Merge "Glance tests - Image Metadef Namespace Properties"
diff --git a/doc/source/conf.py b/doc/source/conf.py
index d75a939..33c2cc3 100755
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -38,7 +38,7 @@
# General information about the project.
project = u'patrole'
-copyright = u'2016, OpenStack Foundation'
+copyright = u'2017, Patrole Developers'
# If true, '()' will be appended to :func: etc. cross-reference text.
add_function_parentheses = True
@@ -68,7 +68,7 @@
('index',
'%s.tex' % project,
u'%s Documentation' % project,
- u'OpenStack Foundation', 'manual'),
+ u'Patrole Developers', 'manual'),
]
# Example configuration for intersphinx: refer to the Python standard library.
diff --git a/patrole_tempest_plugin/rbac_role_converter.py b/patrole_tempest_plugin/rbac_role_converter.py
index 420de7f..bc6e006 100644
--- a/patrole_tempest_plugin/rbac_role_converter.py
+++ b/patrole_tempest_plugin/rbac_role_converter.py
@@ -17,6 +17,7 @@
import os
from oslo_log import log as logging
+from oslo_policy import generator
from oslo_policy import policy
from tempest import config
@@ -39,51 +40,73 @@
def __init__(self, tenant_id, service, path=None):
"""Initialization of Policy Converter.
- Parse policy files to create dictionary mapping policy actions to
- roles.
+ Parses a policy file to create a dictionary, mapping policy actions to
+ roles. If a policy file does not exist, checks whether the policy file
+ is registered as a namespace under oslo.policy.policies. Nova, for
+ example, doesn't use a policy.json file by default; its policy is
+ implemented in code and registered as 'nova' under
+ oslo.policy.policies.
+
+ If the policy file is not found in either place, raises an exception.
+
+ Additionally, if the policy file exists in both code and as a
+ policy.json (for example, by creating a custom nova policy.json file),
+ the custom policy file over the default policy implementation is
+ prioritized.
:param tenant_id: type uuid
:param service: type string
:param path: type string
"""
+ service = service.lower().strip()
if path is None:
self.path = '/etc/{0}/policy.json'.format(service)
else:
self.path = path
- if not os.path.isfile(self.path):
- raise rbac_exceptions.RbacResourceSetupFailed(
- 'Policy file for service: {0}, {1} not found.'
- .format(service, self.path))
+ policy_data = "{}"
+ # First check whether policy file exists.
+ if os.path.isfile(self.path):
+ policy_data = open(self.path, 'r').read()
+ # Otherwise use oslo_policy to fetch the rules for provided service.
+ else:
+ policy_generator = generator._get_policies_dict([service])
+ if policy_generator and service in policy_generator:
+ policy_data = "{\n"
+ for r in policy_generator[service]:
+ policy_data = policy_data + r.__str__() + ",\n"
+ policy_data = policy_data[:-2] + "\n}"
+ # Otherwise raise an exception.
+ else:
+ raise rbac_exceptions.RbacResourceSetupFailed(
+ 'Policy file for service: {0}, {1} not found.'
+ .format(service, self.path))
+
+ self.rules = policy.Rules.load(policy_data, "default")
self.tenant_id = tenant_id
def allowed(self, rule_name, role):
- policy_file = open(self.path, 'r')
- access_token = self._get_access_token(role)
-
+ is_admin_context = self._is_admin_context(role)
is_allowed = self._allowed(
- policy_file=policy_file,
- access=access_token,
+ access=self._get_access_token(role),
apply_rule=rule_name,
- is_admin=False)
+ is_admin=is_admin_context)
- policy_file = open(self.path, 'r')
- access_token = self._get_access_token(role)
- allowed_as_admin_context = self._allowed(
- policy_file=policy_file,
- access=access_token,
- apply_rule=rule_name,
- is_admin=True)
+ return is_allowed
- if allowed_as_admin_context and is_allowed:
- return True
- if allowed_as_admin_context and not is_allowed:
- return False
- if not allowed_as_admin_context and is_allowed:
- return True
- if not allowed_as_admin_context and not is_allowed:
- return False
+ def _is_admin_context(self, role):
+ """Checks whether a role has admin context.
+
+ If context_is_admin is contained in the policy file, then checks
+ whether the given role is contained in context_is_admin. If it is not
+ in the policy file, then default to context_is_admin: admin.
+ """
+ if 'context_is_admin' in self.rules.keys():
+ return self._allowed(
+ access=self._get_access_token(role),
+ apply_rule='context_is_admin')
+ return role == 'admin'
def _get_access_token(self, role):
access_token = {
@@ -93,45 +116,50 @@
"name": role
}
],
- "project": {
- "id": self.tenant_id
- }
+ "project_id": self.tenant_id,
+ "tenant_id": self.tenant_id
}
}
return access_token
- def _allowed(self, policy_file, access, apply_rule, is_admin=False):
+ def _allowed(self, access, apply_rule, is_admin=False):
"""Checks if a given rule in a policy is allowed with given access.
Adapted from oslo_policy.shell.
- :param policy file: type string: path to policy file
:param access: type dict: dictionary from ``_get_access_token``
:param apply_rule: type string: rule to be checked
:param is_admin: type bool: whether admin context is used
"""
access_data = copy.copy(access['token'])
access_data['roles'] = [role['name'] for role in access_data['roles']]
- access_data['project_id'] = access_data['project']['id']
access_data['is_admin'] = is_admin
- policy_data = policy_file.read()
- rules = policy.Rules.load(policy_data, "default")
+ # TODO(felipemonteiro): Dynamically calculate is_admin_project rather
+ # than hard-coding it to True. is_admin_project cannot be determined
+ # from the role, but rather from project and domain names. See
+ # _populate_is_admin_project in keystone.token.providers.common
+ # for more information.
+ access_data['is_admin_project'] = True
class Object(object):
pass
o = Object()
- o.rules = rules
+ o.rules = self.rules
- target = {"project_id": access_data['project_id']}
+ target = {"project_id": access_data['project_id'],
+ "tenant_id": access_data['project_id'],
+ "network:tenant_id": access_data['project_id']}
- key = apply_rule
- rule = rules[apply_rule]
- result = self._try_rule(key, rule, target, access_data, o)
+ result = self._try_rule(apply_rule, target, access_data, o)
return result
- def _try_rule(self, key, rule, target, access_data, o):
+ def _try_rule(self, apply_rule, target, access_data, o):
try:
+ rule = self.rules[apply_rule]
return rule(target, access_data, o)
+ except KeyError as e:
+ LOG.debug("{0} not found in policy file.".format(apply_rule))
+ return False
except Exception as e:
- LOG.debug("Exception: {0} for rule: {1}".format(e, rule))
+ LOG.debug("Exception: {0} for rule: {1}.".format(e, rule))
return False
diff --git a/patrole_tempest_plugin/tests/api/compute/rbac_base.py b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
index 030ee5c..ca24204 100644
--- a/patrole_tempest_plugin/tests/api/compute/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
@@ -18,7 +18,6 @@
class BaseV2ComputeRbacTest(compute_base.BaseV2ComputeTest):
-
credentials = ['primary', 'admin']
@classmethod
@@ -36,3 +35,24 @@
super(BaseV2ComputeRbacTest, cls).setup_clients()
cls.admin_client = cls.os_admin.agents_client
cls.auth_provider = cls.os.auth_provider
+
+
+class BaseV2ComputeAdminRbacTest(compute_base.BaseV2ComputeAdminTest):
+
+ credentials = ['primary', 'admin']
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseV2ComputeAdminRbacTest, cls).skip_checks()
+ if not CONF.rbac.rbac_flag:
+ raise cls.skipException(
+ '%s skipped as RBAC flag not enabled' % cls.__name__)
+ if 'admin' not in CONF.auth.tempest_roles:
+ raise cls.skipException(
+ "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_clients(cls):
+ super(BaseV2ComputeAdminRbacTest, cls).setup_clients()
+ cls.admin_client = cls.os_admin.agents_client
+ cls.auth_provider = cls.os.auth_provider
diff --git a/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py
index 3da3bd8..8e1f6ee 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py
@@ -11,30 +11,31 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest import config
+from tempest.lib import decorators
+
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.rbac_utils import rbac_utils
from patrole_tempest_plugin.tests.api.compute import rbac_base
-from tempest import config
-from tempest.lib import decorators
CONF = config.CONF
-class RBACAbsoluteLimitsTestJSON(rbac_base.BaseV2ComputeRbacTest):
+class AbsoluteLimitsRbacTest(rbac_base.BaseV2ComputeRbacTest):
def tearDown(self):
rbac_utils.switch_role(self, switchToRbacRole=False)
- super(RBACAbsoluteLimitsTestJSON, self).tearDown()
+ super(AbsoluteLimitsRbacTest, self).tearDown()
@classmethod
def setup_clients(cls):
- super(RBACAbsoluteLimitsTestJSON, cls).setup_clients()
+ super(AbsoluteLimitsRbacTest, cls).setup_clients()
cls.identity_client = cls.os_adm.identity_client
cls.tenants_client = cls.os_adm.tenants_client
@classmethod
def skip_checks(cls):
- super(RBACAbsoluteLimitsTestJSON, cls).skip_checks()
+ super(AbsoluteLimitsRbacTest, cls).skip_checks()
if not CONF.compute_feature_enabled.api_extensions:
raise cls.skipException(
'%s skipped as no compute extensions enabled' % cls.__name__)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_access_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_access_ips_rbac.py
new file mode 100644
index 0000000..ffeebc9
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_access_ips_rbac.py
@@ -0,0 +1,45 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class AccessIpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ super(AccessIpsRbacTest, self).tearDown()
+
+ @classmethod
+ def skip_checks(cls):
+ super(AccessIpsRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @rbac_rule_validation.action(service="nova",
+ rule="os_compute_api:os-access-ips")
+ @decorators.idempotent_id('f5811ed1-95d4-4085-a69e-87e6bd958738')
+ def test_access_ip(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ ipv4 = '127.0.0.1'
+ self.create_test_server(accessIPv4=ipv4)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
new file mode 100644
index 0000000..a2f6409
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
@@ -0,0 +1,50 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class ServicesAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
+
+ @classmethod
+ def setup_clients(cls):
+ super(ServicesAdminRbacTest, cls).setup_clients()
+ cls.client = cls.services_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(ServicesAdminRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ServicesAdminRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-services")
+ @decorators.idempotent_id('7472261b-9c6d-453a-bcb3-aecaa29ad281')
+ def test_list_services(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_services()['services']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py
new file mode 100644
index 0000000..eb7a91f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py
@@ -0,0 +1,62 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class SimpleTenantUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(SimpleTenantUsageRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(SimpleTenantUsageRbacTest, cls).setup_clients()
+ cls.client = cls.os.tenant_usages_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(SimpleTenantUsageRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-simple-tenant-usage:list")
+ @decorators.idempotent_id('2aef094f-0452-4df6-a66a-0ec22a92b16e')
+ def test_simple_tenant_usage_list(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_tenant_usages()
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-simple-tenant-usage:show")
+ @decorators.idempotent_id('fe7eacda-15c4-4bf7-93ef-1091c4546a9d')
+ def test_simple_tenant_usage_show(self):
+ # A server must be created in order for usage activity to exist; else
+ # the validation method in the API call throws an error.
+ self.create_test_server(wait_until='ACTIVE')['id']
+ tenant_id = self.auth_provider.credentials.tenant_id
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.show_tenant_usage(tenant_id=tenant_id)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_test_image_namespace_resource_type.py b/patrole_tempest_plugin/tests/api/image/v2/test_test_image_namespace_resource_type.py
new file mode 100644
index 0000000..f7e76c1
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_test_image_namespace_resource_type.py
@@ -0,0 +1,64 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.image import rbac_base
+
+CONF = config.CONF
+
+
+class ImageNamespacesResourceTypeRbacTest(rbac_base.BaseV2ImageRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ImageNamespacesResourceTypeRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="glance",
+ rule="list_metadef_resource_types")
+ @decorators.idempotent_id('0416fc4d-cfdc-447b-88b6-d9f1dd0382f7')
+ def test_list_metadef_resource_types(self):
+ """List Metadef Resource Type Image Test
+
+ RBAC test for the glance list_metadef_resource_type policy.
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.resource_types_client.list_resource_types()
+
+ @rbac_rule_validation.action(service="glance",
+ rule="get_metadef_resource_type")
+ @decorators.idempotent_id('3698d53c-71ae-4803-a2c3-c272c054f25c')
+ def test_get_metadef_resource_type(self):
+ """Get Metadef Resource Type Image Test
+
+ RBAC test for the glance get_metadef_resource_type policy.
+ """
+ namespace_name = data_utils.rand_name('test-ns')
+ self.namespaces_client.create_namespace(
+ namespace=namespace_name,
+ protected=False)
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.namespaces_client.delete_namespace,
+ namespace_name)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.resource_types_client.list_resource_type_association(
+ namespace_name)
diff --git a/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py b/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py
new file mode 100644
index 0000000..e36d684
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py
@@ -0,0 +1,72 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesBackupsAdminRbacTest(rbac_base.BaseVolumeAdminRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(VolumesBackupsAdminRbacTest, cls).skip_checks()
+ if not CONF.volume_feature_enabled.backup:
+ raise cls.skipException("Cinder backup feature disabled")
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumesBackupsAdminRbacTest, self).tearDown()
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumesBackupsAdminRbacTest, cls).resource_setup()
+ cls.volume = cls.create_volume()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="backup:backup-export")
+ @decorators.idempotent_id('e984ec8d-e8eb-485c-98bc-f1856020303c')
+ def test_volume_backup_export(self):
+ # Create a temp backup
+ backup = self.create_backup(volume_id=self.volume['id'])
+ # Export Backup
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.backups_client.export_backup(
+ backup['id'])['backup-record']
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="backup:backup-import")
+ @decorators.idempotent_id('1e70f039-4556-44cc-9cc1-edf2b7ed648b')
+ def test_volume_backup_import(self):
+ # Create a temp backup
+ backup = self.create_backup(volume_id=self.volume['id'])
+ # Export a temp backup
+ export_backup = self.backups_client.export_backup(
+ backup['id'])['backup-record']
+ # Import the temp backup
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ import_backup = self.backups_client.import_backup(
+ backup_service=export_backup['backup_service'],
+ backup_url=export_backup['backup_url'])['backup']
+ self.addCleanup(self.backups_client.delete_backup, import_backup['id'])
+
+
+class VolumesBackupsAdminV3RbacTest(VolumesBackupsAdminRbacTest):
+ _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
new file mode 100644
index 0000000..b15eb3f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -0,0 +1,121 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(VolumesActionsRbacTest, cls).skip_checks()
+ # Nova is needed to create a server
+ if not CONF.service_available.nova:
+ skip_msg = ("%s skipped as nova is not available" % cls.__name__)
+ raise cls.skipException(skip_msg)
+ # Glance is needed to create an image
+ if not CONF.service_available.glance:
+ skip_msg = ("%s skipped as glance is not available" % cls.__name__)
+ raise cls.skipException(skip_msg)
+
+ @classmethod
+ def setup_clients(cls):
+ super(VolumesActionsRbacTest, cls).setup_clients()
+ cls.client = cls.os.volumes_client
+ cls.image_client = cls.os.image_client
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumesActionsRbacTest, self).tearDown()
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumesActionsRbacTest, cls).resource_setup()
+ cls.volume = cls.create_volume()
+
+ def _attach_volume(self):
+ server = self.create_server(wait_until='ACTIVE')
+ self.servers_client.attach_volume(
+ server['id'], volumeId=self.volume['id'],
+ device='/dev/%s' % CONF.compute.volume_device_name)
+ waiters.wait_for_volume_status(self.client,
+ self.volume['id'], 'in-use')
+ self.addCleanup(self._detach_volume)
+
+ def _detach_volume(self):
+ self.client.detach_volume(self.volume['id'])
+ waiters.wait_for_volume_status(self.client, self.volume['id'],
+ 'available')
+
+ @rbac_rule_validation.action(service="cinder", rule="volume:attach")
+ @decorators.idempotent_id('f97b10e4-2eed-4f8b-8632-71c02cb9fe42')
+ def test_attach_volume_to_instance(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # Attach the volume
+ self._attach_volume()
+
+ @rbac_rule_validation.action(service="cinder", rule="volume:detach")
+ @decorators.idempotent_id('5a042f6a-688b-42e6-a02e-fe5c47b89b07')
+ def test_detach_volume_to_instance(self):
+ # Attach the volume
+ self._attach_volume()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # Detach the volume
+ self._detach_volume()
+
+ @rbac_rule_validation.action(service="cinder", rule="volume:get")
+ @decorators.idempotent_id('c4c3fdd5-b1b1-49c3-b977-a9f40ee9257a')
+ def test_get_volume_attachment(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # Get attachment
+ self.client.show_volume(self.volume['id'])
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:copy_volume_to_image")
+ @decorators.idempotent_id('b0d0da46-903c-4445-893e-20e680d68b50')
+ def test_volume_upload(self):
+ image_name = data_utils.rand_name('image')
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ body = self.client.upload_volume(
+ self.volume['id'], image_name=image_name,
+ disk_format=CONF.volume.disk_format)['os-volume_upload_image']
+ image_id = body['image_id']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.image_client.delete_image,
+ image_id)
+ waiters.wait_for_image_status(self.image_client, image_id, 'active')
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:update_readonly_flag")
+ @decorators.idempotent_id('2750717a-f250-4e41-9e09-02624aad6ff8')
+ def test_volume_readonly_update(self):
+ volume = self.create_volume()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # Update volume readonly
+ self.client.update_volume_readonly(volume['id'], readonly=True)
+
+
+class VolumesActionsV3RbacTest(VolumesActionsRbacTest):
+ _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
new file mode 100644
index 0000000..f88d44f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
@@ -0,0 +1,96 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesTransfersRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ credentials = ['primary', 'alt', 'admin']
+
+ @classmethod
+ def setup_clients(cls):
+ super(VolumesTransfersRbacTest, cls).setup_clients()
+ cls.client = cls.volumes_client
+ cls.alt_client = cls.os_alt.volumes_client
+ cls.alt_tenant_id = cls.alt_client.tenant_id
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumesTransfersRbacTest, self).tearDown()
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumesTransfersRbacTest, cls).resource_setup()
+ cls.volume = cls.create_volume()
+
+ def _delete_transfer(self, transfer):
+ # Volume from create_volume_transfer test may get stuck in
+ # 'awaiting-transfer' state, preventing cleanup and causing
+ # the test to fail
+ test_utils.call_and_ignore_notfound_exc(
+ self.client.delete_volume_transfer, transfer['id'])
+ waiters.wait_for_volume_status(self.client, self.volume['id'],
+ 'available')
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:create_transfer")
+ @decorators.idempotent_id('25413af4-468d-48ff-94ca-4436f8526b3e')
+ def test_create_volume_transfer(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ transfer = self.client.create_volume_transfer(
+ volume_id=self.volume['id'])['transfer']
+ self.addCleanup(self._delete_transfer, transfer)
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:get_all_transfers")
+ @decorators.idempotent_id('7a0925d3-ed97-4c25-8299-e5cdabe2eb55')
+ def test_get_volume_transfer(self):
+ transfer = self.client.create_volume_transfer(
+ volume_id=self.volume['id'])['transfer']
+ self.addCleanup(self._delete_transfer, transfer)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.show_volume_transfer(transfer['id'])
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:get_all_transfers")
+ @decorators.idempotent_id('02a06f2b-5040-49e2-b2b7-619a7db59603')
+ def test_list_volume_transfers(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_volume_transfers()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:accept_transfer")
+ @decorators.idempotent_id('987f2a11-d657-4984-a6c9-28f06c1cd014')
+ def test_accept_volume_transfer(self):
+ transfer = self.client.create_volume_transfer(
+ volume_id=self.volume['id'])['transfer']
+ self.addCleanup(self._delete_transfer, transfer)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.accept_volume_transfer(transfer['id'],
+ auth_key=transfer['auth_key'])
+
+
+class VolumesTransfersV3RbacTest(VolumesTransfersRbacTest):
+ _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
new file mode 100644
index 0000000..32a1566
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -0,0 +1,101 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(VolumesBackupsRbacTest, cls).skip_checks()
+ if not CONF.volume_feature_enabled.backup:
+ raise cls.skipException("Cinder backup feature disabled")
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumesBackupsRbacTest, self).tearDown()
+
+ def create_backup(self, volume_id):
+ backup_name = data_utils.rand_name(
+ self.__class__.__name__ + '-Backup')
+ backup = self.backups_client.create_backup(
+ volume_id=volume_id, name=backup_name)['backup']
+ self.addCleanup(self.backups_client.delete_backup, backup['id'])
+ waiters.wait_for_backup_status(self.backups_client, backup['id'],
+ 'available')
+ return backup
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumesBackupsRbacTest, cls).resource_setup()
+ cls.volume = cls.create_volume()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="backup:create")
+ @decorators.idempotent_id('6887ec94-0bcf-4ab7-b30f-3808a4b5a2a5')
+ def test_volume_backup_create(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.create_backup(volume_id=self.volume['id'])
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="backup:get")
+ @decorators.idempotent_id('abd92bdd-b0fb-4dc4-9cfc-de9e968f8c8a')
+ def test_volume_backup_get(self):
+ # Create a temp backup
+ backup = self.create_backup(volume_id=self.volume['id'])
+ # Get a given backup
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.backups_client.show_backup(backup['id'])
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="backup:get_all")
+ @decorators.idempotent_id('4d18f0f0-7e01-4007-b622-dedc859b22f6')
+ def test_volume_backup_list(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.backups_client.list_backups()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="backup:restore")
+ @decorators.idempotent_id('9c794bf9-2446-4f41-8fe0-80b71e757f9d')
+ def test_volume_backup_restore(self):
+ # Create a temp backup
+ backup = self.create_backup(volume_id=self.volume['id'])
+ # Restore backup
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.backups_client.restore_backup(backup['id'])['restore']
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="backup:delete")
+ @decorators.idempotent_id('d5d0c6a2-413d-437e-a73f-4bf2b41a20ed')
+ def test_volume_backup_delete(self):
+ # Create a temp backup
+ backup = self.create_backup(volume_id=self.volume['id'])
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # Delete backup
+ self.backups_client.delete_backup(backup['id'])
+
+
+class VolumesBackupsV3RbacTest(VolumesBackupsRbacTest):
+ _api_version = 3
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index 0fe31a5..d86d91c 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -12,8 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Glance Release Notes documentation build configuration file, created by
-# sphinx-quickstart on Tue Nov 3 17:40:50 2015.
+# Patrole Release Notes documentation build configuration file, created by
+# sphinx-quickstart on Tue Jan 5 17:40:50 2017.
#
# This file is execfile()d with the current directory set to its
# containing dir.
@@ -56,7 +56,7 @@
# General information about the project.
project = u'patrole Release Notes'
-copyright = u'2016, OpenStack Foundation'
+copyright = u'2017, Patrole Developers'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
@@ -189,7 +189,7 @@
# html_file_suffix = None
# Output file base name for HTML help builder.
-htmlhelp_basename = 'GlanceReleaseNotesdoc'
+htmlhelp_basename = 'PatroleReleaseNotesdoc'
# -- Options for LaTeX output ---------------------------------------------
@@ -209,8 +209,9 @@
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
- ('index', 'GlanceReleaseNotes.tex', u'Glance Release Notes Documentation',
- u'Glance Developers', 'manual'),
+ ('index', 'PatroleReleaseNotes.tex',
+ u'Patrole Release Notes Documentation',
+ u'Patrole Developers', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
@@ -239,8 +240,8 @@
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
- ('index', 'glancereleasenotes', u'Glance Release Notes Documentation',
- [u'Glance Developers'], 1)
+ ('index', 'patrolereleasenotes', u'Patrole Release Notes Documentation',
+ [u'Patrole Developers'], 1)
]
# If true, show URL addresses after external links.
@@ -253,8 +254,8 @@
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
- ('index', 'GlanceReleaseNotes', u'Glance Release Notes Documentation',
- u'Glance Developers', 'GlanceReleaseNotes',
+ ('index', 'PatroleReleaseNotes', u'Patrole Release Notes Documentation',
+ u'Patrole Developers', 'PatroleReleaseNotes',
'One line description of project.',
'Miscellaneous'),
]
diff --git a/tests/resources/alt_admin_rbac_policy.json b/tests/resources/alt_admin_rbac_policy.json
new file mode 100644
index 0000000..bf07182
--- /dev/null
+++ b/tests/resources/alt_admin_rbac_policy.json
@@ -0,0 +1,5 @@
+{
+ "context_is_admin": "role:super_admin",
+ "admin_rule": "role:super_admin",
+ "non_admin_rule": "role:fake_admin"
+}
diff --git a/tests/resources/tenant_rbac_policy.json b/tests/resources/tenant_rbac_policy.json
new file mode 100644
index 0000000..2647e4d
--- /dev/null
+++ b/tests/resources/tenant_rbac_policy.json
@@ -0,0 +1,6 @@
+{
+ "rule1": "tenant_id:%(network:tenant_id)s",
+ "rule2": "tenant_id:%(tenant_id)s",
+ "rule3": "project_id:%(project_id)s",
+ "admin_rule": "role:admin and tenant_id:%(tenant_id)s"
+}
\ No newline at end of file
diff --git a/tests/test_rbac_role_converter.py b/tests/test_rbac_role_converter.py
index 04eb626..09fa081 100644
--- a/tests/test_rbac_role_converter.py
+++ b/tests/test_rbac_role_converter.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+import mock
import os
from tempest import config
@@ -35,8 +36,15 @@
self.admin_policy_file = os.path.join(current_directory,
'resources',
'admin_rbac_policy.json')
+ self.alt_admin_policy_file = os.path.join(current_directory,
+ 'resources',
+ 'alt_admin_rbac_policy.json')
+ self.tenant_policy_file = os.path.join(current_directory,
+ 'resources',
+ 'tenant_rbac_policy.json')
- def test_custom_policy(self):
+ @mock.patch.object(rbac_role_converter, 'LOG', autospec=True)
+ def test_custom_policy(self, m_log):
default_roles = ['zero', 'one', 'two', 'three', 'four',
'five', 'six', 'seven', 'eight', 'nine']
@@ -56,7 +64,10 @@
fake_rule = 'fake_rule'
for role in default_roles:
- self.assertRaises(KeyError, converter.allowed, fake_rule, role)
+ self.assertFalse(converter.allowed(fake_rule, role))
+ m_log.debug.assert_called_once_with(
+ "{0} not found in policy file.".format('fake_rule'))
+ m_log.debug.reset_mock()
for rule, role_list in expected.items():
for role in role_list:
@@ -70,10 +81,9 @@
role = 'admin'
allowed_rules = [
- 'admin_rule'
+ 'admin_rule', 'is_admin_rule', 'alt_admin_rule'
]
- disallowed_rules = [
- 'is_admin_rule', 'alt_admin_rule', 'non_admin_rule']
+ disallowed_rules = ['non_admin_rule']
for rule in allowed_rules:
allowed = converter.allowed(rule, role)
@@ -101,3 +111,72 @@
for rule in disallowed_rules:
allowed = converter.allowed(rule, role)
self.assertFalse(allowed)
+
+ def test_admin_policy_file_with_context_is_admin(self):
+ converter = rbac_role_converter.RbacPolicyConverter(
+ None, "test", self.alt_admin_policy_file)
+
+ role = 'fake_admin'
+ allowed_rules = ['non_admin_rule']
+ disallowed_rules = ['admin_rule']
+
+ for rule in allowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertTrue(allowed)
+
+ for rule in disallowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertFalse(allowed)
+
+ role = 'super_admin'
+ allowed_rules = ['admin_rule']
+ disallowed_rules = ['non_admin_rule']
+
+ for rule in allowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertTrue(allowed)
+
+ for rule in disallowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertFalse(allowed)
+
+ def test_tenant_policy(self):
+ """Test whether rules with format tenant_id:%(tenant_id)s work.
+
+ Test whether Neutron rules that contain project_id, tenant_id, and
+ network:tenant_id pass.
+ """
+ test_tenant_id = mock.sentinel.tenant_id
+ converter = rbac_role_converter.RbacPolicyConverter(
+ test_tenant_id, "test", self.tenant_policy_file)
+
+ # Check whether Member role can perform expected actions.
+ allowed_rules = ['rule1', 'rule2', 'rule3']
+ for rule in allowed_rules:
+ allowed = converter.allowed(rule, 'Member')
+ self.assertTrue(allowed)
+ self.assertFalse(converter.allowed('admin_rule', 'Member'))
+
+ # Check whether admin role can perform expected actions.
+ allowed_rules.append('admin_rule')
+ for rule in allowed_rules:
+ allowed = converter.allowed(rule, 'admin')
+ self.assertTrue(allowed)
+
+ # Check whether _try_rule is called with the correct target dictionary.
+ with mock.patch.object(converter, '_try_rule', autospec=True) \
+ as mock_try_rule:
+ mock_try_rule.return_value = True
+
+ expected_target = {
+ "project_id": test_tenant_id,
+ "tenant_id": test_tenant_id,
+ "network:tenant_id": test_tenant_id
+ }
+
+ for rule in allowed_rules:
+ allowed = converter.allowed(rule, 'Member')
+ self.assertTrue(allowed)
+ mock_try_rule.assert_called_once_with(
+ rule, expected_target, mock.ANY, mock.ANY)
+ mock_try_rule.reset_mock()