Merge "Initial Cinder tests"

commit: 86e2200c59d0ee92e40fbfeaa66b7c8daaa1ccee [log] [tgz]
author: Jenkins <jenkins@review.openstack.org> Fri Jan 20 21:23:04 2017 +0000
committer: Gerrit Code Review <review@openstack.org> Fri Jan 20 21:23:04 2017 +0000
tree: 4ced7e1789e4204f82ae07557758d0ac6db0e949
parent: 929daf6c65949b1529f8a696538231371dcafd97 [diff]
parent: 3589f2bc011f5bb45102606db735746f7ebeb20f [diff]
diff --git a/README.rst b/README.rst
index 6be7812..d9a6507 100644
--- a/README.rst
+++ b/README.rst

@@ -17,4 +17,16 @@
 Features
 --------
 
-* TODO
+Patrole offers RBAC testing for various OpenStack RBAC policies.  It includes
+a decorator that wraps around tests which verifies that when the test calls the
+corresponding api endpoint, access is only granted for correct roles.
+
+There are several possible test flows.
+
+If the rbac_test_role is allowed to access the endpoint
+ - The test passes if no 403 forbidden or RbacActionFailed exception is raised.
+
+If the rbac_test_role is not allowed to access the endpoint
+ - If the endpoint returns a 403 forbidden exception the test will pass
+ - If the endpoint returns something other than a 403 forbidden to indicate
+   that the role is not allowed, the test will raise an RbacActionFailed exception.

diff --git a/doc/source/installation.rst b/doc/source/installation.rst
index 9bfe14e..b0a6f33 100644
--- a/doc/source/installation.rst
+++ b/doc/source/installation.rst

@@ -14,6 +14,11 @@
     $ mkvirtualenv patrole
     $ pip install patrole
 
+Or to install from the source::
+
+    $ navigate to patrole directory
+    $ pip install -e .
+
 Configuration Information
 #########################
 
@@ -44,6 +49,11 @@
 
        # The role that you want the RBAC tests to use for RBAC testing
        # This needs to be edited to run the test as a different role. 
-       rbac_role=_member_
+       rbac_test_role=_member_
+
+       # The list of roles that your system contains.
+       # This needs to be updated as new roles are added.
+       rbac_roles=admin,_member_
+
        # Tell standard RBAC test cases to run other wise it they are skipped.
        rbac_flag=true

diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
new file mode 100644
index 0000000..632abdd
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py

@@ -0,0 +1,65 @@
+# Copyright 2016 AT&T Corp
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_log import log as logging
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api import rbac_base
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
+
+class VolumesRbacTest(rbac_base.BaseVolumeRbacTest):
+
+    @classmethod
+    def setup_clients(cls):
+        super(VolumesRbacTest, cls).setup_clients()
+        cls.client = cls.volumes_client
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(VolumesRbacTest, self).tearDown()
+
+    @rbac_rule_validation.action(
+        component="Volume", service="cinder",
+        rule="volume_extension:volume_admin_actions:reset_status")
+    @decorators.idempotent_id('4b3dad7d-0e73-4839-8781-796dd3d7af1d')
+    def test_volume_reset_status(self):
+        volume = self.create_volume()
+        # Test volume reset status : available->error->available
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.client.reset_volume_status(volume['id'], status='error')
+        self.client.reset_volume_status(volume['id'], status='availble')
+
+    @rbac_rule_validation.action(
+        component="Volume", service="cinder",
+        rule="volume_extension:volume_admin_actions:force_delete")
+    @decorators.idempotent_id('a312a937-6abf-4b91-a950-747086cbce48')
+    def test_volume_force_delete_when_volume_is_error(self):
+        volume = self.create_volume()
+        self.client.reset_volume_status(volume['id'], status='error')
+        # Test force delete when status of volume is error
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.client.force_delete_volume(volume['id'])
+        self.client.wait_for_resource_deletion(volume['id'])
+
+
+class VolumesV3RbacTest(VolumesRbacTest):
+    _api_version = 3
commit	86e2200c59d0ee92e40fbfeaa66b7c8daaa1ccee	[log] [tgz]
author	Jenkins <jenkins@review.openstack.org>	Fri Jan 20 21:23:04 2017 +0000
committer	Gerrit Code Review <review@openstack.org>	Fri Jan 20 21:23:04 2017 +0000
tree	4ced7e1789e4204f82ae07557758d0ac6db0e949
parent	929daf6c65949b1529f8a696538231371dcafd97 [diff]
parent	3589f2bc011f5bb45102606db735746f7ebeb20f [diff]