addProjectAccess")
+    def test_add_type_access(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self._add_type_access(ignore_not_found=True)
+
+    @decorators.idempotent_id('8f848aeb-636a-46f1-aeeb-e2a60e9d2bfe')
+    @rbac_rule_validation.action(
+        service="cinder",
+        rule="volume_extension:volume_type_access:removeProjectAccess")
+    def test_remove_type_access(self):
+        self._add_type_access(ignore_not_found=True)
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.volume_types_client.remove_type_access(
+            self.vol_type['id'], project=self.project_id)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
index 94199b5..97eaab7 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
@@ -13,21 +13,88 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
+from tempest import test
 
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.volume import rbac_base
 
 
 class VolumeTypesExtraSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
+    _api_version = 3
+
+    @classmethod
+    def skip_checks(cls):
+        super(VolumeTypesExtraSpecsRbacTest, cls).skip_checks()
+        if not test.is_extension_enabled('os-types-extra-specs', 'volume'):
+            msg = "os-types-extra-specs extension not enabled."
+            raise cls.skipException(msg)
+
+    @classmethod
+    def resource_setup(cls):
+        super(VolumeTypesExtraSpecsRbacTest, cls).resource_setup()
+        cls.vol_type = cls.create_volume_type()
+        cls.spec_key = data_utils.rand_name(cls.__name__ + '-Spec')
+
+    def _create_volume_type_extra_specs(self, ignore_not_found=False):
+        extra_specs = {self.spec_key: "val1"}
+        self.volume_types_client.create_volume_type_extra_specs(
+            self.vol_type['id'], extra_specs)
+
+        if ignore_not_found:
+            self.addCleanup(
+                test_utils.call_and_ignore_notfound_exc,
+                self.volume_types_client.delete_volume_type_extra_specs,
+                self.vol_type['id'], self.spec_key)
+        else:
+            self.addCleanup(
+                self.volume_types_client.delete_volume_type_extra_specs,
+                self.vol_type['id'], self.spec_key)
+
+    @decorators.idempotent_id('76c36be2-2b6c-4acf-9aac-c9dc5c17cdbe')
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume_extension:types_extra_specs")
+    def test_list_volume_types_extra_specs(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.volume_types_client.list_volume_types_extra_specs(
+            self.vol_type['id'])['extra_specs']
 
     @rbac_rule_validation.action(service="cinder",
                                  rule="volume_extension:types_extra_specs")
     @decorators.idempotent_id('eea40251-990b-49b0-99ae-10e4585b479b')
     def test_create_volume_type_extra_specs(self):
-        vol_type = self.create_volume_type()
-        # List Volume types extra specs.
-        extra_specs = {"spec1": "val1"}
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.volume_types_client.create_volume_type_extra_specs(
-            vol_type['id'], extra_specs)
+        self._create_volume_type_extra_specs(ignore_not_found=True)
+
+    @decorators.idempotent_id('e2dcc9c6-2fef-431d-afaf-92b45bc76d1a')
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume_extension:types_extra_specs")
+    def test_show_volume_type_extra_specs(self):
+        self._create_volume_type_extra_specs()
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.volume_types_client.show_volume_type_extra_specs(
+            self.vol_type['id'], self.spec_key)
+
+    @decorators.idempotent_id('93001912-f938-41c7-8787-62dc7010fd52')
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume_extension:types_extra_specs")
+    def test_delete_volume_type_extra_specs(self):
+        self._create_volume_type_extra_specs(ignore_not_found=True)
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.volume_types_client.delete_volume_type_extra_specs(
+            self.vol_type['id'], self.spec_key)
+
+    @decorators.idempotent_id('0a444437-7402-4fbe-a18a-93af2ee00618')
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume_extension:types_extra_specs")
+    def test_update_volume_type_extra_specs(self):
+        self._create_volume_type_extra_specs()
+        update_extra_specs = {self.spec_key: "val2"}
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.volume_types_client.update_volume_type_extra_specs(
+            self.vol_type['id'], self.spec_key, update_extra_specs)
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
index 6889b44..09de6bf 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
@@ -68,7 +68,7 @@
                 {'name': 'neutron', 'links': 'link', 'enabled': True,
                  'type': 'networking', 'id': 'id',
                  'description': 'description'},
-                {'name': 'test', 'links': 'link', 'enabled': True,
+                {'name': 'test_service', 'links': 'link', 'enabled': True,
                  'type': 'unit_test', 'id': 'id',
                  'description': 'description'}
             ]
@@ -92,7 +92,7 @@
         test_user_id = mock.sentinel.user_id
         self.mock_path.path.join.return_value = self.custom_policy_file
         parser = rbac_policy_parser.RbacPolicyParser(
-            test_tenant_id, test_user_id, "test")
+            test_tenant_id, test_user_id, "test_service")
 
         expected = {
             'policy_action_1': ['two', 'four', 'six', 'eight'],
@@ -115,7 +115,7 @@
         test_user_id = mock.sentinel.user_id
         self.mock_path.path.join.return_value = self.admin_policy_file
         parser = rbac_policy_parser.RbacPolicyParser(
-            test_tenant_id, test_user_id, "test")
+            test_tenant_id, test_user_id, "test_service")
 
         role = 'admin'
         allowed_rules = [
@@ -136,7 +136,7 @@
         test_user_id = mock.sentinel.user_id
         self.mock_path.path.join.return_value = self.admin_policy_file
         parser = rbac_policy_parser.RbacPolicyParser(
-            test_tenant_id, test_user_id, "test")
+            test_tenant_id, test_user_id, "test_service")
 
         role = 'Member'
         allowed_rules = [
@@ -158,7 +158,7 @@
         test_user_id = mock.sentinel.user_id
         self.mock_path.path.join.return_value = self.alt_admin_policy_file
         parser = rbac_policy_parser.RbacPolicyParser(
-            test_tenant_id, test_user_id, "test")
+            test_tenant_id, test_user_id, "test_service")
 
         role = 'fake_admin'
         allowed_rules = ['non_admin_rule']
@@ -195,7 +195,7 @@
         test_user_id = mock.sentinel.user_id
         self.mock_path.path.join.return_value = self.tenant_policy_file
         parser = rbac_policy_parser.RbacPolicyParser(
-            test_tenant_id, test_user_id, "test")
+            test_tenant_id, test_user_id, "test_service")
 
         # Check whether Member role can perform expected actions.
         allowed_rules = ['rule1', 'rule2', 'rule3', 'rule4']
@@ -254,7 +254,7 @@
                           service)
 
         m_log.debug.assert_called_once_with(
-            "{0} is NOT a valid service.".format(str(service)))
+            '%s is NOT a valid service.', 'invalid_service')
 
     @mock.patch.object(rbac_policy_parser, 'LOG', autospec=True)
     def test_service_is_none_raises_exception(self, m_log):
@@ -268,8 +268,7 @@
                           test_user_id,
                           service)
 
-        m_log.debug.assert_called_once_with(
-            "{0} is NOT a valid service.".format(str(service)))
+        m_log.debug.assert_called_once_with('%s is NOT a valid service.', None)
 
     @mock.patch.object(rbac_policy_parser, 'LOG', autospec=True)
     def test_invalid_policy_rule_throws_rbac_parsing_exception(self, m_log):
@@ -277,7 +276,7 @@
         test_user_id = mock.sentinel.user_id
         self.mock_path.path.join.return_value = self.custom_policy_file
         parser = rbac_policy_parser.RbacPolicyParser(
-            test_tenant_id, test_user_id, "test")
+            test_tenant_id, test_user_id, "test_service")
 
         fake_rule = 'fake_rule'
         expected_message = "Policy action: {0} not found in policy file: {1}."\
@@ -293,8 +292,9 @@
         test_tenant_id = mock.sentinel.tenant_id
         test_user_id = mock.sentinel.user_id
         self.mock_path.path.join.return_value = self.custom_policy_file
+
         parser = rbac_policy_parser.RbacPolicyParser(
-            test_tenant_id, test_user_id, "test")
+            test_tenant_id, test_user_id, "test_service")
         parser.rules = mock.MagicMock(
             **{'__getitem__.return_value.side_effect': Exception(
                mock.sentinel.error)})
@@ -329,7 +329,7 @@
         test_user_id = mock.sentinel.user_id
         self.mock_path.path.join.return_value = self.tenant_policy_file
         parser = rbac_policy_parser.RbacPolicyParser(
-            test_tenant_id, test_user_id, "test")
+            test_tenant_id, test_user_id, "test_service")
 
         policy_data = parser._get_policy_data('fake_service')
 
@@ -373,7 +373,7 @@
         test_user_id = mock.sentinel.user_id
         self.mock_path.path.join.return_value = self.tenant_policy_file
         parser = rbac_policy_parser.RbacPolicyParser(
-            test_tenant_id, test_user_id, "test")
+            test_tenant_id, test_user_id, "test_service")
 
         policy_data = parser._get_policy_data('fake_service')
 
@@ -413,10 +413,9 @@
         self.assertIn(expected_error, str(e))
 
     @mock.patch.object(rbac_policy_parser, 'json', autospec=True)
-    @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
     @mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
     def test_get_policy_data_without_valid_policy(self, mock_stevedore,
-                                                  mock_credentials, mock_json):
+                                                  mock_json):
         self.mock_path.path.isfile.return_value = False
 
         test_policy_action = mock.Mock(check='rule:bar')
@@ -428,11 +427,6 @@
         mock_stevedore.named.NamedExtensionManager\
             .return_value = [test_policy]
 
-        mock_credentials.AdminManager.return_value.identity_services_v3_client.\
-            list_services.return_value = {
-                'services': [{'name': 'test_service'}]
-            }
-
         mock_json.dumps.side_effect = ValueError
 
         e = self.assertRaises(rbac_exceptions.RbacParsingException,
@@ -441,7 +435,6 @@
 
         expected_error = "Policy file for {0} service is invalid."\
                          .format("test_service")
-
         self.assertIn(expected_error, str(e))
 
         mock_stevedore.named.NamedExtensionManager.assert_called_once_with(
@@ -452,16 +445,9 @@
             warn_on_missing_entrypoint=False)
 
     @mock.patch.object(rbac_policy_parser, 'json', autospec=True)
-    @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
     @mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
     def test_get_policy_data_from_file_not_json(self, mock_stevedore,
-                                                mock_credentials,
                                                 mock_json):
-
-        mock_credentials.AdminManager.return_value.identity_services_v3_client.\
-            list_services.return_value = {
-                'services': [{'name': 'test_service'}]
-            }
         mock_stevedore.named.NamedExtensionManager.return_value = None
         mock_json.loads.side_effect = ValueError
         self.mock_path.path.join.return_value = self.tenant_policy_file
diff --git a/releasenotes/notes/additional-router-rbac-tests-66ef013c54016326.yaml b/releasenotes/notes/additional-router-rbac-tests-66ef013c54016326.yaml
new file mode 100644
index 0000000..4f91a12
--- /dev/null
+++ b/releasenotes/notes/additional-router-rbac-tests-66ef013c54016326.yaml
@@ -0,0 +1,11 @@
+---
+features:
+  - |
+    Add additional RBAC tests for network routers API, providing coverage for
+    the following policy actions:
+
+      * create_router:ha
+      * create_router:distributed
+      * get_router:distributed
+      * update_router:ha
+      * update_router:distributed
\ No newline at end of file
diff --git a/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml b/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml
new file mode 100644
index 0000000..9be15fc
--- /dev/null
+++ b/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Added RBAC tests for volume type access and volume type extra specs
+    APIs, providing coverage for the following policy actions:
+
+      * "volume_extension:types_extra_specs"
+      * "volume_extension:volume_type_access"
+      * "volume_extension:volume_type_access:addProjectAccess"
+      * "volume_extension:volume_type_access:removeProjectAccess"
diff --git a/releasenotes/notes/subnet-rbac-tests-6d3cf54e39a7b486.yaml b/releasenotes/notes/subnet-rbac-tests-6d3cf54e39a7b486.yaml
new file mode 100644
index 0000000..8d3d22a
--- /dev/null
+++ b/releasenotes/notes/subnet-rbac-tests-6d3cf54e39a7b486.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Add RBAC tests for network subnet endpoints, providing coverage for the
+    following policy actions:
+
+      * create_subnet
+      * get_subnet
+      * update_subnet
+      * delete_subnet
diff --git a/releasenotes/notes/test_tokens_rbac-7f36919b786e9ffc.yaml b/releasenotes/notes/test_tokens_rbac-7f36919b786e9ffc.yaml
new file mode 100644
index 0000000..5ff448b
--- /dev/null
+++ b/releasenotes/notes/test_tokens_rbac-7f36919b786e9ffc.yaml
@@ -0,0 +1,3 @@
+---
+features:
+  - Added RBAC test scenarios for the token-related admin v2 identity API.
diff --git a/releasenotes/notes/volume-upload-public-test-f8e741a838ae7607.yaml b/releasenotes/notes/volume-upload-public-test-f8e741a838ae7607.yaml
new file mode 100644
index 0000000..c8c0ecd
--- /dev/null
+++ b/releasenotes/notes/volume-upload-public-test-f8e741a838ae7607.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add RBAC test to provide coverage for the following cinder policy:
+    "volume_extension:volume_actions:upload_public".