Merge "Skip the deprecated API extensions policy tests"
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index bd0068b..4826d21 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -26,12 +26,18 @@
iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_attach_policy False
iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_reserve_policy False
iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_unreserve_policy False
+
+ # These policies were removed in Stein but are available in Pike.
+ iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
fi
if [[ ${DEVSTACK_SERIES} == 'queens' ]]; then
if [[ "$RBAC_TEST_ROLE" == "member" ]]; then
RBAC_TEST_ROLE="Member"
fi
+
+ # These policies were removed in Stein but are available in Queens.
+ iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
fi
iniset $TEMPEST_CONFIG patrole enable_rbac True
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index ebc8a1d..47b76d4 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -160,7 +160,17 @@
default=True,
help="""Is the Cinder policy
"volume_extension:volume_actions:unreserve" available in the cloud? This policy
-was changed in a backwards-incompatible way.""")
+was changed in a backwards-incompatible way."""),
+ # *** Include feature flags for groups of policies below. ***
+ # Best practice is to capture new policies, removed policies, renamed
+ # policies in a group, per release.
+ #
+ # TODO(felipemonteiro): Remove these feature flags once Stein is EOL.
+ cfg.BoolOpt('removed_nova_policies_stein',
+ default=True,
+ help="""Are the Nova API extension policies available in the
+cloud (e.g. os_compute_api:os-extended-availability-zone)? These policies were
+removed in Stein because Nova API extension concept was removed in Pike."""),
]
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
index d6364c9..a99ddbd 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
@@ -13,8 +13,9 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
+import testtools
+from tempest import config
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -34,6 +35,8 @@
cls.public_flavor_id = CONF.compute.flavor_ref
cls.tenant_id = cls.os_primary.credentials.tenant_id
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('a2bd3740-765d-4c95-ac98-9e027378c75e')
@rbac_rule_validation.action(
service="nova",
@@ -50,6 +53,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('dd388146-9750-4124-82ba-62deff1052bb')
@rbac_rule_validation.action(
service="nova",
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
index fbc03cf..b4531af 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
+
from tempest.common import utils
from tempest import config
from tempest.lib import decorators
@@ -33,6 +35,8 @@
msg = "os-flavor-rxtx extension not enabled."
raise cls.skipException(msg)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('5e1fd9f0-9a08-485a-ad9c-0fc66e4d64b7')
@rbac_rule_validation.action(
service="nova",
@@ -44,6 +48,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute='rxtx_factor')
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('70c55a07-c843-4627-a29d-ba78673c1e63')
@rbac_rule_validation.action(
service="nova",
diff --git a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
index f36b8ec..c988128 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
+
from tempest.common import image as common_image
from tempest import config
from tempest.lib.common.utils import data_utils
@@ -20,6 +22,7 @@
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
+from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -245,18 +248,67 @@
# https://developer.openstack.org/api-ref/compute/#images-deprecated
max_microversion = '2.35'
+ @classmethod
+ def skip_checks(cls):
+ super(ImageSizeRbacTest, cls).skip_checks()
+ if not CONF.service_available.glance:
+ skip_msg = ("%s skipped as glance is not available" % cls.__name__)
+ raise cls.skipException(skip_msg)
+
+ @classmethod
+ def setup_clients(cls):
+ super(ImageSizeRbacTest, cls).setup_clients()
+ if CONF.image_feature_enabled.api_v2:
+ cls.glance_image_client = cls.os_primary.image_client_v2
+ elif CONF.image_feature_enabled.api_v1:
+ cls.glance_image_client = cls.os_primary.image_client
+ else:
+ raise lib_exc.InvalidConfiguration(
+ 'Either api_v1 or api_v2 must be True in '
+ '[image-feature-enabled].')
+
+ @classmethod
+ def resource_setup(cls):
+ super(ImageSizeRbacTest, cls).resource_setup()
+ params = {'name': data_utils.rand_name(cls.__name__ + '-image')}
+ if CONF.image_feature_enabled.api_v1:
+ params = {'headers': common_image.image_meta_to_headers(**params)}
+
+ cls.image = cls.glance_image_client.create_image(**params)
+ cls.addClassResourceCleanup(
+ cls.glance_image_client.wait_for_resource_deletion,
+ cls.image['id'])
+ cls.addClassResourceCleanup(
+ cls.glance_image_client.delete_image, cls.image['id'])
+
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('fe34d2a6-5743-45bf-8f92-a1d703d7c7ab')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:image-size")
- def test_list_images(self):
+ def test_show_image_includes_image_size(self):
with self.rbac_utils.override_role(self):
- self.compute_images_client.list_images()
+ body = self.compute_images_client.show_image(self.image['id'])[
+ 'image']
+ expected_attr = 'OS-EXT-IMG-SIZE:size'
+ if expected_attr not in body:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=expected_attr)
+
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('08342c7d-297d-42ee-b398-90fce2443792')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:image-size")
- def test_list_images_with_details(self):
+ def test_list_images_with_details_includes_image_size(self):
with self.rbac_utils.override_role(self):
- self.compute_images_client.list_images(detail=True)
+ body = self.compute_images_client.list_images(detail=True)[
+ 'images']
+
+ expected_attr = 'OS-EXT-IMG-SIZE:size'
+ if expected_attr not in body[0]:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=expected_attr)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
index d97f382..5681799 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -129,6 +129,8 @@
waiters.wait_for_server_status(
self.servers_client, self.server['id'], 'ACTIVE')
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@utils.requires_ext(extension='os-config-drive', service='compute')
@decorators.idempotent_id('2c82e819-382d-4d6f-87f0-a45954cbbc64')
@rbac_rule_validation.action(
@@ -144,6 +146,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@utils.requires_ext(extension='os-config-drive', service='compute')
@decorators.idempotent_id('55c62ef7-b72b-4970-acc6-05b0a4316e5d')
@rbac_rule_validation.action(
@@ -169,6 +173,8 @@
# Force-deleting a server enforces os-deferred-delete.
self.servers_client.force_delete_server(self.server['id'])
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('d873740a-7b10-40a9-943d-7cc18115370e')
@utils.requires_ext(extension='OS-EXT-AZ', service='compute')
@rbac_rule_validation.action(
@@ -185,6 +191,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('727e5360-770a-4b9c-8015-513a40216635')
@utils.requires_ext(extension='OS-EXT-AZ', service='compute')
@rbac_rule_validation.action(
@@ -200,6 +208,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('4aa5d93e-4887-468a-8eb4-b6eca0ca6437')
@utils.requires_ext(extension='OS-EXT-SRV-ATTR', service='compute')
@rbac_rule_validation.action(
@@ -222,6 +232,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute=whole_attr)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('2ed7aee2-94b2-4a9f-ae63-a51b7f94fe30')
@utils.requires_ext(extension='OS-EXT-SRV-ATTR', service='compute')
@rbac_rule_validation.action(
@@ -244,6 +256,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute=whole_attr)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('82053c27-3134-4003-9b55-bc9fafdb0e3b')
@utils.requires_ext(extension='OS-EXT-STS', service='compute')
@rbac_rule_validation.action(
@@ -261,6 +275,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute=attr)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('7d2620a5-eea1-4a8b-96ea-86ad77a73fc8')
@utils.requires_ext(extension='OS-EXT-STS', service='compute')
@rbac_rule_validation.action(
@@ -278,6 +294,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute=attr)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('21e39cbe-6c32-48fc-80dd-3e1fece6053f')
@utils.requires_ext(extension='os-extended-volumes', service='compute')
@rbac_rule_validation.action(
@@ -295,6 +313,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@decorators.idempotent_id('7f163708-0d25-4138-8512-dfdd72a92989')
@utils.requires_ext(extension='os-extended-volumes', service='compute')
@rbac_rule_validation.action(
@@ -348,6 +368,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute='events.traceback')
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-keypairs")
@@ -360,6 +382,8 @@
raise rbac_exceptions.RbacMalformedResponse(
attribute='key_name')
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-keypairs")
@@ -469,6 +493,8 @@
with self.rbac_utils.override_role(self):
self.servers_client.show_password(self.server['id'])
+ @testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
+ "This API extension policy was removed in Stein")
@utils.requires_ext(extension='OS-SRV-USG', service='compute')
@rbac_rule_validation.action(
service="nova",
diff --git a/releasenotes/notes/remove-deprecated-api-extensions-policies-fca3d31c7f5f1f6c.yaml b/releasenotes/notes/remove-deprecated-api-extensions-policies-fca3d31c7f5f1f6c.yaml
new file mode 100644
index 0000000..925791f
--- /dev/null
+++ b/releasenotes/notes/remove-deprecated-api-extensions-policies-fca3d31c7f5f1f6c.yaml
@@ -0,0 +1,23 @@
+---
+features:
+ - |
+ A new policy feature flag called
+ ``[policy_feature_flag].removed_nova_policies_stein`` has been added to
+ Patrole's config to handle Nova API extension policies removed in Stein.
+
+ The policy feature flag is applied to tests that validate response bodies
+ for expected attributes previously returned for the following policies
+ that passed authorization:
+
+ - os_compute_api:os-config-drive
+ - os_compute_api:os-extended-availability-zone
+ - os_compute_api:os-extended-status
+ - os_compute_api:os-extended-volumes
+ - os_compute_api:os-keypairs
+ - os_compute_api:os-server-usage
+ - os_compute_api:os-flavor-rxtx
+ - os_compute_api:os-flavor-access (only from /flavors APIs)
+ - os_compute_api:image-size
+
+ Note that not all removed policies are included above because test coverage
+ is missing for them (like os_compute_api:os-security-groups).