Merge "Glance tests - Image Metadef Namespace Properties"
diff --git a/doc/source/conf.py b/doc/source/conf.py
index d75a939..33c2cc3 100755
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -38,7 +38,7 @@
 
 # General information about the project.
 project = u'patrole'
-copyright = u'2016, OpenStack Foundation'
+copyright = u'2017, Patrole Developers'
 
 # If true, '()' will be appended to :func: etc. cross-reference text.
 add_function_parentheses = True
@@ -68,7 +68,7 @@
     ('index',
      '%s.tex' % project,
      u'%s Documentation' % project,
-     u'OpenStack Foundation', 'manual'),
+     u'Patrole Developers', 'manual'),
 ]
 
 # Example configuration for intersphinx: refer to the Python standard library.
diff --git a/patrole_tempest_plugin/rbac_role_converter.py b/patrole_tempest_plugin/rbac_role_converter.py
index 420de7f..bc6e006 100644
--- a/patrole_tempest_plugin/rbac_role_converter.py
+++ b/patrole_tempest_plugin/rbac_role_converter.py
@@ -17,6 +17,7 @@
 import os
 
 from oslo_log import log as logging
+from oslo_policy import generator
 from oslo_policy import policy
 from tempest import config
 
@@ -39,51 +40,73 @@
     def __init__(self, tenant_id, service, path=None):
         """Initialization of Policy Converter.
 
-        Parse policy files to create dictionary mapping policy actions to
-        roles.
+        Parses a policy file to create a dictionary, mapping policy actions to
+        roles. If a policy file does not exist, checks whether the policy file
+        is registered as a namespace under oslo.policy.policies. Nova, for
+        example, doesn't use a policy.json file by default; its policy is
+        implemented in code and registered as 'nova' under
+        oslo.policy.policies.
+
+        If the policy file is not found in either place, raises an exception.
+
+        Additionally, if the policy file exists in both code and as a
+        policy.json (for example, by creating a custom nova policy.json file),
+        the custom policy file over the default policy implementation is
+        prioritized.
 
         :param tenant_id: type uuid
         :param service: type string
         :param path: type string
         """
+        service = service.lower().strip()
         if path is None:
             self.path = '/etc/{0}/policy.json'.format(service)
         else:
             self.path = path
 
-        if not os.path.isfile(self.path):
-            raise rbac_exceptions.RbacResourceSetupFailed(
-                'Policy file for service: {0}, {1} not found.'
-                .format(service, self.path))
+        policy_data = "{}"
 
+        # First check whether policy file exists.
+        if os.path.isfile(self.path):
+            policy_data = open(self.path, 'r').read()
+        # Otherwise use oslo_policy to fetch the rules for provided service.
+        else:
+            policy_generator = generator._get_policies_dict([service])
+            if policy_generator and service in policy_generator:
+                policy_data = "{\n"
+                for r in policy_generator[service]:
+                    policy_data = policy_data + r.__str__() + ",\n"
+                policy_data = policy_data[:-2] + "\n}"
+            # Otherwise raise an exception.
+            else:
+                raise rbac_exceptions.RbacResourceSetupFailed(
+                    'Policy file for service: {0}, {1} not found.'
+                    .format(service, self.path))
+
+        self.rules = policy.Rules.load(policy_data, "default")
         self.tenant_id = tenant_id
 
     def allowed(self, rule_name, role):
-        policy_file = open(self.path, 'r')
-        access_token = self._get_access_token(role)
-
+        is_admin_context = self._is_admin_context(role)
         is_allowed = self._allowed(
-            policy_file=policy_file,
-            access=access_token,
+            access=self._get_access_token(role),
             apply_rule=rule_name,
-            is_admin=False)
+            is_admin=is_admin_context)
 
-        policy_file = open(self.path, 'r')
-        access_token = self._get_access_token(role)
-        allowed_as_admin_context = self._allowed(
-            policy_file=policy_file,
-            access=access_token,
-            apply_rule=rule_name,
-            is_admin=True)
+        return is_allowed
 
-        if allowed_as_admin_context and is_allowed:
-            return True
-        if allowed_as_admin_context and not is_allowed:
-            return False
-        if not allowed_as_admin_context and is_allowed:
-            return True
-        if not allowed_as_admin_context and not is_allowed:
-            return False
+    def _is_admin_context(self, role):
+        """Checks whether a role has admin context.
+
+        If context_is_admin is contained in the policy file, then checks
+        whether the given role is contained in context_is_admin. If it is not
+        in the policy file, then default to context_is_admin: admin.
+        """
+        if 'context_is_admin' in self.rules.keys():
+            return self._allowed(
+                access=self._get_access_token(role),
+                apply_rule='context_is_admin')
+        return role == 'admin'
 
     def _get_access_token(self, role):
         access_token = {
@@ -93,45 +116,50 @@
                         "name": role
                     }
                 ],
-                "project": {
-                    "id": self.tenant_id
-                }
+                "project_id": self.tenant_id,
+                "tenant_id": self.tenant_id
             }
         }
         return access_token
 
-    def _allowed(self, policy_file, access, apply_rule, is_admin=False):
+    def _allowed(self, access, apply_rule, is_admin=False):
         """Checks if a given rule in a policy is allowed with given access.
 
         Adapted from oslo_policy.shell.
 
-        :param policy file: type string: path to policy file
         :param access: type dict: dictionary from ``_get_access_token``
         :param apply_rule: type string: rule to be checked
         :param is_admin: type bool: whether admin context is used
         """
         access_data = copy.copy(access['token'])
         access_data['roles'] = [role['name'] for role in access_data['roles']]
-        access_data['project_id'] = access_data['project']['id']
         access_data['is_admin'] = is_admin
-        policy_data = policy_file.read()
-        rules = policy.Rules.load(policy_data, "default")
+        # TODO(felipemonteiro): Dynamically calculate is_admin_project rather
+        # than hard-coding it to True. is_admin_project cannot be determined
+        # from the role, but rather from project and domain names. See
+        # _populate_is_admin_project in keystone.token.providers.common
+        # for more information.
+        access_data['is_admin_project'] = True
 
         class Object(object):
             pass
         o = Object()
-        o.rules = rules
+        o.rules = self.rules
 
-        target = {"project_id": access_data['project_id']}
+        target = {"project_id": access_data['project_id'],
+                  "tenant_id": access_data['project_id'],
+                  "network:tenant_id": access_data['project_id']}
 
-        key = apply_rule
-        rule = rules[apply_rule]
-        result = self._try_rule(key, rule, target, access_data, o)
+        result = self._try_rule(apply_rule, target, access_data, o)
         return result
 
-    def _try_rule(self, key, rule, target, access_data, o):
+    def _try_rule(self, apply_rule, target, access_data, o):
         try:
+            rule = self.rules[apply_rule]
             return rule(target, access_data, o)
+        except KeyError as e:
+            LOG.debug("{0} not found in policy file.".format(apply_rule))
+            return False
         except Exception as e:
-            LOG.debug("Exception: {0} for rule: {1}".format(e, rule))
+            LOG.debug("Exception: {0} for rule: {1}.".format(e, rule))
             return False
diff --git a/patrole_tempest_plugin/tests/api/compute/rbac_base.py b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
index 030ee5c..ca24204 100644
--- a/patrole_tempest_plugin/tests/api/compute/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
@@ -18,7 +18,6 @@
 
 
 class BaseV2ComputeRbacTest(compute_base.BaseV2ComputeTest):
-
     credentials = ['primary', 'admin']
 
     @classmethod
@@ -36,3 +35,24 @@
         super(BaseV2ComputeRbacTest, cls).setup_clients()
         cls.admin_client = cls.os_admin.agents_client
         cls.auth_provider = cls.os.auth_provider
+
+
+class BaseV2ComputeAdminRbacTest(compute_base.BaseV2ComputeAdminTest):
+
+    credentials = ['primary', 'admin']
+
+    @classmethod
+    def skip_checks(cls):
+        super(BaseV2ComputeAdminRbacTest, cls).skip_checks()
+        if not CONF.rbac.rbac_flag:
+            raise cls.skipException(
+                '%s skipped as RBAC flag not enabled' % cls.__name__)
+        if 'admin' not in CONF.auth.tempest_roles:
+            raise cls.skipException(
+                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_clients(cls):
+        super(BaseV2ComputeAdminRbacTest, cls).setup_clients()
+        cls.admin_client = cls.os_admin.agents_client
+        cls.auth_provider = cls.os.auth_provider
diff --git a/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py
index 3da3bd8..8e1f6ee 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py
@@ -11,30 +11,31 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from tempest import config
+from tempest.lib import decorators
+
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base
-from tempest import config
-from tempest.lib import decorators
 
 CONF = config.CONF
 
 
-class RBACAbsoluteLimitsTestJSON(rbac_base.BaseV2ComputeRbacTest):
+class AbsoluteLimitsRbacTest(rbac_base.BaseV2ComputeRbacTest):
 
     def tearDown(self):
         rbac_utils.switch_role(self, switchToRbacRole=False)
-        super(RBACAbsoluteLimitsTestJSON, self).tearDown()
+        super(AbsoluteLimitsRbacTest, self).tearDown()
 
     @classmethod
     def setup_clients(cls):
-        super(RBACAbsoluteLimitsTestJSON, cls).setup_clients()
+        super(AbsoluteLimitsRbacTest, cls).setup_clients()
         cls.identity_client = cls.os_adm.identity_client
         cls.tenants_client = cls.os_adm.tenants_client
 
     @classmethod
     def skip_checks(cls):
-        super(RBACAbsoluteLimitsTestJSON, cls).skip_checks()
+        super(AbsoluteLimitsRbacTest, cls).skip_checks()
         if not CONF.compute_feature_enabled.api_extensions:
             raise cls.skipException(
                 '%s skipped as no compute extensions enabled' % cls.__name__)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_access_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_access_ips_rbac.py
new file mode 100644
index 0000000..ffeebc9
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_access_ips_rbac.py
@@ -0,0 +1,45 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class AccessIpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        super(AccessIpsRbacTest, self).tearDown()
+
+    @classmethod
+    def skip_checks(cls):
+        super(AccessIpsRbacTest, cls).skip_checks()
+        if not CONF.compute_feature_enabled.api_extensions:
+            raise cls.skipException(
+                '%s skipped as no compute extensions enabled' % cls.__name__)
+
+    @rbac_rule_validation.action(service="nova",
+                                 rule="os_compute_api:os-access-ips")
+    @decorators.idempotent_id('f5811ed1-95d4-4085-a69e-87e6bd958738')
+    def test_access_ip(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        ipv4 = '127.0.0.1'
+        self.create_test_server(accessIPv4=ipv4)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
new file mode 100644
index 0000000..a2f6409
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
@@ -0,0 +1,50 @@
+#    Copyright 2017 AT&T Corporation.
+#    All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class ServicesAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
+
+    @classmethod
+    def setup_clients(cls):
+        super(ServicesAdminRbacTest, cls).setup_clients()
+        cls.client = cls.services_client
+
+    @classmethod
+    def skip_checks(cls):
+        super(ServicesAdminRbacTest, cls).skip_checks()
+        if not CONF.compute_feature_enabled.api_extensions:
+            raise cls.skipException(
+                '%s skipped as no compute extensions enabled' % cls.__name__)
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(ServicesAdminRbacTest, self).tearDown()
+
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-services")
+    @decorators.idempotent_id('7472261b-9c6d-453a-bcb3-aecaa29ad281')
+    def test_list_services(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.client.list_services()['services']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py
new file mode 100644
index 0000000..eb7a91f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py
@@ -0,0 +1,62 @@
+#    Copyright 2017 AT&T Corporation.
+#    All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class SimpleTenantUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(SimpleTenantUsageRbacTest, self).tearDown()
+
+    @classmethod
+    def setup_clients(cls):
+        super(SimpleTenantUsageRbacTest, cls).setup_clients()
+        cls.client = cls.os.tenant_usages_client
+
+    @classmethod
+    def skip_checks(cls):
+        super(SimpleTenantUsageRbacTest, cls).skip_checks()
+        if not CONF.compute_feature_enabled.api_extensions:
+            raise cls.skipException(
+                '%s skipped as no compute extensions enabled' % cls.__name__)
+
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-simple-tenant-usage:list")
+    @decorators.idempotent_id('2aef094f-0452-4df6-a66a-0ec22a92b16e')
+    def test_simple_tenant_usage_list(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.client.list_tenant_usages()
+
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-simple-tenant-usage:show")
+    @decorators.idempotent_id('fe7eacda-15c4-4bf7-93ef-1091c4546a9d')
+    def test_simple_tenant_usage_show(self):
+        # A server must be created in order for usage activity to exist; else
+        # the validation method in the API call throws an error.
+        self.create_test_server(wait_until='ACTIVE')['id']
+        tenant_id = self.auth_provider.credentials.tenant_id
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.client.show_tenant_usage(tenant_id=tenant_id)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_test_image_namespace_resource_type.py b/patrole_tempest_plugin/tests/api/image/v2/test_test_image_namespace_resource_type.py
new file mode 100644
index 0000000..f7e76c1
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_test_image_namespace_resource_type.py
@@ -0,0 +1,64 @@
+#    Copyright 2017 AT&T Corporation.
+#    All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.image import rbac_base
+
+CONF = config.CONF
+
+
+class ImageNamespacesResourceTypeRbacTest(rbac_base.BaseV2ImageRbacTest):
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(ImageNamespacesResourceTypeRbacTest, self).tearDown()
+
+    @rbac_rule_validation.action(service="glance",
+                                 rule="list_metadef_resource_types")
+    @decorators.idempotent_id('0416fc4d-cfdc-447b-88b6-d9f1dd0382f7')
+    def test_list_metadef_resource_types(self):
+        """List Metadef Resource Type Image Test
+
+        RBAC test for the glance list_metadef_resource_type policy.
+        """
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.resource_types_client.list_resource_types()
+
+    @rbac_rule_validation.action(service="glance",
+                                 rule="get_metadef_resource_type")
+    @decorators.idempotent_id('3698d53c-71ae-4803-a2c3-c272c054f25c')
+    def test_get_metadef_resource_type(self):
+        """Get Metadef Resource Type Image Test
+
+        RBAC test for the glance get_metadef_resource_type policy.
+        """
+        namespace_name = data_utils.rand_name('test-ns')
+        self.namespaces_client.create_namespace(
+            namespace=namespace_name,
+            protected=False)
+        self.addCleanup(
+            test_utils.call_and_ignore_notfound_exc,
+            self.namespaces_client.delete_namespace,
+            namespace_name)
+
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.resource_types_client.list_resource_type_association(
+            namespace_name)
diff --git a/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py b/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py
new file mode 100644
index 0000000..e36d684
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py
@@ -0,0 +1,72 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesBackupsAdminRbacTest(rbac_base.BaseVolumeAdminRbacTest):
+
+    @classmethod
+    def skip_checks(cls):
+        super(VolumesBackupsAdminRbacTest, cls).skip_checks()
+        if not CONF.volume_feature_enabled.backup:
+            raise cls.skipException("Cinder backup feature disabled")
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(VolumesBackupsAdminRbacTest, self).tearDown()
+
+    @classmethod
+    def resource_setup(cls):
+        super(VolumesBackupsAdminRbacTest, cls).resource_setup()
+        cls.volume = cls.create_volume()
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="backup:backup-export")
+    @decorators.idempotent_id('e984ec8d-e8eb-485c-98bc-f1856020303c')
+    def test_volume_backup_export(self):
+        # Create a temp backup
+        backup = self.create_backup(volume_id=self.volume['id'])
+        # Export Backup
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.backups_client.export_backup(
+            backup['id'])['backup-record']
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="backup:backup-import")
+    @decorators.idempotent_id('1e70f039-4556-44cc-9cc1-edf2b7ed648b')
+    def test_volume_backup_import(self):
+        # Create a temp backup
+        backup = self.create_backup(volume_id=self.volume['id'])
+        # Export a temp backup
+        export_backup = self.backups_client.export_backup(
+            backup['id'])['backup-record']
+        # Import the temp backup
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        import_backup = self.backups_client.import_backup(
+            backup_service=export_backup['backup_service'],
+            backup_url=export_backup['backup_url'])['backup']
+        self.addCleanup(self.backups_client.delete_backup, import_backup['id'])
+
+
+class VolumesBackupsAdminV3RbacTest(VolumesBackupsAdminRbacTest):
+    _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
new file mode 100644
index 0000000..b15eb3f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -0,0 +1,121 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
+
+    @classmethod
+    def skip_checks(cls):
+        super(VolumesActionsRbacTest, cls).skip_checks()
+        # Nova is needed to create a server
+        if not CONF.service_available.nova:
+            skip_msg = ("%s skipped as nova is not available" % cls.__name__)
+            raise cls.skipException(skip_msg)
+        # Glance is needed to create an image
+        if not CONF.service_available.glance:
+            skip_msg = ("%s skipped as glance is not available" % cls.__name__)
+            raise cls.skipException(skip_msg)
+
+    @classmethod
+    def setup_clients(cls):
+        super(VolumesActionsRbacTest, cls).setup_clients()
+        cls.client = cls.os.volumes_client
+        cls.image_client = cls.os.image_client
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(VolumesActionsRbacTest, self).tearDown()
+
+    @classmethod
+    def resource_setup(cls):
+        super(VolumesActionsRbacTest, cls).resource_setup()
+        cls.volume = cls.create_volume()
+
+    def _attach_volume(self):
+        server = self.create_server(wait_until='ACTIVE')
+        self.servers_client.attach_volume(
+            server['id'], volumeId=self.volume['id'],
+            device='/dev/%s' % CONF.compute.volume_device_name)
+        waiters.wait_for_volume_status(self.client,
+                                       self.volume['id'], 'in-use')
+        self.addCleanup(self._detach_volume)
+
+    def _detach_volume(self):
+        self.client.detach_volume(self.volume['id'])
+        waiters.wait_for_volume_status(self.client, self.volume['id'],
+                                       'available')
+
+    @rbac_rule_validation.action(service="cinder", rule="volume:attach")
+    @decorators.idempotent_id('f97b10e4-2eed-4f8b-8632-71c02cb9fe42')
+    def test_attach_volume_to_instance(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        # Attach the volume
+        self._attach_volume()
+
+    @rbac_rule_validation.action(service="cinder", rule="volume:detach")
+    @decorators.idempotent_id('5a042f6a-688b-42e6-a02e-fe5c47b89b07')
+    def test_detach_volume_to_instance(self):
+        # Attach the volume
+        self._attach_volume()
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        # Detach the volume
+        self._detach_volume()
+
+    @rbac_rule_validation.action(service="cinder", rule="volume:get")
+    @decorators.idempotent_id('c4c3fdd5-b1b1-49c3-b977-a9f40ee9257a')
+    def test_get_volume_attachment(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        # Get attachment
+        self.client.show_volume(self.volume['id'])
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume:copy_volume_to_image")
+    @decorators.idempotent_id('b0d0da46-903c-4445-893e-20e680d68b50')
+    def test_volume_upload(self):
+        image_name = data_utils.rand_name('image')
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        body = self.client.upload_volume(
+            self.volume['id'], image_name=image_name,
+            disk_format=CONF.volume.disk_format)['os-volume_upload_image']
+        image_id = body['image_id']
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.image_client.delete_image,
+                        image_id)
+        waiters.wait_for_image_status(self.image_client, image_id, 'active')
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume:update_readonly_flag")
+    @decorators.idempotent_id('2750717a-f250-4e41-9e09-02624aad6ff8')
+    def test_volume_readonly_update(self):
+        volume = self.create_volume()
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        # Update volume readonly
+        self.client.update_volume_readonly(volume['id'], readonly=True)
+
+
+class VolumesActionsV3RbacTest(VolumesActionsRbacTest):
+    _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
new file mode 100644
index 0000000..f88d44f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
@@ -0,0 +1,96 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesTransfersRbacTest(rbac_base.BaseVolumeRbacTest):
+
+    credentials = ['primary', 'alt', 'admin']
+
+    @classmethod
+    def setup_clients(cls):
+        super(VolumesTransfersRbacTest, cls).setup_clients()
+        cls.client = cls.volumes_client
+        cls.alt_client = cls.os_alt.volumes_client
+        cls.alt_tenant_id = cls.alt_client.tenant_id
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(VolumesTransfersRbacTest, self).tearDown()
+
+    @classmethod
+    def resource_setup(cls):
+        super(VolumesTransfersRbacTest, cls).resource_setup()
+        cls.volume = cls.create_volume()
+
+    def _delete_transfer(self, transfer):
+        # Volume from create_volume_transfer test may get stuck in
+        # 'awaiting-transfer' state, preventing cleanup and causing
+        # the test to fail
+        test_utils.call_and_ignore_notfound_exc(
+            self.client.delete_volume_transfer, transfer['id'])
+        waiters.wait_for_volume_status(self.client, self.volume['id'],
+                                       'available')
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume:create_transfer")
+    @decorators.idempotent_id('25413af4-468d-48ff-94ca-4436f8526b3e')
+    def test_create_volume_transfer(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        transfer = self.client.create_volume_transfer(
+            volume_id=self.volume['id'])['transfer']
+        self.addCleanup(self._delete_transfer, transfer)
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume:get_all_transfers")
+    @decorators.idempotent_id('7a0925d3-ed97-4c25-8299-e5cdabe2eb55')
+    def test_get_volume_transfer(self):
+        transfer = self.client.create_volume_transfer(
+            volume_id=self.volume['id'])['transfer']
+        self.addCleanup(self._delete_transfer, transfer)
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.client.show_volume_transfer(transfer['id'])
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume:get_all_transfers")
+    @decorators.idempotent_id('02a06f2b-5040-49e2-b2b7-619a7db59603')
+    def test_list_volume_transfers(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.client.list_volume_transfers()
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="volume:accept_transfer")
+    @decorators.idempotent_id('987f2a11-d657-4984-a6c9-28f06c1cd014')
+    def test_accept_volume_transfer(self):
+        transfer = self.client.create_volume_transfer(
+            volume_id=self.volume['id'])['transfer']
+        self.addCleanup(self._delete_transfer, transfer)
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.client.accept_volume_transfer(transfer['id'],
+                                           auth_key=transfer['auth_key'])
+
+
+class VolumesTransfersV3RbacTest(VolumesTransfersRbacTest):
+    _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
new file mode 100644
index 0000000..32a1566
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -0,0 +1,101 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
+
+    @classmethod
+    def skip_checks(cls):
+        super(VolumesBackupsRbacTest, cls).skip_checks()
+        if not CONF.volume_feature_enabled.backup:
+            raise cls.skipException("Cinder backup feature disabled")
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(VolumesBackupsRbacTest, self).tearDown()
+
+    def create_backup(self, volume_id):
+        backup_name = data_utils.rand_name(
+            self.__class__.__name__ + '-Backup')
+        backup = self.backups_client.create_backup(
+            volume_id=volume_id, name=backup_name)['backup']
+        self.addCleanup(self.backups_client.delete_backup, backup['id'])
+        waiters.wait_for_backup_status(self.backups_client, backup['id'],
+                                       'available')
+        return backup
+
+    @classmethod
+    def resource_setup(cls):
+        super(VolumesBackupsRbacTest, cls).resource_setup()
+        cls.volume = cls.create_volume()
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="backup:create")
+    @decorators.idempotent_id('6887ec94-0bcf-4ab7-b30f-3808a4b5a2a5')
+    def test_volume_backup_create(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.create_backup(volume_id=self.volume['id'])
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="backup:get")
+    @decorators.idempotent_id('abd92bdd-b0fb-4dc4-9cfc-de9e968f8c8a')
+    def test_volume_backup_get(self):
+        # Create a temp backup
+        backup = self.create_backup(volume_id=self.volume['id'])
+        # Get a given backup
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.backups_client.show_backup(backup['id'])
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="backup:get_all")
+    @decorators.idempotent_id('4d18f0f0-7e01-4007-b622-dedc859b22f6')
+    def test_volume_backup_list(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.backups_client.list_backups()
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="backup:restore")
+    @decorators.idempotent_id('9c794bf9-2446-4f41-8fe0-80b71e757f9d')
+    def test_volume_backup_restore(self):
+        # Create a temp backup
+        backup = self.create_backup(volume_id=self.volume['id'])
+        # Restore backup
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.backups_client.restore_backup(backup['id'])['restore']
+
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="backup:delete")
+    @decorators.idempotent_id('d5d0c6a2-413d-437e-a73f-4bf2b41a20ed')
+    def test_volume_backup_delete(self):
+        # Create a temp backup
+        backup = self.create_backup(volume_id=self.volume['id'])
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        # Delete backup
+        self.backups_client.delete_backup(backup['id'])
+
+
+class VolumesBackupsV3RbacTest(VolumesBackupsRbacTest):
+    _api_version = 3
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index 0fe31a5..d86d91c 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Glance Release Notes documentation build configuration file, created by
-# sphinx-quickstart on Tue Nov  3 17:40:50 2015.
+# Patrole Release Notes documentation build configuration file, created by
+# sphinx-quickstart on Tue Jan 5 17:40:50 2017.
 #
 # This file is execfile()d with the current directory set to its
 # containing dir.
@@ -56,7 +56,7 @@
 
 # General information about the project.
 project = u'patrole Release Notes'
-copyright = u'2016, OpenStack Foundation'
+copyright = u'2017, Patrole Developers'
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
@@ -189,7 +189,7 @@
 # html_file_suffix = None
 
 # Output file base name for HTML help builder.
-htmlhelp_basename = 'GlanceReleaseNotesdoc'
+htmlhelp_basename = 'PatroleReleaseNotesdoc'
 
 
 # -- Options for LaTeX output ---------------------------------------------
@@ -209,8 +209,9 @@
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
-    ('index', 'GlanceReleaseNotes.tex', u'Glance Release Notes Documentation',
-     u'Glance Developers', 'manual'),
+    ('index', 'PatroleReleaseNotes.tex',
+     u'Patrole Release Notes Documentation',
+     u'Patrole Developers', 'manual'),
 ]
 
 # The name of an image file (relative to this directory) to place at the top of
@@ -239,8 +240,8 @@
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
-    ('index', 'glancereleasenotes', u'Glance Release Notes Documentation',
-     [u'Glance Developers'], 1)
+    ('index', 'patrolereleasenotes', u'Patrole Release Notes Documentation',
+     [u'Patrole Developers'], 1)
 ]
 
 # If true, show URL addresses after external links.
@@ -253,8 +254,8 @@
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
-    ('index', 'GlanceReleaseNotes', u'Glance Release Notes Documentation',
-     u'Glance Developers', 'GlanceReleaseNotes',
+    ('index', 'PatroleReleaseNotes', u'Patrole Release Notes Documentation',
+     u'Patrole Developers', 'PatroleReleaseNotes',
      'One line description of project.',
      'Miscellaneous'),
 ]
diff --git a/tests/resources/alt_admin_rbac_policy.json b/tests/resources/alt_admin_rbac_policy.json
new file mode 100644
index 0000000..bf07182
--- /dev/null
+++ b/tests/resources/alt_admin_rbac_policy.json
@@ -0,0 +1,5 @@
+{
+	"context_is_admin": "role:super_admin",
+	"admin_rule": "role:super_admin",
+	"non_admin_rule": "role:fake_admin"
+}
diff --git a/tests/resources/tenant_rbac_policy.json b/tests/resources/tenant_rbac_policy.json
new file mode 100644
index 0000000..2647e4d
--- /dev/null
+++ b/tests/resources/tenant_rbac_policy.json
@@ -0,0 +1,6 @@
+{
+	"rule1": "tenant_id:%(network:tenant_id)s",
+	"rule2": "tenant_id:%(tenant_id)s",
+	"rule3": "project_id:%(project_id)s",
+	"admin_rule": "role:admin and tenant_id:%(tenant_id)s"
+}
\ No newline at end of file
diff --git a/tests/test_rbac_role_converter.py b/tests/test_rbac_role_converter.py
index 04eb626..09fa081 100644
--- a/tests/test_rbac_role_converter.py
+++ b/tests/test_rbac_role_converter.py
@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import mock
 import os
 
 from tempest import config
@@ -35,8 +36,15 @@
         self.admin_policy_file = os.path.join(current_directory,
                                               'resources',
                                               'admin_rbac_policy.json')
+        self.alt_admin_policy_file = os.path.join(current_directory,
+                                                  'resources',
+                                                  'alt_admin_rbac_policy.json')
+        self.tenant_policy_file = os.path.join(current_directory,
+                                               'resources',
+                                               'tenant_rbac_policy.json')
 
-    def test_custom_policy(self):
+    @mock.patch.object(rbac_role_converter, 'LOG', autospec=True)
+    def test_custom_policy(self, m_log):
         default_roles = ['zero', 'one', 'two', 'three', 'four',
                          'five', 'six', 'seven', 'eight', 'nine']
 
@@ -56,7 +64,10 @@
         fake_rule = 'fake_rule'
 
         for role in default_roles:
-            self.assertRaises(KeyError, converter.allowed, fake_rule, role)
+            self.assertFalse(converter.allowed(fake_rule, role))
+            m_log.debug.assert_called_once_with(
+                "{0} not found in policy file.".format('fake_rule'))
+            m_log.debug.reset_mock()
 
         for rule, role_list in expected.items():
             for role in role_list:
@@ -70,10 +81,9 @@
 
         role = 'admin'
         allowed_rules = [
-            'admin_rule'
+            'admin_rule', 'is_admin_rule', 'alt_admin_rule'
         ]
-        disallowed_rules = [
-            'is_admin_rule', 'alt_admin_rule', 'non_admin_rule']
+        disallowed_rules = ['non_admin_rule']
 
         for rule in allowed_rules:
             allowed = converter.allowed(rule, role)
@@ -101,3 +111,72 @@
         for rule in disallowed_rules:
             allowed = converter.allowed(rule, role)
             self.assertFalse(allowed)
+
+    def test_admin_policy_file_with_context_is_admin(self):
+        converter = rbac_role_converter.RbacPolicyConverter(
+            None, "test", self.alt_admin_policy_file)
+
+        role = 'fake_admin'
+        allowed_rules = ['non_admin_rule']
+        disallowed_rules = ['admin_rule']
+
+        for rule in allowed_rules:
+            allowed = converter.allowed(rule, role)
+            self.assertTrue(allowed)
+
+        for rule in disallowed_rules:
+            allowed = converter.allowed(rule, role)
+            self.assertFalse(allowed)
+
+        role = 'super_admin'
+        allowed_rules = ['admin_rule']
+        disallowed_rules = ['non_admin_rule']
+
+        for rule in allowed_rules:
+            allowed = converter.allowed(rule, role)
+            self.assertTrue(allowed)
+
+        for rule in disallowed_rules:
+            allowed = converter.allowed(rule, role)
+            self.assertFalse(allowed)
+
+    def test_tenant_policy(self):
+        """Test whether rules with format tenant_id:%(tenant_id)s work.
+
+        Test whether Neutron rules that contain project_id, tenant_id, and
+        network:tenant_id pass.
+        """
+        test_tenant_id = mock.sentinel.tenant_id
+        converter = rbac_role_converter.RbacPolicyConverter(
+            test_tenant_id, "test", self.tenant_policy_file)
+
+        # Check whether Member role can perform expected actions.
+        allowed_rules = ['rule1', 'rule2', 'rule3']
+        for rule in allowed_rules:
+            allowed = converter.allowed(rule, 'Member')
+            self.assertTrue(allowed)
+        self.assertFalse(converter.allowed('admin_rule', 'Member'))
+
+        # Check whether admin role can perform expected actions.
+        allowed_rules.append('admin_rule')
+        for rule in allowed_rules:
+            allowed = converter.allowed(rule, 'admin')
+            self.assertTrue(allowed)
+
+        # Check whether _try_rule is called with the correct target dictionary.
+        with mock.patch.object(converter, '_try_rule', autospec=True) \
+            as mock_try_rule:
+            mock_try_rule.return_value = True
+
+            expected_target = {
+                "project_id": test_tenant_id,
+                "tenant_id": test_tenant_id,
+                "network:tenant_id": test_tenant_id
+            }
+
+            for rule in allowed_rules:
+                allowed = converter.allowed(rule, 'Member')
+                self.assertTrue(allowed)
+                mock_try_rule.assert_called_once_with(
+                    rule, expected_target, mock.ANY, mock.ANY)
+                mock_try_rule.reset_mock()