Merge "Add tests to cover segments"
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index 4dc27b9..ebc8a1d 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -22,13 +22,18 @@
 PatroleGroup = [
     cfg.StrOpt('rbac_test_role',
                default='admin',
-               help="""The current RBAC role against which to run Patrole
-tests."""),
+               help="""The current RBAC role against which to run
+Patrole tests."""),
     cfg.BoolOpt('enable_rbac',
                 default=True,
-                help="Enables RBAC tests."),
-    # TODO(rb560u): There needs to be support for reading these JSON files from
-    # other hosts. It may be possible to leverage the v3 identity policy API.
+                deprecated_for_removal=True,
+                deprecated_reason="""This is a legacy option that was
+meaningful when Patrole existed downstream as a suite of tests inside Tempest.
+Installing the Patrole plugin necessarily means that RBAC tests should be run.
+This option is paradoxical with the Tempest plugin architecture.
+""",
+                deprecated_since='R',
+                help="Enables Patrole RBAC tests."),
     cfg.ListOpt('custom_policy_files',
                 default=['/etc/%s/policy.json'],
                 help="""List of the paths to search for policy files. Each
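Review bot: The `# TODO(rb560u)` note about reading policy JSON files from other hosts is dropped by this hunk while `custom_policy_files` and its `/etc/%s/policy.json` default are untouched, so unless that limitation was resolved or the note was moved elsewhere in the file, it should stay above `cfg.ListOpt('custom_policy_files',`. A smaller point of style: `deprecated_reason` closes its `"""` on a line of its own, leaving a trailing newline in the reason text that none of the neighbouring help strings carry; ending the literal on the last sentence, `This option is paradoxical with the Tempest plugin architecture.""",`, keeps the generated sample config consistent.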
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 6c40aa1..02b9297 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -17,6 +17,7 @@
 import time
 
 from oslo_log import log as logging
+from oslo_log import versionutils
 from oslo_utils import excutils
 
 from tempest import clients
@@ -220,6 +221,12 @@
     @classmethod
     def skip_rbac_checks(cls):
         if not CONF.patrole.enable_rbac:
+            deprecation_msg = ("The `[patrole].enable_rbac` option is "
+                               "deprecated and will be removed in the S "
+                               "release. Patrole tests will always be enabled "
+                               "following installation of the Patrole Tempest "
+                               "plugin. Use a regex to skip tests.")
+            versionutils.report_deprecated_feature(LOG, deprecation_msg)
             raise cls.skipException(
                 'Patrole testing not enabled so skipping %s.' % cls.__name__)
 
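Review bot: The deprecation warning in `skip_rbac_checks` is only reported when `enable_rbac` is False, so deployments that explicitly keep the option at `True` in their config never see it from this code path; that is probably acceptable because `deprecated_for_removal=True` on the option should make oslo.config log its own warning whenever the option is set, but the intent deserves a comment, e.g. `# Warn here only when the option is actually disabling tests; oslo.config itself warns on any explicit setting.`. Note also that when `fatal_deprecations` is configured, `versionutils.report_deprecated_feature` is expected to raise rather than log, so the class errors before `cls.skipException` is reached instead of skipping — if that is the desired behaviour a short comment saying so would save the next reader a surprise.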
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index 5506d90..72674f6 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -110,6 +110,25 @@
 
     @rbac_rule_validation.action(service="neutron",
                                  rules=["create_network",
+                                        "create_network:is_default"],
+                                 expected_error_codes=[403, 403])
+    @decorators.idempotent_id('28602661-5ac7-407e-b739-e393f619f5e3')
+    def test_create_network_is_default(self):
+
+        """Create Is Default Network Test
+
+        RBAC test for the neutron create_network:is_default policy
+        """
+        try:
+            with self.rbac_utils.override_role(self):
+                self._create_network(is_default=True)
+        except lib_exc.Conflict as exc:
+            # A default network might already exist
+            self.assertIn('A default external network already exists',
+                          str(exc))
+
+    @rbac_rule_validation.action(service="neutron",
+                                 rules=["create_network",
                                         "create_network:shared"],
                                  expected_error_codes=[403, 403])
     @decorators.idempotent_id('ccabf2a9-28c8-44b2-80e6-ffd65d43eef2')
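Review bot: `test_create_network_is_default` leaves an empty line between `def test_create_network_is_default(self):` and its docstring, so the docstring is not the first statement pydocstyle expects (D201); the same pattern appears in `test_create_network_provider_physical_network` in the next hunk of this file, and both should drop that blank line. Separately, the `except lib_exc.Conflict` branch lets the test pass when a default external network already exists; this is only sound if the server enforces the `create_network:is_default` policy before the conflict check so that an unauthorized role still gets a 403, which is worth stating in the comment, e.g. `# A default network might already exist; policy is enforced before the conflict check, so an unauthorized role still raises Forbidden.`. If the `is_default` network attribute depends on an extension, a `@utils.requires_ext` guard like the one the file uses for provider attributes would avoid a BadRequest on clouds without it.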
@@ -141,6 +160,30 @@
     @rbac_rule_validation.action(
         service="neutron",
         rules=["create_network",
+               "create_network:provider:physical_network"],
+        expected_error_codes=[403, 403])
+    @decorators.idempotent_id('76783fed-9ff3-4499-a0d1-82d99eec364e')
+    def test_create_network_provider_physical_network(self):
+
+        """Create Network Physical Network Provider Test
+
+        RBAC test for neutron create_network:provider:physical_network policy
+        """
+        try:
+            with self.rbac_utils.override_role(self):
+                self._create_network(provider_physical_network='provider',
+                                     provider_network_type='flat')
+        except lib_exc.BadRequest as exc:
+            # There probably won't be a physical network called 'provider', but
+            # we aren't testing state of the network
+            self.assertIn("Invalid input for operation: physical_network " +
+                          "'provider' unknown for flat provider network.",
+                          str(exc))
+
+    @utils.requires_ext(extension='provider', service='network')
+    @rbac_rule_validation.action(
+        service="neutron",
+        rules=["create_network",
                "create_network:provider:network_type"],
         expected_error_codes=[403, 403])
     @decorators.idempotent_id('3c42f7b8-b80c-44ef-8fa4-69ec4b1836bc')
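Review bot: The message check in `test_create_network_provider_physical_network` pins the full neutron error string, `"Invalid input for operation: physical_network " + "'provider' unknown for flat provider network."`, which breaks on any server-side wording change although the test only cares about the policy outcome; matching a stable fragment such as `self.assertIn("physical_network 'provider' unknown", str(exc))` is more robust, and adjacent string literals concatenate implicitly so the `+` can go either way. This new test also appears to inherit a `@utils.requires_ext(extension='provider', service='network')` decorator from the line just above the hunk that previously belonged to the `provider:network_type` test (which is why that test gets a fresh one here) — worth confirming, since without the guard the `provider_physical_network` argument would be rejected where the extension is absent.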
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
index 5aff7a9..1e0a17d 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -176,6 +176,11 @@
 
 
 class VolumesBackupsV318RbacTest(rbac_base.BaseVolumeRbacTest):
+    """Validates that the ``GET /backups/{backup_id}`` and
+    ``GET /backups/details`` APIs inject the expected attribute
+    'os-backup-project-attr:project_id' into the response body following
+    successful authorization.
+    """
     _api_version = 3
     # The minimum microversion for showing 'os-backup-project-attr:project_id'
     # is 3.18.
@@ -208,6 +213,17 @@
             raise rbac_exceptions.RbacMalformedResponse(
                 attribute=self.expected_attr)
 
+    @decorators.idempotent_id('aa40b7c0-5974-48be-8cbc-e23cc61c4c68')
+    @rbac_rule_validation.action(service="cinder",
+                                 rule="backup:backup_project_attribute")
+    def test_list_backup_details_project_attribute(self):
+        with self.rbac_utils.override_role(self):
+            body = self.backups_client.list_backups(detail=True)['backups']
+
+        if self.expected_attr not in body[0]:
+            raise rbac_exceptions.RbacMalformedResponse(
+                attribute=self.expected_attr)
+
 
 class VolumesBackupsV39RbacTest(rbac_base.BaseVolumeRbacTest):
     _api_version = 3
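Review bot: `test_list_backup_details_project_attribute` indexes `body[0]` without checking that the detailed listing returned anything, so a project with no backups makes the test error with IndexError instead of reporting a clear failure; guard it first with `self.assertNotEmpty(body)`, or make sure the class creates a backup in its resource setup (which lies outside this hunk). The method also has no docstring while the class-level docstring added in the earlier hunk of this file describes the contract; a one-liner such as `"""RBAC test for cinder backup:backup_project_attribute via detailed backup listing."""` would do.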
diff --git a/releasenotes/notes/deprecate-enable-rbac-option-1e499bb0914cdee8.yaml b/releasenotes/notes/deprecate-enable-rbac-option-1e499bb0914cdee8.yaml
new file mode 100644
index 0000000..7354c4f
--- /dev/null
+++ b/releasenotes/notes/deprecate-enable-rbac-option-1e499bb0914cdee8.yaml
@@ -0,0 +1,13 @@
+---
+deprecations:
+  - |
+    The ``[patrole].enable_rbac`` option is deprecated and will be removed
+    during the "S" release. This is a legacy option that was meaningful
+    downstream when Patrole was a suite of tests inside Tempest itself. Now
+    that Patrole exists upstream as a Tempest plugin, it is paradoxical to
+    install the Patrole plugin yet have an option that allows all Patrole
+    tests to be skipped. This option is at odds with current Patrole
+    architecture.
+
+    To skip RBAC tests going forward, with Patrole Tempest plugin already
+    installed, use an appropriate regex.