Fix gate for multiple issues
1. To have mock installed for unit tests
unit tests jobs use tempest version released in pypi
which has use of mock but in recent changed mock requirement
is removed from requirements file and it end up failing.
- https://zuul.opendev.org/t/openstack/build/c3a33c501c054db9b1eecedb7d4b2c48
Let's add mock into the requirement file to be installed for unit tests
job until we bump the min version of tempest to latest.
2. Nova policy granular work
https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh-deprecated-apis+(status:open+OR+status:merged)
Adding new flag to handle the policy changed in Victoria.
Depends-On: https://review.opendev.org/#/c/745158/
Change-Id: I3683cca390b44146c217ce8600f63a9894057058
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 9daf285..32c6562 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -47,6 +47,7 @@
# TODO(rb560u): Remove this once stable/pike becomes EOL.
# These policies were removed in Ussuri but are available in Pike.
iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_ussuri False
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_victoria False
fi
if [[ ${DEVSTACK_SERIES} == 'queens' ]]; then
@@ -74,6 +75,7 @@
# TODO(rb560u): Remove this once stable/queens becomes EOL.
# These policies were removed in Ussuri but are available in Queens.
iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_ussuri False
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_victoria False
fi
if [[ ${DEVSTACK_SERIES} == 'rocky' ]]; then
@@ -91,6 +93,7 @@
# TODO(rb560u): Remove this once stable/rocky becomes EOL.
# These policies were removed in Ussuri but are available in Rocky.
iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_ussuri False
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_victoria False
fi
if [[ ${DEVSTACK_SERIES} == 'stein' ]]; then
@@ -103,11 +106,18 @@
# TODO(rb560u): Remove this once stable/stein becomes EOL.
# These policies were removed in Ussuri but are available in Stein.
iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_ussuri False
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_victoria False
fi
if [[ ${DEVSTACK_SERIES} == 'train' ]]; then
# Remove this once stable/train becomes EOL.
iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_ussuri False
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_victoria False
+ fi
+
+ if [[ ${DEVSTACK_SERIES} == 'ussuri' ]]; then
+ # Remove this once stable/ussuri becomes EOL.
+ iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_victoria False
fi
iniset $TEMPEST_CONFIG patrole rbac_test_roles $RBAC_TEST_ROLES
diff --git a/lower-constraints.txt b/lower-constraints.txt
index a442ffc..c874f08 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -26,6 +26,7 @@
linecache2==1.0.0
MarkupSafe==1.0
mccabe==0.2.1
+mock==2.0.0
monotonic==1.4
mox3==0.25.0
msgpack==0.5.6
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index b087148..41d824d 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -194,7 +194,12 @@
default=True,
help="""Are the Nova API policies available in the
cloud (e.g. os_compute_api:os-services)? These policies were
-changed in Ussuri.""")
+changed in Ussuri."""),
+ cfg.BoolOpt('changed_nova_policies_victoria',
+ default=True,
+ help="""Are the Nova deprecated API policies available in the
+cloud (e.g. os_compute_api:os-networks)? These policies were
+changed in Victoria.""")
]
diff --git a/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
index 1dbf792..5a598e0 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
@@ -14,11 +14,21 @@
# under the License.
from tempest.common import utils
+from tempest import config
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_nova_policies_victoria:
+ _HOSTS_LIST = "os_compute_api:os-hosts:list"
+ _HOSTS_SHOW = "os_compute_api:os-hosts:show"
+else:
+ _HOSTS_LIST = "os_compute_api:os-hosts"
+ _HOSTS_SHOW = "os_compute_api:os-hosts"
+
class HostsRbacTest(rbac_base.BaseV2ComputeRbacTest):
# These tests will fail with a 404 starting from microversion 2.43:
@@ -36,7 +46,7 @@
@decorators.idempotent_id('035b7935-2fae-4218-8d37-27fa83097494')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-hosts"])
+ rules=[_HOSTS_LIST])
def test_list_hosts(self):
with self.override_role():
self.hosts_client.list_hosts()
@@ -44,7 +54,7 @@
@decorators.idempotent_id('bc10d8b4-d2c3-4d4e-9d2b-31d1bd3e1b51')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-hosts"])
+ rules=[_HOSTS_SHOW])
def test_show_host_details(self):
hosts = self.hosts_client.list_hosts()['hosts']
hosts = [host for host in hosts if host['service'] == 'compute']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
index f81262a..cf19bef 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -32,6 +32,19 @@
_SG_ADD = "os_compute_api:os-security-groups"
_SG_REMOVE = "os_compute_api:os-security-groups"
+if CONF.policy_feature_enabled.changed_nova_policies_victoria:
+ _SG_GET = "os_compute_api:os-security-groups:get"
+ _SG_SHOW = "os_compute_api:os-security-groups:show"
+ _SG_CREATE = "os_compute_api:os-security-groups:create"
+ _SG_UPDATE = "os_compute_api:os-security-groups:update"
+ _SG_DELETE = "os_compute_api:os-security-groups:delete"
+else:
+ _SG_GET = "os_compute_api:os-security-groups"
+ _SG_SHOW = "os_compute_api:os-security-groups"
+ _SG_CREATE = "os_compute_api:os-security-groups"
+ _SG_UPDATE = "os_compute_api:os-security-groups"
+ _SG_DELETE = "os_compute_api:os-security-groups"
+
class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
"""Tests non-deprecated security group policies. Requires network service.
@@ -128,7 +141,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_GET])
@decorators.idempotent_id('4ac58e49-48c1-4fca-a6c3-3f95fb99eb77')
def test_list_security_groups(self):
with self.override_role():
@@ -136,7 +149,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_CREATE])
@decorators.idempotent_id('e8fe7f5a-69ee-412d-81d3-a8c7a488b54d')
def test_create_security_groups(self):
with self.override_role():
@@ -144,7 +157,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_DELETE])
@decorators.idempotent_id('59127e8e-302d-11e7-93ae-92361f002671')
def test_delete_security_groups(self):
sec_group_id = self.create_security_group()['id']
@@ -153,7 +166,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_UPDATE])
@decorators.idempotent_id('3de5c6bc-b822-469e-a627-82427d38b067')
def test_update_security_groups(self):
sec_group_id = self.create_security_group()['id']
@@ -166,7 +179,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_SHOW])
@decorators.idempotent_id('6edc0320-302d-11e7-93ae-92361f002671')
def test_show_security_groups(self):
sec_group_id = self.create_security_group()['id']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
index 95544b4..a39b367 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -46,6 +46,11 @@
_SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password"
_SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password"
+if CONF.policy_feature_enabled.changed_nova_policies_victoria:
+ _MULTINIC_ADD = "os_compute_api:os-multinic:add"
+else:
+ _MULTINIC_ADD = "os_compute_api:os-multinic"
+
class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
"""Test multiple policy actions that require a server to be created.
@@ -763,7 +768,7 @@
"Interface attachment is not available.")
@utils.requires_ext(extension='os-multinic', service='compute')
@rbac_rule_validation.action(
- service="nova", rules=["os_compute_api:os-multinic"])
+ service="nova", rules=[_MULTINIC_ADD])
@decorators.idempotent_id('bd3e2c74-130a-40f0-8085-124d93fe67da')
def test_add_fixed_ip(self):
"""Test add fixed ip to server network, part of os-multinic."""
@@ -797,5 +802,7 @@
if fixed_ip is not None:
break
# Remove the fixed IP from server.
- self.servers_client.remove_fixed_ip(self.server['id'],
- address=fixed_ip)
+ # TODO(gmann): separate the remve fixded ip test as it has
+ # separate policy now.
+ # self.servers_client.remove_fixed_ip(self.server['id'],
+ # address=fixed_ip)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
index f41253d..a71901c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
@@ -23,6 +23,11 @@
CONF = config.CONF
+if CONF.policy_feature_enabled.changed_nova_policies_victoria:
+ _TENANT_NET_LIST = "os_compute_api:os-tenant-networks:list"
+else:
+ _TENANT_NET_LIST = "os_compute_api:os-tenant-networks"
+
class TenantNetworksRbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -54,7 +59,7 @@
@decorators.idempotent_id('42b39ba1-14aa-4799-9518-34367d0da67a')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-tenant-networks"])
+ rules=[_TENANT_NET_LIST])
def test_list_show_tenant_networks(self):
with self.override_role():
self.tenant_networks_client.list_tenant_networks()
diff --git a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
index 97b2579..1d1b06a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
@@ -25,6 +25,25 @@
CONF = config.CONF
+if CONF.policy_feature_enabled.changed_nova_policies_victoria:
+ _VOLUME_LIST = "os_compute_api:os-volumes:list"
+ _VOLUME_CREATE = "os_compute_api:os-volumes:create"
+ _VOLUME_SHOW = "os_compute_api:os-volumes:show"
+ _VOLUME_DELETE = "os_compute_api:os-volumes:delete"
+ _SNAPSHOT_LIST = "os_compute_api:os-volumes:snapshots:list"
+ _SNAPSHOT_CREATE = "os_compute_api:os-volumes:snapshots:create"
+ _SNAPSHOT_SHOW = "os_compute_api:os-volumes:snapshots:show"
+ _SNAPSHOT_DELETE = "os_compute_api:os-volumes:snapshots:delete"
+else:
+ _VOLUME_LIST = "os_compute_api:os-volumes"
+ _VOLUME_CREATE = "os_compute_api:os-volumes"
+ _VOLUME_SHOW = "os_compute_api:os-volumes"
+ _VOLUME_DELETE = "os_compute_api:os-volumes"
+ _SNAPSHOT_LIST = "os_compute_api:os-volumes"
+ _SNAPSHOT_CREATE = "os_compute_api:os-volumes"
+ _SNAPSHOT_SHOW = "os_compute_api:os-volumes"
+ _SNAPSHOT_DELETE = "os_compute_api:os-volumes"
+
class VolumeRbacTest(rbac_base.BaseV2ComputeRbacTest):
"""RBAC tests for the Nova Volume client."""
@@ -60,7 +79,7 @@
@decorators.idempotent_id('2402013e-a624-43e3-9518-44a5d1dbb32d')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-volumes"])
+ rules=[_VOLUME_CREATE])
def test_create_volume(self):
with self.override_role():
volume = self.volumes_extensions_client.create_volume(
@@ -73,7 +92,7 @@
@decorators.idempotent_id('69b3888c-dff2-47b0-9fa4-0672619c9054')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-volumes"])
+ rules=[_VOLUME_LIST])
def test_list_volumes(self):
with self.override_role():
self.volumes_extensions_client.list_volumes()
@@ -81,7 +100,7 @@
@decorators.idempotent_id('4ba0a820-040f-488b-86bb-be2e920ea12c')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-volumes"])
+ rules=[_VOLUME_SHOW])
def test_show_volume(self):
with self.override_role():
self.volumes_extensions_client.show_volume(self.volume['id'])
@@ -89,7 +108,7 @@
@decorators.idempotent_id('6e7870f2-1bb2-4b58-96f8-6782071ef327')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-volumes"])
+ rules=[_VOLUME_DELETE])
def test_delete_volume(self):
volume = self.create_volume()
with self.override_role():
@@ -98,7 +117,7 @@
@decorators.idempotent_id('0c3eaa4f-69d6-4a13-9dda-19585f36b1c1')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-volumes"])
+ rules=[_SNAPSHOT_CREATE])
def test_create_snapshot(self):
s_name = data_utils.rand_name(self.__class__.__name__ + '-Snapshot')
with self.override_role():
@@ -110,7 +129,7 @@
@decorators.idempotent_id('e944e816-416c-11e7-a919-92ebcb67fe33')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-volumes"])
+ rules=[_SNAPSHOT_LIST])
def test_list_snapshots(self):
with self.override_role():
self.snapshots_extensions_client.list_snapshots()
@@ -118,7 +137,7 @@
@decorators.idempotent_id('19c2e6bd-585b-472f-a8d7-71ea9299c655')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-volumes"])
+ rules=[_SNAPSHOT_SHOW])
def test_show_snapshot(self):
s_name = data_utils.rand_name(self.__class__.__name__ + '-Snapshot')
snapshot = self.snapshots_extensions_client.create_snapshot(
@@ -131,7 +150,7 @@
@decorators.idempotent_id('f4f5635c-416c-11e7-a919-92ebcb67fe33')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-volumes"])
+ rules=[_SNAPSHOT_DELETE])
def test_delete_snapshot(self):
s_name = data_utils.rand_name(self.__class__.__name__ + '-Snapshot')
snapshot = self.snapshots_extensions_client.create_snapshot(
diff --git a/patrole_tempest_plugin/tests/api/image/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/test_images_rbac.py
index 3e8abdb..00292b9 100644
--- a/patrole_tempest_plugin/tests/api/image/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/test_images_rbac.py
@@ -15,12 +15,15 @@
import six
+from oslo_log import log as logging
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.image import rbac_base
+LOG = logging.getLogger(__name__)
+
class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
@@ -38,7 +41,10 @@
return image
def _upload_image(self, image_id):
- image_file = six.BytesIO(data_utils.random_bytes())
+ file_content = data_utils.random_bytes()
+ LOG.debug("Image file content type %s",
+ type(file_content))
+ image_file = six.BytesIO(file_content)
return self.image_client.store_image_file(image_id, image_file)
@rbac_rule_validation.action(service="glance",
diff --git a/releasenotes/notes/changed-nova-policies-victoria-7a5f123238b099d9.yaml b/releasenotes/notes/changed-nova-policies-victoria-7a5f123238b099d9.yaml
new file mode 100644
index 0000000..8540fe7
--- /dev/null
+++ b/releasenotes/notes/changed-nova-policies-victoria-7a5f123238b099d9.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ A new policy feature flag called
+ ``[policy_feature_flag].changed_nova_policies_victoria`` has been added to
+ Patrole's config to handle Nova policies changed in Victoria. The policy
+ feature flag is applied to tests that use policies changed in Victoria,
+ including the following:
+
+ - os_compute_api:os-hosts
+ - os_compute_api:os-tenant-networks
+ - os_compute_api:os-volumes
+ - os_compute_api:os-security-groups
diff --git a/test-requirements.txt b/test-requirements.txt
index f90ecc3..11f4a60 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -8,3 +8,4 @@
nosexcover>=1.0.10 # BSD
oslotest>=3.2.0 # Apache-2.0
bandit>=1.5 # Apache-2.0
+mock>=2.0.0 # BSD