Gate fix and update compute tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1] where
few polciies are made more granular to adopt the new defaults.
With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.
This commit updates the security group and server password
policy tests to move to new policies from ussuri onwards.
Also add the already fixed instance action policy in reno
Also fix the gate to parse the combining of deprecated rule
check_str with oslo policy parser instead of string processing.
Story: #2007585
Task: #39516
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
Change-Id: If661299231d548ce40a2e340b1ddb9ebe8d3f964
diff --git a/patrole_tempest_plugin/policy_authority.py b/patrole_tempest_plugin/policy_authority.py
index 1defa6d..afa358a 100644
--- a/patrole_tempest_plugin/policy_authority.py
+++ b/patrole_tempest_plugin/policy_authority.py
@@ -186,9 +186,10 @@
}
)
LOG.warn(deprecated_msg)
- check_str = '(%s) or (%s)' % (default.check_str,
- deprecated_rule.check_str)
- return policy.RuleDefault(default.name, check_str)
+ default.check = policy.OrCheck(
+ [policy._parser.parse_rule(cs) for cs in
+ [default.check_str,
+ deprecated_rule.check_str]])
def get_rules(self):
rules = policy.Rules()
@@ -229,7 +230,7 @@
# The `DocumentedRuleDefault` object has no
# `deprecated_rule` attribute in Pike
if getattr(rule, 'deprecated_rule', False):
- rule = self._handle_deprecated_rule(rule)
+ self._handle_deprecated_rule(rule)
rules[rule.name] = rule.check
elif str(rule.check) != str(rules[rule.name]):
msg = ("The same policy name: %s was found in the "
diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
index 471d7da..f81262a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -20,6 +21,17 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_nova_policies_ussuri:
+ _SG_LIST = "os_compute_api:os-security-groups:list"
+ _SG_ADD = "os_compute_api:os-security-groups:add"
+ _SG_REMOVE = "os_compute_api:os-security-groups:remove"
+else:
+ _SG_LIST = "os_compute_api:os-security-groups"
+ _SG_ADD = "os_compute_api:os-security-groups"
+ _SG_REMOVE = "os_compute_api:os-security-groups"
+
class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
"""Tests non-deprecated security group policies. Requires network service.
@@ -55,7 +67,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_LIST])
@decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
def test_list_security_groups_by_server(self):
with self.override_role():
@@ -64,7 +76,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_ADD])
@decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
def test_create_security_group_for_server(self):
sg_name = self.create_security_group()['name']
@@ -78,7 +90,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_REMOVE])
@decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
def test_remove_security_group_from_server(self):
sg_name = self.create_security_group()['name']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
index 7bdd3da..95544b4 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -36,11 +36,15 @@
_ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces:list"
_ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces:show"
_INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions:list"
+ _SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password:show"
+ _SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password:clear"
else:
_DEFERRED_FORCE = "os_compute_api:os-deferred-delete"
_ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces"
_ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces"
_INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions"
+ _SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password"
+ _SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password"
class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -493,7 +497,7 @@
@decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-server-password"])
+ rules=[_SERVER_PASSWORD_CLEAR])
def test_delete_server_password(self):
"""Test delete server password, part of os-server-password."""
with self.override_role():
@@ -502,7 +506,7 @@
@utils.requires_ext(extension='os-server-password', service='compute')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-server-password"])
+ rules=[_SERVER_PASSWORD_SHOW])
@decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
def test_get_server_password(self):
"""Test show server password, part of os-server-password."""