commit 903da3bc78cdc62070b2a5a9ee77e15a6166f53d
author Jenkins <jenkins@review.openstack.org> Fri Apr 21 16:12:58 2017 +0000
committer Gerrit Code Review <review@openstack.org> Fri Apr 21 16:12:58 2017 +0000
tree 4ab2240525979fdc272651b56d3f75e8b4d58cb3
parent 8c6bd39953c2ccd9780c08cb31c7d7279cd6b7de
parent a7a2916e6a5f1823e20251d890ca2f99463e17ba

Merge "Create heat-specific patrole gate"

patrole_tempest_plugin/rbac_policy_parser.py

diff --git a/patrole_tempest_plugin/rbac_policy_parser.py b/patrole_tempest_plugin/rbac_policy_parser.py
index 38bed7c..69a9842 100644
--- a/patrole_tempest_plugin/rbac_policy_parser.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py
@@ -101,7 +101,7 @@
             try:
                 file_policy_data = json.loads(file_policy_data)
             except ValueError:
-                pass
+                file_policy_data = None
 
         # Check whether policy actions are defined in code. Nova and Keystone,
         # for example, define their default policy actions in code.

patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
index a47db68..81266af 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
@@ -351,3 +351,32 @@
             LOG.info("host_status attribute not returned when role doesn't "
                      "have permission to access it.")
             raise rbac_exceptions.RbacActionFailed
+
+
+class ServerActionsV214RbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+    min_microversion = '2.14'
+    max_microversion = 'latest'
+
+    @classmethod
+    def setup_clients(cls):
+        super(ServerActionsV214RbacTest, cls).setup_clients()
+        cls.client = cls.servers_client
+
+    @classmethod
+    def resource_setup(cls):
+        cls.set_validation_resources()
+        super(ServerActionsV214RbacTest, cls).resource_setup()
+        cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-evacuate")
+    @decorators.idempotent_id('78ecef3c-faff-412a-83be-47651963eb21')
+    def test_evacuate_server(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.assertRaisesRegex(lib_exc.NotFound,
+                               "Compute host fake-host not found.",
+                               self.client.evacuate_server,
+                               self.server_id,
+                               host='fake-host')

patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
index d5c8528..5e5d918 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
@@ -23,26 +23,33 @@
 CONF = config.CONF
 
 
-class BaseIdentityV2AdminRbacTest(base.BaseIdentityV2AdminTest):
+class BaseIdentityV2RbacTest(base.BaseIdentityV2Test):
 
     credentials = ['admin', 'primary']
 
     @classmethod
     def skip_checks(cls):
-        super(BaseIdentityV2AdminRbacTest, cls).skip_checks()
+        super(BaseIdentityV2RbacTest, cls).skip_checks()
         if not CONF.rbac.enable_rbac:
             raise cls.skipException(
-                "%s skipped as RBAC Flag not enabled" % cls.__name__)
+                "%s skipped as RBAC testing not enabled" % cls.__name__)
 
     @classmethod
     def setup_clients(cls):
-        super(BaseIdentityV2AdminRbacTest, cls).setup_clients()
+        super(BaseIdentityV2RbacTest, cls).setup_clients()
         cls.auth_provider = cls.os.auth_provider
-        cls.tenants_client = cls.os.tenants_client
-        cls.users_client = cls.os.users_client
+
         cls.rbac_utils = rbac_utils()
         cls.rbac_utils.switch_role(cls, toggle_rbac_role=False)
 
+        cls.client = cls.os.identity_client
+        cls.endpoints_client = cls.os.endpoints_client
+        cls.roles_client = cls.os.roles_client
+        cls.services_client = cls.os.identity_services_client
+        cls.tenants_client = cls.os.tenants_client
+        cls.token_client = cls.os.token_client
+        cls.users_client = cls.os.users_client
+
     def _create_service(self):
         name = data_utils.rand_name('service')
         type = data_utils.rand_name('type')
@@ -73,7 +80,7 @@
     def _create_tenant(self):
         """Set up a test tenant."""
         name = data_utils.rand_name('test_tenant')
-        tenant = self.projects_client.create_tenant(
+        tenant = self.tenants_client.create_tenant(
             name=name,
             description=data_utils.rand_name('desc'))['tenant']
         # Delete the tenant at the end of the test

patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
index 9364e2f..b8677cf 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
@@ -24,16 +24,16 @@
 CONF = config.CONF
 
 
-class IdentityEndpointsV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityEndpointsV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
 
     @classmethod
     def setup_clients(cls):
-        super(IdentityEndpointsV2AdminRbacTest, cls).setup_clients()
+        super(IdentityEndpointsV2RbacTest, cls).setup_clients()
         cls.endpoints_client = cls.os.endpoints_client
 
     @classmethod
     def resource_setup(cls):
-        super(IdentityEndpointsV2AdminRbacTest, cls).resource_setup()
+        super(IdentityEndpointsV2RbacTest, cls).resource_setup()
         cls.region = data_utils.rand_name('region')
         cls.public_url = data_utils.rand_url()
         cls.admin_url = data_utils.rand_url()
@@ -61,7 +61,7 @@
 
         """Create Endpoint Test
 
-        RBAC test for Identity Admin 2.0 create_endpoint
+        RBAC test for Identity v2 create_endpoint
         """
 
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
@@ -75,7 +75,7 @@
 
         """Delete Endpoint Test
 
-        RBAC test for Identity Admin 2.0 delete_endpoint
+        RBAC test for Identity v2 delete_endpoint
         """
 
         endpoint = self._create_endpoint()
@@ -90,7 +90,7 @@
 
         """List Endpoints Test
 
-        RBAC test for Identity Admin 2.0 list_endpoint
+        RBAC test for Identity v2 list_endpoint
         """
 
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)

patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
index a120562..6853b64 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -22,7 +22,7 @@
 CONF = config.CONF
 
 
-class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityProjectV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
 
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:create_project",

patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
index 4196cdd..9dd90e1 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
@@ -24,11 +24,11 @@
 CONF = config.CONF
 
 
-class IdentityRoleV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityRoleV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
 
     @classmethod
     def setup_clients(cls):
-        super(IdentityRoleV2AdminRbacTest, cls).setup_clients()
+        super(IdentityRoleV2RbacTest, cls).setup_clients()
         cls.roles_client = cls.os.roles_client
 
     def _create_role(self):
@@ -60,7 +60,7 @@
 
         """Create Role Test
 
-        RBAC test for Identity Admin 2.0 role-create
+        RBAC test for Identity v2 role-create
         """
 
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
@@ -74,7 +74,7 @@
 
         """Delete Role Test
 
-        RBAC test for Identity Admin 2.0 role-delete
+        RBAC test for Identity v2 delete_role
         """
         role = self._create_role()
 
@@ -89,7 +89,7 @@
 
         """Get Role Test
 
-        RBAC test for Identity Admin 2.0
+        RBAC test for Identity v2 show_role
         """
         role = self._create_role()
 
@@ -104,7 +104,7 @@
 
         """List Roles Test
 
-        RBAC test for Identity Admin 2.0 role-list
+        RBAC test for Identity v2 list_roles
         """
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
         self.roles_client.list_roles()
@@ -117,7 +117,7 @@
 
         """Assign User Role Test
 
-        RBAC test for Identity Admin 2.0 create_user_role_on_project
+        RBAC test for Identity v2 create_user_role_on_project
         """
         tenant, user, role = self._create_tenant_user_and_role()
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
@@ -131,7 +131,7 @@
 
         """Remove User Roles Test
 
-        RBAC test for Identity Admin 2.0 delete_role_from_user_on_project
+        RBAC test for Identity v2 delete_role_from_user_on_project
         """
         tenant, user, role = self._create_tenant_user_and_role()
         self._create_role_on_project(tenant, user, role)
@@ -148,7 +148,7 @@
 
         """List User Roles Test
 
-        RBAC test for Identity Admin 2.0 list_user_roles_on_project
+        RBAC test for Identity v2 list_user_roles_on_project
         """
         tenant = self._create_tenant()
         user = self._create_user(tenantid=tenant['id'])

patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
index e9b59be..a371bbc 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
@@ -22,11 +22,11 @@
 CONF = config.CONF
 
 
-class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityServicesV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
 
     @classmethod
     def setup_clients(cls):
-        super(IdentityServicesV2AdminRbacTest, cls).setup_clients()
+        super(IdentityServicesV2RbacTest, cls).setup_clients()
         cls.services_client = cls.os.identity_services_client
 
     @rbac_rule_validation.action(service="keystone",
@@ -36,7 +36,7 @@
     def test_create_service(self):
         """Create Service Test
 
-        RBAC test for Identity Admin 2.0 create_service
+        RBAC test for Identity v2 create_service
         """
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
         self._create_service()
@@ -48,7 +48,7 @@
     def test_delete_service(self):
         """Delete Service Test
 
-        RBAC test for Identity Admin 2.0 delete_service
+        RBAC test for Identity v2 delete_service
         """
         service_id = self._create_service()['OS-KSADM:service']['id']
 
@@ -62,7 +62,7 @@
     def test_show_service(self):
         """Show Service Test
 
-        RBAC test for Identity Admin 2.0 show_service
+        RBAC test for Identity v2 show_service
         """
         service_id = self._create_service()['OS-KSADM:service']['id']
 
@@ -76,7 +76,7 @@
     def test_list_services(self):
         """List all the services
 
-        RBAC test for Identity Admin 2.0 list_service
+        RBAC test for Identity v2 list_service
         """
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
         self.services_client.list_services()

patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
index 3222b61..48f3d11 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
@@ -20,7 +20,7 @@
 from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
 
 
-class IdentityUserV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+class IdentityUserV2RbacTest(rbac_base.BaseIdentityV2RbacTest):
 
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:create_user",

patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
index 6a0a309..a1cdf4c 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
@@ -23,20 +23,20 @@
 CONF = config.CONF
 
 
-class BaseIdentityV3RbacAdminTest(base.BaseIdentityV3AdminTest):
+class BaseIdentityV3RbacTest(base.BaseIdentityV3Test):
 
     credentials = ['admin', 'primary']
 
     @classmethod
     def skip_checks(cls):
-        super(BaseIdentityV3RbacAdminTest, cls).skip_checks()
+        super(BaseIdentityV3RbacTest, cls).skip_checks()
         if not CONF.rbac.enable_rbac:
             raise cls.skipException(
-                "%s skipped as RBAC Flag not enabled" % cls.__name__)
+                "%s skipped as RBAC testing not enabled" % cls.__name__)
 
     @classmethod
     def setup_clients(cls):
-        super(BaseIdentityV3RbacAdminTest, cls).setup_clients()
+        super(BaseIdentityV3RbacTest, cls).setup_clients()
         cls.auth_provider = cls.os.auth_provider
 
         cls.rbac_utils = rbac_utils()
@@ -57,7 +57,7 @@
 
     @classmethod
     def resource_setup(cls):
-        super(BaseIdentityV3RbacAdminTest, cls).resource_setup()
+        super(BaseIdentityV3RbacTest, cls).resource_setup()
         cls.credentials = []
         cls.domains = []
         cls.endpoints = []
@@ -115,7 +115,7 @@
             test_utils.call_and_ignore_notfound_exc(
                 cls.users_client.delete_user, user['id'])
 
-        super(BaseIdentityV3RbacAdminTest, cls).resource_cleanup()
+        super(BaseIdentityV3RbacTest, cls).resource_cleanup()
 
     @classmethod
     def setup_test_credential(cls, user=None):

patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
index ad6feaa..42f2c01 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -20,8 +20,7 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityCredentialsV3AdminRbacTest(
-        rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     def _create_user_project_and_credential(self):
         project = self.setup_test_project()

patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py
new file mode 100644
index 0000000..ba5d5e0
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py
@@ -0,0 +1,68 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
+
+
+class IdentityDomainsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:create_domain")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd110')
+    def test_create_domain(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.setup_test_domain()
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:update_domain")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd111')
+    def test_update_domain(self):
+        domain = self.setup_test_domain()
+        new_domain_name = data_utils.rand_name('test_update_domain')
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.domains_client.update_domain(domain['id'],
+                                          domain=domain,
+                                          name=new_domain_name)
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:delete_domain")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd112')
+    def test_delete_domain(self):
+        domain = self.setup_test_domain()
+        # A domain must be deactivated to be deleted
+        self.domains_client.update_domain(domain['id'],
+                                          domain=domain,
+                                          enabled=False)
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.domains_client.delete_domain(domain['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:get_domain")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd113')
+    def test_show_domain(self):
+        domain = self.setup_test_domain()
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.domains_client.show_domain(domain['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:list_domains")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd114')
+    def test_list_domains(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.domains_client.list_domains()

patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
index 8c67e5f..eabebb6 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
@@ -20,8 +20,7 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityEndpointsV3AdminRbacTest(
-        rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityEndpointsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:create_endpoint")

patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
index 1a96010..3cc71a6 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
@@ -20,7 +20,7 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     def _create_user_and_add_to_new_group(self):
         """Creates a user and adds to a group for test."""

patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
index 1032303..f331cff 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
@@ -21,7 +21,7 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityConsumersV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityConsumersV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     def _create_consumer(self):
         description = data_utils.rand_name('test_create_consumer')

patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
index d60a1ab..8f11e30 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
@@ -20,7 +20,7 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityPoliciesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityPoliciesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:create_policy")
@@ -34,11 +34,11 @@
     @decorators.idempotent_id('9cfed3c6-0b27-4d15-be67-e06e0cfb01b9')
     def test_update_policy(self):
         policy = self.setup_test_policy()
-        new_policy_type = data_utils.rand_name('policy_type')
+        updated_policy_type = data_utils.rand_name('policy_type')
 
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)
         self.policies_client.update_policy(policy['id'],
-                                           type=new_policy_type)
+                                           type=updated_policy_type)
 
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:delete_policy")

patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
index 3f65076..325b987 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
@@ -20,8 +20,7 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityProjectV3AdminRbacTest(
-        rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityProjectV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:create_project")

patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
index 3eefdc4..b35facd 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
@@ -20,7 +20,7 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityRegionsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityRegionsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:create_region")

patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py
index c683f57..2dd0ff5 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_role_assignments_rbac.py
@@ -19,12 +19,11 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityRoleAssignmentsV3AdminRbacTest(
-        rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityRoleAssignmentsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     @classmethod
     def setup_clients(cls):
-        super(IdentityRoleAssignmentsV3AdminRbacTest, cls).setup_clients()
+        super(IdentityRoleAssignmentsV3RbacTest, cls).setup_clients()
         cls.client = cls.role_assignments_client
 
     @decorators.idempotent_id('afe57adb-1b9c-43d9-84a9-f0cf4c94e416')

patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
index b033c8e..2676bf9 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
@@ -21,11 +21,11 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityRolesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     @classmethod
     def resource_setup(cls):
-        super(IdentityRolesV3AdminRbacTest, cls).resource_setup()
+        super(IdentityRolesV3RbacTest, cls).resource_setup()
         cls.domain = cls.setup_test_domain()
         cls.project = cls.setup_test_project()
         cls.group = cls.setup_test_group()
@@ -89,6 +89,51 @@
                         self.role['id'])
 
     @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:create_grant")
+    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90c')
+    def test_create_group_role_on_project(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.roles_client.create_group_role_on_project(
+            self.project['id'],
+            self.group['id'],
+            self.role['id'])
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.roles_client.delete_role_from_group_on_project,
+                        self.project['id'],
+                        self.group['id'],
+                        self.role['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:create_grant")
+    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
+    def test_create_user_role_on_domain(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.roles_client.create_user_role_on_domain(
+            self.domain['id'],
+            self.user['id'],
+            self.role['id'])
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.roles_client.delete_role_from_user_on_domain,
+                        self.domain['id'],
+                        self.user['id'],
+                        self.role['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:create_grant")
+    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d912')
+    def test_create_group_role_on_domain(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.roles_client.create_group_role_on_domain(
+            self.domain['id'],
+            self.group['id'],
+            self.role['id'])
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.roles_client.delete_role_from_group_on_domain,
+                        self.domain['id'],
+                        self.group['id'],
+                        self.role['id'])
+
+    @rbac_rule_validation.action(service="keystone",
                                  rule="identity:check_grant")
     @decorators.idempotent_id('22921b1e-1a33-4026-bff9-f236d6dd149c')
     def test_check_user_role_existence_on_project(self):
@@ -108,6 +153,66 @@
             self.user['id'],
             self.role['id'])
 
+    @decorators.idempotent_id('92f8e67d-85bf-407d-9814-edd5664abc47')
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:check_grant")
+    def test_check_user_role_existence_on_domain(self):
+        self.roles_client.create_user_role_on_domain(
+            self.domain['id'],
+            self.user['id'],
+            self.role['id'])
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.roles_client.delete_role_from_user_on_domain,
+                        self.domain['id'],
+                        self.user['id'],
+                        self.role['id'])
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.roles_client.check_user_role_existence_on_domain(
+            self.domain['id'],
+            self.user['id'],
+            self.role['id'])
+
+    @decorators.idempotent_id('8738d3d2-8c84-4423-b36c-7c59eaa08b73')
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:check_grant")
+    def test_check_role_from_group_on_project_existence(self):
+        self.roles_client.create_group_role_on_project(
+            self.project['id'],
+            self.group['id'],
+            self.role['id'])
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.roles_client.delete_role_from_group_on_project,
+                        self.project['id'],
+                        self.group['id'],
+                        self.role['id'])
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.roles_client.check_role_from_group_on_project_existence(
+            self.project['id'],
+            self.group['id'],
+            self.role['id'])
+
+    @decorators.idempotent_id('e7d73bd0-cf5e-4c0c-9c93-cf53e23232d6')
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:check_grant")
+    def test_check_role_from_group_on_domain_existence(self):
+        self.roles_client.create_group_role_on_domain(
+            self.domain['id'],
+            self.group['id'],
+            self.role['id'])
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.roles_client.delete_role_from_group_on_domain,
+                        self.domain['id'],
+                        self.group['id'],
+                        self.role['id'])
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.roles_client.check_role_from_group_on_domain_existence(
+            self.domain['id'],
+            self.group['id'],
+            self.role['id'])
+
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:revoke_grant")
     @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90a')
@@ -129,30 +234,6 @@
             self.role['id'])
 
     @rbac_rule_validation.action(service="keystone",
-                                 rule="identity:list_grants")
-    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
-    def test_list_user_roles_on_project(self):
-        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.roles_client.list_user_roles_on_project(
-            self.project['id'],
-            self.user['id'])
-
-    @rbac_rule_validation.action(service="keystone",
-                                 rule="identity:create_grant")
-    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90c')
-    def test_create_group_role_on_project(self):
-        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.roles_client.create_group_role_on_project(
-            self.project['id'],
-            self.group['id'],
-            self.role['id'])
-        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
-                        self.roles_client.delete_role_from_group_on_project,
-                        self.project['id'],
-                        self.group['id'],
-                        self.role['id'])
-
-    @rbac_rule_validation.action(service="keystone",
                                  rule="identity:revoke_grant")
     @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90d')
     def test_delete_role_from_group_on_project(self):
@@ -173,30 +254,6 @@
             self.role['id'])
 
     @rbac_rule_validation.action(service="keystone",
-                                 rule="identity:list_grants")
-    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90e')
-    def test_list_group_roles_on_project(self):
-        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.roles_client.list_group_roles_on_project(
-            self.project['id'],
-            self.group['id'])
-
-    @rbac_rule_validation.action(service="keystone",
-                                 rule="identity:create_grant")
-    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
-    def test_create_user_role_on_domain(self):
-        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.roles_client.create_user_role_on_domain(
-            self.domain['id'],
-            self.user['id'],
-            self.role['id'])
-        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
-                        self.roles_client.delete_role_from_user_on_domain,
-                        self.domain['id'],
-                        self.user['id'],
-                        self.role['id'])
-
-    @rbac_rule_validation.action(service="keystone",
                                  rule="identity:revoke_grant")
     @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d910')
     def test_delete_role_from_user_on_domain(self):
@@ -217,30 +274,6 @@
             self.role['id'])
 
     @rbac_rule_validation.action(service="keystone",
-                                 rule="identity:list_grants")
-    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
-    def test_list_user_roles_on_domain(self):
-        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.roles_client.list_user_roles_on_domain(
-            self.domain['id'],
-            self.user['id'])
-
-    @rbac_rule_validation.action(service="keystone",
-                                 rule="identity:create_grant")
-    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d912')
-    def test_create_group_role_on_domain(self):
-        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.roles_client.create_group_role_on_domain(
-            self.domain['id'],
-            self.group['id'],
-            self.role['id'])
-        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
-                        self.roles_client.delete_role_from_group_on_domain,
-                        self.domain['id'],
-                        self.group['id'],
-                        self.role['id'])
-
-    @rbac_rule_validation.action(service="keystone",
                                  rule="identity:revoke_grant")
     @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d913')
     def test_delete_role_from_group_on_domain(self):
@@ -262,6 +295,33 @@
 
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:list_grants")
+    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
+    def test_list_user_roles_on_project(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.roles_client.list_user_roles_on_project(
+            self.project['id'],
+            self.user['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:list_grants")
+    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90e')
+    def test_list_group_roles_on_project(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.roles_client.list_group_roles_on_project(
+            self.project['id'],
+            self.group['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:list_grants")
+    @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
+    def test_list_user_roles_on_domain(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.roles_client.list_user_roles_on_domain(
+            self.domain['id'],
+            self.user['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:list_grants")
     @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d914')
     def test_list_group_roles_on_domain(self):
         self.rbac_utils.switch_role(self, toggle_rbac_role=True)

patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
index f5bd99b..c02b471 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
@@ -20,7 +20,7 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentitySericesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentitySericesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     @rbac_rule_validation.action(service="keystone",
                                  rule="identity:create_service")

patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index e61b162..956727b 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -20,12 +20,11 @@
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
 
 
-class IdentityUserV3AdminRbacTest(
-        rbac_base.BaseIdentityV3RbacAdminTest):
+class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 
     @classmethod
     def resource_setup(cls):
-        super(IdentityUserV3AdminRbacTest, cls).resource_setup()
+        super(IdentityUserV3RbacTest, cls).resource_setup()
         cls.default_user_id = cls.auth_provider.credentials.user_id
 
     @rbac_rule_validation.action(service="keystone",

patrole_tempest_plugin/tests/api/volume/test_capabilities_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/volume/test_capabilities_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_capabilities_rbac.py
new file mode 100644
index 0000000..28506c0
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_capabilities_rbac.py
@@ -0,0 +1,48 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+
+class CapabilitiesRbacTest(rbac_base.BaseVolumeRbacTest):
+
+    @classmethod
+    def skip_checks(cls):
+        super(CapabilitiesRbacTest, cls).skip_checks()
+        if not test.is_extension_enabled('capabilities', 'volume'):
+            msg = "%s skipped as capabilities not enabled." % cls.__name__
+            raise cls.skipException(msg)
+
+    @classmethod
+    def setup_clients(cls):
+        super(CapabilitiesRbacTest, cls).setup_clients()
+        cls.client = cls.os.volume_capabilities_v2_client
+        cls.hosts_client = cls.os.volume_hosts_v2_client
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume_extension:capabilities")
+    @decorators.idempotent_id('40928b74-2141-11e7-93ae-92361f002671')
+    def test_show_back_end_capabilities(self):
+        host = self.hosts_client.list_hosts()['hosts'][0]['host_name']
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.client.show_backend_capabilities(host)
+
+
+class CapabilitiesV3RbacTest(CapabilitiesRbacTest):
+    _api_version = 3

patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py

diff --git a/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py
new file mode 100644
index 0000000..bf6290a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py
@@ -0,0 +1,47 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+
+class SchedulerStatsRbacTest(rbac_base.BaseVolumeRbacTest):
+
+    @classmethod
+    def skip_checks(cls):
+        super(SchedulerStatsRbacTest, cls).skip_checks()
+        if not test.is_extension_enabled('scheduler-stats', 'volume'):
+            msg = "%s skipped as scheduler-stats not enabled." % cls.__name__
+            raise cls.skipException(msg)
+
+    @classmethod
+    def setup_clients(cls):
+        super(SchedulerStatsRbacTest, cls).setup_clients()
+        cls.client = cls.os.volume_scheduler_stats_v2_client
+
+    @rbac_rule_validation.action(
+        service="cinder",
+        rule="scheduler_extension:scheduler_stats:get_pools")
+    @decorators.idempotent_id('5f800441-4d30-48ec-9e5b-0d55bc86acbb')
+    def test_list_back_end_storage_pools(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.client.list_pools()
+
+
+class SchedulerStatsV3RbacTest(SchedulerStatsRbacTest):
+    _api_version = 3

patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py

diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
index b0dd179..0906222 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
@@ -384,3 +384,89 @@
         }
 
         self.assertEqual(expected_policy_data, actual_policy_data)
+
+    @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
+    def test_get_policy_data_cannot_find_policy(self, mock_stevedore,
+                                                mock_creds):
+        mock_stevedore.named.NamedExtensionManager.return_value = None
+        mock_creds.AdminManager.return_value.identity_services_v3_client.\
+            list_services.return_value = {
+                'services': [{'name': 'test_service'}]}
+
+        e = self.assertRaises(rbac_exceptions.RbacParsingException,
+                              rbac_policy_parser.RbacPolicyParser,
+                              None, None, 'test_service', None)
+
+        expected_error = \
+            'Policy file for {0} service neither found in code '\
+            'nor at {1}.'.format('test_service',
+                                 '/etc/test_service/policy.json')
+
+        self.assertIn(expected_error, str(e))
+
+    @mock.patch.object(rbac_policy_parser, 'os', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'json', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
+    def test_get_policy_data_without_valid_policy(self, mock_stevedore,
+                                                  mock_credentials, mock_json,
+                                                  mock_os):
+        mock_os.path.isfile.return_value = False
+
+        test_policy_action = mock.Mock(check='rule:bar')
+        test_policy_action.configure_mock(name='foo')
+
+        test_policy = mock.Mock(obj=[test_policy_action])
+        test_policy.configure_mock(name='test_service')
+
+        mock_stevedore.named.NamedExtensionManager\
+            .return_value = [test_policy]
+
+        mock_credentials.AdminManager.return_value.identity_services_v3_client.\
+            list_services.return_value = {
+                'services': [{'name': 'test_service'}]
+            }
+
+        mock_json.dumps.side_effect = ValueError
+
+        e = self.assertRaises(rbac_exceptions.RbacParsingException,
+                              rbac_policy_parser.RbacPolicyParser,
+                              None, None, 'test_service', None)
+
+        expected_error = "Policy file for {0} service is invalid."\
+                         .format("test_service")
+
+        self.assertIn(expected_error, str(e))
+
+        mock_stevedore.named.NamedExtensionManager.assert_called_once_with(
+            'oslo.policy.policies',
+            names=['test_service'],
+            on_load_failure_callback=None,
+            invoke_on_load=True,
+            warn_on_missing_entrypoint=False)
+
+    @mock.patch.object(rbac_policy_parser, 'json', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
+    def test_get_policy_data_from_file_not_json(self, mock_stevedore,
+                                                mock_credentials,
+                                                mock_json):
+
+        mock_credentials.AdminManager.return_value.identity_services_v3_client.\
+            list_services.return_value = {
+                'services': [{'name': 'test_service'}]
+            }
+        mock_stevedore.named.NamedExtensionManager.return_value = None
+        mock_json.loads.side_effect = ValueError
+
+        e = self.assertRaises(rbac_exceptions.RbacParsingException,
+                              rbac_policy_parser.RbacPolicyParser,
+                              None, None, 'test_service',
+                              self.tenant_policy_file)
+
+        expected_error = 'Policy file for {0} service neither found in code '\
+                         'nor at {1}.'.format('test_service',
+                                              self.tenant_policy_file)
+
+        self.assertIn(expected_error, str(e))

tox.ini

diff --git a/tox.ini b/tox.ini
index e123d64..a004c6e 100644
--- a/tox.ini
+++ b/tox.ini
@@ -28,6 +28,10 @@
 commands = {posargs}
 
 [testenv:cover]
+commands = rm -rf *.pyc
+           rm -rf cover
+           rm -f .coverage
+           nosetests {posargs}
 setenv = VIRTUAL_ENV={envdir}
          NOSE_WITH_COVERAGE=1
          NOSE_COVER_BRANCHES=1
@@ -36,7 +40,7 @@
          NOSE_COVER_HTML_DIR={toxinidir}/cover
          NOSE_WHERE=patrole_tempest_plugin/tests/unit
 whitelist_externals = nosetests
-commands = nosetests {posargs}
+                      rm
 
 [testenv:docs]
 commands = python setup.py build_sphinx