Minimize number of servers created for more tests
Move additional RBAC tests into test_server_misc_policy_actions_rbac.py
to further increase gate stability and decrease gate run time.
The number of calls to create_test_server() should be minimized
for RBAC testing because we don't do too much modification to the
resources that are created -- only what's necessary to trigger the
API action corresponding to the RBAC policy under test. Further,
minimizing such calls reduces the risk of spinning up too many servers
concurrently in our gates: the source of various gate failures as
limited resources lead to server faults being raised.
To that end, the following tests can be migrated to
test_server_misc_policy_actions_rbac.py:
- test_admin_password_rbac
- test_lock_server_rbac
- test_suspend_server_rbac
Additional migrations will be made in follow-up patches.
Change-Id: I7cf80d39b770afeb02d666266411fa2a91601eb9
Partial-Bug: #1699415
diff --git a/patrole_tempest_plugin/tests/api/compute/test_admin_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_admin_password_rbac.py
deleted file mode 100644
index 38b5f1a..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_admin_password_rbac.py
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import testtools
-
-from tempest.common import waiters
-from tempest import config
-from tempest.lib.common.utils import data_utils
-from tempest.lib import decorators
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-CONF = config.CONF
-
-
-class AdminPasswordRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @testtools.skipUnless(CONF.compute_feature_enabled.change_password,
- 'Change password not available.')
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-admin-password")
- @decorators.idempotent_id('908a7d59-3a66-441c-94cf-38e57ed14956')
- def test_change_server_password(self):
- server_id = self.create_test_server(wait_until='ACTIVE')['id']
-
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.change_password(
- server_id, adminPass=data_utils.rand_password())
- waiters.wait_for_server_status(
- self.os_admin.servers_client, server_id, 'ACTIVE')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_lock_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_lock_server_rbac.py
deleted file mode 100644
index 1daf305..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_lock_server_rbac.py
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base as base
-
-
-class ComputeLockServersRbacTest(base.BaseV2ComputeRbacTest):
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-lock-server:lock")
- @decorators.idempotent_id('b81e10fb-1864-498f-8c1d-5175c6fec5fb')
- def test_lock_server(self):
- server = self.create_test_server(wait_until='ACTIVE')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.lock_server(server['id'])
- self.addCleanup(self.servers_client.unlock_server, server['id'])
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-lock-server:unlock")
- @decorators.idempotent_id('d50ef8e8-4bce-11e7-b114-b2f933d5fe66')
- def test_unlock_server(self):
- server = self.create_test_server(wait_until='ACTIVE')
- self.servers_client.lock_server(server['id'])
- self.addCleanup(self.servers_client.unlock_server, server['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.unlock_server(server['id'])
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-lock-server:unlock:unlock_override")
- @decorators.idempotent_id('40dfeef9-73ee-48a9-be19-a219875de457')
- def test_unlock_server_override(self):
- server = self.create_test_server(wait_until='ACTIVE')
- # In order to trigger the unlock:unlock_override policy instead
- # of the unlock policy, the server must be locked by a different
- # user than the one who is attempting to unlock it.
- self.os_admin.servers_client.lock_server(server['id'])
- self.addCleanup(self.servers_client.unlock_server, server['id'])
-
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.unlock_server(server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
index cb826e3..d4c856d 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -13,7 +13,11 @@
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
+
from tempest.common import waiters
+from tempest import config
+from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
from tempest import test
@@ -21,6 +25,8 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
+CONF = config.CONF
+
class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
"""Test multiple policy actions that require a server to be created.
@@ -88,6 +94,24 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.servers_client.reset_network(self.server_id)
+ @testtools.skipUnless(CONF.compute_feature_enabled.change_password,
+ 'Change password not available.')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-password")
+ @decorators.idempotent_id('908a7d59-3a66-441c-94cf-38e57ed14956')
+ def test_change_server_password(self):
+ """Test change admin password, part of os-admin-password."""
+ original_password = self.servers_client.show_password(self.server_id)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.change_password(
+ self.server_id, adminPass=data_utils.rand_password())
+ self.addCleanup(self.servers_client.change_password, self.server_id,
+ adminPass=original_password)
+ waiters.wait_for_server_status(
+ self.os_admin.servers_client, self.server_id, 'ACTIVE')
+
@test.requires_ext(extension='os-deferred-delete', service='compute')
@decorators.idempotent_id('189bfed4-1e6d-475c-bb8c-d57e60895391')
@rbac_rule_validation.action(
@@ -99,6 +123,45 @@
# Force-deleting a server enforces os-deferred-delete.
self.servers_client.force_delete_server(self.server_id)
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-lock-server:lock")
+ @decorators.idempotent_id('b81e10fb-1864-498f-8c1d-5175c6fec5fb')
+ def test_lock_server(self):
+ """Test lock server, part of os-lock-server."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.lock_server(self.server_id)
+ self.addCleanup(self.servers_client.unlock_server, self.server_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-lock-server:unlock")
+ @decorators.idempotent_id('d50ef8e8-4bce-11e7-b114-b2f933d5fe66')
+ def test_unlock_server(self):
+ """Test unlock server, part of os-lock-server."""
+ self.servers_client.lock_server(self.server_id)
+ self.addCleanup(self.servers_client.unlock_server, self.server_id)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.unlock_server(self.server_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-lock-server:unlock:unlock_override")
+ @decorators.idempotent_id('40dfeef9-73ee-48a9-be19-a219875de457')
+ def test_unlock_server_override(self):
+ """Test force unlock server, part of os-lock-server.
+
+ In order to trigger the unlock:unlock_override policy instead
+ of the unlock policy, the server must be locked by a different
+ user than the one who is attempting to unlock it.
+ """
+ self.os_admin.servers_client.lock_server(self.server_id)
+ self.addCleanup(self.servers_client.unlock_server, self.server_id)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.unlock_server(self.server_id)
+
@test.requires_ext(extension='os-rescue', service='compute')
@rbac_rule_validation.action(
service="nova",
@@ -152,3 +215,34 @@
"""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.servers_client.show_server(self.server_id)
+
+ @testtools.skipUnless(CONF.compute_feature_enabled.suspend,
+ "Suspend compute feature is not available.")
+ @decorators.idempotent_id('b775930f-237c-431c-83ae-d33ed1b9700b')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-suspend-server:suspend")
+ def test_suspend_server(self):
+ """Test suspend server, part of os-suspend-server."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.suspend_server(self.server_id)
+ self.addCleanup(self.servers_client.resume_server, self.server_id)
+ waiters.wait_for_server_status(
+ self.os_admin.servers_client, self.server_id, 'SUSPENDED')
+
+ @testtools.skipUnless(CONF.compute_feature_enabled.suspend,
+ "Suspend compute feature is not available.")
+ @decorators.idempotent_id('4d90bd02-11f8-45b1-a8a1-534665584675')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-suspend-server:resume")
+ def test_resume_server(self):
+ """Test resume server, part of os-suspend-server."""
+ self.servers_client.suspend_server(self.server_id)
+ waiters.wait_for_server_status(self.servers_client, self.server_id,
+ 'SUSPENDED')
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.resume_server(self.server_id)
+ waiters.wait_for_server_status(
+ self.os_admin.servers_client, self.server_id, 'ACTIVE')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_suspend_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_suspend_server_rbac.py
deleted file mode 100644
index 06ae4cf..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_suspend_server_rbac.py
+++ /dev/null
@@ -1,76 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.common import waiters
-from tempest import config
-from tempest.lib import decorators
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-CONF = config.CONF
-
-
-class SuspendServerRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(SuspendServerRbacTest, cls).skip_checks()
- if not CONF.compute_feature_enabled.suspend:
- msg = "%s skipped as suspend compute feature is not available." \
- % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(SuspendServerRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- def tearDown(self):
- # Guarantee that the server is active during each test run.
- vm_state = self.servers_client.show_server(
- self.server['id'])['server']['OS-EXT-STS:vm_state'].upper()
- if vm_state != 'ACTIVE':
- self.servers_client.resume_server(self.server['id'])
- waiters.wait_for_server_status(self.servers_client,
- self.server['id'],
- 'ACTIVE')
-
- super(SuspendServerRbacTest, self).tearDown()
-
- @decorators.idempotent_id('b775930f-237c-431c-83ae-d33ed1b9700b')
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-suspend-server:suspend")
- def test_suspend_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.suspend_server(self.server['id'])
- waiters.wait_for_server_status(self.servers_client, self.server['id'],
- 'SUSPENDED')
-
- @decorators.idempotent_id('4d90bd02-11f8-45b1-a8a1-534665584675')
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-suspend-server:resume")
- def test_resume_server(self):
- self.servers_client.suspend_server(self.server['id'])
- waiters.wait_for_server_status(self.servers_client, self.server['id'],
- 'SUSPENDED')
-
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.resume_server(self.server['id'])
- waiters.wait_for_server_status(self.os_admin.servers_client,
- self.server['id'],
- 'ACTIVE')