Merge "Cinder tests - Volume Quotas"
diff --git a/README.rst b/README.rst
index 6be7812..d9a6507 100644
--- a/README.rst
+++ b/README.rst
@@ -17,4 +17,16 @@
Features
--------
-* TODO
+Patrole offers RBAC testing for various OpenStack RBAC policies. It includes
+a decorator that wraps around tests which verifies that when the test calls the
+corresponding api endpoint, access is only granted for correct roles.
+
+There are several possible test flows.
+
+If the rbac_test_role is allowed to access the endpoint
+ - The test passes if no 403 forbidden or RbacActionFailed exception is raised.
+
+If the rbac_test_role is not allowed to access the endpoint
+ - If the endpoint returns a 403 forbidden exception the test will pass
+ - If the endpoint returns something other than a 403 forbidden to indicate
+ that the role is not allowed, the test will raise an RbacActionFailed exception.
diff --git a/doc/source/installation.rst b/doc/source/installation.rst
index 9bfe14e..b0a6f33 100644
--- a/doc/source/installation.rst
+++ b/doc/source/installation.rst
@@ -14,6 +14,11 @@
$ mkvirtualenv patrole
$ pip install patrole
+Or to install from the source::
+
+ $ navigate to patrole directory
+ $ pip install -e .
+
Configuration Information
#########################
@@ -44,6 +49,11 @@
# The role that you want the RBAC tests to use for RBAC testing
# This needs to be edited to run the test as a different role.
- rbac_role=_member_
+ rbac_test_role=_member_
+
+ # The list of roles that your system contains.
+ # This needs to be updated as new roles are added.
+ rbac_roles=admin,_member_
+
# Tell standard RBAC test cases to run other wise it they are skipped.
rbac_flag=true
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
new file mode 100644
index 0000000..9718bfc
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
@@ -0,0 +1,82 @@
+# Copyright 2016 AT&T Corp
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import log as logging
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api import rbac_base
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
+
+class SnapshotsActionsRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(SnapshotsActionsRbacTest, cls).skip_checks()
+ if not CONF.volume_feature_enabled.snapshot:
+ raise cls.skipException("Cinder snapshot feature disabled")
+
+ @classmethod
+ def setup_clients(cls):
+ super(SnapshotsActionsRbacTest, cls).setup_clients()
+ cls.client = cls.os.snapshots_client
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(SnapshotsActionsRbacTest, self).tearDown()
+
+ @classmethod
+ def resource_setup(cls):
+ super(SnapshotsActionsRbacTest, cls).resource_setup()
+ # Create a volume
+ cls.volume = cls.create_volume()
+ # Create a snapshot
+ cls.snapshot = cls.create_snapshot(volume_id=cls.volume['id'])
+ cls.snapshot_id = cls.snapshot['id']
+
+ @rbac_rule_validation.action(
+ component="Volume", service="cinder",
+ rule="volume_extension:snapshot_admin_actions:reset_status")
+ @decorators.idempotent_id('ea430145-34ef-408d-b678-95d5ae5f46eb')
+ def test_reset_snapshot_status(self):
+ # Reset snapshot status to error
+ status = 'error'
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.\
+ reset_snapshot_status(self.snapshot['id'], status)
+
+ @rbac_rule_validation.action(
+ component="Volume", service="cinder",
+ rule="volume_extension:volume_admin_actions:force_delete")
+ @decorators.idempotent_id('a8b0f7d8-4c00-4645-b8d5-33ab4eecc6cb')
+ def test_snapshot_force_delete(self):
+ # Test force delete of snapshot
+ # Create snapshot,
+ # and force delete temp snapshot
+ temp_snapshot = self.create_snapshot(self.volume['id'])
+ # Force delete the snapshot
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.force_delete_snapshot(temp_snapshot['id'])
+ self.client.wait_for_resource_deletion(temp_snapshot['id'])
+
+
+class SnapshotsActionsV3RbacTest(SnapshotsActionsRbacTest):
+ _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
new file mode 100644
index 0000000..9c5d2d9
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
@@ -0,0 +1,89 @@
+# Copyright 2017 AT&T Corp
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import log as logging
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api import rbac_base
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
+
+class VolumeMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
+ @classmethod
+ def setup_clients(cls):
+ super(VolumeMetadataRbacTest, cls).setup_clients()
+ cls.client = cls.os.volumes_client
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumeMetadataRbacTest, self).tearDown()
+
+ def _add_metadata(self, volume):
+ # Create metadata for the volume
+ metadata = {"key1": "value1",
+ "key2": "value2",
+ "key3": "value3",
+ "key4": "<value&special_chars>"}
+ self.volumes_client.create_volume_metadata(volume['id'],
+ metadata)['metadata']
+
+ @rbac_rule_validation.action(component="Volume", service="cinder",
+ rule="volume:update_volume_metadata")
+ @decorators.idempotent_id('232bbb8b-4c29-44dc-9077-b1398c20b738')
+ def test_create_volume_metadata(self):
+ volume = self.create_volume()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._add_metadata(volume)
+
+ @rbac_rule_validation.action(component="Volume", service="cinder",
+ rule="volume:get")
+ @decorators.idempotent_id('87ea37d9-23ab-47b2-a59c-16fc4d2c6dfa')
+ def test_get_volume_metadata(self):
+ volume = self.create_volume()
+ self._add_metadata(volume)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_client.show_volume_metadata(volume['id'])['metadata']
+
+ @rbac_rule_validation.action(component="Volume", service="cinder",
+ rule="volume:delete_volume_metadata")
+ @decorators.idempotent_id('7498dfc1-9db2-4423-ad20-e6dcb25d1beb')
+ def test_delete_volume_metadata(self):
+ volume = self.create_volume()
+ self._add_metadata(volume)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_client.delete_volume_metadata_item(volume['id'],
+ "key1")
+
+ @rbac_rule_validation.action(component="Volume", service="cinder",
+ rule="volume:update_volume_metadata")
+ @decorators.idempotent_id('8ce2ff80-99ba-49ae-9bb1-7e96729ee5af')
+ def test_update_volume_metadata(self):
+ volume = self.create_volume()
+ self._add_metadata(volume)
+ # Metadata to update
+ update_item = {"key3": "value3_update"}
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_client.update_volume_metadata_item(
+ volume['id'], "key3", update_item)['meta']
+
+
+class VolumeMetadataV3RbacTest(VolumeMetadataRbacTest):
+ _api_version = 3