Merge "Migrate to override_role for network multiprovider tests"
diff --git a/.gitignore b/.gitignore
index b77e7f3..350e0da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,6 +44,7 @@
# Sphinx
doc/build
+doc/source/_static/patrole.conf.sample
# pbr generates these
AUTHORS
diff --git a/doc/source/framework/overview.rst b/doc/source/framework/overview.rst
index 1c9bf3b..d862770 100644
--- a/doc/source/framework/overview.rst
+++ b/doc/source/framework/overview.rst
@@ -7,32 +7,32 @@
RBAC testing validation is broken up into 3 stages:
- #. "Expected" stage. Determine whether the test should be able to succeed
- or fail based on the test role defined by ``[patrole] rbac_test_role``)
- and the policy action that the test enforces.
- #. "Actual" stage. Run the test by calling the API endpoint that enforces
- the expected policy action using the test role.
- #. Comparing the outputs from both stages for consistency. A "consistent"
- result is treated as a pass and an "inconsistent" result is treated
- as a failure. "Consistent" (or successful) cases include:
+#. "Expected" stage. Determine whether the test should be able to succeed
+ or fail based on the test role defined by ``[patrole] rbac_test_role``)
+ and the policy action that the test enforces.
+#. "Actual" stage. Run the test by calling the API endpoint that enforces
+ the expected policy action using the test role.
+#. Comparing the outputs from both stages for consistency. A "consistent"
+ result is treated as a pass and an "inconsistent" result is treated
+ as a failure. "Consistent" (or successful) cases include:
- * Expected result is ``True`` and the test passes.
- * Expected result is ``False`` and the test fails.
+ * Expected result is ``True`` and the test passes.
+ * Expected result is ``False`` and the test fails.
- For example, a 200 from the API call and a ``True`` result from
- ``oslo.policy`` or a 403 from the API call and a ``False`` result from
- ``oslo.policy`` are successful results.
+ For example, a 200 from the API call and a ``True`` result from
+ ``oslo.policy`` or a 403 from the API call and a ``False`` result from
+ ``oslo.policy`` are successful results.
- "Inconsistent" (or failing) cases include:
+ "Inconsistent" (or failing) cases include:
- * Expected result is ``False`` and the test passes. This results in an
- ``RbacOverPermission`` exception getting thrown.
- * Expected result is ``True`` and the test fails. This results in a
- ``Forbidden`` exception getting thrown.
+ * Expected result is ``False`` and the test passes. This results in an
+ ``RbacOverPermission`` exception getting thrown.
+ * Expected result is ``True`` and the test fails. This results in a
+ ``Forbidden`` exception getting thrown.
- For example, a 200 from the API call and a ``False`` result from
- ``oslo.policy`` or a 403 from the API call and a ``True`` result from
- ``oslo.policy`` are failing results.
+ For example, a 200 from the API call and a ``False`` result from
+ ``oslo.policy`` or a 403 from the API call and a ``True`` result from
+ ``oslo.policy`` are failing results.
-------------------------------
The RBAC Rule Validation Module
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index fc8b145..75d1baa 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -43,15 +43,15 @@
A decorator which allows for positive and negative RBAC testing. Given:
- * an OpenStack service,
- * a policy action (``rule``) enforced by that service, and
- * the test role defined by ``[patrole] rbac_test_role``
+ * an OpenStack service,
+ * a policy action (``rule``) enforced by that service, and
+ * the test role defined by ``[patrole] rbac_test_role``
determines whether the test role has sufficient permissions to perform an
API call that enforces the ``rule``.
This decorator should only be applied to an instance or subclass of
- ``tempest.test.BaseTestCase``.
+ ``tempest.test.BaseTestCase``.
The result from ``_is_authorized`` is used to determine the *expected*
test result. The *actual* test result is determined by running the
@@ -306,14 +306,14 @@
Before being formatted, "extra_target_data" is a dictionary that maps a
policy string like "trust.trustor_user_id" to a nested list of
``tempest.test.BaseTestCase`` attributes. For example, the attribute list
- in:
+ in::
- "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
+ "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
is parsed by iteratively calling ``getattr`` until the value of "user_id"
- is resolved. The resulting dictionary returns:
+ is resolved. The resulting dictionary returns::
- "trust.trustor_user_id": "the user_id of the `os_primary` credential"
+ "trust.trustor_user_id": "the user_id of the `os_primary` credential"
:param test_obj: An instance or subclass of ``tempest.test.BaseTestCase``.
:param extra_target_data: Dictionary, keyed with ``oslo.policy`` generic
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 4ef0f80..49cb5e1 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -68,8 +68,9 @@
"""Override the role used by ``os_primary`` Tempest credentials.
Temporarily change the role used by ``os_primary`` credentials to:
- * ``[patrole] rbac_test_role`` before test execution
- * ``[identity] admin_role`` after test execution
+
+ * ``[patrole] rbac_test_role`` before test execution
+ * ``[identity] admin_role`` after test execution
Automatically switches to admin role after test execution.
@@ -111,10 +112,11 @@
"""Switch the role used by `os_primary` Tempest credentials.
Switch the role used by `os_primary` credentials to:
- * admin if `toggle_rbac_role` is False
- * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
- :param test_obj: test object of type tempest.lib.base.BaseTestCase
+ * admin if `toggle_rbac_role` is False
+ * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
+
+ :param test_obj: instance of :py:class:`tempest.test.BaseTestCase`
:param toggle_rbac_role: role to switch `os_primary` Tempest creds to
"""
self._override_role(test_obj, toggle_rbac_role)
@@ -122,7 +124,7 @@
def _override_role(self, test_obj, toggle_rbac_role=False):
"""Private helper for overriding ``os_primary`` Tempest credentials.
- :param test_obj: test object of type tempest.lib.base.BaseTestCase
+ :param test_obj: instance of :py:class:`tempest.test.BaseTestCase`
:param toggle_rbac_role: Boolean value that controls the role that
overrides default role of ``os_primary`` credentials.
* If True: role is set to ``[patrole] rbac_test_role``
@@ -203,6 +205,39 @@
return False
+class RbacUtilsMixin(object):
+ """Mixin class to be used alongside an instance of
+ :py:class:`tempest.test.BaseTestCase`.
+
+ Should be used to perform Patrole class setup for a base RBAC class. Child
+ classes should not use this mixin.
+
+ Example::
+
+ class BaseRbacTest(rbac_utils.RbacUtilsMixin, base.BaseV2ComputeTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseRbacTest, cls).skip_checks()
+ cls.skip_rbac_checks()
+
+ @classmethod
+ def setup_clients(cls):
+ super(BaseRbacTest, cls).setup_clients()
+ cls.setup_rbac_utils()
+ """
+
+ @classmethod
+ def skip_rbac_checks(cls):
+ if not CONF.patrole.enable_rbac:
+ raise cls.skipException(
+ '%s skipped as Patrole testing not enabled.' % cls.__name__)
+
+ @classmethod
+ def setup_rbac_utils(cls):
+ cls.rbac_utils = RbacUtils(cls)
+
+
def is_admin():
"""Verifies whether the current test role equals the admin role.
diff --git a/patrole_tempest_plugin/tests/api/compute/rbac_base.py b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
index 6246446..1bd1cc7 100644
--- a/patrole_tempest_plugin/tests/api/compute/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
@@ -21,20 +21,18 @@
CONF = config.CONF
-class BaseV2ComputeRbacTest(compute_base.BaseV2ComputeTest):
+class BaseV2ComputeRbacTest(rbac_utils.RbacUtilsMixin,
+ compute_base.BaseV2ComputeTest):
@classmethod
def skip_checks(cls):
super(BaseV2ComputeRbacTest, cls).skip_checks()
- if not CONF.patrole.enable_rbac:
- raise cls.skipException(
- '%s skipped as RBAC testing not enabled' % cls.__name__)
+ cls.skip_rbac_checks()
@classmethod
def setup_clients(cls):
super(BaseV2ComputeRbacTest, cls).setup_clients()
- cls.rbac_utils = rbac_utils.RbacUtils(cls)
-
+ cls.setup_rbac_utils()
cls.hosts_client = cls.os_primary.hosts_client
cls.tenant_usages_client = cls.os_primary.tenant_usages_client
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index a99365d..63f6ff8 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -26,19 +26,18 @@
LOG = logging.getLogger(__name__)
-class BaseIdentityRbacTest(base.BaseIdentityTest):
+class BaseIdentityRbacTest(rbac_utils.RbacUtilsMixin,
+ base.BaseIdentityTest):
@classmethod
def skip_checks(cls):
super(BaseIdentityRbacTest, cls).skip_checks()
- if not CONF.patrole.enable_rbac:
- raise cls.skipException(
- "%s skipped as RBAC testing not enabled" % cls.__name__)
+ cls.skip_rbac_checks()
@classmethod
def setup_clients(cls):
super(BaseIdentityRbacTest, cls).setup_clients()
- cls.rbac_utils = rbac_utils.RbacUtils(cls)
+ cls.setup_rbac_utils()
@classmethod
def setup_test_endpoint(cls, service=None):
diff --git a/patrole_tempest_plugin/tests/api/image/rbac_base.py b/patrole_tempest_plugin/tests/api/image/rbac_base.py
index ed69c3d..954790d 100644
--- a/patrole_tempest_plugin/tests/api/image/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/image/rbac_base.py
@@ -19,16 +19,15 @@
CONF = config.CONF
-class BaseV2ImageRbacTest(image_base.BaseV2ImageTest):
+class BaseV2ImageRbacTest(rbac_utils.RbacUtilsMixin,
+ image_base.BaseV2ImageTest):
@classmethod
def skip_checks(cls):
super(BaseV2ImageRbacTest, cls).skip_checks()
- if not CONF.patrole.enable_rbac:
- raise cls.skipException(
- "%s skipped as RBAC testing not enabled" % cls.__name__)
+ cls.skip_rbac_checks()
@classmethod
def setup_clients(cls):
super(BaseV2ImageRbacTest, cls).setup_clients()
- cls.rbac_utils = rbac_utils.RbacUtils(cls)
+ cls.setup_rbac_utils()
diff --git a/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
index 74c64e1..3ad5c74 100644
--- a/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
@@ -32,14 +32,14 @@
RBAC test for the glance add_metadef_object policy
"""
namespace = self.create_namespace()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
# create a md object, it will be cleaned automatically after
# cleanup of namespace
object_name = data_utils.rand_name(
self.__class__.__name__ + '-test-object')
- self.namespace_objects_client.create_namespace_object(
- namespace['namespace'],
- name=object_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_objects_client.create_namespace_object(
+ namespace['namespace'],
+ name=object_name)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.namespace_objects_client.delete_namespace_object,
namespace['namespace'], object_name)
@@ -53,10 +53,10 @@
RBAC test for the glance get_metadef_objects policy
"""
namespace = self.create_namespace()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # list md objects
- self.namespace_objects_client.list_namespace_objects(
- namespace['namespace'])
+ with self.rbac_utils.override_role(self):
+ # list md objects
+ self.namespace_objects_client.list_namespace_objects(
+ namespace['namespace'])
@rbac_rule_validation.action(service="glance",
rule="modify_metadef_object")
@@ -77,10 +77,10 @@
namespace['namespace'], object_name)
# Toggle role and modify object
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
new_name = "Object New Name"
- self.namespace_objects_client.update_namespace_object(
- namespace['namespace'], object_name, name=new_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_objects_client.update_namespace_object(
+ namespace['namespace'], object_name, name=new_name)
@rbac_rule_validation.action(service="glance",
rule="get_metadef_object")
@@ -100,7 +100,7 @@
self.namespace_objects_client.delete_namespace_object,
namespace['namespace'], object_name)
# Toggle role and get object
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_objects_client.show_namespace_object(
- namespace['namespace'],
- object_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_objects_client.show_namespace_object(
+ namespace['namespace'],
+ object_name)
diff --git a/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
index 93c50c4..75cf66d 100644
--- a/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
@@ -37,12 +37,12 @@
RBAC test for the glance add_metadef_property policy
"""
namespace = self.create_namespace()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
property_name = data_utils.rand_name(
self.__class__.__name__ + '-test-ns-property')
- self.namespace_properties_client.create_namespace_property(
- namespace=namespace['namespace'], type="string",
- title=property_name, name=self.resource_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_properties_client.create_namespace_property(
+ namespace=namespace['namespace'], type="string",
+ title=property_name, name=self.resource_name)
@rbac_rule_validation.action(service="glance",
rule="get_metadef_properties")
@@ -53,9 +53,9 @@
RBAC test for the glance get_metadef_properties policy
"""
namespace = self.create_namespace()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_properties_client.list_namespace_properties(
- namespace=namespace['namespace'])
+ with self.rbac_utils.override_role(self):
+ self.namespace_properties_client.list_namespace_properties(
+ namespace=namespace['namespace'])
@rbac_rule_validation.action(service="glance",
rule="get_metadef_property")
@@ -72,9 +72,9 @@
namespace=namespace['namespace'], type="string",
title=property_name, name=self.resource_name)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_properties_client.show_namespace_properties(
- namespace['namespace'], self.resource_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_properties_client.show_namespace_properties(
+ namespace['namespace'], self.resource_name)
@rbac_rule_validation.action(service="glance",
rule="modify_metadef_property")
@@ -91,7 +91,7 @@
namespace=namespace['namespace'], type="string",
title=property_name, name=self.resource_name)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_properties_client.update_namespace_properties(
- namespace['namespace'], self.resource_name, type="string",
- title=property_name, name=self.resource_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_properties_client.update_namespace_properties(
+ namespace['namespace'], self.resource_name, type="string",
+ title=property_name, name=self.resource_name)
diff --git a/patrole_tempest_plugin/tests/api/image/test_image_namespace_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_rbac.py
index c6bd60e..204263a 100644
--- a/patrole_tempest_plugin/tests/api/image/test_image_namespace_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_image_namespace_rbac.py
@@ -33,10 +33,10 @@
"""
namespace_name = data_utils.rand_name(
self.__class__.__name__ + '-test-ns')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespaces_client.create_namespace(
- namespace=namespace_name,
- protected=False)
+ with self.rbac_utils.override_role(self):
+ self.namespaces_client.create_namespace(
+ namespace=namespace_name,
+ protected=False)
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.namespaces_client.delete_namespace,
@@ -50,8 +50,8 @@
RBAC test for the glance get_metadef_namespaces policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespaces_client.list_namespaces()
+ with self.rbac_utils.override_role(self):
+ self.namespaces_client.list_namespaces()
@rbac_rule_validation.action(service="glance",
rule="modify_metadef_namespace")
@@ -66,10 +66,9 @@
body = self.namespaces_client.create_namespace(
namespace=namespace_name,
protected=False)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespaces_client.update_namespace(body['namespace'],
- description="My new "
- "description")
+ with self.rbac_utils.override_role(self):
+ self.namespaces_client.update_namespace(
+ body['namespace'], description="My new description")
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.namespaces_client.delete_namespace,
diff --git a/patrole_tempest_plugin/tests/api/image/test_image_namespace_tags_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_tags_rbac.py
index ecf2ec2..1a85b74 100644
--- a/patrole_tempest_plugin/tests/api/image/test_image_namespace_tags_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_image_namespace_tags_rbac.py
@@ -69,16 +69,17 @@
@rbac_rule_validation.action(service="glance",
rule="add_metadef_tag")
def test_create_namespace_tag(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_namespace_tag()
+ with self.rbac_utils.override_role(self):
+ self._create_namespace_tag()
@decorators.idempotent_id('4acf70cc-05da-4b1e-87b2-d5e4475164e7')
@rbac_rule_validation.action(service="glance",
rule="get_metadef_tag")
def test_show_namespace_tag(self):
tag_name = self._create_namespace_tag()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_tags_client.show_namespace_tag(self.namespace, tag_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_tags_client.show_namespace_tag(self.namespace,
+ tag_name)
@decorators.idempotent_id('01593828-3edb-461e-8abc-8fdeb3927e37')
@rbac_rule_validation.action(service="glance",
@@ -88,20 +89,20 @@
updated_tag_name = data_utils.rand_name(
self.__class__.__name__ + '-tag')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_tags_client.update_namespace_tag(
- self.namespace, tag_name, name=updated_tag_name)
+ with self.rbac_utils.override_role(self):
+ self.namespace_tags_client.update_namespace_tag(
+ self.namespace, tag_name, name=updated_tag_name)
@decorators.idempotent_id('20ffaf76-ebdc-4267-a1ad-194346f5cc91')
@rbac_rule_validation.action(service="glance",
rule="add_metadef_tags")
def test_create_namespace_tags(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_namespace_tag(multiple=True)
+ with self.rbac_utils.override_role(self):
+ self._create_namespace_tag(multiple=True)
@decorators.idempotent_id('d37c1501-e787-449d-89b3-754a942a459a')
@rbac_rule_validation.action(service="glance",
rule="get_metadef_tags")
def test_list_namespace_tags(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.namespace_tags_client.list_namespace_tags(self.namespace)
+ with self.rbac_utils.override_role(self):
+ self.namespace_tags_client.list_namespace_tags(self.namespace)
diff --git a/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
index 701e345..7b03158 100644
--- a/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
@@ -43,8 +43,8 @@
RBAC test for the glance list_metadef_resource_type policy.
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.resource_types_client.list_resource_types()
+ with self.rbac_utils.override_role(self):
+ self.resource_types_client.list_resource_types()
@rbac_rule_validation.action(service="glance",
rule="get_metadef_resource_type")
@@ -54,15 +54,15 @@
RBAC test for the glance get_metadef_resource_type policy.
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.resource_types_client.list_resource_type_association(
- self.namespace_name)
+ with self.rbac_utils.override_role(self):
+ self.resource_types_client.list_resource_type_association(
+ self.namespace_name)
@rbac_rule_validation.action(service="glance",
rule="add_metadef_resource_type_association")
@decorators.idempotent_id('ef9fbc60-3e28-4164-a25c-d30d892f7939')
def test_add_metadef_resource_type(self):
type_name = data_utils.rand_name()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.resource_types_client.create_resource_type_association(
- self.namespace_name, name=type_name)
+ with self.rbac_utils.override_role(self):
+ self.resource_types_client.create_resource_type_association(
+ self.namespace_name, name=type_name)
diff --git a/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
index 59c4aaf..952c41f 100644
--- a/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
@@ -46,9 +46,9 @@
"""
image_id = self.create_image()['id']
# Toggle role and add image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.create_image_member(image_id,
- member=self.alt_tenant_id)
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.create_image_member(
+ image_id, member=self.alt_tenant_id)
@rbac_rule_validation.action(service="glance",
rule="delete_member")
@@ -63,9 +63,9 @@
self.image_member_client.create_image_member(image_id,
member=self.alt_tenant_id)
# Toggle role and delete image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.delete_image_member(image_id,
- self.alt_tenant_id)
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.delete_image_member(image_id,
+ self.alt_tenant_id)
@rbac_rule_validation.action(service="glance",
rule="get_member",
@@ -83,10 +83,9 @@
member=self.alt_tenant_id)
# Toggle role and get image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.show_image_member(
- image_id,
- self.alt_tenant_id)
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.show_image_member(image_id,
+ self.alt_tenant_id)
@rbac_rule_validation.action(service="glance",
rule="modify_member")
@@ -105,10 +104,10 @@
image_id, self.tenant_id,
status='accepted')
# Toggle role and update member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.update_image_member(
- image_id, self.tenant_id,
- status='pending')
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.update_image_member(
+ image_id, self.tenant_id,
+ status='pending')
@rbac_rule_validation.action(service="glance",
rule="get_members")
@@ -123,5 +122,5 @@
self.image_member_client.create_image_member(image_id,
member=self.alt_tenant_id)
# Toggle role and list image members
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.list_image_members(image_id)
+ with self.rbac_utils.override_role(self):
+ self.image_member_client.list_image_members(image_id)
diff --git a/patrole_tempest_plugin/tests/api/image/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/test_images_rbac.py
index b08f8bd..e97e803 100644
--- a/patrole_tempest_plugin/tests/api/image/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_images_rbac.py
@@ -24,13 +24,10 @@
class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
- credentials = ['primary', 'admin']
-
@classmethod
def setup_clients(cls):
super(BasicOperationsImagesRbacTest, cls).setup_clients()
cls.image_client = cls.os_primary.image_client_v2
- cls.admin_image_client = cls.os_admin.image_client_v2
def _create_image(self, **kwargs):
image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
@@ -53,8 +50,8 @@
RBAC test for the glance create_image endpoint
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_image()
+ with self.rbac_utils.override_role(self):
+ self._create_image()
@rbac_rule_validation.action(service="glance",
rule="upload_image")
@@ -67,8 +64,8 @@
"""
image = self._create_image()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._upload_image(image['id'])
+ with self.rbac_utils.override_role(self):
+ self._upload_image(image['id'])
@decorators.idempotent_id('f0c268f3-cb51-49aa-9bd5-d30cf647322f')
@rbac_rule_validation.action(service="glance",
@@ -82,8 +79,8 @@
image = self._create_image()
self._upload_image(image['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_client.show_image_file(image['id'])
+ with self.rbac_utils.override_role(self):
+ self.image_client.show_image_file(image['id'])
@rbac_rule_validation.action(service="glance",
rule="delete_image")
@@ -96,9 +93,9 @@
"""
image = self._create_image()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_client.delete_image(image['id'])
- self.admin_image_client.wait_for_resource_deletion(image['id'])
+ with self.rbac_utils.override_role(self):
+ self.image_client.delete_image(image['id'])
+ self.image_client.wait_for_resource_deletion(image['id'])
@rbac_rule_validation.action(service="glance",
rule="get_image")
@@ -111,8 +108,8 @@
"""
image = self._create_image()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_client.show_image(image['id'])
+ with self.rbac_utils.override_role(self):
+ self.image_client.show_image(image['id'])
@rbac_rule_validation.action(service="glance",
rule="get_images")
@@ -123,8 +120,8 @@
RBAC test for the glance list_images endpoint
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_client.list_images()['images']
+ with self.rbac_utils.override_role(self):
+ self.image_client.list_images()['images']
@rbac_rule_validation.action(service="glance",
rule="modify_image")
@@ -137,11 +134,11 @@
"""
image = self._create_image()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
updated_image_name = data_utils.rand_name(
self.__class__.__name__ + '-image')
- self.image_client.update_image(image['id'], [
- dict(replace='/name', value=updated_image_name)])
+ with self.rbac_utils.override_role(self):
+ self.image_client.update_image(image['id'], [
+ dict(replace='/name', value=updated_image_name)])
@decorators.idempotent_id('244050d9-1b9a-446a-b3c5-f26f3ba8eb75')
@rbac_rule_validation.action(service="glance",
@@ -154,10 +151,10 @@
"""
image = self._create_image()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_client.add_image_tag(
- image['id'],
- data_utils.rand_name(self.__class__.__name__ + '-tag'))
+ with self.rbac_utils.override_role(self):
+ self.image_client.add_image_tag(
+ image['id'],
+ data_utils.rand_name(self.__class__.__name__ + '-tag'))
@decorators.idempotent_id('c4a0bf9c-b78b-48c6-a31f-72c95f943c6e')
@rbac_rule_validation.action(service="glance",
@@ -172,8 +169,8 @@
tag_name = data_utils.rand_name(self.__class__.__name__ + '-tag')
self.image_client.add_image_tag(image['id'], tag_name)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_client.delete_image_tag(image['id'], tag_name)
+ with self.rbac_utils.override_role(self):
+ self.image_client.delete_image_tag(image['id'], tag_name)
@rbac_rule_validation.action(service="glance",
rule="publicize_image")
@@ -184,8 +181,8 @@
RBAC test for the glance publicize_image endpoint
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_image(visibility='public')
+ with self.rbac_utils.override_role(self):
+ self._create_image(visibility='public')
@decorators.idempotent_id('0f2d8427-134a-4d3c-a102-5fcdf5443d09')
@rbac_rule_validation.action(service="glance",
@@ -196,8 +193,8 @@
RBAC test for the glance communitize_image policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_image(visibility='community')
+ with self.rbac_utils.override_role(self):
+ self._create_image(visibility='community')
@rbac_rule_validation.action(service="glance",
rule="deactivate")
@@ -211,8 +208,8 @@
image = self._create_image()
self._upload_image(image['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_client.deactivate_image(image['id'])
+ with self.rbac_utils.override_role(self):
+ self.image_client.deactivate_image(image['id'])
@rbac_rule_validation.action(service="glance",
rule="reactivate")
@@ -226,5 +223,5 @@
image = self._create_image()
self._upload_image(image['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_client.reactivate_image(image['id'])
+ with self.rbac_utils.override_role(self):
+ self.image_client.reactivate_image(image['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/rbac_base.py b/patrole_tempest_plugin/tests/api/network/rbac_base.py
index b495098..3065c13 100644
--- a/patrole_tempest_plugin/tests/api/network/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/network/rbac_base.py
@@ -21,16 +21,15 @@
CONF = config.CONF
-class BaseNetworkRbacTest(network_base.BaseNetworkTest):
+class BaseNetworkRbacTest(rbac_utils.RbacUtilsMixin,
+ network_base.BaseNetworkTest):
@classmethod
def skip_checks(cls):
super(BaseNetworkRbacTest, cls).skip_checks()
- if not CONF.patrole.enable_rbac:
- raise cls.skipException(
- "%s skipped as RBAC testing not enabled" % cls.__name__)
+ cls.skip_rbac_checks()
@classmethod
def setup_clients(cls):
super(BaseNetworkRbacTest, cls).setup_clients()
- cls.rbac_utils = rbac_utils.RbacUtils(cls)
+ cls.setup_rbac_utils()
diff --git a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
index fb747d6..6b03ebe 100644
--- a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
@@ -45,8 +45,8 @@
RBAC test for the neutron get_agent policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.show_agent(self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.show_agent(self.agent['id'])
@decorators.idempotent_id('8ca68fdb-eaf6-4880-af82-ba0982949dec')
@rbac_rule_validation.action(service="neutron",
@@ -60,9 +60,9 @@
original_status = self.agent['admin_state_up']
agent_status = {'admin_state_up': original_status}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.update_agent(agent_id=self.agent['id'],
- agent=agent_status)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.update_agent(agent_id=self.agent['id'],
+ agent=agent_status)
class L3AgentSchedulerRbacTest(base.BaseNetworkRbacTest):
@@ -105,8 +105,8 @@
RBAC test for the neutron get_l3-routers policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_routers_on_l3_agent(self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_routers_on_l3_agent(self.agent['id'])
@decorators.idempotent_id('466b2a10-8747-4c09-855a-bd90a1c86ce7')
@rbac_rule_validation.action(service="neutron",
@@ -116,9 +116,9 @@
RBAC test for the neutron create_l3-router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.create_router_on_l3_agent(
- self.agent['id'], router_id=self.router['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.create_router_on_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.agents_client.delete_router_from_l3_agent,
@@ -139,9 +139,9 @@
self.agents_client.delete_router_from_l3_agent,
self.agent['id'], router_id=self.router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_router_from_l3_agent(
- self.agent['id'], router_id=self.router['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_router_from_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
class DHCPAgentSchedulersRbacTest(base.BaseNetworkRbacTest):
@@ -198,9 +198,9 @@
RBAC test for the neutron get_dhcp-networks policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_networks_hosted_by_one_dhcp_agent(
- self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_networks_hosted_by_one_dhcp_agent(
+ self.agent['id'])
@decorators.idempotent_id('14e014ac-f355-46d3-b6d8-98f2c9ec1610')
@rbac_rule_validation.action(service="neutron",
@@ -213,9 +213,9 @@
network_id = self._create_and_prepare_network_for_agent(
self.agent['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.add_dhcp_agent_to_network(
- self.agent['id'], network_id=network_id)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.add_dhcp_agent_to_network(
+ self.agent['id'], network_id=network_id)
# Clean up is not necessary and might result in 409 being raised.
@decorators.idempotent_id('937a4302-4b49-407d-9980-5843d7badc38')
@@ -232,6 +232,6 @@
self.agent['id'], network_id=network_id)
# Clean up is not necessary and might result in 409 being raised.
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_network_from_dhcp_agent(
- self.agent['id'], network_id=network_id)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_network_from_dhcp_agent(
+ self.agent['id'], network_id=network_id)
diff --git a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
index dc674d1..20e4aa7 100644
--- a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -70,8 +70,8 @@
RBAC test for the neutron create_floatingip policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_floatingip()
+ with self.rbac_utils.override_role(self):
+ self._create_floatingip()
@rbac_rule_validation.action(service="neutron",
rule="create_floatingip:floating_ip_address")
@@ -83,8 +83,8 @@
"""
fip = str(netaddr.IPAddress(self.cidr) + 10)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_floatingip(floating_ip_address=fip)
+ with self.rbac_utils.override_role(self):
+ self._create_floatingip(floating_ip_address=fip)
@rbac_rule_validation.action(service="neutron",
rule="update_floatingip")
@@ -95,11 +95,10 @@
RBAC test for the neutron update_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- # Associate floating IP to the other port
- self.floating_ips_client.update_floatingip(
- floating_ip['id'], port_id=None)
+ with self.rbac_utils.override_role(self):
+ # Associate floating IP to the other port
+ self.floating_ips_client.update_floatingip(
+ floating_ip['id'], port_id=None)
@rbac_rule_validation.action(service="neutron",
rule="get_floatingip",
@@ -111,9 +110,9 @@
RBAC test for the neutron get_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Show floating IP
- self.floating_ips_client.show_floatingip(floating_ip['id'])
+ with self.rbac_utils.override_role(self):
+ # Show floating IP
+ self.floating_ips_client.show_floatingip(floating_ip['id'])
@rbac_rule_validation.action(service="neutron",
rule="delete_floatingip",
@@ -125,6 +124,6 @@
RBAC test for the neutron delete_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Delete the floating IP
- self.floating_ips_client.delete_floatingip(floating_ip['id'])
+ with self.rbac_utils.override_role(self):
+ # Delete the floating IP
+ self.floating_ips_client.delete_floatingip(floating_ip['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
index 5ffc966..7a9d814 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
@@ -70,8 +70,8 @@
RBAC test for the neutron create_metering_label_rule policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_metering_label_rule(self.label)
+ with self.rbac_utils.override_role(self):
+ self._create_metering_label_rule(self.label)
@rbac_rule_validation.action(service="neutron",
rule="get_metering_label_rule",
@@ -83,9 +83,9 @@
RBAC test for the neutron get_metering_label_rule policy
"""
label_rule = self._create_metering_label_rule(self.label)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.metering_label_rules_client.show_metering_label_rule(
- label_rule['id'])
+ with self.rbac_utils.override_role(self):
+ self.metering_label_rules_client.show_metering_label_rule(
+ label_rule['id'])
@rbac_rule_validation.action(service="neutron",
rule="delete_metering_label_rule",
@@ -97,6 +97,6 @@
RBAC test for the neutron delete_metering_label_rule policy
"""
label_rule = self._create_metering_label_rule(self.label)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.metering_label_rules_client.delete_metering_label_rule(
- label_rule['id'])
+ with self.rbac_utils.override_role(self):
+ self.metering_label_rules_client.delete_metering_label_rule(
+ label_rule['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
index 64df7c5..abd7326 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
@@ -54,8 +54,8 @@
RBAC test for the neutron "create_metering_label" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_metering_label()
+ with self.rbac_utils.override_role(self):
+ self._create_metering_label()
@rbac_rule_validation.action(service="neutron",
rule="get_metering_label",
@@ -67,8 +67,8 @@
RBAC test for the neutron "get_metering_label" policy
"""
label = self._create_metering_label()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.metering_labels_client.show_metering_label(label['id'])
+ with self.rbac_utils.override_role(self):
+ self.metering_labels_client.show_metering_label(label['id'])
@rbac_rule_validation.action(service="neutron",
rule="delete_metering_label",
@@ -80,5 +80,5 @@
RBAC test for the neutron "delete_metering_label" policy
"""
label = self._create_metering_label()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.metering_labels_client.delete_metering_label(label['id'])
+ with self.rbac_utils.override_role(self):
+ self.metering_labels_client.delete_metering_label(label['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index e0cf098..84ce2c7 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -95,8 +95,8 @@
RBAC test for the neutron create_network policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_network()
+ with self.rbac_utils.override_role(self):
+ self._create_network()
@rbac_rule_validation.action(service="neutron",
rule="create_network:shared")
@@ -107,8 +107,8 @@
RBAC test for the neutron create_network:shared policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_network(shared=True)
+ with self.rbac_utils.override_role(self):
+ self._create_network(shared=True)
@utils.requires_ext(extension='external-net', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -120,8 +120,8 @@
RBAC test for the neutron create_network:router:external policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_network(router_external=True)
+ with self.rbac_utils.override_role(self):
+ self._create_network(router_external=True)
@utils.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -133,8 +133,8 @@
RBAC test for the neutron create_network:provider:network_type policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_network(provider_network_type='vxlan')
+ with self.rbac_utils.override_role(self):
+ self._create_network(provider_network_type='vxlan')
@utils.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(
@@ -147,9 +147,9 @@
RBAC test for the neutron create_network:provider:segmentation_id
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_network(provider_network_type='vxlan',
- provider_segmentation_id=200)
+ with self.rbac_utils.override_role(self):
+ self._create_network(provider_network_type='vxlan',
+ provider_segmentation_id=200)
@rbac_rule_validation.action(service="neutron",
rule="update_network")
@@ -163,8 +163,8 @@
updated_name = data_utils.rand_name(
self.__class__.__name__ + '-Network')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._update_network(name=updated_name)
+ with self.rbac_utils.override_role(self):
+ self._update_network(name=updated_name)
@rbac_rule_validation.action(service="neutron",
rule="update_network:shared")
@@ -175,8 +175,8 @@
RBAC test for the neutron update_network:shared policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._update_network(shared_network=True)
+ with self.rbac_utils.override_role(self):
+ self._update_network(shared_network=True)
self.addCleanup(self._update_network, shared_network=False)
@utils.requires_ext(extension='external-net', service='network')
@@ -190,8 +190,8 @@
RBAC test for the neutron update_network:router:external policy
"""
network = self._create_network()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._update_network(net_id=network['id'], router_external=True)
+ with self.rbac_utils.override_role(self):
+ self._update_network(net_id=network['id'], router_external=True)
@rbac_rule_validation.action(service="neutron",
rule="get_network")
@@ -202,8 +202,8 @@
RBAC test for the neutron get_network policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.networks_client.show_network(self.network['id'])
+ with self.rbac_utils.override_role(self):
+ self.networks_client.show_network(self.network['id'])
@utils.requires_ext(extension='external-net', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -217,9 +217,9 @@
"""
kwargs = {'fields': 'router:external'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.networks_client.show_network(self.network['id'],
- **kwargs)
+ with self.rbac_utils.override_role(self):
+ self.networks_client.show_network(self.network['id'],
+ **kwargs)
@utils.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -233,9 +233,9 @@
"""
kwargs = {'fields': 'provider:network_type'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_network = self.networks_client.show_network(
- self.network['id'], **kwargs)['network']
+ with self.rbac_utils.override_role(self):
+ retrieved_network = self.networks_client.show_network(
+ self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
raise rbac_exceptions.RbacMalformedResponse(True)
@@ -252,9 +252,9 @@
"""
kwargs = {'fields': 'provider:physical_network'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_network = self.networks_client.show_network(
- self.network['id'], **kwargs)['network']
+ with self.rbac_utils.override_role(self):
+ retrieved_network = self.networks_client.show_network(
+ self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
raise rbac_exceptions.RbacMalformedResponse(empty=True)
@@ -271,9 +271,9 @@
"""
kwargs = {'fields': 'provider:segmentation_id'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_network = self.networks_client.show_network(
- self.network['id'], **kwargs)['network']
+ with self.rbac_utils.override_role(self):
+ retrieved_network = self.networks_client.show_network(
+ self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
raise rbac_exceptions.RbacMalformedResponse(empty=True)
@@ -291,8 +291,8 @@
RBAC test for the neutron delete_network policy
"""
network = self._create_network()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.networks_client.delete_network(network['id'])
+ with self.rbac_utils.override_role(self):
+ self.networks_client.delete_network(network['id'])
@rbac_rule_validation.action(service="neutron",
rule="create_subnet")
@@ -305,8 +305,8 @@
"""
network = self._create_network()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_subnet(network, enable_dhcp=False)
+ with self.rbac_utils.override_role(self):
+ self.create_subnet(network, enable_dhcp=False)
@rbac_rule_validation.action(service="neutron",
rule="get_subnet")
@@ -317,8 +317,8 @@
RBAC test for the neutron get_subnet policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.show_subnet(self.subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.show_subnet(self.subnet['id'])
@rbac_rule_validation.action(service="neutron",
rule="update_subnet")
@@ -332,9 +332,9 @@
updated_name = data_utils.rand_name(
self.__class__.__name__ + '-Network')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.update_subnet(self.subnet['id'],
- name=updated_name)
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.update_subnet(self.subnet['id'],
+ name=updated_name)
@rbac_rule_validation.action(service="neutron",
rule="delete_subnet")
@@ -348,8 +348,8 @@
network = self._create_network()
subnet = self.create_subnet(network, enable_dhcp=False)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.delete_subnet(subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.delete_subnet(subnet['id'])
@utils.requires_ext(extension='dhcp_agent_scheduler', service='network')
@decorators.idempotent_id('b524f19f-fbb4-4d11-a85d-03bfae17bf0e')
@@ -361,6 +361,6 @@
RBAC test for the neutron "get_dhcp-agents" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.networks_client.list_dhcp_agents_on_hosting_network(
- self.network['id'])
+ with self.rbac_utils.override_role(self):
+ self.networks_client.list_dhcp_agents_on_hosting_network(
+ self.network['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
index c55935f..0b91e14 100644
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -62,22 +62,23 @@
@decorators.idempotent_id('0ec8c551-625c-4864-8a52-85baa7c40f22')
def test_create_port(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_port(self.network)
+ with self.rbac_utils.override_role(self):
+ self.create_port(self.network)
@decorators.idempotent_id('045ee797-4962-4913-b96a-5d7ea04099e7')
@rbac_rule_validation.action(service="neutron",
rule="create_port:device_owner")
def test_create_port_device_owner(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_port(self.network, device_owner='network:router_interface')
+ with self.rbac_utils.override_role(self):
+ self.create_port(self.network,
+ device_owner='network:router_interface')
@decorators.idempotent_id('c4fa8844-f5ef-4daa-bfa2-b89897dfaedf')
@rbac_rule_validation.action(service="neutron",
rule="create_port:port_security_enabled")
def test_create_port_security_enabled(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_port(self.network, port_security_enabled=True)
+ with self.rbac_utils.override_role(self):
+ self.create_port(self.network, port_security_enabled=True)
@utils.requires_ext(extension='binding', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -88,8 +89,8 @@
post_body = {'network': self.network,
'binding:host_id': "rbac_test_host"}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_port(**post_body)
+ with self.rbac_utils.override_role(self):
+ self.create_port(**post_body)
@utils.requires_ext(extension='binding', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -102,8 +103,8 @@
post_body = {'network': self.network,
'binding:profile': binding_profile}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_port(**post_body)
+ with self.rbac_utils.override_role(self):
+ self.create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
rule="create_port:fixed_ips:ip_address")
@@ -117,8 +118,8 @@
post_body = {'network': self.network,
'fixed_ips': fixed_ips}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_port(**post_body)
+ with self.rbac_utils.override_role(self):
+ self.create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
rule="create_port:mac_address")
@@ -128,8 +129,8 @@
post_body = {'network': self.network,
'mac_address': data_utils.rand_mac_address()}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_port(**post_body)
+ with self.rbac_utils.override_role(self):
+ self.create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
rule="create_port:allowed_address_pairs")
@@ -143,16 +144,16 @@
post_body = {'network': self.network,
'allowed_address_pairs': allowed_address_pairs}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_port(**post_body)
+ with self.rbac_utils.override_role(self):
+ self.create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
rule="get_port",
expected_error_code=404)
@decorators.idempotent_id('a9d41cb8-78a2-4b97-985c-44e4064416f4')
def test_show_port(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.show_port(self.port['id'])
+ with self.rbac_utils.override_role(self):
+ self.ports_client.show_port(self.port['id'])
@utils.requires_ext(extension='binding', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -163,10 +164,9 @@
# Verify specific fields of a port
fields = ['binding:vif_type']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- retrieved_port = self.ports_client.show_port(
- self.port['id'], fields=fields)['port']
+ with self.rbac_utils.override_role(self):
+ retrieved_port = self.ports_client.show_port(
+ self.port['id'], fields=fields)['port']
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
@@ -182,10 +182,9 @@
# Verify specific fields of a port
fields = ['binding:vif_details']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- retrieved_port = self.ports_client.show_port(
- self.port['id'], fields=fields)['port']
+ with self.rbac_utils.override_role(self):
+ retrieved_port = self.ports_client.show_port(
+ self.port['id'], fields=fields)['port']
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
@@ -204,9 +203,9 @@
'binding:host_id': data_utils.rand_name('host-id')}
port = self.create_port(**post_body)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_port = self.ports_client.show_port(
- port['id'], fields=fields)['port']
+ with self.rbac_utils.override_role(self):
+ retrieved_port = self.ports_client.show_port(
+ port['id'], fields=fields)['port']
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
@@ -226,9 +225,9 @@
'binding:profile': binding_profile}
port = self.create_port(**post_body)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_port = self.ports_client.show_port(
- port['id'], fields=fields)['port']
+ with self.rbac_utils.override_role(self):
+ retrieved_port = self.ports_client.show_port(
+ port['id'], fields=fields)['port']
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
@@ -239,8 +238,9 @@
rule="update_port")
@decorators.idempotent_id('afa80981-3c59-42fd-9531-3bcb2cd03711')
def test_update_port(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.update_port(self.port['id'], admin_state_up=False)
+ with self.rbac_utils.override_role(self):
+ self.ports_client.update_port(self.port['id'],
+ admin_state_up=False)
self.addCleanup(self.ports_client.update_port, self.port['id'],
admin_state_up=True)
@@ -250,9 +250,9 @@
def test_update_port_device_owner(self):
original_device_owner = self.port['device_owner']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.update_port(
- self.port['id'], device_owner='network:router_interface')
+ with self.rbac_utils.override_role(self):
+ self.ports_client.update_port(
+ self.port['id'], device_owner='network:router_interface')
self.addCleanup(self.ports_client.update_port, self.port['id'],
device_owner=original_device_owner)
@@ -262,9 +262,9 @@
def test_update_port_mac_address(self):
original_mac_address = self.port['mac_address']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.update_port(
- self.port['id'], mac_address=data_utils.rand_mac_address())
+ with self.rbac_utils.override_role(self):
+ self.ports_client.update_port(
+ self.port['id'], mac_address=data_utils.rand_mac_address())
self.addCleanup(self.ports_client.update_port, self.port['id'],
mac_address=original_mac_address)
@@ -280,15 +280,15 @@
ip_list = self._get_unused_ip_address()
fixed_ips = [{'ip_address': ip_list[0]}]
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.update_port(port['id'], fixed_ips=fixed_ips)
+ with self.rbac_utils.override_role(self):
+ self.ports_client.update_port(port['id'], fixed_ips=fixed_ips)
@rbac_rule_validation.action(service="neutron",
rule="update_port:port_security_enabled")
@decorators.idempotent_id('795541af-6652-4e35-9581-fd58224f7545')
def test_update_port_security_enabled(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.update_port(self.port['id'], security_groups=[])
+ with self.rbac_utils.override_role(self):
+ self.ports_client.update_port(self.port['id'], security_groups=[])
@utils.requires_ext(extension='binding', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -303,8 +303,8 @@
updated_body = {'port_id': port['id'],
'binding:host_id': 'rbac_test_host_updated'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.update_port(**updated_body)
+ with self.rbac_utils.override_role(self):
+ self.ports_client.update_port(**updated_body)
@utils.requires_ext(extension='binding', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -322,8 +322,8 @@
updated_body = {'port_id': port['id'],
'binding:profile': new_binding_profile}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.update_port(**updated_body)
+ with self.rbac_utils.override_role(self):
+ self.ports_client.update_port(**updated_body)
@rbac_rule_validation.action(service="neutron",
rule="update_port:allowed_address_pairs")
@@ -337,9 +337,9 @@
post_body = {'network': self.network}
port = self.create_port(**post_body)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.update_port(port['id'],
- allowed_address_pairs=address_pairs)
+ with self.rbac_utils.override_role(self):
+ self.ports_client.update_port(port['id'],
+ allowed_address_pairs=address_pairs)
@rbac_rule_validation.action(service="neutron",
rule="delete_port",
@@ -348,5 +348,5 @@
def test_delete_port(self):
port = self.create_port(self.network)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ports_client.delete_port(port['id'])
+ with self.rbac_utils.override_role(self):
+ self.ports_client.delete_port(port['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index fff2ada..ab85745 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -63,8 +63,8 @@
RBAC test for the neutron create_router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router()
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router()
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -77,8 +77,8 @@
RBAC test for the neutron create_router:ha policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(ha=True)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(ha=True)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -91,8 +91,8 @@
RBAC test for the neutron create_router:distributed policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(distributed=True)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(distributed=True)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -111,9 +111,9 @@
external_gateway_info = {'network_id': self.network['id'],
'enable_snat': True}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(
- name=name, external_gateway_info=external_gateway_info)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(
+ name=name, external_gateway_info=external_gateway_info)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -136,9 +136,9 @@
'enable_snat': False, # Default is True.
'external_fixed_ips': [external_fixed_ips]}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- router = self.routers_client.create_router(
- name=name, external_gateway_info=external_gateway_info)
+ with self.rbac_utils.override_role(self):
+ router = self.routers_client.create_router(
+ name=name, external_gateway_info=external_gateway_info)
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
@@ -151,9 +151,9 @@
RBAC test for the neutron get_router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
# Prevent other policies from being enforced by using barebones fields.
- self.routers_client.show_router(self.router['id'], fields=['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.show_router(self.router['id'], fields=['id'])
@decorators.idempotent_id('3ed26ea2-b419-410c-b4b5-576c1edafa06')
@utils.requires_ext(extension='dvr', service='network')
@@ -167,9 +167,9 @@
router = self.routers_client.create_router(distributed=True)['router']
self.addCleanup(self.routers_client.delete_router, router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_fields = self.routers_client.show_router(
- router['id'], fields=['distributed'])['router']
+ with self.rbac_utils.override_role(self):
+ retrieved_fields = self.routers_client.show_router(
+ router['id'], fields=['distributed'])['router']
# Rather than throwing a 403, the field is not present, so raise exc.
if 'distributed' not in retrieved_fields:
@@ -188,9 +188,9 @@
router = self.routers_client.create_router(ha=True)['router']
self.addCleanup(self.routers_client.delete_router, router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- retrieved_fields = self.routers_client.show_router(
- router['id'], fields=['ha'])['router']
+ with self.rbac_utils.override_role(self):
+ retrieved_fields = self.routers_client.show_router(
+ router['id'], fields=['ha'])['router']
# Rather than throwing a 403, the field is not present, so raise exc.
if 'ha' not in retrieved_fields:
@@ -207,8 +207,8 @@
"""
new_name = data_utils.rand_name(
self.__class__.__name__ + '-new-router-name')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'], name=new_name)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'], name=new_name)
@rbac_rule_validation.action(
service="neutron", rule="update_router:external_gateway_info")
@@ -219,9 +219,9 @@
RBAC test for the neutron
update_router:external_gateway_info policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'],
- external_gateway_info={})
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'],
+ external_gateway_info={})
@rbac_rule_validation.action(
service="neutron",
@@ -233,10 +233,10 @@
RBAC test for the neutron
update_router:external_gateway_info:network_id policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(
- self.router['id'],
- external_gateway_info={'network_id': self.network['id']})
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(
+ self.router['id'],
+ external_gateway_info={'network_id': self.network['id']})
self.addCleanup(
self.routers_client.update_router,
self.router['id'],
@@ -253,11 +253,11 @@
RBAC test for the neutron
update_router:external_gateway_info:enable_snat policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(
- self.router['id'],
- external_gateway_info={'network_id': self.network['id'],
- 'enable_snat': True})
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(
+ self.router['id'],
+ external_gateway_info={'network_id': self.network['id'],
+ 'enable_snat': True})
self.addCleanup(
self.routers_client.update_router,
self.router['id'],
@@ -279,10 +279,10 @@
external_gateway_info = {'network_id': self.network['id'],
'external_fixed_ips': [external_fixed_ips]}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(
- self.router['id'],
- external_gateway_info=external_gateway_info)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(
+ self.router['id'],
+ external_gateway_info=external_gateway_info)
self.addCleanup(
self.routers_client.update_router,
self.router['id'],
@@ -297,8 +297,8 @@
RBAC test for the neutron update_router:ha policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'], ha=True)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'], ha=True)
self.addCleanup(self.routers_client.update_router, self.router['id'],
ha=False)
@@ -311,8 +311,9 @@
RBAC test for the neutron update_router:distributed policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'], distributed=True)
+ with self.rbac_utils.override_role(self):
+ self.routers_client.update_router(self.router['id'],
+ distributed=True)
self.addCleanup(self.routers_client.update_router, self.router['id'],
distributed=False)
@@ -325,8 +326,8 @@
RBAC test for the neutron delete_router policy
"""
router = self.create_router()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.delete_router(router['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.delete_router(router['id'])
@rbac_rule_validation.action(service="neutron",
rule="add_router_interface")
@@ -340,9 +341,9 @@
subnet = self.create_subnet(network)
router = self.create_router()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.add_router_interface(
- router['id'], subnet_id=subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.add_router_interface(
+ router['id'], subnet_id=subnet['id'])
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.routers_client.remove_router_interface,
@@ -369,7 +370,7 @@
router['id'],
subnet_id=subnet['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.remove_router_interface(
- router['id'],
- subnet_id=subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.routers_client.remove_router_interface(
+ router['id'],
+ subnet_id=subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
index e111ae8..fd85444 100644
--- a/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
@@ -25,5 +25,5 @@
rule="get_service_provider")
@decorators.idempotent_id('15f573b7-474a-4b37-8629-7fac86553ce5')
def test_list_service_providers(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.service_providers_client.list_service_providers()
+ with self.rbac_utils.override_role(self):
+ self.service_providers_client.list_service_providers()
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
index 9231c15..fe14c92 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
@@ -60,8 +60,8 @@
RBAC test for the neutron create_subnetpool policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_subnetpool()
+ with self.rbac_utils.override_role(self):
+ self._create_subnetpool()
@rbac_rule_validation.action(service="neutron",
rule="create_subnetpool:shared")
@@ -71,8 +71,8 @@
RBAC test for the neutron create_subnetpool:shared policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_subnetpool(shared=True)
+ with self.rbac_utils.override_role(self):
+ self._create_subnetpool(shared=True)
@rbac_rule_validation.action(service="neutron",
rule="get_subnetpool",
@@ -84,8 +84,8 @@
RBAC test for the neutron get_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.show_subnetpool(subnetpool['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.show_subnetpool(subnetpool['id'])
@rbac_rule_validation.action(service="neutron",
rule="update_subnetpool")
@@ -96,9 +96,9 @@
RBAC test for the neutron update_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.update_subnetpool(subnetpool['id'],
- min_prefixlen=24)
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.update_subnetpool(subnetpool['id'],
+ min_prefixlen=24)
@decorators.idempotent_id('a16f4e5c-0675-415f-b636-00af00638693')
@rbac_rule_validation.action(service="neutron",
@@ -117,9 +117,9 @@
default_pool = self._create_subnetpool(is_default=True)
original_desc = default_pool['description']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.update_subnetpool(
- default_pool['id'], description=original_desc, is_default=True)
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.update_subnetpool(
+ default_pool['id'], description=original_desc, is_default=True)
@rbac_rule_validation.action(service="neutron",
rule="delete_subnetpool")
@@ -130,5 +130,5 @@
RBAC test for the neutron delete_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.delete_subnetpool(subnetpool['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.delete_subnetpool(subnetpool['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
index 23f11cf..bc36c21 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
@@ -44,8 +44,8 @@
RBAC test for the neutron "create_subnet" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_subnet(self.network)
+ with self.rbac_utils.override_role(self):
+ self.create_subnet(self.network)
@decorators.idempotent_id('c02618e7-bb20-4abd-83c8-6eec2af08752')
@rbac_rule_validation.action(service="neutron",
@@ -55,8 +55,8 @@
RBAC test for the neutron "get_subnet" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.show_subnet(self.subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.show_subnet(self.subnet['id'])
@decorators.idempotent_id('e2ddc415-5cab-43f4-9b61-166aed65d637')
@rbac_rule_validation.action(service="neutron",
@@ -66,8 +66,8 @@
RBAC test for the neutron "get_subnet" policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.list_subnets()
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.list_subnets()
@decorators.idempotent_id('f36cd821-dd22-4bd0-b43d-110fc4b553eb')
@rbac_rule_validation.action(service="neutron",
@@ -79,8 +79,9 @@
"""
update_name = data_utils.rand_name(self.__class__.__name__ + '-Subnet')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.update_subnet(self.subnet['id'], name=update_name)
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.update_subnet(self.subnet['id'],
+ name=update_name)
@decorators.idempotent_id('bcfc7153-bbd1-43a4-a908-b3e1b0cde0dc')
@rbac_rule_validation.action(service="neutron",
@@ -92,5 +93,5 @@
"""
subnet = self.create_subnet(self.network)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnets_client.delete_subnet(subnet['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnets_client.delete_subnet(subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/rbac_base.py b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
index 7e2ebad..798f311 100644
--- a/patrole_tempest_plugin/tests/api/volume/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
@@ -21,7 +21,8 @@
CONF = config.CONF
-class BaseVolumeRbacTest(vol_base.BaseVolumeTest):
+class BaseVolumeRbacTest(rbac_utils.RbacUtilsMixin,
+ vol_base.BaseVolumeTest):
# NOTE(felipemonteiro): Patrole currently only tests the v3 Cinder API
# because it is the current API and because policy enforcement does not
# change between API major versions. So, it is not necessary to specify
@@ -32,15 +33,12 @@
@classmethod
def skip_checks(cls):
super(BaseVolumeRbacTest, cls).skip_checks()
- if not CONF.patrole.enable_rbac:
- raise cls.skipException(
- "%s skipped as RBAC testing not enabled" % cls.__name__)
+ cls.skip_rbac_checks()
@classmethod
def setup_clients(cls):
super(BaseVolumeRbacTest, cls).setup_clients()
- cls.rbac_utils = rbac_utils.RbacUtils(cls)
-
+ cls.setup_rbac_utils()
cls.volume_hosts_client = cls.os_primary.volume_hosts_v2_client
cls.volume_types_client = cls.os_primary.volume_types_v2_client
cls.groups_client = cls.os_primary.groups_v3_client
diff --git a/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
index fa92cad..976d756 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
@@ -26,5 +26,5 @@
@rbac_rule_validation.action(service="cinder",
rule="limits_extension:used_limits")
def test_show_limits(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volume_limits_client.show_limits()
+ with self.rbac_utils.override_role(self):
+ self.volume_limits_client.show_limits()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
index adfd397..a62bbda 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
@@ -23,13 +23,11 @@
class VolumeQOSV3RbacTest(rbac_base.BaseVolumeRbacTest):
- credentials = ['primary', 'admin']
@classmethod
def setup_clients(cls):
super(VolumeQOSV3RbacTest, cls).setup_clients()
cls.qos_client = cls.os_primary.volume_qos_v2_client
- cls.admin_qos_client = cls.os_admin.volume_qos_v2_client
def _create_test_qos_specs(self, name=None, consumer=None, **kwargs):
name = name or data_utils.rand_name(self.__class__.__name__ + '-QoS')
@@ -44,24 +42,24 @@
service="cinder", rule="volume_extension:qos_specs_manage:create")
@decorators.idempotent_id('4f9f45f0-b379-4577-a279-cec3e917cbec')
def test_create_qos_with_consumer(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_test_qos_specs()
+ with self.rbac_utils.override_role(self):
+ self._create_test_qos_specs()
@rbac_rule_validation.action(
service="cinder", rule="volume_extension:qos_specs_manage:delete")
@decorators.idempotent_id('fbc8a77e-6b6d-45ae-bebe-c496eb8f06f7')
def test_delete_qos_with_consumer(self):
qos = self._create_test_qos_specs()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.qos_client.delete_qos(qos['id'])
+ with self.rbac_utils.override_role(self):
+ self.qos_client.delete_qos(qos['id'])
@rbac_rule_validation.action(service="cinder",
rule="volume_extension:qos_specs_manage:get")
@decorators.idempotent_id('22aff0dd-0343-408d-ae80-e77551956e14')
def test_show_qos(self):
qos = self._create_test_qos_specs()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.qos_client.show_qos(qos['id'])['qos_specs']
+ with self.rbac_utils.override_role(self):
+ self.qos_client.show_qos(qos['id'])['qos_specs']
@rbac_rule_validation.action(service="cinder",
rule="volume_extension:"
@@ -73,24 +71,25 @@
self.qos_client.associate_qos(qos['id'], vol_type)
self.addCleanup(self.qos_client.disassociate_qos, qos['id'], vol_type)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.qos_client.show_association_qos(qos['id'])
+ with self.rbac_utils.override_role(self):
+ self.qos_client.show_association_qos(qos['id'])
@rbac_rule_validation.action(
service="cinder",
rule="volume_extension:qos_specs_manage:get_all")
@decorators.idempotent_id('546b8bb1-04a4-4387-9506-a538a7f3cd6a')
def test_list_qos(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.qos_client.list_qos()['qos_specs']
+ with self.rbac_utils.override_role(self):
+ self.qos_client.list_qos()['qos_specs']
@rbac_rule_validation.action(
service="cinder", rule="volume_extension:qos_specs_manage:update")
@decorators.idempotent_id('89b630b7-c170-47c3-ac80-50ed425c2d98')
def test_set_qos_key(self):
qos = self._create_test_qos_specs()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.qos_client.set_qos_key(qos['id'], iops_bytes='500')['qos_specs']
+ with self.rbac_utils.override_role(self):
+ self.qos_client.set_qos_key(
+ qos['id'], iops_bytes='500')['qos_specs']
@rbac_rule_validation.action(
service="cinder", rule="volume_extension:qos_specs_manage:update")
@@ -99,9 +98,9 @@
qos = self._create_test_qos_specs()
self.qos_client.set_qos_key(qos['id'], iops_bytes='500')['qos_specs']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.qos_client.unset_qos_key(qos['id'], ['iops_bytes'])
- waiters.wait_for_qos_operations(self.admin_qos_client, qos['id'],
+ with self.rbac_utils.override_role(self):
+ self.qos_client.unset_qos_key(qos['id'], ['iops_bytes'])
+ waiters.wait_for_qos_operations(self.qos_client, qos['id'],
'qos-key-unset', args=['iops_bytes'])
@rbac_rule_validation.action(
@@ -111,8 +110,8 @@
qos = self._create_test_qos_specs()
vol_type = self.create_volume_type()['id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.qos_client.associate_qos(qos['id'], vol_type)
+ with self.rbac_utils.override_role(self):
+ self.qos_client.associate_qos(qos['id'], vol_type)
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.qos_client.disassociate_qos, qos['id'], vol_type)
@@ -127,9 +126,9 @@
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.qos_client.disassociate_qos, qos['id'], vol_type)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.qos_client.disassociate_qos(qos['id'], vol_type)
- waiters.wait_for_qos_operations(self.admin_qos_client, qos['id'],
+ with self.rbac_utils.override_role(self):
+ self.qos_client.disassociate_qos(qos['id'], vol_type)
+ waiters.wait_for_qos_operations(self.qos_client, qos['id'],
'disassociate', args=vol_type)
@rbac_rule_validation.action(
@@ -142,7 +141,7 @@
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.qos_client.disassociate_qos, qos['id'], vol_type)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.qos_client.disassociate_all_qos(qos['id'])
- waiters.wait_for_qos_operations(self.admin_qos_client, qos['id'],
+ with self.rbac_utils.override_role(self):
+ self.qos_client.disassociate_all_qos(qos['id'])
+ waiters.wait_for_qos_operations(self.qos_client, qos['id'],
'disassociate-all')
diff --git a/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py
index a81f1b9..dace257 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py
@@ -41,9 +41,9 @@
@rbac_rule_validation.action(service="cinder",
rule="volume_extension:quota_classes")
def test_show_quota_class_set(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.quota_classes_client.show_quota_class_set(
- self.quota_name)['quota_class_set']
+ with self.rbac_utils.override_role(self):
+ self.quota_classes_client.show_quota_class_set(
+ self.quota_name)['quota_class_set']
@decorators.idempotent_id('72159478-23a7-4c75-989f-6bac609eca62')
@rbac_rule_validation.action(service="cinder",
@@ -53,6 +53,6 @@
self.quota_name)['quota_class_set']
quota_class_set.pop('id')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.quota_classes_client.update_quota_class_set(self.quota_name,
- **quota_class_set)
+ with self.rbac_utils.override_role(self):
+ self.quota_classes_client.update_quota_class_set(self.quota_name,
+ **quota_class_set)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py
index 8fded0a..a243587 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py
@@ -40,5 +40,5 @@
rule="scheduler_extension:scheduler_stats:get_pools")
@decorators.idempotent_id('5f800441-4d30-48ec-9e5b-0d55bc86acbb')
def test_list_back_end_storage_pools(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.scheduler_stats_client.list_pools()
+ with self.rbac_utils.override_role(self):
+ self.scheduler_stats_client.list_pools()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
index f7a4151..65b7526 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
@@ -66,8 +66,8 @@
def test_snapshot_force_delete(self):
temp_snapshot = self.create_snapshot(self.volume['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_client.force_delete_snapshot(temp_snapshot['id'])
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.force_delete_snapshot(temp_snapshot['id'])
self.snapshots_client.wait_for_resource_deletion(temp_snapshot['id'])
@decorators.idempotent_id('a95eab2a-c441-4609-9235-f7478627da88')
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py
index 1f82671..226411f 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py
@@ -53,8 +53,8 @@
@decorators.idempotent_id('c9cbec1c-edfe-46b8-825b-7b6ac0a58c25')
def test_create_snapshot_metadata(self):
# Create metadata for the snapshot
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_test_snapshot_metadata()
+ with self.rbac_utils.override_role(self):
+ self._create_test_snapshot_metadata()
@rbac_rule_validation.action(service="cinder",
rule="volume:get_snapshot_metadata")
@@ -63,9 +63,9 @@
# Create volume and snapshot metadata
self._create_test_snapshot_metadata()
# Get metadata for the snapshot
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_client.show_snapshot_metadata(
- self.snapshot_id)
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.show_snapshot_metadata(
+ self.snapshot_id)
@rbac_rule_validation.action(
service="cinder",
@@ -74,31 +74,30 @@
def test_get_snapshot_metadata_for_volume_tenant(self):
# Create volume and snapshot metadata
self._create_test_snapshot_metadata()
- # Get metadata for the snapshot
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
# Get the metadata of the snapshot
- self.snapshots_client.show_snapshot_metadata(
- self.snapshot_id)['metadata']
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.show_snapshot_metadata(
+ self.snapshot_id)['metadata']
@decorators.idempotent_id('7ea597f6-c544-4b10-aab0-ff68f595fb06')
@rbac_rule_validation.action(service="cinder",
rule="volume:update_snapshot_metadata")
def test_update_snapshot_metadata(self):
self._create_test_snapshot_metadata()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- update = {"key3": "value3_update",
- "key4": "value4"}
- self.snapshots_client.update_snapshot_metadata(
- self.snapshot['id'], metadata=update)
+ with self.rbac_utils.override_role(self):
+ update = {"key3": "value3_update",
+ "key4": "value4"}
+ self.snapshots_client.update_snapshot_metadata(
+ self.snapshot['id'], metadata=update)
@decorators.idempotent_id('93068d02-0131-4dd3-af16-fc40d7128d93')
@rbac_rule_validation.action(service="cinder",
rule="volume:get_snapshot_metadata")
def test_show_snapshot_metadata_item(self):
self._create_test_snapshot_metadata()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_client.show_snapshot_metadata_item(
- self.snapshot['id'], "key3")['meta']
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.show_snapshot_metadata_item(
+ self.snapshot['id'], "key3")['meta']
@decorators.idempotent_id('1f8f43e7-da31-4128-bb3c-73fc548650e3')
@rbac_rule_validation.action(service="cinder",
@@ -106,15 +105,15 @@
def test_update_snapshot_metadata_item(self):
update_item = {"key3": "value3_update"}
self._create_test_snapshot_metadata()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_client.update_snapshot_metadata_item(
- self.snapshot['id'], "key3", meta=update_item)['meta']
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.update_snapshot_metadata_item(
+ self.snapshot['id'], "key3", meta=update_item)['meta']
@decorators.idempotent_id('3ec32516-f7cd-4f88-b78a-ddee67492071')
@rbac_rule_validation.action(service="cinder",
rule="volume:delete_snapshot_metadata")
def test_delete_snapshot_metadata_item(self):
self._create_test_snapshot_metadata()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_client.delete_snapshot_metadata_item(
- self.snapshot['id'], "key1")
+ with self.rbac_utils.override_role(self):
+ self.snapshots_client.delete_snapshot_metadata_item(
+ self.snapshot['id'], "key1")
diff --git a/patrole_tempest_plugin/tests/api/volume/test_user_messages_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_user_messages_rbac.py
index bac9189..56ee1e0 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_user_messages_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_user_messages_rbac.py
@@ -28,13 +28,10 @@
min_microversion = '3.3'
max_microversion = 'latest'
- credentials = ['primary', 'admin']
-
@classmethod
def setup_clients(cls):
super(MessagesV3RbacTest, cls).setup_clients()
cls.messages_client = cls.os_primary.volume_v3_messages_client
- cls.admin_messages_client = cls.os_admin.volume_v3_messages_client
def _create_user_message(self):
"""Trigger a 'no valid host' situation to generate a message."""
@@ -70,8 +67,8 @@
service="cinder",
rule="message:get_all")
def test_list_messages(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.messages_client.list_messages()['messages']
+ with self.rbac_utils.override_role(self):
+ self.messages_client.list_messages()['messages']
@decorators.idempotent_id('9cc1ad1e-68a2-4407-8b60-ea77909bce08')
@rbac_rule_validation.action(
@@ -80,8 +77,8 @@
def test_show_message(self):
message_id = self._create_user_message()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.messages_client.show_message(message_id)['message']
+ with self.rbac_utils.override_role(self):
+ self.messages_client.show_message(message_id)['message']
@decorators.idempotent_id('65ca7fb7-7f2c-443e-b144-ac86973a97be')
@rbac_rule_validation.action(
@@ -90,6 +87,6 @@
def test_delete_message(self):
message_id = self._create_user_message()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.messages_client.delete_message(message_id)
- self.admin_messages_client.wait_for_resource_deletion(message_id)
+ with self.rbac_utils.override_role(self):
+ self.messages_client.delete_message(message_id)
+ self.messages_client.wait_for_resource_deletion(message_id)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_services_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_services_rbac.py
index d36fb5a..1711c88 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_services_rbac.py
@@ -43,5 +43,5 @@
service="cinder",
rule="volume_extension:services:index")
def test_list_services(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.services_client.list_services()['services']
+ with self.rbac_utils.override_role(self):
+ self.services_client.list_services()['services']
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
index 0d75c3e..55db501 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
@@ -17,6 +17,7 @@
import testtools
from tempest.lib import exceptions as lib_exc
+from tempest import test
from tempest.tests import base
from patrole_tempest_plugin import rbac_exceptions
@@ -199,3 +200,60 @@
_do_test()
mock_override_role.assert_called_once_with(_rbac_utils, test_obj,
False)
+
+
+class RBACUtilsMixinTest(base.TestCase):
+
+ def setUp(self):
+ super(RBACUtilsMixinTest, self).setUp()
+
+ class FakeRbacTest(rbac_utils.RbacUtilsMixin, test.BaseTestCase):
+
+ @classmethod
+ def skip_checks(cls):
+ super(FakeRbacTest, cls).skip_checks()
+ cls.skip_rbac_checks()
+
+ @classmethod
+ def setup_clients(cls):
+ super(FakeRbacTest, cls).setup_clients()
+ cls.setup_rbac_utils()
+
+ def runTest(self):
+ pass
+
+ self.parent_class = FakeRbacTest
+
+ def test_setup_rbac_utils(self):
+ """Validate that the child class has the `rbac_utils` attribute after
+ running parent class's `cls.setup_rbac_utils`.
+ """
+ class ChildRbacTest(self.parent_class):
+ pass
+
+ child_test = ChildRbacTest()
+
+ with mock.patch.object(rbac_utils.RbacUtils, '__init__',
+ lambda *args: None):
+ child_test.setUpClass()
+
+ self.assertTrue(hasattr(child_test, 'rbac_utils'))
+ self.assertIsInstance(child_test.rbac_utils, rbac_utils.RbacUtils)
+
+ def test_skip_rbac_checks(self):
+ """Validate that the child class is skipped if `[patrole] enable_rbac`
+ is False and that the child class's name is in the skip message.
+ """
+ self.useFixture(patrole_fixtures.ConfPatcher(enable_rbac=False,
+ group='patrole'))
+
+ class ChildRbacTest(self.parent_class):
+ pass
+
+ child_test = ChildRbacTest()
+
+ with testtools.ExpectedException(
+ testtools.TestCase.skipException,
+ value_re=('%s skipped as Patrole testing not enabled.'
+ % ChildRbacTest.__name__)):
+ child_test.setUpClass()