Merge "Remove support for py34"
diff --git a/README.rst b/README.rst
index 51940d7..8ba4649 100644
--- a/README.rst
+++ b/README.rst
@@ -69,7 +69,7 @@
the ``rbac_rule_validation.action`` decorator. Then, inside the test, the API
that does policy enforcement for the same rule is called. The outcome is
compared against the result from oslo_policy and a pass or fail is determined
-as outlined above: :ref:`test-flows`.
+as outlined above: `Test Flows`_.
.. note::
@@ -110,14 +110,15 @@
#. After all of the logic above has executed inside the rbac decorator, the
test is executed. The test then sets up test-level resources, if necessary,
with **admin** credentials implicitly. This is accomplished through
- ``rbac_utils.switch_role(toggle_rbac_role=False)``: ::
+ ``rbac_utils.switch_role(toggle_rbac_role=False)``, which is done as part of
+ client setup (inside the call to ``rbac_utils.RbacUtils``): ::
@classmethod
def setup_clients(cls):
super(BaseV2ComputeRbacTest, cls).setup_clients()
- cls.auth_provider = cls.os.auth_provider
- cls.rbac_utils = rbac_utils()
- cls.rbac_utils.switch_role(cls, toggle_rbac_role=False)
+ cls.auth_provider = cls.os_primary.auth_provider
+ cls.rbac_utils = rbac_utils.RbacUtils(cls)
+ ...
This code has *already* executed when the test class is instantiated, because
it is located in the base rbac test class. Whenever ``cls.rbac_utils.switch_role``
@@ -137,7 +138,7 @@
Now the primary credential has the role specified by ``rbac_test_role``.
-#. The API endpoint in which policy enforcement of "os_compute_api:servers:stop"
+#. The API endpoint in which policy enforcement of "os_compute_api:servers:stop"
is performed can now be called.
.. note:
diff --git a/patrole_tempest_plugin/plugin.py b/patrole_tempest_plugin/plugin.py
index cfe5c0a..28ce12c 100644
--- a/patrole_tempest_plugin/plugin.py
+++ b/patrole_tempest_plugin/plugin.py
@@ -36,4 +36,4 @@
project_config.RbacGroup)
def get_opt_lists(self):
- return []
+ return [(project_config.rbac_group.name, project_config.RbacGroup)]
diff --git a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
index 3d66f2e..cdabf6f 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
@@ -178,3 +178,33 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.compute_images_client.delete_image_metadata_item(self.image['id'],
key='foo')
+
+
+class ImageSizeRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ """Tests the ``image_size`` compute policies.
+
+ NOTE(felipemonteiro): If Patrole is enhanced to test multiple policies
+ simultaneously, these policy actions can be combined with the related
+ tests from ``ImagesRbacTest`` above.
+ """
+
+ # These tests will fail with a 404 starting from microversion 2.36.
+ # See the following link for details:
+ # https://developer.openstack.org/api-ref/compute/#images-deprecated
+ max_microversion = '2.35'
+
+ @decorators.idempotent_id('fe34d2a6-5743-45bf-8f92-a1d703d7c7ab')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:image-size")
+ def test_list_images(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.compute_images_client.list_images()
+
+ @decorators.idempotent_id('08342c7d-297d-42ee-b398-90fce2443792')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:image-size")
+ def test_list_images_with_details(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.compute_images_client.list_images(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
index a2ae8e5..499f58d 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
@@ -14,6 +14,7 @@
# under the License.
from tempest.common import waiters
+from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
@@ -24,15 +25,19 @@
CONF = config.CONF
-class VolumeV235RbacTest(rbac_base.BaseV2ComputeRbacTest):
+class VolumeRbacTest(rbac_base.BaseV2ComputeRbacTest):
"""RBAC tests for the Nova Volume client."""
# These tests will fail with a 404 starting from microversion 2.36.
# For more information, see:
- # https://developer.openstack.org/api-ref/compute/volume-extension-os-volumes-os-snapshots-deprecated
- min_microversion = '2.10'
+ # https://developer.openstack.org/api-ref/compute/#volume-extension-os-volumes-os-snapshots-deprecated
max_microversion = '2.35'
+ @classmethod
+ def resource_setup(cls):
+ super(VolumeRbacTest, cls).resource_setup()
+ cls.volume = cls.create_volume()
+
@decorators.idempotent_id('2402013e-a624-43e3-9518-44a5d1dbb32d')
@rbac_rule_validation.action(
service="nova",
@@ -61,9 +66,8 @@
service="nova",
rule="os_compute_api:os-volumes")
def test_show_volume(self):
- volume = self.create_volume()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volumes_extensions_client.show_volume(volume['id'])
+ self.volumes_extensions_client.show_volume(self.volume['id'])
@decorators.idempotent_id('6e7870f2-1bb2-4b58-96f8-6782071ef327')
@rbac_rule_validation.action(
@@ -73,3 +77,48 @@
volume = self.create_volume()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volumes_extensions_client.delete_volume(volume['id'])
+
+ @decorators.idempotent_id('0c3eaa4f-69d6-4a13-9dda-19585f36b1c1')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_create_snapshot(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ self.volume['id'])['snapshot']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.snapshots_extensions_client.delete_snapshot,
+ snapshot['id'])
+
+ @decorators.idempotent_id('e944e816-416c-11e7-a919-92ebcb67fe33')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_list_snapshots(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.snapshots_extensions_client.list_snapshots()
+
+ @decorators.idempotent_id('19c2e6bd-585b-472f-a8d7-71ea9299c655')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_show_snapshot(self):
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ self.volume['id'])['snapshot']
+ self.addCleanup(self.snapshots_extensions_client.delete_snapshot,
+ snapshot['id'])
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.snapshots_extensions_client.show_snapshot(snapshot['id'])
+
+ @decorators.idempotent_id('f4f5635c-416c-11e7-a919-92ebcb67fe33')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_delete_snapshot(self):
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ self.volume['id'])['snapshot']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.snapshots_extensions_client.delete_snapshot,
+ snapshot['id'])
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.snapshots_extensions_client.delete_snapshot(snapshot['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index f72fe75..b42be93 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -110,6 +110,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_network(shared=True)
+ @test.requires_ext(extension='external-net', service='network')
@rbac_rule_validation.action(service="neutron",
rule="create_network:router:external")
@decorators.idempotent_id('51adf2a7-739c-41e0-8857-3b4c460cbd24')
@@ -122,6 +123,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_network(router_external=True)
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
rule="create_network:provider:network_type")
@decorators.idempotent_id('3c42f7b8-b80c-44ef-8fa4-69ec4b1836bc')
@@ -134,6 +136,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_network(provider_network_type='vxlan')
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(
service="neutron",
rule="create_network:provider:segmentation_id")
@@ -176,6 +179,7 @@
self._update_network(shared_network=True)
self.addCleanup(self._update_network, shared_network=False)
+ @test.requires_ext(extension='external-net', service='network')
@rbac_rule_validation.action(service="neutron",
rule="update_network:router:external")
@decorators.idempotent_id('34884c22-499b-4960-97f1-e2ed8522a9c9')
@@ -201,6 +205,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.networks_client.show_network(self.network['id'])
+ @test.requires_ext(extension='external-net', service='network')
@rbac_rule_validation.action(service="neutron",
rule="get_network:router:external")
@decorators.idempotent_id('529e4814-22e9-413f-af48-8fefcd637344')
@@ -216,6 +221,7 @@
self.networks_client.show_network(self.network['id'],
**kwargs)
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
rule="get_network:provider:network_type")
@decorators.idempotent_id('6521dd60-0950-458b-8491-09d3c84ac0f4')
@@ -234,6 +240,7 @@
if len(retrieved_network) == 0:
raise rbac_exceptions.RbacActionFailed
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
rule="get_network:provider:physical_network")
@decorators.idempotent_id('c049f11a-240c-4a85-ad43-a4d3fd0a5e39')
@@ -252,6 +259,7 @@
if len(retrieved_network) == 0:
raise rbac_exceptions.RbacActionFailed
+ @test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
rule="get_network:provider:segmentation_id")
@decorators.idempotent_id('38d9f085-6365-4f81-bac9-c53c294d727e')
diff --git a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
index 20f4bea..2ccc688 100644
--- a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
@@ -18,6 +18,7 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
+from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
@@ -28,6 +29,13 @@
class SecGroupRbacTest(base.BaseNetworkRbacTest):
@classmethod
+ def skip_checks(cls):
+ super(SecGroupRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('security-group', 'network'):
+ msg = "security-group extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
def resource_setup(cls):
super(SecGroupRbacTest, cls).resource_setup()
secgroup_name = data_utils.rand_name(cls.__name__ + '-secgroup')
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index b490ebe..afa83a6 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -52,18 +52,24 @@
self.servers_client.delete_server, server['id'])
return server
- def _attach_volume(self, server):
+ def _attach_volume(self, server, volume_id=None):
+ if volume_id is None:
+ volume_id = self.volume['id']
+
self.servers_client.attach_volume(
- server['id'], volumeId=self.volume['id'],
+ server['id'], volumeId=volume_id,
device='/dev/%s' % CONF.compute.volume_device_name)
waiters.wait_for_volume_resource_status(
- self.volumes_client, self.volume['id'], 'in-use')
- self.addCleanup(self._detach_volume)
+ self.volumes_client, volume_id, 'in-use')
+ self.addCleanup(self._detach_volume, volume_id)
- def _detach_volume(self):
- self.volumes_client.detach_volume(self.volume['id'])
+ def _detach_volume(self, volume_id=None):
+ if volume_id is None:
+ volume_id = self.volume['id']
+
+ self.volumes_client.detach_volume(volume_id)
waiters.wait_for_volume_resource_status(
- self.volumes_client, self.volume['id'], 'available')
+ self.volumes_client, volume_id, 'available')
@test.services('compute')
@rbac_rule_validation.action(service="cinder", rule="volume:attach")
@@ -186,19 +192,21 @@
service="cinder",
rule="volume_extension:volume_admin_actions:force_detach")
def test_force_detach_volume_from_instance(self):
+ volume = self.create_volume()
server = self._create_server()
- self._attach_volume(server)
+ self._attach_volume(server, volume['id'])
attachment = self.volumes_client.show_volume(
- self.volume['id'])['volume']['attachments'][0]
+ volume['id'])['volume']['attachments'][0]
# Reset volume's status to error.
- self.volumes_client.reset_volume_status(self.volume['id'],
- status='error')
+ self.volumes_client.reset_volume_status(volume['id'], status='error')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volumes_client.force_detach_volume(
- self.volume['id'], connector=None,
+ volume['id'], connector=None,
attachment_id=attachment['attachment_id'])
+ waiters.wait_for_volume_resource_status(self.os_admin.volumes_client,
+ volume['id'], 'available')
class VolumesActionsV3RbacTest(VolumesActionsRbacTest):
diff --git a/releasenotes/notes/compute-snapshots-tests-86c137eb545707ee.yaml b/releasenotes/notes/compute-snapshots-tests-86c137eb545707ee.yaml
new file mode 100644
index 0000000..b15d0a1
--- /dev/null
+++ b/releasenotes/notes/compute-snapshots-tests-86c137eb545707ee.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Adds tests for compute snapshot APIs.
diff --git a/releasenotes/notes/image-size-rbac-tests-545e5ace0d88ab34.yaml b/releasenotes/notes/image-size-rbac-tests-545e5ace0d88ab34.yaml
new file mode 100644
index 0000000..c0340cf
--- /dev/null
+++ b/releasenotes/notes/image-size-rbac-tests-545e5ace0d88ab34.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add RBAC tests related to the ``image_size`` compute policy action:
+ "os_compute_api:image-size".