feature flag: Policy feature enabled config group
A new configuration group ``[policy_feature_enabled]`` has been added to
Patrole which will be responsible for collecting the feature flags to be
used for newly introduced policies or policies that were changed in a
backwards-incompatible way.
* create_port_fixed_ips_ip_address_policy (Neutron)
* update_port_fixed_ips_ip_address_policy (Neutron)
* limits_extension_used_limits_policy (Cinder)
* volume_extension_volume_actions_attach_policy (Cinder)
* volume_extension_volume_actions_reserve_policy (Cinder)
* volume_extension_volume_actions_unreserve_policy (Cinder)
These feature flags will be supported until the Pike release cycle
is EOL.
The motivation behind these feature flags is [0] which adds
Pike/Queens gating to Patrole. However, in Queens, Neutron
and Cinder renamed or removed a few policies in a backwards-
incompatible way. These policies can be reviewed here: [1].
This PS requires another PS [2] in devstack's lib/tempest
because Patrole, being a branchless project and hosting the
Patrole devstack plugin itself, must fall back to Tempest's
devstack script to list out the backwards-incompatible
policies in Pike.
A documentation update will also come in a follow up with
information on these feature flags.
[0] I76c4a9b8737bf94f230ab141def652b054120f3b
[1] e.g. http://logs.openstack.org/51/547851/4/check/patrole-member-pike/139c534/job-output.txt.gz#_2018-03-22_21_46_08_392229
[2] I00bdeff9474c54d38b6d6844a041b305bec01ad8
Change-Id: Ia0d9847908a8e723446c16465d68cd7f622c04cc
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index 0077d19..5103888 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -94,6 +94,7 @@
patrole_log_group = cfg.OptGroup(
name='patrole_log', title='Patrole Logging Options')
+
PatroleLogGroup = [
cfg.BoolOpt('enable_reporting',
default=False,
@@ -112,6 +113,47 @@
]
+policy_feature_enabled = cfg.OptGroup(
+ name='policy-feature-enabled',
+ title='Feature Flags for New or Changed Policies')
+
+
+PolicyFeatureEnabledGroup = [
+ # TODO(felipemonteiro): The 6 feature flags below should be removed after
+ # Pike is EOL.
+ cfg.BoolOpt('create_port_fixed_ips_ip_address_policy',
+ default=True,
+ help="""Is the Neutron policy
+"create_port:fixed_ips:ip_address" available in the cloud? This policy was
+changed in a backwards-incompatible way."""),
+ cfg.BoolOpt('update_port_fixed_ips_ip_address_policy',
+ default=True,
+ help="""Is the Neutron policy
+"update_port:fixed_ips:ip_address" available in the cloud? This policy was
+changed in a backwards-incompatible way."""),
+ cfg.BoolOpt('limits_extension_used_limits_policy',
+ default=True,
+ help="""Is the Cinder policy
+"limits_extension:used_limits" available in the cloud? This policy was
+changed in a backwards-incompatible way."""),
+ cfg.BoolOpt('volume_extension_volume_actions_attach_policy',
+ default=True,
+ help="""Is the Cinder policy
+"volume_extension:volume_actions:attach" available in the cloud? This policy
+was changed in a backwards-incompatible way."""),
+ cfg.BoolOpt('volume_extension_volume_actions_reserve_policy',
+ default=True,
+ help="""Is the Cinder policy
+"volume_extension:volume_actions:reserve" available in the cloud? This policy
+was changed in a backwards-incompatible way."""),
+ cfg.BoolOpt('volume_extension_volume_actions_unreserve_policy',
+ default=True,
+ help="""Is the Cinder policy
+"volume_extension:volume_actions:unreserve" available in the cloud? This policy
+was changed in a backwards-incompatible way.""")
+]
+
+
def list_opts():
"""Return a list of oslo.config options available.
@@ -120,7 +162,9 @@
"""
opt_list = [
(patrole_group, PatroleGroup),
- (patrole_log_group, PatroleLogGroup)
+ (patrole_log_group, PatroleLogGroup),
+ (policy_feature_enabled, PolicyFeatureEnabledGroup)
+
]
return opt_list
diff --git a/patrole_tempest_plugin/plugin.py b/patrole_tempest_plugin/plugin.py
index a214892..8af6a69 100644
--- a/patrole_tempest_plugin/plugin.py
+++ b/patrole_tempest_plugin/plugin.py
@@ -21,7 +21,7 @@
from tempest import config
from tempest.test_discover import plugins
-from patrole_tempest_plugin import config as project_config
+from patrole_tempest_plugin import config as pconfig
RBACLOG = logging.getLogger('rbac_reporting')
@@ -64,16 +64,23 @@
def register_opts(self, conf):
config.register_opt_group(
conf,
- project_config.patrole_group,
- project_config.PatroleGroup)
+ pconfig.patrole_group,
+ pconfig.PatroleGroup)
config.register_opt_group(
conf,
- project_config.patrole_log_group,
- project_config.PatroleLogGroup)
+ pconfig.patrole_log_group,
+ pconfig.PatroleLogGroup)
+ config.register_opt_group(
+ conf,
+ pconfig.policy_feature_enabled,
+ pconfig.PolicyFeatureEnabledGroup)
if conf.patrole_log.enable_reporting:
self._configure_per_test_logging(conf)
def get_opt_lists(self):
- return [(project_config.patrole_group.name,
- project_config.PatroleGroup)]
+ return [
+ (pconfig.patrole_group.name, pconfig.PatroleGroup),
+ (pconfig.policy_feature_enabled.name,
+ pconfig.PolicyFeatureEnabledGroup)
+ ]
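Review bot: `get_opt_lists` now returns `patrole_group` and `policy_feature_enabled` but still leaves out `patrole_log_group`, although `register_opts` just above registers all three groups and `list_opts` in config.py lists all three. If the omission is not deliberate, add `(pconfig.patrole_log_group.name, pconfig.PatroleLogGroup),` so that whatever consumes this list (presumably option listing or sample-config generation) sees every registered group. If it is deliberate, a one-line comment saying why the logging group is excluded would save the next reader from assuming it is a bug.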
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
index 0b91e14..a8c7d68 100644
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -15,6 +15,7 @@
#
import netaddr
+import testtools
from tempest.common import utils
from tempest.common.utils import net_utils
@@ -106,6 +107,9 @@
with self.rbac_utils.override_role(self):
self.create_port(**post_body)
+ @testtools.skipUnless(
+ CONF.policy_feature_enabled.create_port_fixed_ips_ip_address_policy,
+ '"create_port:fixed_ips:ip_address" must be available in the cloud.')
@rbac_rule_validation.action(service="neutron",
rule="create_port:fixed_ips:ip_address")
@decorators.idempotent_id('2551e10d-006a-413c-925a-8c6f834c09ac')
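Review bot: The reason string on this `skipUnless` does not name the option that caused the skip, and nothing ties the decorator to the Pike-EOL TODO in config.py. A skip here means the RBAC check for `create_port:fixed_ips:ip_address` is not run at all, so the test report should make it auditable, e.g. `'[policy-feature-enabled] create_port_fixed_ips_ip_address_policy is False; "create_port:fixed_ips:ip_address" is not validated.'`, preceded by `# TODO: remove together with the Pike feature flags in config.py`. The same applies to the second skip in this file and to the skips added in test_limits_rbac.py and test_volume_actions_rbac.py. If the Pike-era rule has a different name, no test appears to cover it while the flag is False; that is worth confirming. The decorated test method lies outside the hunk.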
@@ -268,6 +272,9 @@
self.addCleanup(self.ports_client.update_port, self.port['id'],
mac_address=original_mac_address)
+ @testtools.skipUnless(
+ CONF.policy_feature_enabled.update_port_fixed_ips_ip_address_policy,
+ '"update_port:fixed_ips:ip_address" must be available in the cloud.')
@rbac_rule_validation.action(service="neutron",
rule="update_port:fixed_ips:ip_address")
@decorators.idempotent_id('c091c825-532b-4c6f-a14f-affd3259c1c3')
diff --git a/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
index 78cfd9a..aec5cb1 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
@@ -13,16 +13,24 @@
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
+
+from tempest import config
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
+CONF = config.CONF
+
class LimitsV3RbacTest(rbac_base.BaseVolumeRbacTest):
_api_version = 3
+ @testtools.skipUnless(
+ CONF.policy_feature_enabled.limits_extension_used_limits_policy,
+ '"limits_extension:used_limits" must be available in the cloud.')
@decorators.idempotent_id('dab04510-5b86-4479-a633-6e496ff405af')
@rbac_rule_validation.action(service="cinder",
rule="limits_extension:used_limits")
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index a755d48..46f7a3e 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
+
from tempest.common import compute
from tempest.common import utils
from tempest.common import waiters
@@ -65,6 +67,11 @@
waiters.wait_for_volume_resource_status(
self.volumes_client, volume_id, 'available')
+ @testtools.skipUnless(
+ CONF.policy_feature_enabled
+ .volume_extension_volume_actions_attach_policy,
+ '"volume_extension:volume_actions:attach" must be available in the '
+ 'cloud.')
@utils.services('compute')
@rbac_rule_validation.action(
service="cinder",
@@ -151,6 +158,11 @@
self.volumes_client.set_bootable_volume(self.volume['id'],
bootable=True)
+ @testtools.skipUnless(
+ CONF.policy_feature_enabled
+ .volume_extension_volume_actions_reserve_policy,
+ '"volume_extension:volume_actions:reserve" must be available in the '
+ 'cloud.')
@decorators.idempotent_id('41566922-75a1-4484-99c7-9c8782ee99ac')
@rbac_rule_validation.action(
service="cinder",
@@ -159,6 +171,11 @@
with self.rbac_utils.override_role(self):
self.volumes_client.reserve_volume(self.volume['id'])
+ @testtools.skipUnless(
+ CONF.policy_feature_enabled
+ .volume_extension_volume_actions_unreserve_policy,
+ '"volume_extension:volume_actions:unreserve" must be available in the '
+ 'cloud.')
@decorators.idempotent_id('e5fa9564-77d9-4e57-b0c0-3e0ae4d08535')
@rbac_rule_validation.action(
service="cinder",