Merge "Add RBAC test cases to manage cinder volume"
diff --git a/contrib/post_test_hook.sh b/contrib/post_test_hook.sh
index db48fc2..af7c856 100644
--- a/contrib/post_test_hook.sh
+++ b/contrib/post_test_hook.sh
@@ -61,9 +61,7 @@
# Set strict_policy_check=False under [rbac] section in tempest.conf
iniset $TEMPEST_CONFIG rbac strict_policy_check False
# Set additional, necessary CONF values
- iniset $TEMPEST_CONFIG auth use_dynamic_credentials True
iniset $TEMPEST_CONFIG auth tempest_roles Member
- iniset $TEMPEST_CONFIG identity auth_version v3
}
function run_tests() {
diff --git a/doc/source/installation.rst b/doc/source/installation.rst
index b532d63..e342dd8 100644
--- a/doc/source/installation.rst
+++ b/doc/source/installation.rst
@@ -50,3 +50,13 @@
# not found in the policy.json. Otherwise, they throw a
# skipException.
strict_policy_check = False
+
+ # The following config options set the location of the service's
+ # policy file. For services that have their policy in code (e.g.,
+ # Nova), this would be the location of a custom policy.json, if
+ # one exists.
+ cinder_policy_file = /etc/cinder/policy.json
+ glance_policy_file = /etc/glance/policy.json
+ keystone_policy_file = /etc/keystone/policy.json
+ neutron_policy_file = /etc/neutron/policy.json
+ nova_policy_file = /etc/nova/policy.json
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index dfb6cef..cb00269 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -30,5 +30,20 @@
default=False,
help="If true, throws RbacParsingException for"
" policies which don't exist. If false, "
- "throws skipException.")
+ "throws skipException."),
+ cfg.StrOpt('cinder_policy_file',
+ default='/etc/cinder/policy.json',
+ help="Location of the neutron policy file."),
+ cfg.StrOpt('glance_policy_file',
+ default='/etc/glance/policy.json',
+ help="Location of the glance policy file."),
+ cfg.StrOpt('keystone_policy_file',
+ default='/etc/keystone/policy.json',
+ help="Location of the keystone policy file."),
+ cfg.StrOpt('neutron_policy_file',
+ default='/etc/neutron/policy.json',
+ help="Location of the neutron policy file."),
+ cfg.StrOpt('nova_policy_file',
+ default='/etc/nova/policy.json',
+ help="Location of the nova policy file.")
]
diff --git a/patrole_tempest_plugin/rbac_policy_parser.py b/patrole_tempest_plugin/rbac_policy_parser.py
index 2686736..e68921f 100644
--- a/patrole_tempest_plugin/rbac_policy_parser.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py
@@ -40,7 +40,7 @@
each role, whether a given rule is allowed using oslo policy.
"""
- def __init__(self, project_id, user_id, service=None, path=None,
+ def __init__(self, project_id, user_id, service=None,
extra_target_data={}):
"""Initialization of Rbac Policy Parser.
@@ -76,7 +76,12 @@
# Use default path in /etc/<service_name/policy.json if no path
# is provided.
- self.path = path or os.path.join('/etc', service, 'policy.json')
+ path = getattr(CONF.rbac, '%s_policy_file' % str(service), None)
+ if not path:
+ LOG.info("No config option found for %s,"
+ " using default path" % str(service))
+ path = os.path.join('/etc', service, 'policy.json')
+ self.path = path
self.rules = policy.Rules.load(self._get_policy_data(service),
'default')
self.project_id = project_id
@@ -98,12 +103,18 @@
# Check whether policy file exists.
if os.path.isfile(self.path):
- with open(self.path, 'r') as policy_file:
- file_policy_data = policy_file.read()
try:
+ with open(self.path, 'r') as policy_file:
+ file_policy_data = policy_file.read()
file_policy_data = json.loads(file_policy_data)
- except ValueError:
- file_policy_data = None
+ except (IOError, ValueError) as e:
+ msg = "Failed to read policy file for service. "
+ if isinstance(e, IOError):
+ msg += "Please check that policy path exists."
+ else:
+ msg += "JSON may be improperly formatted."
+ LOG.debug(msg)
+ file_policy_data = {}
# Check whether policy actions are defined in code. Nova and Keystone,
# for example, define their default policy actions in code.
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 6a5ed5e..a225c7d 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -29,7 +29,7 @@
LOG = logging.getLogger(__name__)
-def action(service, rule, admin_only=False, expected_error_code=403,
+def action(service, rule='', admin_only=False, expected_error_code=403,
extra_target_data={}):
"""A decorator which does a policy check and matches it against test run.
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index d952014..55a5599 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -20,6 +20,7 @@
import oslo_utils.uuidutils as uuid_utils
import six
+from tempest.common import credentials_factory as credentials
from tempest import config
from patrole_tempest_plugin import rbac_exceptions
@@ -56,10 +57,12 @@
self.token = test_obj.auth_provider.get_token()
self.identity_version = test_obj.get_identity_version()
- if self.identity_version.endswith('v3'):
- self.roles_client = test_obj.os_admin.roles_v3_client
- else:
- self.roles_client = test_obj.os_admin.roles_client
+ if not credentials.is_admin_available(
+ identity_version=self.identity_version):
+ msg = "Missing Identity Admin API credentials in configuration."
+ raise rbac_exceptions.RbacResourceSetupFailed(msg)
+
+ self.roles_client = test_obj.os_admin.roles_v3_client
LOG.debug('Switching role to: %s', toggle_rbac_role)
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
index a85d508..bc07675 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
@@ -23,20 +23,30 @@
CONF = config.CONF
-class BaseIdentityV2RbacTest(base.BaseIdentityV2Test):
+class BaseIdentityV2AdminRbacTest(base.BaseIdentityV2Test):
+ """Base test class for the Identity v2 admin API.
+
+ Keystone's v2 API is split into two APIs: an admin and non-admin API. RBAC
+ testing is only provided for the admin API. Instead of policy enforcement,
+ these APIs execute ``self.assert_admin(request)``, which checks that the
+ request object has ``context_is_admin``. For more details, see the
+ implementation of ``assert_admin`` in ``keystone.common.wsgi``.
+ """
credentials = ['admin', 'primary']
@classmethod
def skip_checks(cls):
- super(BaseIdentityV2RbacTest, cls).skip_checks()
+ super(BaseIdentityV2AdminRbacTest, cls).skip_checks()
if not CONF.rbac.enable_rbac:
raise cls.skipException(
"%s skipped as RBAC testing not enabled" % cls.__name__)
+ if not CONF.identity_feature_enabled.api_v2_admin:
+ raise cls.skipException('Identity v2 admin not available')
@classmethod
def setup_clients(cls):
- super(BaseIdentityV2RbacTest, cls).setup_clients()
+ super(BaseIdentityV2AdminRbacTest, cls).setup_clients()
cls.auth_provider = cls.os_primary.auth_provider
cls.rbac_utils = rbac_utils()
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
index dea7f0b..f16d0aa 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
@@ -13,7 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -21,19 +20,17 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
-CONF = config.CONF
-
-class IdentityEndpointsV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
+class IdentityEndpointsV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
@classmethod
def setup_clients(cls):
- super(IdentityEndpointsV2RbacTest, cls).setup_clients()
+ super(IdentityEndpointsV2AdminRbacTest, cls).setup_clients()
cls.endpoints_client = cls.os_primary.endpoints_client
@classmethod
def resource_setup(cls):
- super(IdentityEndpointsV2RbacTest, cls).resource_setup()
+ super(IdentityEndpointsV2AdminRbacTest, cls).resource_setup()
cls.region = data_utils.rand_name('region')
cls.public_url = data_utils.rand_url()
cls.admin_url = data_utils.rand_url()
@@ -54,7 +51,6 @@
return endpoint
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_endpoint",
admin_only=True)
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd124')
def test_create_endpoint(self):
@@ -68,7 +64,6 @@
self._create_endpoint()
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_endpoint",
admin_only=True)
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd125')
def test_delete_endpoint(self):
@@ -83,7 +78,6 @@
self.endpoints_client.delete_endpoint(endpoint['endpoint']['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_endpoints",
admin_only=True)
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd126')
def test_list_endpoints(self):
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
index 6853b64..a557bb8 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -16,16 +16,16 @@
from tempest import config
from tempest.lib import decorators
+from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
CONF = config.CONF
-class IdentityProjectV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
+class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_project",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d904')
def test_create_project(self):
@@ -39,7 +39,6 @@
self._create_tenant()
@rbac_rule_validation.action(service="keystone",
- rule="identity:update_project",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d905')
def test_update_project(self):
@@ -55,7 +54,6 @@
description="Changed description")
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_project",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d906')
def test_delete_project(self):
@@ -70,7 +68,6 @@
self.tenants_client.delete_tenant(tenant['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_project",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d907')
def test_get_project(self):
@@ -86,20 +83,6 @@
self.tenants_client.show_tenant(tenant['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_projects",
- admin_only=True)
- @decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d908')
- def test_get_all_projects(self):
-
- """List All Projects Test
-
- RBAC test for Identity 2.0 list_tenants
- """
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.tenants_client.list_tenants()
-
- @rbac_rule_validation.action(service="keystone",
- rule="identity:list_user_projects",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d909')
def test_list_project_users(self):
@@ -112,3 +95,37 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.tenants_client.list_tenant_users(tenant['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ admin_only=True)
+ @decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d908')
+ def test_list_all_projects(self):
+
+ """List All Projects Test
+
+ RBAC test for Identity 2.0 list_tenants (admin endpoint)
+
+ There are two separate APIs for listing tenants in the Keystone
+ v2 API: one for admin and one for non-admin. The ``os_admin`` client
+ calls the admin endpoint and the ``os_primary`` client calls the
+ non-admin endpoint. To ensure that the admin endpoint only returns
+ admin-scoped tenants, raise ``RbacActionFailed`` exception otherwise.
+ """
+ tenants_client = self.os_admin.tenants_client if \
+ CONF.identity.admin_role == CONF.rbac.rbac_test_role else \
+ self.os_primary.tenants_client
+ admin_tenant_id = self.os_admin.auth_provider.credentials.project_id
+ non_admin_tenant_id = self.auth_provider.credentials.project_id
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ tenants = tenants_client.list_tenants()['tenants']
+
+ tenant_ids = [t['id'] for t in tenants]
+ if admin_tenant_id not in tenant_ids:
+ raise rbac_exceptions.RbacActionFailed(
+ "The admin tenant id was not returned by the call to "
+ "``list_tenants``.")
+ if non_admin_tenant_id in tenant_ids:
+ raise rbac_exceptions.RbacActionFailed(
+ "The non-admin tenant id was returned by the call to "
+ "``list_tenants``.")
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
index 7b21194..a1ec5c6 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
@@ -13,7 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -21,14 +20,12 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
-CONF = config.CONF
-
-class IdentityRoleV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
+class IdentityRolesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
@classmethod
def setup_clients(cls):
- super(IdentityRoleV2RbacTest, cls).setup_clients()
+ super(IdentityRolesV2AdminRbacTest, cls).setup_clients()
cls.roles_client = cls.os_primary.roles_client
def _create_role(self):
@@ -53,7 +50,6 @@
tenant['id'], user['id'], role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_role",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d904')
def test_create_role(self):
@@ -67,7 +63,6 @@
self._create_role()
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_role",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d905')
def test_delete_role(self):
@@ -82,7 +77,6 @@
self.roles_client.delete_role(role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_role",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d906')
def test_show_role(self):
@@ -97,7 +91,6 @@
self.roles_client.show_role(role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_roles",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d907')
def test_list_roles(self):
@@ -110,7 +103,6 @@
self.roles_client.list_roles()
@rbac_rule_validation.action(service="keystone",
- rule="identity:add_role_to_user",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d908')
def test_create_role_on_project(self):
@@ -124,7 +116,6 @@
self._create_role_on_project(tenant, user, role)
@rbac_rule_validation.action(service="keystone",
- rule="identity:remove_role_from_user",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d909')
def test_delete_role_from_user_on_project(self):
@@ -141,7 +132,6 @@
tenant['id'], user['id'], role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_user_roles",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d90a')
def test_list_user_roles_on_project(self):
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
index c9803ec..ad47fd2 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
@@ -13,24 +13,20 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
-CONF = config.CONF
-
-class IdentityServicesV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
+class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
@classmethod
def setup_clients(cls):
- super(IdentityServicesV2RbacTest, cls).setup_clients()
+ super(IdentityServicesV2AdminRbacTest, cls).setup_clients()
cls.services_client = cls.os_primary.identity_services_client
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_service",
admin_only=True)
@decorators.idempotent_id('370050f6-d271-4fb4-abc5-4de1d6dfbad2')
def test_create_service(self):
@@ -42,7 +38,6 @@
self._create_service()
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_service",
admin_only=True)
@decorators.idempotent_id('f6c64fc3-6a1f-423e-af91-e411add3a384')
def test_delete_service(self):
@@ -56,7 +51,6 @@
self.services_client.delete_service(service_id)
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_service",
admin_only=True)
@decorators.idempotent_id('504d62bb-97d7-445e-9d6d-b1945a7c9e08')
def test_show_service(self):
@@ -70,7 +64,6 @@
self.services_client.show_service(service_id)
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_services",
admin_only=True)
@decorators.idempotent_id('d7dc461d-51ad-48e0-9cd2-33add1b88de9')
def test_list_services(self):
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
index 48f3d11..f90680d 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
@@ -20,10 +20,9 @@
from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
-class IdentityUserV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
+class IdentityUsersV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_user",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d904')
def test_create_user(self):
@@ -31,7 +30,6 @@
self._create_user()
@rbac_rule_validation.action(service="keystone",
- rule="identity:update_user",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d905')
def test_update_user(self):
@@ -41,7 +39,6 @@
self.users_client.update_user(user['id'], email="changedUser@xyz.com")
@rbac_rule_validation.action(service="keystone",
- rule="identity:set_user_enabled",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d9a1')
def test_update_user_enabled(self):
@@ -51,7 +48,6 @@
self.users_client.update_user_enabled(user['id'], enabled=True)
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_user",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d906')
def test_delete_user(self):
@@ -61,7 +57,6 @@
self.users_client.delete_user(user['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_users",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d907')
def test_list_users(self):
@@ -69,7 +64,6 @@
self.users_client.list_users()
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_user",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d908')
def test_show_user(self):
@@ -79,7 +73,6 @@
self.users_client.show_user(user['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:change_password",
admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d909')
def test_update_user_password(self):
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index 956727b..7380531 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -20,11 +20,11 @@
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+class IdentityUserV3AdminRbacTest(rbac_base.BaseIdentityV3RbacTest):
@classmethod
def resource_setup(cls):
- super(IdentityUserV3RbacTest, cls).resource_setup()
+ super(IdentityUserV3AdminRbacTest, cls).resource_setup()
cls.default_user_id = cls.auth_provider.credentials.user_id
@rbac_rule_validation.action(service="keystone",
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_resource_types_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_image_resource_types_rbac.py
index 94c704f..552a137 100644
--- a/patrole_tempest_plugin/tests/api/image/v2/test_image_resource_types_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_image_resource_types_rbac.py
@@ -23,6 +23,21 @@
class ImageResourceTypesRbacTest(rbac_base.BaseV2ImageRbacTest):
+ @classmethod
+ def resource_setup(cls):
+ super(ImageResourceTypesRbacTest, cls).resource_setup()
+ cls.namespace_name = data_utils.rand_name('test-ns')
+ cls.namespaces_client.create_namespace(
+ namespace=cls.namespace_name,
+ protected=False)
+
+ @classmethod
+ def resource_cleanup(cls):
+ test_utils.call_and_ignore_notfound_exc(
+ cls.namespaces_client.delete_namespace,
+ cls.namespace_name)
+ super(ImageResourceTypesRbacTest, cls).resource_setup()
+
@rbac_rule_validation.action(service="glance",
rule="list_metadef_resource_types")
@decorators.idempotent_id('0416fc4d-cfdc-447b-88b6-d9f1dd0382f7')
@@ -42,15 +57,15 @@
RBAC test for the glance get_metadef_resource_type policy.
"""
- namespace_name = data_utils.rand_name('test-ns')
- self.namespaces_client.create_namespace(
- namespace=namespace_name,
- protected=False)
- self.addCleanup(
- test_utils.call_and_ignore_notfound_exc,
- self.namespaces_client.delete_namespace,
- namespace_name)
-
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.resource_types_client.list_resource_type_association(
- namespace_name)
+ self.namespace_name)
+
+ @rbac_rule_validation.action(service="glance",
+ rule="add_metadef_resource_type_association")
+ @decorators.idempotent_id('ef9fbc60-3e28-4164-a25c-d30d892f7939')
+ def test_add_metadef_resource_type(self):
+ type_name = data_utils.rand_name()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.resource_types_client.create_resource_type_association(
+ self.namespace_name, name=type_name)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index 416fb4d..16e77ed 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -158,6 +158,48 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.client.retype_volume(volume['id'], new_type=vol_type)
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_admin_actions:reset_status")
+ @decorators.idempotent_id('4b3dad7d-0e73-4839-8781-796dd3d7af1d')
+ def test_volume_reset_status(self):
+ volume = self.create_volume()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.client.reset_volume_status(volume['id'], status='error')
+
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_admin_actions:force_delete")
+ @decorators.idempotent_id('a312a937-6abf-4b91-a950-747086cbce48')
+ def test_volume_force_delete(self):
+ volume = self.create_volume()
+ self.client.reset_volume_status(volume['id'], status='error')
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.client.force_delete_volume(volume['id'])
+ self.client.wait_for_resource_deletion(volume['id'])
+
+ @decorators.idempotent_id('48bd302b-950a-4830-840c-3158246ecdcc')
+ @test.services('compute')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_admin_actions:force_detach")
+ def test_force_detach_volume_from_instance(self):
+ server = self._create_server()
+ self._attach_volume(server)
+ attachment = self.volumes_client.show_volume(
+ self.volume['id'])['volume']['attachments'][0]
+
+ # Reset volume's status to error.
+ self.volumes_client.reset_volume_status(self.volume['id'],
+ status='error')
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volumes_client.force_detach_volume(
+ self.volume['id'], connector=None,
+ attachment_id=attachment['attachment_id'])
+
class VolumesActionsV3RbacTest(VolumesActionsRbacTest):
_api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
deleted file mode 100644
index b10f5b3..0000000
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
+++ /dev/null
@@ -1,60 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_log import log as logging
-
-from tempest import config
-from tempest.lib import decorators
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.volume import rbac_base
-
-CONF = config.CONF
-LOG = logging.getLogger(__name__)
-
-
-class VolumesRbacTest(rbac_base.BaseVolumeRbacTest):
-
- @classmethod
- def setup_clients(cls):
- super(VolumesRbacTest, cls).setup_clients()
- cls.client = cls.volumes_client
-
- @rbac_rule_validation.action(
- service="cinder",
- rule="volume_extension:volume_admin_actions:reset_status")
- @decorators.idempotent_id('4b3dad7d-0e73-4839-8781-796dd3d7af1d')
- def test_volume_reset_status(self):
- volume = self.create_volume()
- # Test volume reset status : available->error->available
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.reset_volume_status(volume['id'], status='error')
- self.client.reset_volume_status(volume['id'], status='available')
-
- @rbac_rule_validation.action(
- service="cinder",
- rule="volume_extension:volume_admin_actions:force_delete")
- @decorators.idempotent_id('a312a937-6abf-4b91-a950-747086cbce48')
- def test_volume_force_delete_when_volume_is_error(self):
- volume = self.create_volume()
- self.client.reset_volume_status(volume['id'], status='error')
- # Test force delete when status of volume is error
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.force_delete_volume(volume['id'])
- self.client.wait_for_resource_deletion(volume['id'])
-
-
-class VolumesV3RbacTest(VolumesRbacTest):
- _api_version = 3
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
index 0906222..6889b44 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
@@ -32,6 +32,8 @@
super(RbacPolicyTest, self).setUp()
self.mock_admin_mgr = mock.patch.object(
rbac_policy_parser, 'credentials').start()
+ self.mock_path = mock.patch.object(
+ rbac_policy_parser, 'os').start()
current_directory = os.path.dirname(os.path.realpath(__file__))
self.custom_policy_file = os.path.join(current_directory,
@@ -88,8 +90,9 @@
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
+ self.mock_path.path.join.return_value = self.custom_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test", self.custom_policy_file)
+ test_tenant_id, test_user_id, "test")
expected = {
'policy_action_1': ['two', 'four', 'six', 'eight'],
@@ -110,8 +113,9 @@
def test_admin_policy_file_with_admin_role(self):
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
+ self.mock_path.path.join.return_value = self.admin_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test", self.admin_policy_file)
+ test_tenant_id, test_user_id, "test")
role = 'admin'
allowed_rules = [
@@ -130,8 +134,9 @@
def test_admin_policy_file_with_member_role(self):
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
+ self.mock_path.path.join.return_value = self.admin_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test", self.admin_policy_file)
+ test_tenant_id, test_user_id, "test")
role = 'Member'
allowed_rules = [
@@ -151,8 +156,9 @@
def test_admin_policy_file_with_context_is_admin(self):
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
+ self.mock_path.path.join.return_value = self.alt_admin_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test", self.alt_admin_policy_file)
+ test_tenant_id, test_user_id, "test")
role = 'fake_admin'
allowed_rules = ['non_admin_rule']
@@ -187,8 +193,9 @@
"""
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
+ self.mock_path.path.join.return_value = self.tenant_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test", self.tenant_policy_file)
+ test_tenant_id, test_user_id, "test")
# Check whether Member role can perform expected actions.
allowed_rules = ['rule1', 'rule2', 'rule3', 'rule4']
@@ -268,9 +275,9 @@
def test_invalid_policy_rule_throws_rbac_parsing_exception(self, m_log):
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
-
+ self.mock_path.path.join.return_value = self.custom_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test", self.custom_policy_file)
+ test_tenant_id, test_user_id, "test")
fake_rule = 'fake_rule'
expected_message = "Policy action: {0} not found in policy file: {1}."\
@@ -285,9 +292,9 @@
def test_unknown_exception_throws_rbac_parsing_exception(self, m_log):
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
-
+ self.mock_path.path.join.return_value = self.custom_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test", self.custom_policy_file)
+ test_tenant_id, test_user_id, "test")
parser.rules = mock.MagicMock(
**{'__getitem__.return_value.side_effect': Exception(
mock.sentinel.error)})
@@ -320,9 +327,9 @@
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
-
+ self.mock_path.path.join.return_value = self.tenant_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test", self.tenant_policy_file)
+ test_tenant_id, test_user_id, "test")
policy_data = parser._get_policy_data('fake_service')
@@ -364,9 +371,9 @@
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
-
+ self.mock_path.path.join.return_value = self.tenant_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test", self.tenant_policy_file)
+ test_tenant_id, test_user_id, "test")
policy_data = parser._get_policy_data('fake_service')
@@ -393,10 +400,10 @@
mock_creds.AdminManager.return_value.identity_services_v3_client.\
list_services.return_value = {
'services': [{'name': 'test_service'}]}
-
+ self.mock_path.path.join.return_value = '/etc/test_service/policy.json'
e = self.assertRaises(rbac_exceptions.RbacParsingException,
rbac_policy_parser.RbacPolicyParser,
- None, None, 'test_service', None)
+ None, None, 'test_service')
expected_error = \
'Policy file for {0} service neither found in code '\
@@ -405,14 +412,12 @@
self.assertIn(expected_error, str(e))
- @mock.patch.object(rbac_policy_parser, 'os', autospec=True)
@mock.patch.object(rbac_policy_parser, 'json', autospec=True)
@mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
@mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
def test_get_policy_data_without_valid_policy(self, mock_stevedore,
- mock_credentials, mock_json,
- mock_os):
- mock_os.path.isfile.return_value = False
+ mock_credentials, mock_json):
+ self.mock_path.path.isfile.return_value = False
test_policy_action = mock.Mock(check='rule:bar')
test_policy_action.configure_mock(name='foo')
@@ -432,7 +437,7 @@
e = self.assertRaises(rbac_exceptions.RbacParsingException,
rbac_policy_parser.RbacPolicyParser,
- None, None, 'test_service', None)
+ None, None, 'test_service')
expected_error = "Policy file for {0} service is invalid."\
.format("test_service")
@@ -459,11 +464,10 @@
}
mock_stevedore.named.NamedExtensionManager.return_value = None
mock_json.loads.side_effect = ValueError
-
+ self.mock_path.path.join.return_value = self.tenant_policy_file
e = self.assertRaises(rbac_exceptions.RbacParsingException,
rbac_policy_parser.RbacPolicyParser,
- None, None, 'test_service',
- self.tenant_policy_file)
+ None, None, 'test_service')
expected_error = 'Policy file for {0} service neither found in code '\
'nor at {1}.'.format('test_service',
diff --git a/releasenotes/notes/add-metadef-resource-type-7973621c5e8fff7f.yaml b/releasenotes/notes/add-metadef-resource-type-7973621c5e8fff7f.yaml
new file mode 100644
index 0000000..61bec83
--- /dev/null
+++ b/releasenotes/notes/add-metadef-resource-type-7973621c5e8fff7f.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Adds test for glance's
+ add_metadef_resource_type_association policy.
diff --git a/releasenotes/notes/admin-only-identity-v2-admin-6f382e38d7a690a4.yaml b/releasenotes/notes/admin-only-identity-v2-admin-6f382e38d7a690a4.yaml
new file mode 100644
index 0000000..750a9f1
--- /dev/null
+++ b/releasenotes/notes/admin-only-identity-v2-admin-6f382e38d7a690a4.yaml
@@ -0,0 +1,12 @@
+---
+fixes:
+ - |
+ Removed ``rule`` kwarg from ``rbac_rule_validation`` decorator for identity
+ v2 admin tests, because the identity v2 admin API does not do policy
+ enforcement, and instead checks whether the request object has
+ ``context_is_admin``.
+other:
+ - |
+ Updated the class names for identity v2 tests to include the "Admin"
+ substring, to convey the fact that these tests are only intended
+ to test the v2 admin API, not the v2 API.
diff --git a/releasenotes/notes/config-opts-paths-01e2a5096a1579b8.yaml b/releasenotes/notes/config-opts-paths-01e2a5096a1579b8.yaml
new file mode 100644
index 0000000..3e63c9d
--- /dev/null
+++ b/releasenotes/notes/config-opts-paths-01e2a5096a1579b8.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Refactored framework to remove unused "path"
+ argument. Added config options to allow the path
+ to the policy.json files for Nova, Keystone, Cinder,
+ Neutron, and Glance to be configured without needing
+ to manually change code.