Merge "Remove Cinder v2 RBAC tests"
diff --git a/.mailmap b/.mailmap
index 516ae6f..47612b3 100644
--- a/.mailmap
+++ b/.mailmap
@@ -1,3 +1,5 @@
# Format is:
# <preferred e-mail> <other e-mail 1>
# <preferred e-mail> <other e-mail 2>
+Felipe Monteiro <felipe.carneiro.monteiro@gmail.com> <fm577c@att.com>
+Felipe Monteiro <felipe.carneiro.monteiro@gmail.com> <felipe.monteiro@att.com>
diff --git a/README.rst b/README.rst
index 6110dda..f4ab65c 100644
--- a/README.rst
+++ b/README.rst
@@ -16,6 +16,35 @@
Patrole currently offers testing for the following OpenStack services: Nova,
Neutron, Glance, Cinder and Keystone.
+Patrole is currently undergoing heavy development. As more projects move
+toward policy in code, Patrole will align its testing with the appropriate
+documentation.
+
+Design Principles
+-----------------
+
+Patrole borrows some design principles from Tempest, but not all, as its
+testing scope is confined to policies.
+
+* *Stability*. Patrole uses OpenStack public interfaces. Tests in Patrole
+ should only touch public OpenStack APIs.
+* *Atomicity*. Patrole tests should be atomic: they should test policies in
+ isolation. Unlike Tempest, a Patrole test strives to only call a single
+ endpoint at a time.
+* *Holistic coverage*. Patrole strives for complete coverage of the OpenStack
+ API. Additionally, Patrole strives to test the API-to-policy mapping
+ contained in each project's policy in code documentation.
+* *Self-contained*. Patrole should attempt to clean up after itself; whenever
+ possible we should tear down resources when done.
+
+ .. note::
+
+ Patrole modifies roles dynamically in the background, which affects
+ pre-provisioned credentials. Work is currently underway to clean up
+ modifications made to pre-provisioned credentials.
+
+* *Self-tested*. Patrole should be self-tested.
+
Features
--------
* Validation of default policy definitions located in policy.json files.
diff --git a/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py
new file mode 100644
index 0000000..dd32187
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_fixed_ips_rbac.py
@@ -0,0 +1,78 @@
+# Copyright 2017 NEC Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class FixedIpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ # Tests will fail with a 404 starting from microversion 2.36:
+ # See the following link for details:
+ # https://developer.openstack.org/api-ref/compute/#fixed-ips-os-fixed-ips-deprecated
+ max_microversion = '2.35'
+
+ @classmethod
+ def skip_checks(cls):
+ super(FixedIpsRbacTest, cls).skip_checks()
+ if CONF.service_available.neutron:
+ msg = ("%s skipped as neutron is available" % cls.__name__)
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(FixedIpsRbacTest, cls).resource_setup()
+ server = cls.create_test_server(wait_until='ACTIVE')
+ server = cls.servers_client.show_server(server['id'])['server']
+ cls.ip = None
+ for ip_set in server['addresses']:
+ for ip in server['addresses'][ip_set]:
+ if ip['OS-EXT-IPS:type'] == 'fixed':
+ cls.ip = ip['addr']
+ break
+ if cls.ip:
+ break
+ if cls.ip is None:
+ raise cls.skipException("No fixed ip found for server: %s"
+ % server['id'])
+
+ @decorators.idempotent_id('c89391f7-4844-4a70-a116-37c1336efb99')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-fixed-ips")
+ def test_show_fixed_ip_details(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.fixed_ips_client.show_fixed_ip(self.ip)
+
+ @decorators.idempotent_id('f0314501-735d-4315-9856-959e01e82f0d')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-fixed-ips")
+ def test_set_reserve(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.fixed_ips_client.reserve_fixed_ip(self.ip, reserve="None")
+
+ @decorators.idempotent_id('866a6fdc-a237-4502-9bf2-52fe82aba356')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-fixed-ips")
+ def test_set_unreserve(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.fixed_ips_client.reserve_fixed_ip(self.ip, unreserve="None")
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
index be5cedb..2bc267b 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
@@ -87,11 +87,42 @@
waiters.wait_for_server_status(self.os_admin.servers_client,
self.server_id, 'SHELVED')
+ def _pause_server(self):
+ self.servers_client.pause_server(self.server_id)
+ self.addCleanup(self._cleanup_server_actions,
+ self.servers_client.unpause_server,
+ self.server_id)
+ waiters.wait_for_server_status(
+ self.os_admin.servers_client, self.server_id, 'PAUSED')
+
def _cleanup_server_actions(self, function, server_id, **kwargs):
server = self.servers_client.show_server(server_id)['server']
if server['status'] != 'ACTIVE':
function(server_id, **kwargs)
+ @decorators.idempotent_id('117f4ff2-8544-437b-824f-5e41cb6640ee')
+ @testtools.skipUnless(CONF.compute_feature_enabled.pause,
+ 'Pause is not available.')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-pause-server:pause")
+ def test_pause_server(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self._pause_server()
+
+ @decorators.idempotent_id('087008cf-82fa-4eeb-ae8b-32c4126456ad')
+ @testtools.skipUnless(CONF.compute_feature_enabled.pause,
+ 'Pause is not available.')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-pause-server:unpause")
+ def test_unpause_server(self):
+ self._pause_server()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.unpause_server(self.server_id)
+ waiters.wait_for_server_status(
+ self.os_admin.servers_client, self.server_id, 'ACTIVE')
+
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:stop")
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_auth_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_auth_rbac.py
index bc096ce..6a26f2b 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_auth_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_auth_rbac.py
@@ -26,8 +26,8 @@
https://github.com/openstack/keystone/blob/master/keystone/common/policies/auth.py
"""
- # TODO(felipemonteiro): Add tests for identity:get_auth_catalog and
- # identity:get_auth_domains once the endpoints are implemented in Tempest's
+ # TODO(felipemonteiro): Add tests for identity:get_auth_catalog
+ # once the endpoints are implemented in Tempest's
# identity v3 client.
@decorators.idempotent_id('2a9fbf7f-6feb-4161-ae4b-faf7d6421b1a')
@@ -36,3 +36,10 @@
def test_list_auth_projects(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.identity_client.list_auth_projects()['projects']
+
+ @decorators.idempotent_id('6a40af0d-7265-4657-b6b2-87a2828e263e')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_auth_domains")
+ def test_list_auth_domain(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.identity_client.list_auth_domains()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
index 82feff9..3639520 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
@@ -127,3 +127,11 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.trusts_client.show_trust_role(
self.trust['id'], self.delegated_role_id)['role']
+
+ @decorators.idempotent_id('0184e0fb-641e-4b52-ab73-81c1ce6ca5c1')
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:get_trust")
+ def test_show_trust(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.trusts_client.show_trust(self.trust['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
new file mode 100644
index 0000000..fa92cad
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
@@ -0,0 +1,30 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+
+class LimitsV3RbacTest(rbac_base.BaseVolumeRbacTest):
+ _api_version = 3
+
+ @decorators.idempotent_id('dab04510-5b86-4479-a633-6e496ff405af')
+ @rbac_rule_validation.action(service="cinder",
+ rule="limits_extension:used_limits")
+ def test_show_limits(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_limits_client.show_limits()
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index 7444c35..1aeff4b 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -58,15 +58,13 @@
project = u'Patrole Release Notes'
copyright = u'2017, Patrole Developers'
-# The version info for the project you're documenting, acts as replacement for
-# |version| and |release|, also used in various other places throughout the
-# built documents.
-#
-from patrole_tempest_plugin.version import version_info as patrole_version
+# Release do not need a version number in the title, they
+# cover multiple versions.
+
# The full version, including alpha/beta/rc tags.
-release = patrole_version.version_string_with_vcs()
+release = ''
# The short X.Y version.
-version = patrole_version.canonical_version_string()
+version = ''
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
diff --git a/requirements.txt b/requirements.txt
index 0e46596..ba2f2d5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,5 +6,5 @@
oslo.log>=3.30.0 # Apache-2.0
oslo.config>=4.6.0 # Apache-2.0
oslo.policy>=1.23.0 # Apache-2.0
-tempest>=16.1.0 # Apache-2.0
+tempest>=17.1.0 # Apache-2.0
stevedore>=1.20.0 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index 1953685..a8a3044 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -14,4 +14,4 @@
oslotest>=1.10.0 # Apache-2.0
oslo.policy>=1.23.0 # Apache-2.0
oslo.log>=3.30.0 # Apache-2.0
-tempest>=16.1.0 # Apache-2.0
+tempest>=17.1.0 # Apache-2.0