Merge "Compute API Compute Flavor Extra Specs Test."
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index 6ee1528..94e6aef 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -25,5 +25,5 @@
" Patrole tests."),
cfg.BoolOpt('rbac_flag',
default=False,
- help="Enables RBAC tests."),
+ help="Enables RBAC tests.")
]
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/__init__.py b/patrole_tempest_plugin/tests/api/compute/admin/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/admin/__init__.py
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
new file mode 100644
index 0000000..953f518
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
@@ -0,0 +1,69 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import testtools
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+CONF = config.CONF
+
+
+class PasswordAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(PasswordAdminRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(PasswordAdminRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(PasswordAdminRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @classmethod
+ def resource_setup(cls):
+ super(PasswordAdminRbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+ @testtools.skipUnless(CONF.compute_feature_enabled.change_password,
+ 'Change password not available.')
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-admin-password")
+ @decorators.idempotent_id('908a7d59-3a66-441c-94cf-38e57ed14956')
+ def test_change_server_password(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.change_password(
+ self.server_id,
+ adminPass=data_utils.rand_password())
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-admin-password:discoverable")
+ @decorators.idempotent_id('379fce8a-f1ff-11e6-bc64-92361f002671')
+ def test_admin_password_discoverable(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.extensions_client.show_extension('os-admin-password')
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
new file mode 100644
index 0000000..c49ba82
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
@@ -0,0 +1,83 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+CONF = config.CONF
+
+
+class ServersAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ServersAdminRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(ServersAdminRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(ServersAdminRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @classmethod
+ def resource_setup(cls):
+ super(ServersAdminRbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:reset_state")
+ @decorators.idempotent_id('ae84dd0b-f364-462e-b565-3457f9c019ef')
+ def test_reset_server_state(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.reset_state(self.server_id, state='error')
+ self.addCleanup(self.client.reset_state,
+ self.server_id,
+ state='active')
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:inject_network_info")
+ @decorators.idempotent_id('ce48c340-51c1-4cff-9b6e-0cc5ef008630')
+ def test_inject_network_info(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.inject_network_info(self.server_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:reset_network")
+ @decorators.idempotent_id('2911a242-15c4-4fcb-80d5-80a8930661b0')
+ def test_reset_network(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.reset_network(self.server_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:discoverable")
+ @decorators.idempotent_id('e9d2991f-a05e-4116-881b-e2a82bb173cf')
+ def test_admin_actions_discoverable(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.extensions_client.show_extension('os-admin-actions')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
new file mode 100644
index 0000000..b1e1b11
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
@@ -0,0 +1,130 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(AggregatesRbacTest, self).tearDown()
+
+ @classmethod
+ def skip_checks(cls):
+ super(AggregatesRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @classmethod
+ def setup_clients(cls):
+ super(AggregatesRbacTest, cls).setup_clients()
+ cls.hosts_client = cls.os.hosts_client
+
+ def _create_aggregate(self):
+ agg_name = data_utils.rand_name('aggregate')
+ aggregate = self.aggregates_client.create_aggregate(name=agg_name)
+ aggregate_id = aggregate['aggregate']['id']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.aggregates_client.delete_aggregate,
+ aggregate_id)
+ return aggregate_id
+
+ def _add_host_to_aggregate(self, aggregate_id):
+ host_name = self.hosts_client.list_hosts()['hosts'][0]['host_name']
+ self.aggregates_client.add_host(aggregate_id, host=host_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.aggregates_client.remove_host,
+ aggregate_id,
+ host=host_name)
+ return host_name
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-aggregates:create")
+ @decorators.idempotent_id('ba754393-896e-434a-9704-452ff4a84f3f')
+ def test_create_aggregate_rbac(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_aggregate()
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-aggregates:show")
+ @decorators.idempotent_id('8fb0b749-b120-4727-b3fb-bcfa3fa6f55b')
+ def test_show_aggregate_rbac(self):
+ aggregate_id = self._create_aggregate()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.aggregates_client.show_aggregate(aggregate_id)
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-aggregates:index")
+ @decorators.idempotent_id('146284da-5dd6-4c97-b598-42b480f014c6')
+ def test_list_aggregate_rbac(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.aggregates_client.list_aggregates()['aggregates']
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-aggregates:update")
+ @decorators.idempotent_id('c94e0d69-99b6-477e-b301-2cd0e9d0ad81')
+ def test_update_aggregate_rbac(self):
+ aggregate_id = self._create_aggregate()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ new_name = data_utils.rand_name('aggregate')
+ self.aggregates_client.update_aggregate(aggregate_id, name=new_name)
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-aggregates:delete")
+ @decorators.idempotent_id('5a50c5a6-0f12-4405-a1ce-2288ae895ea6')
+ def test_delete_aggregate_rbac(self):
+ aggregate_id = self._create_aggregate()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.aggregates_client.delete_aggregate(aggregate_id)
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-aggregates:add_host")
+ @decorators.idempotent_id('97e6e9df-5291-4faa-8147-755b2d1f1ce2')
+ def test_add_host_to_aggregate_rbac(self):
+ aggregate_id = self._create_aggregate()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._add_host_to_aggregate(aggregate_id)
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-aggregates:remove_host")
+ @decorators.idempotent_id('5b035a25-75d2-4d72-b4d6-0f0337335628')
+ def test_remove_host_from_aggregate_rbac(self):
+ aggregate_id = self._create_aggregate()
+ host_name = self._add_host_to_aggregate(aggregate_id)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.aggregates_client.remove_host(aggregate_id, host=host_name)
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-aggregates:set_metadata")
+ @decorators.idempotent_id('ed6f3849-065c-4ae9-a81e-6ad7ed0d3d9d')
+ def test_set_metadata_on_aggregate_rbac(self):
+ aggregate_id = self._create_aggregate()
+ rand_key = data_utils.rand_name('key')
+ rand_val = data_utils.rand_name('val')
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.aggregates_client.set_metadata(
+ aggregate_id,
+ metadata={rand_key: rand_val})
diff --git a/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
new file mode 100644
index 0000000..8465add
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
@@ -0,0 +1,49 @@
+# Copyright 2017 AT&T Corporation.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class NovaAvailabilityZoneRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(NovaAvailabilityZoneRbacTest, self).tearDown()
+
+ @classmethod
+ def skip_checks(cls):
+ super(NovaAvailabilityZoneRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @rbac_rule_validation.action(service="nova", rule="os_compute_api:"
+ "os-availability-zone:list")
+ @decorators.idempotent_id('cd34e7ea-d26e-4fa3-a8d0-f8883726ce3d')
+ def test_get_availability_zone_list_rbac(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.os.availability_zone_client.list_availability_zones()
+
+ @rbac_rule_validation.action(service="nova", rule="os_compute_api:"
+ "os-availability-zone:detail")
+ @decorators.idempotent_id('2f61c191-6ece-4f21-b487-39d749e3d38e')
+ def test_get_availability_zone_list_detail_rbac(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.os.availability_zone_client.list_availability_zones(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
new file mode 100644
index 0000000..ccd3873
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
@@ -0,0 +1,57 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class FloatingIpsBulkRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ # Tests will fail with a 404 starting from microversion 2.36, according to:
+ # https://developer.openstack.org/api-ref/
+ # compute/?expanded=list-floating-ips-detail
+ max_microversion = '2.35'
+
+ @classmethod
+ def setup_clients(cls):
+ super(FloatingIpsBulkRbacTest, cls).setup_clients()
+ cls.client = cls.os.floating_ips_bulk_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(FloatingIpsBulkRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-floating-ips-bulk', 'compute'):
+ msg = "%s skipped as os-floating-ips-bulk extension not enabled." \
+ % cls.__name__
+ raise cls.skipException(msg)
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(FloatingIpsBulkRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('3b5c8a02-005d-4256-8a95-6fa2f389c6cf')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-floating-ips-bulk")
+ def test_list_floating_ips_bulk(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_floating_ips_bulk()['floating_ip_info']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
new file mode 100644
index 0000000..ea5a346
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
@@ -0,0 +1,57 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class FloatingIpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ # Tests will fail with a 404 starting from microversion 2.36, according to:
+ # https://developer.openstack.org/api-ref/
+ # compute/?expanded=list-floating-ip-addresses-detail
+ max_microversion = '2.35'
+
+ @classmethod
+ def setup_clients(cls):
+ super(FloatingIpsRbacTest, cls).setup_clients()
+ cls.client = cls.floating_ips_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(FloatingIpsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-floating-ips', 'compute'):
+ msg = "%s skipped as os-floating-ips extension not enabled." \
+ % cls.__name__
+ raise cls.skipException(msg)
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(FloatingIpsRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('ac1b3053-f755-4cda-85a0-30e88b88d7ba')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-floating-ips")
+ def test_list_floating_ips(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_floating_ips()['floating_ips']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
new file mode 100644
index 0000000..b37f74f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
@@ -0,0 +1,50 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+class InstanceUsagesAuditLogAdminRbacTest(
+ rbac_base.BaseV2ComputeAdminRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(InstanceUsagesAuditLogAdminRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-instance-usage-audit-log',
+ 'compute'):
+ msg = "os-instance-usage-audit-log extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def setup_clients(cls):
+ super(InstanceUsagesAuditLogAdminRbacTest, cls).setup_clients()
+ cls.client = cls.instance_usages_audit_log_client
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(InstanceUsagesAuditLogAdminRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('c80246c0-5c13-4ab0-97ba-91551cd53dc1')
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-instance-usage-audit-log")
+ def test_list_instance_usage_audit_logs(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_instance_usage_audit_logs()
+ ["instance_usage_audit_logs"]
diff --git a/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
new file mode 100644
index 0000000..1bb5100
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
@@ -0,0 +1,65 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = cfg.CONF
+
+
+class TenantNetworksRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ # Tests will fail with a 404 starting from microversion 2.36, according to:
+ # https://developer.openstack.org/api-ref/
+ # compute/?expanded=list-project-networks-detail
+ max_microversion = '2.35'
+
+ @classmethod
+ def setup_clients(cls):
+ super(TenantNetworksRbacTest, cls).setup_clients()
+ cls.client = cls.os.tenant_networks_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(TenantNetworksRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-tenant-networks', 'compute'):
+ msg = "os-tenant-networks extension not enabled."
+ raise cls.skipException(msg)
+ if not CONF.service_available.neutron:
+ raise cls.skipException(
+ '%s skipped as Neutron is required' % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ cls.set_network_resources(network=True)
+ super(TenantNetworksRbacTest, cls).setup_credentials()
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(TenantNetworksRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('42b39ba1-14aa-4799-9518-34367d0da67a')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-tenant-networks")
+ def test_list_show_tenant_networks(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_tenant_networks()['networks']
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
index 1e29023..a830493 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
@@ -57,3 +57,23 @@
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.services_client.delete_service, service['id'])
return service
+
+ def _setup_test_project(self):
+ """Set up a test project."""
+ project = self.projects_client.create_project(
+ name=data_utils.rand_name('test_project'),
+ description=data_utils.rand_name('desc'))['project']
+ # Delete the project at the end of the test
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.projects_client.delete_project, project['id'])
+ return project
+
+ def _create_test_user(self, **kwargs):
+ if kwargs['password'] is None:
+ user_password = data_utils.rand_password()
+ kwargs['password'] = user_password
+ user = self.users_client.create_user(**kwargs)['user']
+ # Delete the user at the end of the test
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.users_client.delete_user, user['id'])
+ return user
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
index 45abe9f..3428e7f 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -14,6 +14,7 @@
# under the License.
from tempest.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
@@ -44,7 +45,9 @@
blob=blob,
type='ec2')['credential']
- self.addCleanup(self.creds_client.delete_credential, credential['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.creds_client.delete_credential, credential['id'])
+
return (project_id, credential)
@rbac_rule_validation.action(service="keystone",
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
index 9af2ccf..c347e56 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
@@ -54,7 +54,7 @@
RBAC test for Keystone: identity:update_project
"""
- project = self.setup_test_project()
+ project = self._setup_test_project()
rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_projects_client \
@@ -69,7 +69,7 @@
RBAC test for Keystone: identity:delete_project
"""
- project = self.setup_test_project()
+ project = self._setup_test_project()
rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_projects_client.delete_project(project['id'])
@@ -82,7 +82,7 @@
RBAC test for Keystone: identity:get_project
"""
- project = self.setup_test_project()
+ project = self._setup_test_project()
rbac_utils.switch_role(self, switchToRbacRole=True)
self.non_admin_projects_client.show_project(project['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index eb5c42a..3faa696 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -97,6 +97,7 @@
return network
def _update_network(self,
+ net_id=None,
admin=None,
shared_network=None,
router_external=None,
@@ -104,7 +105,8 @@
segments=None):
# update a network that has been created during class setup
- net_id = self.admin_network['id']
+ if not net_id:
+ net_id = self.admin_network['id']
post_body = {}
updated_network = None
@@ -180,20 +182,6 @@
@rbac_rule_validation.action(
service="neutron",
- rule="create_network:provider:physical_network")
- @decorators.idempotent_id('f458033b-2d52-4fd1-86db-e31e111d6fac')
- def test_create_network_provider_physical_network(self):
-
- """Create Provider Physical Network Test
-
- RBAC test for the neutron create_network:provider:physical_network
- """
- rbac_utils.switch_role(self, switchToRbacRole=True)
- self._create_network(provider_network_type='flat',
- provider_physical_network='ph-eth0')
-
- @rbac_rule_validation.action(
- service="neutron",
rule="create_network:provider:segmentation_id")
@decorators.idempotent_id('b9decb7b-68ef-4504-b99b-41edbf7d2af5')
def test_create_network_provider_segmentation_id(self):
@@ -249,13 +237,9 @@
RBAC test for the neutron update_network:router:external policy
"""
+ network = self._create_network()
rbac_utils.switch_role(self, switchToRbacRole=True)
- updated_network = self._update_network(router_external=True)
- self.assertEqual(updated_network['router:external'], True)
-
- # Revert back to False
- updated_network = self._update_network(router_external=False)
- self.assertEqual(updated_network['router:external'], False)
+ self._update_network(net_id=network['id'], router_external=True)
@rbac_rule_validation.action(service="neutron",
rule="get_network")
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
index 5d889e8..093e2bc 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
@@ -46,7 +46,7 @@
# Test volume reset status : available->error->available
rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.reset_volume_status(volume['id'], status='error')
- self.client.reset_volume_status(volume['id'], status='availble')
+ self.client.reset_volume_status(volume['id'], status='available')
@rbac_rule_validation.action(
service="cinder",