Merge "Update plugin.py"
diff --git a/doc/source/installation.rst b/doc/source/installation.rst
index e342dd8..31f94f4 100644
--- a/doc/source/installation.rst
+++ b/doc/source/installation.rst
@@ -7,6 +7,7 @@
At the command line::
+ $ git clone http://git.openstack.org/openstack/patrole
$ sudo pip install patrole
Or, if you have virtualenvwrapper installed::
@@ -19,6 +20,17 @@
$ navigate to patrole directory
$ sudo pip install -e .
+DevStack Installation
+=====================
+
+Patrole can be installed like any other DevStack plugin by including the
+``install_plugin`` directive inside local.conf::
+
+ [[local|localrc]]
+ ...
+
+ enable_plugin patrole git://git.openstack.org/openstack/patrole
+
Configuration Information
=========================
diff --git a/doc/source/usage.rst b/doc/source/usage.rst
index c2fc6d3..d2570bc 100644
--- a/doc/source/usage.rst
+++ b/doc/source/usage.rst
@@ -4,17 +4,28 @@
Usage
========
-Running Patrole Tests in Tempest
-================================
+RBAC (API) Tests
+================
-If Patrole is installed correctly, then the API tests can be executed
-from inside the tempest root directory as follows: ::
+If Patrole is installed correctly, then the RBAC tests can be executed
+from inside the tempest root directory as follows::
- tox -eall-plugin -- patrole_tempest_plugin.tests.api
+ $ tox -eall-plugin -- patrole_tempest_plugin.tests.api
-To execute patrole tests for a specific module, run: ::
+To execute patrole tests for a specific module, run::
- tox -eall-plugin -- patrole_tempest_plugin.tests.api.compute
+ $ tox -eall-plugin -- patrole_tempest_plugin.tests.api.compute
+
+.. note::
+
+ It is possible to run Patrole via ``tox -eall`` in order to run Patrole
+ isolated from other plugins. This can be accomplished by including the
+ installation of services that currently use policy in code -- for example,
+ Nova and Keystone. For example::
+
+ $ tox -evenv-tempest -- pip install /opt/stack/patrole /opt/stack/keystone /opt/stack/nova
+ $ tox -eall -- patrole_tempest_plugin.tests.api
+..
To change the role that the patrole tests are being run as, edit
``rbac_test_role`` in the ``rbac`` section of tempest.conf: ::
@@ -34,3 +45,17 @@
For more information about the Member role,
please see: `<https://ask.openstack.org/en/question/4759/member-vs-_member_/>`__.
+
+Unit Tests
+==========
+
+Patrole includes unit tests for its RBAC framework. They can be run by
+executing::
+
+ $ tox -e py27
+
+or::
+
+ $ tox -e py35
+
+against the Python 3.5 interpreter.
diff --git a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
index 3d66f2e..cdabf6f 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
@@ -178,3 +178,33 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.compute_images_client.delete_image_metadata_item(self.image['id'],
key='foo')
+
+
+class ImageSizeRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ """Tests the ``image_size`` compute policies.
+
+ NOTE(felipemonteiro): If Patrole is enhanced to test multiple policies
+ simultaneously, these policy actions can be combined with the related
+ tests from ``ImagesRbacTest`` above.
+ """
+
+ # These tests will fail with a 404 starting from microversion 2.36.
+ # See the following link for details:
+ # https://developer.openstack.org/api-ref/compute/#images-deprecated
+ max_microversion = '2.35'
+
+ @decorators.idempotent_id('fe34d2a6-5743-45bf-8f92-a1d703d7c7ab')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:image-size")
+ def test_list_images(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.compute_images_client.list_images()
+
+ @decorators.idempotent_id('08342c7d-297d-42ee-b398-90fce2443792')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:image-size")
+ def test_list_images_with_details(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.compute_images_client.list_images(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
index a2ae8e5..499f58d 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
@@ -14,6 +14,7 @@
# under the License.
from tempest.common import waiters
+from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
@@ -24,15 +25,19 @@
CONF = config.CONF
-class VolumeV235RbacTest(rbac_base.BaseV2ComputeRbacTest):
+class VolumeRbacTest(rbac_base.BaseV2ComputeRbacTest):
"""RBAC tests for the Nova Volume client."""
# These tests will fail with a 404 starting from microversion 2.36.
# For more information, see:
- # https://developer.openstack.org/api-ref/compute/volume-extension-os-volumes-os-snapshots-deprecated
- min_microversion = '2.10'
+ # https://developer.openstack.org/api-ref/compute/#volume-extension-os-volumes-os-snapshots-deprecated
max_microversion = '2.35'
+ @classmethod
+ def resource_setup(cls):
+ super(VolumeRbacTest, cls).resource_setup()
+ cls.volume = cls.create_volume()
+
@decorators.idempotent_id('2402013e-a624-43e3-9518-44a5d1dbb32d')
@rbac_rule_validation.action(
service="nova",
@@ -61,9 +66,8 @@
service="nova",
rule="os_compute_api:os-volumes")
def test_show_volume(self):
- volume = self.create_volume()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volumes_extensions_client.show_volume(volume['id'])
+ self.volumes_extensions_client.show_volume(self.volume['id'])
@decorators.idempotent_id('6e7870f2-1bb2-4b58-96f8-6782071ef327')
@rbac_rule_validation.action(
@@ -73,3 +77,48 @@
volume = self.create_volume()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volumes_extensions_client.delete_volume(volume['id'])
+
+ @decorators.idempotent_id('0c3eaa4f-69d6-4a13-9dda-19585f36b1c1')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_create_snapshot(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ self.volume['id'])['snapshot']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.snapshots_extensions_client.delete_snapshot,
+ snapshot['id'])
+
+ @decorators.idempotent_id('e944e816-416c-11e7-a919-92ebcb67fe33')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_list_snapshots(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.snapshots_extensions_client.list_snapshots()
+
+ @decorators.idempotent_id('19c2e6bd-585b-472f-a8d7-71ea9299c655')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_show_snapshot(self):
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ self.volume['id'])['snapshot']
+ self.addCleanup(self.snapshots_extensions_client.delete_snapshot,
+ snapshot['id'])
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.snapshots_extensions_client.show_snapshot(snapshot['id'])
+
+ @decorators.idempotent_id('f4f5635c-416c-11e7-a919-92ebcb67fe33')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-volumes")
+ def test_delete_snapshot(self):
+ snapshot = self.snapshots_extensions_client.create_snapshot(
+ self.volume['id'])['snapshot']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.snapshots_extensions_client.delete_snapshot,
+ snapshot['id'])
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.snapshots_extensions_client.delete_snapshot(snapshot['id'])
diff --git a/releasenotes/notes/add-extra-hypervisor-tests-9374e5fcdb0266e2.yaml b/releasenotes/notes/add-extra-hypervisor-tests-9374e5fcdb0266e2.yaml
index 0c46435..4cb7b4a 100644
--- a/releasenotes/notes/add-extra-hypervisor-tests-9374e5fcdb0266e2.yaml
+++ b/releasenotes/notes/add-extra-hypervisor-tests-9374e5fcdb0266e2.yaml
@@ -4,8 +4,9 @@
Add additional compute hypervisor RBAC tests, so that the previously
missing hypervisor endpoints are covered. Tests for the following
endpoints were written:
- * show_hypervisor
- * list_servers_on_hypervisor
- * show_hypervisor_statistics
- * show_hypervisor_uptime
- * search_hypervisor
+
+ * show_hypervisor
+ * list_servers_on_hypervisor
+ * show_hypervisor_statistics
+ * show_hypervisor_uptime
+ * search_hypervisor
diff --git a/releasenotes/notes/compute-snapshots-tests-86c137eb545707ee.yaml b/releasenotes/notes/compute-snapshots-tests-86c137eb545707ee.yaml
new file mode 100644
index 0000000..b15d0a1
--- /dev/null
+++ b/releasenotes/notes/compute-snapshots-tests-86c137eb545707ee.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Adds tests for compute snapshot APIs.
diff --git a/releasenotes/notes/dhcp-agent-scheduler-test-842fc1df45799def.yaml b/releasenotes/notes/dhcp-agent-scheduler-test-842fc1df45799def.yaml
index 1afe82b..0a422e6 100644
--- a/releasenotes/notes/dhcp-agent-scheduler-test-842fc1df45799def.yaml
+++ b/releasenotes/notes/dhcp-agent-scheduler-test-842fc1df45799def.yaml
@@ -2,5 +2,4 @@
features:
- |
Added RBAC network test for listing dhcp agents on a hosting
- network, providing coverage for the following Neutron policy action:
- * "get_dhcp-agents"
+ network, providing coverage for the "get_dhcp-agents" policy.
diff --git a/releasenotes/notes/image-size-rbac-tests-545e5ace0d88ab34.yaml b/releasenotes/notes/image-size-rbac-tests-545e5ace0d88ab34.yaml
new file mode 100644
index 0000000..c0340cf
--- /dev/null
+++ b/releasenotes/notes/image-size-rbac-tests-545e5ace0d88ab34.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add RBAC tests related to the ``image_size`` compute policy action:
+ "os_compute_api:image-size".
diff --git a/releasenotes/notes/server-metadata-rbac-tests-2404b5d13c492b62.yaml b/releasenotes/notes/server-metadata-rbac-tests-2404b5d13c492b62.yaml
index b8eb281..1bb63c9 100644
--- a/releasenotes/notes/server-metadata-rbac-tests-2404b5d13c492b62.yaml
+++ b/releasenotes/notes/server-metadata-rbac-tests-2404b5d13c492b62.yaml
@@ -3,9 +3,10 @@
- |
Add RBAC tests for the compute server metadata API, providing
coverage for the following policy actions:
- * os_compute_api:server-metadata:index
- * os_compute_api:server-metadata:update_all
- * os_compute_api:server-metadata:create
- * os_compute_api:server-metadata:show
- * os_compute_api:server-metadata:update
- * os_compute_api:server-metadata:delete
+
+ * os_compute_api:server-metadata:index
+ * os_compute_api:server-metadata:update_all
+ * os_compute_api:server-metadata:create
+ * os_compute_api:server-metadata:show
+ * os_compute_api:server-metadata:update
+ * os_compute_api:server-metadata:delete