Merge "Clean up test_admin_password_rbac"
diff --git a/README.rst b/README.rst
index 51940d7..8ba4649 100644
--- a/README.rst
+++ b/README.rst
@@ -69,7 +69,7 @@
the ``rbac_rule_validation.action`` decorator. Then, inside the test, the API
that does policy enforcement for the same rule is called. The outcome is
compared against the result from oslo_policy and a pass or fail is determined
-as outlined above: :ref:`test-flows`.
+as outlined above: `Test Flows`_.
.. note::
@@ -110,14 +110,15 @@
#. After all of the logic above has executed inside the rbac decorator, the
test is executed. The test then sets up test-level resources, if necessary,
with **admin** credentials implicitly. This is accomplished through
- ``rbac_utils.switch_role(toggle_rbac_role=False)``: ::
+ ``rbac_utils.switch_role(toggle_rbac_role=False)``, which is done as part of
+ client setup (inside the call to ``rbac_utils.RbacUtils``): ::
@classmethod
def setup_clients(cls):
super(BaseV2ComputeRbacTest, cls).setup_clients()
- cls.auth_provider = cls.os.auth_provider
- cls.rbac_utils = rbac_utils()
- cls.rbac_utils.switch_role(cls, toggle_rbac_role=False)
+ cls.auth_provider = cls.os_primary.auth_provider
+ cls.rbac_utils = rbac_utils.RbacUtils(cls)
+ ...
This code has *already* executed when the test class is instantiated, because
it is located in the base rbac test class. Whenever ``cls.rbac_utils.switch_role``
@@ -137,7 +138,7 @@
Now the primary credential has the role specified by ``rbac_test_role``.
-#. The API endpoint in which policy enforcement of "os_compute_api:servers:stop"
+#. The API endpoint in which policy enforcement of "os_compute_api:servers:stop"
is performed can now be called.
.. note:
diff --git a/doc/source/installation.rst b/doc/source/installation.rst
index e342dd8..31f94f4 100644
--- a/doc/source/installation.rst
+++ b/doc/source/installation.rst
@@ -7,6 +7,7 @@
At the command line::
+ $ git clone http://git.openstack.org/openstack/patrole
$ sudo pip install patrole
Or, if you have virtualenvwrapper installed::
@@ -19,6 +20,17 @@
$ navigate to patrole directory
$ sudo pip install -e .
+DevStack Installation
+=====================
+
+Patrole can be installed like any other DevStack plugin by including the
+``install_plugin`` directive inside local.conf::
+
+ [[local|localrc]]
+ ...
+
+ enable_plugin patrole git://git.openstack.org/openstack/patrole
+
Configuration Information
=========================
diff --git a/doc/source/usage.rst b/doc/source/usage.rst
index c2fc6d3..d2570bc 100644
--- a/doc/source/usage.rst
+++ b/doc/source/usage.rst
@@ -4,17 +4,28 @@
Usage
========
-Running Patrole Tests in Tempest
-================================
+RBAC (API) Tests
+================
-If Patrole is installed correctly, then the API tests can be executed
-from inside the tempest root directory as follows: ::
+If Patrole is installed correctly, then the RBAC tests can be executed
+from inside the tempest root directory as follows::
- tox -eall-plugin -- patrole_tempest_plugin.tests.api
+ $ tox -eall-plugin -- patrole_tempest_plugin.tests.api
-To execute patrole tests for a specific module, run: ::
+To execute patrole tests for a specific module, run::
- tox -eall-plugin -- patrole_tempest_plugin.tests.api.compute
+ $ tox -eall-plugin -- patrole_tempest_plugin.tests.api.compute
+
+.. note::
+
+ It is possible to run Patrole via ``tox -eall`` in order to run Patrole
+ isolated from other plugins. This can be accomplished by including the
+ installation of services that currently use policy in code -- for example,
+ Nova and Keystone. For example::
+
+ $ tox -evenv-tempest -- pip install /opt/stack/patrole /opt/stack/keystone /opt/stack/nova
+ $ tox -eall -- patrole_tempest_plugin.tests.api
+..
To change the role that the patrole tests are being run as, edit
``rbac_test_role`` in the ``rbac`` section of tempest.conf: ::
@@ -34,3 +45,17 @@
For more information about the Member role,
please see: `<https://ask.openstack.org/en/question/4759/member-vs-_member_/>`__.
+
+Unit Tests
+==========
+
+Patrole includes unit tests for its RBAC framework. They can be run by
+executing::
+
+ $ tox -e py27
+
+or::
+
+ $ tox -e py35
+
+against the Python 3.5 interpreter.
diff --git a/patrole_tempest_plugin/plugin.py b/patrole_tempest_plugin/plugin.py
index cfe5c0a..28ce12c 100644
--- a/patrole_tempest_plugin/plugin.py
+++ b/patrole_tempest_plugin/plugin.py
@@ -36,4 +36,4 @@
project_config.RbacGroup)
def get_opt_lists(self):
- return []
+ return [(project_config.rbac_group.name, project_config.RbacGroup)]
diff --git a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
index 3d66f2e..cdabf6f 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
@@ -178,3 +178,33 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.compute_images_client.delete_image_metadata_item(self.image['id'],
key='foo')
+
+
+class ImageSizeRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ """Tests the ``image_size`` compute policies.
+
+ NOTE(felipemonteiro): If Patrole is enhanced to test multiple policies
+ simultaneously, these policy actions can be combined with the related
+ tests from ``ImagesRbacTest`` above.
+ """
+
+ # These tests will fail with a 404 starting from microversion 2.36.
+ # See the following link for details:
+ # https://developer.openstack.org/api-ref/compute/#images-deprecated
+ max_microversion = '2.35'
+
+ @decorators.idempotent_id('fe34d2a6-5743-45bf-8f92-a1d703d7c7ab')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:image-size")
+ def test_list_images(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.compute_images_client.list_images()
+
+ @decorators.idempotent_id('08342c7d-297d-42ee-b398-90fce2443792')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:image-size")
+ def test_list_images_with_details(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.compute_images_client.list_images(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
index f45632e..17a6c74 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
@@ -21,10 +22,54 @@
class SecurityGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ # Tests in this class will fail with a 404 from microversion 2.36,
+ # according to:
+ # https://developer.openstack.org/api-ref/compute/#security-groups-os-security-groups-deprecated
+ max_microversion = '2.35'
+
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-security-groups")
@decorators.idempotent_id('4ac58e49-48c1-4fca-a6c3-3f95fb99eb77')
- def test_server_security_groups(self):
+ def test_list_security_groups(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.security_groups_client.list_security_groups()
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('e8fe7f5a-69ee-412d-81d3-a8c7a488b54d')
+ def test_create_security_groups(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.create_security_group()['id']
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('59127e8e-302d-11e7-93ae-92361f002671')
+ def test_delete_security_groups(self):
+ sec_group_id = self.create_security_group()['id']
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.security_groups_client.delete_security_group(sec_group_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('3de5c6bc-b822-469e-a627-82427d38b067')
+ def test_update_security_groups(self):
+ sec_group_id = self.create_security_group()['id']
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ new_name = data_utils.rand_name()
+ new_desc = data_utils.rand_name()
+ self.security_groups_client.update_security_group(sec_group_id,
+ name=new_name,
+ description=new_desc)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('6edc0320-302d-11e7-93ae-92361f002671')
+ def test_show_security_groups(self):
+ sec_group_id = self.create_security_group()['id']
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.security_groups_client.show_security_group(sec_group_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
index 3c8ef69..3a2b5ec 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
@@ -17,11 +17,11 @@
from tempest.common import waiters
from tempest import config
-
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from tempest.lib import exceptions
+from tempest import test
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
@@ -36,14 +36,14 @@
@classmethod
def setup_clients(cls):
super(ComputeServersRbacTest, cls).setup_clients()
- cls.client = cls.servers_client
cls.networks_client = cls.os_primary.networks_client
+ cls.ports_client = cls.os_primary.ports_client
cls.subnets_client = cls.os_primary.subnets_client
@classmethod
def resource_setup(cls):
super(ComputeServersRbacTest, cls).resource_setup()
-
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
# Create a volume
volume_name = data_utils.rand_name(cls.__name__ + '-volume')
name_field = 'name'
@@ -66,7 +66,8 @@
self.__class__.__name__ + '-network')
network = self.networks_client.create_network(
- **{'name': network_name})['network']
+ name=network_name, port_security_enabled=True)['network']
+ self.addCleanup(self.networks_client.delete_network, network['id'])
# Create subnet for the network
subnet_name = data_utils.rand_name(self.__class__.__name__ + '-subnet')
@@ -75,11 +76,7 @@
network_id=network['id'],
cidr=CONF.network.project_network_cidr,
ip_version=4)['subnet']
-
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.networks_client.delete_network, network['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.subnets_client.delete_subnet, subnet['id'])
+ self.addCleanup(self.subnets_client.delete_subnet, subnet['id'])
return network
@@ -134,6 +131,7 @@
self.create_test_server(wait_until='ACTIVE',
availability_zone=availability_zone)
+ @test.services('volume')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:create:attach_volume")
@@ -142,20 +140,18 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_test_server_with_volume(self.volume_id)
+ @test.services('network')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:create:attach_network")
@decorators.idempotent_id('b44cd4ff-50a4-42ce-ada3-724e213cd540')
def test_create_server_attach_network(self):
network = self._create_network_resources()
- network_id = {'uuid': network['id']}
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ network_id = {'uuid': network['id']}
server = self.create_test_server(wait_until='ACTIVE',
networks=[network_id])
- # The network resources created is for this test case only. We will
- # clean them up after this test case. In order to do that,
- # we need to clean up the server first.
self.addCleanup(waiters.wait_for_server_termination,
self.servers_client, server['id'])
self.addCleanup(self.servers_client.delete_server, server['id'])
@@ -175,13 +171,80 @@
rule="os_compute_api:servers:update")
@decorators.idempotent_id('077b17cb-5621-43b9-8adf-5725f0d7a863')
def test_update_server(self):
- server = self.create_test_server(wait_until='ACTIVE')
new_name = data_utils.rand_name(self.__class__.__name__ + '-server')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
try:
- self.servers_client.update_server(server['id'], name=new_name)
+ self.servers_client.update_server(self.server['id'], name=new_name)
+ waiters.wait_for_server_status(self.os_admin.servers_client,
+ self.server['id'], 'ACTIVE')
except exceptions.ServerFault as e:
# Some other policy may have blocked it.
LOG.info("ServerFault exception caught. Some other policy "
"blocked updating of server")
raise rbac_exceptions.RbacActionFailed(e)
+
+
+class SecurtiyGroupsRbacTest(base.BaseV2ComputeRbacTest):
+ """Tests non-deprecated security group policies. Requires network service.
+
+ This class tests non-deprecated policies for adding and removing a security
+ group to and from a server.
+ """
+
+ @classmethod
+ def setup_credentials(cls):
+ # A network and a subnet will be created for these tests.
+ cls.set_network_resources(network=True, subnet=True)
+ super(SecurtiyGroupsRbacTest, cls).setup_credentials()
+
+ @classmethod
+ def skip_checks(cls):
+ super(SecurtiyGroupsRbacTest, cls).skip_checks()
+ # All the tests below require the network service.
+ if not test.get_service_list()['network']:
+ raise cls.skipException(
+ 'Skipped because the network service is not available')
+
+ @classmethod
+ def resource_setup(cls):
+ super(SecurtiyGroupsRbacTest, cls).resource_setup()
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
+ def test_list_security_groups_by_server(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.list_security_groups_by_server(self.server['id'])
+
+ @test.attr(type=["slow"])
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
+ def test_create_security_group_for_server(self):
+ sg_name = self.create_security_group()['name']
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.add_security_group(self.server['id'], name=sg_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.servers_client.remove_security_group,
+ self.server['id'], name=sg_name)
+
+ @test.attr(type=["slow"])
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
+ def test_remove_security_group_from_server(self):
+ sg_name = self.create_security_group()['name']
+
+ self.servers_client.add_security_group(self.server['id'], name=sg_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.servers_client.remove_security_group,
+ self.server['id'], name=sg_name)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.remove_security_group(
+ self.server['id'], name=sg_name)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
index a2ae8e5..499f58d 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
@@ -14,6 +14,7 @@
# under the License.
from tempest.common import waiters
+from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
@@ -24,15 +25,19 @@
CONF = config.CONF
-class VolumeV235RbacTest(rbac_base.BaseV2ComputeRbacTest):
+class VolumeRbacTest(rbac_base.BaseV2ComputeRbacTest):
"""RBAC tests for the Nova Volume client."""
# These tests will fail with a 404 starting from microversion 2.36.
# For more information, see:
- # https://developer.openstack.org/api-ref/compute/volume-extension-os-volumes-os-snapshots-deprecated
- min_microversion = '2.10'
+ # https://developer.openstack.org/api-ref/compute/#volume-extension-os-volumes-os-snapshots-deprecated
max_microversion = '2.35'
+ @classmethod
+ def resource_setup(cls):
+ super(VolumeRbacTest, cls).resource_setup()
+ cls.volume = cls.create_volume()
+
@decorators.idempotent_id('2402013e-a624-43e3-9518-44a5d1dbb32d')
@rbac_rule_validation.action(
service="nova",
@@ -61,9 +66,8 @@
service="nova",
rule="os_compute_api:os-volumes")
def test_show_volume(self):
- volume = self.create_volume()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volumes_extensions_client.show_volume(volume['id'])
+ self.volumes_extensions_client.show_volume(self.volume['id'])
@decorators.idempotent_id('6e7870f2-1bb2-4b58-96f8-6782071ef327')
@rbac_rule_validation.action(
@@ -73,3 +77,48 @@
volume = self.create_volume()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volumes_extensions_client.delete_volume(volume['id'])
+
+ @decorators.idempotent_id('0c3eaa4f-69d6-4a13-9dda-19585f36b1c1')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_create_snapshot(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ self.volume['id'])['snapshot']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.snapshots_extensions_client.delete_snapshot,
+ snapshot['id'])
+
+ @decorators.idempotent_id('e944e816-416c-11e7-a919-92ebcb67fe33')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_list_snapshots(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.snapshots_extensions_client.list_snapshots()
+
+ @decorators.idempotent_id('19c2e6bd-585b-472f-a8d7-71ea9299c655')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_show_snapshot(self):
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ self.volume['id'])['snapshot']
+ self.addCleanup(self.snapshots_extensions_client.delete_snapshot,
+ snapshot['id'])
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.snapshots_extensions_client.show_snapshot(snapshot['id'])
+
+ @decorators.idempotent_id('f4f5635c-416c-11e7-a919-92ebcb67fe33')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_delete_snapshot(self):
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ self.volume['id'])['snapshot']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.snapshots_extensions_client.delete_snapshot,
+ snapshot['id'])
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.snapshots_extensions_client.delete_snapshot(snapshot['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index f72fe75..b42be93 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -110,6 +110,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_network(shared=True)
+ @test.requires_ext(extension='external-net', service='network')
@rbac_rule_validation.action(service="neutron",
rule="create_network:router:external")
@decorators.idempotent_id('51adf2a7-739c-41e0-8857-3b4c460cbd24')
@@ -122,6 +123,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_network(router_external=True)
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
rule="create_network:provider:network_type")
@decorators.idempotent_id('3c42f7b8-b80c-44ef-8fa4-69ec4b1836bc')
@@ -134,6 +136,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_network(provider_network_type='vxlan')
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(
service="neutron",
rule="create_network:provider:segmentation_id")
@@ -176,6 +179,7 @@
self._update_network(shared_network=True)
self.addCleanup(self._update_network, shared_network=False)
+ @test.requires_ext(extension='external-net', service='network')
@rbac_rule_validation.action(service="neutron",
rule="update_network:router:external")
@decorators.idempotent_id('34884c22-499b-4960-97f1-e2ed8522a9c9')
@@ -201,6 +205,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.networks_client.show_network(self.network['id'])
+ @test.requires_ext(extension='external-net', service='network')
@rbac_rule_validation.action(service="neutron",
rule="get_network:router:external")
@decorators.idempotent_id('529e4814-22e9-413f-af48-8fefcd637344')
@@ -216,6 +221,7 @@
self.networks_client.show_network(self.network['id'],
**kwargs)
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
rule="get_network:provider:network_type")
@decorators.idempotent_id('6521dd60-0950-458b-8491-09d3c84ac0f4')
@@ -234,6 +240,7 @@
if len(retrieved_network) == 0:
raise rbac_exceptions.RbacActionFailed
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
rule="get_network:provider:physical_network")
@decorators.idempotent_id('c049f11a-240c-4a85-ad43-a4d3fd0a5e39')
@@ -252,6 +259,7 @@
if len(retrieved_network) == 0:
raise rbac_exceptions.RbacActionFailed
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
rule="get_network:provider:segmentation_id")
@decorators.idempotent_id('38d9f085-6365-4f81-bac9-c53c294d727e')
diff --git a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
index 20f4bea..2ccc688 100644
--- a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
@@ -18,6 +18,7 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
+from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
@@ -28,6 +29,13 @@
class SecGroupRbacTest(base.BaseNetworkRbacTest):
@classmethod
+ def skip_checks(cls):
+ super(SecGroupRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('security-group', 'network'):
+ msg = "security-group extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
def resource_setup(cls):
super(SecGroupRbacTest, cls).resource_setup()
secgroup_name = data_utils.rand_name(cls.__name__ + '-secgroup')
diff --git a/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
new file mode 100644
index 0000000..e111ae8
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
@@ -0,0 +1,29 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+
+class ServiceProvidersRbacTest(base.BaseNetworkRbacTest):
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_service_provider")
+ @decorators.idempotent_id('15f573b7-474a-4b37-8629-7fac86553ce5')
+ def test_list_service_providers(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.service_providers_client.list_service_providers()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index b490ebe..afa83a6 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -52,18 +52,24 @@
self.servers_client.delete_server, server['id'])
return server
- def _attach_volume(self, server):
+ def _attach_volume(self, server, volume_id=None):
+ if volume_id is None:
+ volume_id = self.volume['id']
+
self.servers_client.attach_volume(
- server['id'], volumeId=self.volume['id'],
+ server['id'], volumeId=volume_id,
device='/dev/%s' % CONF.compute.volume_device_name)
waiters.wait_for_volume_resource_status(
- self.volumes_client, self.volume['id'], 'in-use')
- self.addCleanup(self._detach_volume)
+ self.volumes_client, volume_id, 'in-use')
+ self.addCleanup(self._detach_volume, volume_id)
- def _detach_volume(self):
- self.volumes_client.detach_volume(self.volume['id'])
+ def _detach_volume(self, volume_id=None):
+ if volume_id is None:
+ volume_id = self.volume['id']
+
+ self.volumes_client.detach_volume(volume_id)
waiters.wait_for_volume_resource_status(
- self.volumes_client, self.volume['id'], 'available')
+ self.volumes_client, volume_id, 'available')
@test.services('compute')
@rbac_rule_validation.action(service="cinder", rule="volume:attach")
@@ -186,19 +192,21 @@
service="cinder",
rule="volume_extension:volume_admin_actions:force_detach")
def test_force_detach_volume_from_instance(self):
+ volume = self.create_volume()
server = self._create_server()
- self._attach_volume(server)
+ self._attach_volume(server, volume['id'])
attachment = self.volumes_client.show_volume(
- self.volume['id'])['volume']['attachments'][0]
+ volume['id'])['volume']['attachments'][0]
# Reset volume's status to error.
- self.volumes_client.reset_volume_status(self.volume['id'],
- status='error')
+ self.volumes_client.reset_volume_status(volume['id'], status='error')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volumes_client.force_detach_volume(
- self.volume['id'], connector=None,
+ volume['id'], connector=None,
attachment_id=attachment['attachment_id'])
+ waiters.wait_for_volume_resource_status(self.os_admin.volumes_client,
+ volume['id'], 'available')
class VolumesActionsV3RbacTest(VolumesActionsRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
index c39a376..25c8504 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -31,28 +31,16 @@
class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
+ def setUp(self):
+ super(VolumesBackupsRbacTest, self).setUp()
+ self.volume = self.create_volume()
+
@classmethod
def skip_checks(cls):
super(VolumesBackupsRbacTest, cls).skip_checks()
if not CONF.volume_feature_enabled.backup:
raise cls.skipException("Cinder backup feature disabled")
- @classmethod
- def resource_setup(cls):
- super(VolumesBackupsRbacTest, cls).resource_setup()
- cls.volume = cls.create_volume()
-
- def _create_backup(self, volume_id):
- backup_name = data_utils.rand_name(self.__class__.__name__ + 'backup')
- backup = self.backups_client.create_backup(
- volume_id=volume_id, name=backup_name)['backup']
- self.addCleanup(
- test_utils.call_and_ignore_notfound_exc,
- self.backups_client.delete_backup, backup['id'])
- waiters.wait_for_volume_resource_status(
- self.backups_client, backup['id'], 'available')
- return backup
-
def _decode_url(self, backup_url):
return json.loads(base64.decode_as_text(backup_url))
@@ -71,16 +59,14 @@
@decorators.idempotent_id('6887ec94-0bcf-4ab7-b30f-3808a4b5a2a5')
def test_volume_backup_create(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_backup(volume_id=self.volume['id'])
+ self.create_backup(volume_id=self.volume['id'])
@test.attr(type=["slow"])
@rbac_rule_validation.action(service="cinder",
rule="backup:get")
@decorators.idempotent_id('abd92bdd-b0fb-4dc4-9cfc-de9e968f8c8a')
def test_volume_backup_get(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
- # Get a given backup
+ backup = self.create_backup(volume_id=self.volume['id'])
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.backups_client.show_backup(backup['id'])
@@ -96,9 +82,7 @@
rule="backup:restore")
@decorators.idempotent_id('9c794bf9-2446-4f41-8fe0-80b71e757f9d')
def test_volume_backup_restore(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
- # Restore backup
+ backup = self.create_backup(volume_id=self.volume['id'])
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
restore = self.backups_client.restore_backup(backup['id'])['restore']
waiters.wait_for_volume_resource_status(
@@ -109,11 +93,17 @@
rule="backup:delete")
@decorators.idempotent_id('d5d0c6a2-413d-437e-a73f-4bf2b41a20ed')
def test_volume_backup_delete(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
+ # Do not call the create_backup in Tempest's base volume class, because
+ # it doesn't use ``test_utils.call_and_ignore_notfound_exc`` for clean
+ # up.
+ backup = self.backups_client.create_backup(
+ volume_id=self.volume['id'])['backup']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.backups_client.delete_backup, backup['id'])
+
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Delete backup
self.backups_client.delete_backup(backup['id'])
+ # Wait for deletion so error isn't thrown during clean up.
self.backups_client.wait_for_resource_deletion(backup['id'])
@test.attr(type=["slow"])
@@ -121,10 +111,7 @@
rule="backup:backup-export")
@decorators.idempotent_id('e984ec8d-e8eb-485c-98bc-f1856020303c')
def test_volume_backup_export(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
-
- # Export Backup
+ backup = self.create_backup(volume_id=self.volume['id'])
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.backups_client.export_backup(backup['id'])['backup-record']
@@ -133,16 +120,13 @@
rule="backup:backup-import")
@decorators.idempotent_id('1e70f039-4556-44cc-9cc1-edf2b7ed648b')
def test_volume_backup_import(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
- # Export a temp backup
+ backup = self.create_backup(volume_id=self.volume['id'])
export_backup = self.backups_client.export_backup(
backup['id'])['backup-record']
new_id = data_utils.rand_uuid()
new_url = self._modify_backup_url(
export_backup['backup_url'], {'id': new_id})
- # Import the temp backup
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
import_backup = self.backups_client.import_backup(
backup_service=export_backup['backup_service'],
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
index 34889cd..422a3db 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.common import waiters
from tempest import config
from tempest.lib import decorators
@@ -75,6 +76,9 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.snapshots_client.update_snapshot(
self.snapshot['id'], **params)['snapshot']
+ waiters.wait_for_volume_resource_status(
+ self.os_admin.snapshots_client,
+ self.snapshot['id'], 'available')
@rbac_rule_validation.action(service="cinder",
rule="volume:get_all_snapshots")
@@ -95,6 +99,8 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
# Delete the snapshot
self.snapshots_client.delete_snapshot(temp_snapshot['id'])
+ self.os_admin.snapshots_client.wait_for_resource_deletion(
+ temp_snapshot['id'])
class VolumesSnapshotV3RbacTest(VolumesSnapshotRbacTest):
diff --git a/releasenotes/notes/add-extra-hypervisor-tests-9374e5fcdb0266e2.yaml b/releasenotes/notes/add-extra-hypervisor-tests-9374e5fcdb0266e2.yaml
index 0c46435..4cb7b4a 100644
--- a/releasenotes/notes/add-extra-hypervisor-tests-9374e5fcdb0266e2.yaml
+++ b/releasenotes/notes/add-extra-hypervisor-tests-9374e5fcdb0266e2.yaml
@@ -4,8 +4,9 @@
Add additional compute hypervisor RBAC tests, so that the previously
missing hypervisor endpoints are covered. Tests for the following
endpoints were written:
- * show_hypervisor
- * list_servers_on_hypervisor
- * show_hypervisor_statistics
- * show_hypervisor_uptime
- * search_hypervisor
+
+ * show_hypervisor
+ * list_servers_on_hypervisor
+ * show_hypervisor_statistics
+ * show_hypervisor_uptime
+ * search_hypervisor
diff --git a/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml b/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml
new file mode 100644
index 0000000..8d250cd
--- /dev/null
+++ b/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ Add security groups and server security groups
+ tests to Nova RBAC tests.
+fixes:
+ - |
+ Add microversion check to test_security_groups_rbac
+ as tests in this file will fail with a 404 after
+ 2.36.
+ - Rename test_server_security_groups to
+ test_list_security_groups to properly reflect the
+ test actually being run.
diff --git a/releasenotes/notes/compute-snapshots-tests-86c137eb545707ee.yaml b/releasenotes/notes/compute-snapshots-tests-86c137eb545707ee.yaml
new file mode 100644
index 0000000..b15d0a1
--- /dev/null
+++ b/releasenotes/notes/compute-snapshots-tests-86c137eb545707ee.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Adds tests for compute snapshot APIs.
diff --git a/releasenotes/notes/dhcp-agent-scheduler-test-842fc1df45799def.yaml b/releasenotes/notes/dhcp-agent-scheduler-test-842fc1df45799def.yaml
index 1afe82b..0a422e6 100644
--- a/releasenotes/notes/dhcp-agent-scheduler-test-842fc1df45799def.yaml
+++ b/releasenotes/notes/dhcp-agent-scheduler-test-842fc1df45799def.yaml
@@ -2,5 +2,4 @@
features:
- |
Added RBAC network test for listing dhcp agents on a hosting
- network, providing coverage for the following Neutron policy action:
- * "get_dhcp-agents"
+ network, providing coverage for the "get_dhcp-agents" policy.
diff --git a/releasenotes/notes/image-size-rbac-tests-545e5ace0d88ab34.yaml b/releasenotes/notes/image-size-rbac-tests-545e5ace0d88ab34.yaml
new file mode 100644
index 0000000..c0340cf
--- /dev/null
+++ b/releasenotes/notes/image-size-rbac-tests-545e5ace0d88ab34.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add RBAC tests related to the ``image_size`` compute policy action:
+ "os_compute_api:image-size".
diff --git a/releasenotes/notes/server-metadata-rbac-tests-2404b5d13c492b62.yaml b/releasenotes/notes/server-metadata-rbac-tests-2404b5d13c492b62.yaml
index b8eb281..1bb63c9 100644
--- a/releasenotes/notes/server-metadata-rbac-tests-2404b5d13c492b62.yaml
+++ b/releasenotes/notes/server-metadata-rbac-tests-2404b5d13c492b62.yaml
@@ -3,9 +3,10 @@
- |
Add RBAC tests for the compute server metadata API, providing
coverage for the following policy actions:
- * os_compute_api:server-metadata:index
- * os_compute_api:server-metadata:update_all
- * os_compute_api:server-metadata:create
- * os_compute_api:server-metadata:show
- * os_compute_api:server-metadata:update
- * os_compute_api:server-metadata:delete
+
+ * os_compute_api:server-metadata:index
+ * os_compute_api:server-metadata:update_all
+ * os_compute_api:server-metadata:create
+ * os_compute_api:server-metadata:show
+ * os_compute_api:server-metadata:update
+ * os_compute_api:server-metadata:delete
diff --git a/releasenotes/notes/service-provider-bc71da578e717c3a.yaml b/releasenotes/notes/service-provider-bc71da578e717c3a.yaml
new file mode 100644
index 0000000..855f398
--- /dev/null
+++ b/releasenotes/notes/service-provider-bc71da578e717c3a.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Adds test for Neutron's get_service_provider policy.
diff --git a/setup.cfg b/setup.cfg
index f76d172..6fd4b8a 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -17,7 +17,6 @@
Programming Language :: Python :: 2.7
Programming Language :: Python :: 3
Programming Language :: Python :: 3.3
- Programming Language :: Python :: 3.4
Programming Language :: Python :: 3.5
[files]