Merge "Adds service_providers client tests"
diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
index f45632e..17a6c74 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
@@ -21,10 +22,54 @@
class SecurityGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ # Tests in this class will fail with a 404 from microversion 2.36,
+ # according to:
+ # https://developer.openstack.org/api-ref/compute/#security-groups-os-security-groups-deprecated
+ max_microversion = '2.35'
+
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-security-groups")
@decorators.idempotent_id('4ac58e49-48c1-4fca-a6c3-3f95fb99eb77')
- def test_server_security_groups(self):
+ def test_list_security_groups(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.security_groups_client.list_security_groups()
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('e8fe7f5a-69ee-412d-81d3-a8c7a488b54d')
+ def test_create_security_groups(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.create_security_group()['id']
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('59127e8e-302d-11e7-93ae-92361f002671')
+ def test_delete_security_groups(self):
+ sec_group_id = self.create_security_group()['id']
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.security_groups_client.delete_security_group(sec_group_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('3de5c6bc-b822-469e-a627-82427d38b067')
+ def test_update_security_groups(self):
+ sec_group_id = self.create_security_group()['id']
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ new_name = data_utils.rand_name()
+ new_desc = data_utils.rand_name()
+ self.security_groups_client.update_security_group(sec_group_id,
+ name=new_name,
+ description=new_desc)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('6edc0320-302d-11e7-93ae-92361f002671')
+ def test_show_security_groups(self):
+ sec_group_id = self.create_security_group()['id']
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.security_groups_client.show_security_group(sec_group_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
index 3c8ef69..3a2b5ec 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
@@ -17,11 +17,11 @@
from tempest.common import waiters
from tempest import config
-
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from tempest.lib import exceptions
+from tempest import test
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
@@ -36,14 +36,14 @@
@classmethod
def setup_clients(cls):
super(ComputeServersRbacTest, cls).setup_clients()
- cls.client = cls.servers_client
cls.networks_client = cls.os_primary.networks_client
+ cls.ports_client = cls.os_primary.ports_client
cls.subnets_client = cls.os_primary.subnets_client
@classmethod
def resource_setup(cls):
super(ComputeServersRbacTest, cls).resource_setup()
-
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
# Create a volume
volume_name = data_utils.rand_name(cls.__name__ + '-volume')
name_field = 'name'
@@ -66,7 +66,8 @@
self.__class__.__name__ + '-network')
network = self.networks_client.create_network(
- **{'name': network_name})['network']
+ name=network_name, port_security_enabled=True)['network']
+ self.addCleanup(self.networks_client.delete_network, network['id'])
# Create subnet for the network
subnet_name = data_utils.rand_name(self.__class__.__name__ + '-subnet')
@@ -75,11 +76,7 @@
network_id=network['id'],
cidr=CONF.network.project_network_cidr,
ip_version=4)['subnet']
-
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.networks_client.delete_network, network['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.subnets_client.delete_subnet, subnet['id'])
+ self.addCleanup(self.subnets_client.delete_subnet, subnet['id'])
return network
@@ -134,6 +131,7 @@
self.create_test_server(wait_until='ACTIVE',
availability_zone=availability_zone)
+ @test.services('volume')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:create:attach_volume")
@@ -142,20 +140,18 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_test_server_with_volume(self.volume_id)
+ @test.services('network')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:create:attach_network")
@decorators.idempotent_id('b44cd4ff-50a4-42ce-ada3-724e213cd540')
def test_create_server_attach_network(self):
network = self._create_network_resources()
- network_id = {'uuid': network['id']}
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ network_id = {'uuid': network['id']}
server = self.create_test_server(wait_until='ACTIVE',
networks=[network_id])
- # The network resources created is for this test case only. We will
- # clean them up after this test case. In order to do that,
- # we need to clean up the server first.
self.addCleanup(waiters.wait_for_server_termination,
self.servers_client, server['id'])
self.addCleanup(self.servers_client.delete_server, server['id'])
@@ -175,13 +171,80 @@
rule="os_compute_api:servers:update")
@decorators.idempotent_id('077b17cb-5621-43b9-8adf-5725f0d7a863')
def test_update_server(self):
- server = self.create_test_server(wait_until='ACTIVE')
new_name = data_utils.rand_name(self.__class__.__name__ + '-server')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
try:
- self.servers_client.update_server(server['id'], name=new_name)
+ self.servers_client.update_server(self.server['id'], name=new_name)
+ waiters.wait_for_server_status(self.os_admin.servers_client,
+ self.server['id'], 'ACTIVE')
except exceptions.ServerFault as e:
# Some other policy may have blocked it.
LOG.info("ServerFault exception caught. Some other policy "
"blocked updating of server")
raise rbac_exceptions.RbacActionFailed(e)
+
+
+class SecurtiyGroupsRbacTest(base.BaseV2ComputeRbacTest):
+ """Tests non-deprecated security group policies. Requires network service.
+
+ This class tests non-deprecated policies for adding and removing a security
+ group to and from a server.
+ """
+
+ @classmethod
+ def setup_credentials(cls):
+ # A network and a subnet will be created for these tests.
+ cls.set_network_resources(network=True, subnet=True)
+ super(SecurtiyGroupsRbacTest, cls).setup_credentials()
+
+ @classmethod
+ def skip_checks(cls):
+ super(SecurtiyGroupsRbacTest, cls).skip_checks()
+ # All the tests below require the network service.
+ if not test.get_service_list()['network']:
+ raise cls.skipException(
+ 'Skipped because the network service is not available')
+
+ @classmethod
+ def resource_setup(cls):
+ super(SecurtiyGroupsRbacTest, cls).resource_setup()
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
+ def test_list_security_groups_by_server(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.list_security_groups_by_server(self.server['id'])
+
+ @test.attr(type=["slow"])
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
+ def test_create_security_group_for_server(self):
+ sg_name = self.create_security_group()['name']
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.add_security_group(self.server['id'], name=sg_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.servers_client.remove_security_group,
+ self.server['id'], name=sg_name)
+
+ @test.attr(type=["slow"])
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
+ def test_remove_security_group_from_server(self):
+ sg_name = self.create_security_group()['name']
+
+ self.servers_client.add_security_group(self.server['id'], name=sg_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.servers_client.remove_security_group,
+ self.server['id'], name=sg_name)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.remove_security_group(
+ self.server['id'], name=sg_name)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index b490ebe..afa83a6 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -52,18 +52,24 @@
self.servers_client.delete_server, server['id'])
return server
- def _attach_volume(self, server):
+ def _attach_volume(self, server, volume_id=None):
+ if volume_id is None:
+ volume_id = self.volume['id']
+
self.servers_client.attach_volume(
- server['id'], volumeId=self.volume['id'],
+ server['id'], volumeId=volume_id,
device='/dev/%s' % CONF.compute.volume_device_name)
waiters.wait_for_volume_resource_status(
- self.volumes_client, self.volume['id'], 'in-use')
- self.addCleanup(self._detach_volume)
+ self.volumes_client, volume_id, 'in-use')
+ self.addCleanup(self._detach_volume, volume_id)
- def _detach_volume(self):
- self.volumes_client.detach_volume(self.volume['id'])
+ def _detach_volume(self, volume_id=None):
+ if volume_id is None:
+ volume_id = self.volume['id']
+
+ self.volumes_client.detach_volume(volume_id)
waiters.wait_for_volume_resource_status(
- self.volumes_client, self.volume['id'], 'available')
+ self.volumes_client, volume_id, 'available')
@test.services('compute')
@rbac_rule_validation.action(service="cinder", rule="volume:attach")
@@ -186,19 +192,21 @@
service="cinder",
rule="volume_extension:volume_admin_actions:force_detach")
def test_force_detach_volume_from_instance(self):
+ volume = self.create_volume()
server = self._create_server()
- self._attach_volume(server)
+ self._attach_volume(server, volume['id'])
attachment = self.volumes_client.show_volume(
- self.volume['id'])['volume']['attachments'][0]
+ volume['id'])['volume']['attachments'][0]
# Reset volume's status to error.
- self.volumes_client.reset_volume_status(self.volume['id'],
- status='error')
+ self.volumes_client.reset_volume_status(volume['id'], status='error')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.volumes_client.force_detach_volume(
- self.volume['id'], connector=None,
+ volume['id'], connector=None,
attachment_id=attachment['attachment_id'])
+ waiters.wait_for_volume_resource_status(self.os_admin.volumes_client,
+ volume['id'], 'available')
class VolumesActionsV3RbacTest(VolumesActionsRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
index c39a376..25c8504 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -31,28 +31,16 @@
class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
+ def setUp(self):
+ super(VolumesBackupsRbacTest, self).setUp()
+ self.volume = self.create_volume()
+
@classmethod
def skip_checks(cls):
super(VolumesBackupsRbacTest, cls).skip_checks()
if not CONF.volume_feature_enabled.backup:
raise cls.skipException("Cinder backup feature disabled")
- @classmethod
- def resource_setup(cls):
- super(VolumesBackupsRbacTest, cls).resource_setup()
- cls.volume = cls.create_volume()
-
- def _create_backup(self, volume_id):
- backup_name = data_utils.rand_name(self.__class__.__name__ + 'backup')
- backup = self.backups_client.create_backup(
- volume_id=volume_id, name=backup_name)['backup']
- self.addCleanup(
- test_utils.call_and_ignore_notfound_exc,
- self.backups_client.delete_backup, backup['id'])
- waiters.wait_for_volume_resource_status(
- self.backups_client, backup['id'], 'available')
- return backup
-
def _decode_url(self, backup_url):
return json.loads(base64.decode_as_text(backup_url))
@@ -71,16 +59,14 @@
@decorators.idempotent_id('6887ec94-0bcf-4ab7-b30f-3808a4b5a2a5')
def test_volume_backup_create(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_backup(volume_id=self.volume['id'])
+ self.create_backup(volume_id=self.volume['id'])
@test.attr(type=["slow"])
@rbac_rule_validation.action(service="cinder",
rule="backup:get")
@decorators.idempotent_id('abd92bdd-b0fb-4dc4-9cfc-de9e968f8c8a')
def test_volume_backup_get(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
- # Get a given backup
+ backup = self.create_backup(volume_id=self.volume['id'])
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.backups_client.show_backup(backup['id'])
@@ -96,9 +82,7 @@
rule="backup:restore")
@decorators.idempotent_id('9c794bf9-2446-4f41-8fe0-80b71e757f9d')
def test_volume_backup_restore(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
- # Restore backup
+ backup = self.create_backup(volume_id=self.volume['id'])
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
restore = self.backups_client.restore_backup(backup['id'])['restore']
waiters.wait_for_volume_resource_status(
@@ -109,11 +93,17 @@
rule="backup:delete")
@decorators.idempotent_id('d5d0c6a2-413d-437e-a73f-4bf2b41a20ed')
def test_volume_backup_delete(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
+ # Do not call the create_backup in Tempest's base volume class, because
+ # it doesn't use ``test_utils.call_and_ignore_notfound_exc`` for clean
+ # up.
+ backup = self.backups_client.create_backup(
+ volume_id=self.volume['id'])['backup']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.backups_client.delete_backup, backup['id'])
+
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Delete backup
self.backups_client.delete_backup(backup['id'])
+ # Wait for deletion so error isn't thrown during clean up.
self.backups_client.wait_for_resource_deletion(backup['id'])
@test.attr(type=["slow"])
@@ -121,10 +111,7 @@
rule="backup:backup-export")
@decorators.idempotent_id('e984ec8d-e8eb-485c-98bc-f1856020303c')
def test_volume_backup_export(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
-
- # Export Backup
+ backup = self.create_backup(volume_id=self.volume['id'])
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.backups_client.export_backup(backup['id'])['backup-record']
@@ -133,16 +120,13 @@
rule="backup:backup-import")
@decorators.idempotent_id('1e70f039-4556-44cc-9cc1-edf2b7ed648b')
def test_volume_backup_import(self):
- # Create a temp backup
- backup = self._create_backup(volume_id=self.volume['id'])
- # Export a temp backup
+ backup = self.create_backup(volume_id=self.volume['id'])
export_backup = self.backups_client.export_backup(
backup['id'])['backup-record']
new_id = data_utils.rand_uuid()
new_url = self._modify_backup_url(
export_backup['backup_url'], {'id': new_id})
- # Import the temp backup
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
import_backup = self.backups_client.import_backup(
backup_service=export_backup['backup_service'],
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
index 34889cd..422a3db 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.common import waiters
from tempest import config
from tempest.lib import decorators
@@ -75,6 +76,9 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.snapshots_client.update_snapshot(
self.snapshot['id'], **params)['snapshot']
+ waiters.wait_for_volume_resource_status(
+ self.os_admin.snapshots_client,
+ self.snapshot['id'], 'available')
@rbac_rule_validation.action(service="cinder",
rule="volume:get_all_snapshots")
@@ -95,6 +99,8 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
# Delete the snapshot
self.snapshots_client.delete_snapshot(temp_snapshot['id'])
+ self.os_admin.snapshots_client.wait_for_resource_deletion(
+ temp_snapshot['id'])
class VolumesSnapshotV3RbacTest(VolumesSnapshotRbacTest):
diff --git a/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml b/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml
new file mode 100644
index 0000000..8d250cd
--- /dev/null
+++ b/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ Add security groups and server security groups
+ tests to Nova RBAC tests.
+fixes:
+ - |
+ Add microversion check to test_security_groups_rbac
+ as tests in this file will fail with a 404 after
+ 2.36.
+ - Rename test_server_security_groups to
+ test_list_security_groups to properly reflect the
+ test actually being run.
diff --git a/setup.cfg b/setup.cfg
index f76d172..6fd4b8a 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -17,7 +17,6 @@
Programming Language :: Python :: 2.7
Programming Language :: Python :: 3
Programming Language :: Python :: 3.3
- Programming Language :: Python :: 3.4
Programming Language :: Python :: 3.5
[files]