Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / patrole / f8923d1ddfd2608a5f402c7014f9e95321c43caa^! / .
commitf8923d1ddfd2608a5f402c7014f9e95321c43caa[log] [tgz]
authorRick Bartra <rb560u@att.com>Thu Jan 02 17:25:30 2020 -0500
committerRick Bartra <rb560u@att.com>Mon Jan 06 14:31:29 2020 -0500
treef93b64231eb5cafce6a8b22f638e5d2b2f462735
parent45f01b741754f91023f7038851fc018c8fbd538d [diff]
fix: admin and member gates are broken

The patrole-admin and patrole-member gates are broken because they
are trying to test a policy action ('os_compute_api:os-services') that
was changed in the Ussuri release. This commit adds a new policy feature
flag so that this policy test is backwards compatible.

Change-Id: Ia80279ae8ffcc17f10bed05338c41d0c23eea063

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index f60f0f4..8fa1d2c 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh

@@ -43,6 +43,10 @@
        # The Keystone Trust API is enforced differently depending on passed
        # arguments
        iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
+
+       # TODO(rb560u): Remove this once stable/pike becomes EOL.
+       # These policies were removed in Ussuri but are available in Pike.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_ussuri False
     fi
 
     if [[ ${DEVSTACK_SERIES} == 'queens' ]]; then
@@ -66,6 +70,10 @@
        # The Keystone Trust API is enforced differently depending on passed
        # arguments
        iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
+
+       # TODO(rb560u): Remove this once stable/queens becomes EOL.
+       # These policies were removed in Ussuri but are available in Queens.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_ussuri False
     fi
 
     if [[ ${DEVSTACK_SERIES} == 'rocky' ]]; then
@@ -78,6 +86,10 @@
        # The Keystone Trust API is enforced differently depending on passed
        # arguments
        iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
+
+       # TODO(rb560u): Remove this once stable/rocky becomes EOL.
+       # These policies were removed in Ussuri but are available in Rocky.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_ussuri False
     fi
 
     if [[ ${DEVSTACK_SERIES} == 'stein' ]]; then
@@ -86,6 +98,10 @@
        # The Keystone Trust API is enforced differently depending on passed
        # arguments
        iniset $TEMPEST_CONFIG policy-feature-enabled keystone_policy_enforcement_train False
+
+       # TODO(rb560u): Remove this once stable/stein becomes EOL.
+       # These policies were removed in Ussuri but are available in Stein.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_nova_policies_ussuri False
     fi
 
     iniset $TEMPEST_CONFIG patrole rbac_test_roles $RBAC_TEST_ROLES

diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index 5eab0e3..b087148 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py

@@ -189,7 +189,12 @@
                 default=True,
                 help="""Is the cloud running the Train release or newer? If
 so, the Keystone Trust API is enforced differently depending on passed
-arguments""")
+arguments"""),
+    cfg.BoolOpt('changed_nova_policies_ussuri',
+                default=True,
+                help="""Are the Nova API policies available in the
+cloud (e.g. os_compute_api:os-services)? These policies were
+changed in Ussuri.""")
 ]
 
 

diff --git a/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
index dd7a4c3..da4923d 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py

@@ -14,11 +14,19 @@
 #    under the License.
 
 from tempest.common import utils
+from tempest import config
 from tempest.lib import decorators
 
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.compute import rbac_base
 
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_nova_policies_ussuri:
+    _OS_COMPUTE_API_OS_SERVICES = "os_compute_api:os-services:list"
+else:
+    _OS_COMPUTE_API_OS_SERVICES = "os_compute_api:os-services"
+
 
 class ServicesRbacTest(rbac_base.BaseV2ComputeRbacTest):
 
@@ -31,7 +39,7 @@
 
     @rbac_rule_validation.action(
         service="nova",
-        rules=["os_compute_api:os-services"])
+        rules=[_OS_COMPUTE_API_OS_SERVICES])
     @decorators.idempotent_id('7472261b-9c6d-453a-bcb3-aecaa29ad281')
     def test_list_services(self):
         with self.override_role():

diff --git a/releasenotes/notes/changed_nova_policies_ussuri-177582b3ded63411.yaml b/releasenotes/notes/changed_nova_policies_ussuri-177582b3ded63411.yaml
new file mode 100644
index 0000000..5362f04
--- /dev/null
+++ b/releasenotes/notes/changed_nova_policies_ussuri-177582b3ded63411.yaml

@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    A new policy feature flag called
+    ``[policy_feature_flag].changed_nova_policies_ussuri`` has been added to
+    Patrole's config to handle Nova policies changed in Ussuri. The policy
+    feature flag is applied to tests that use policies changed in Ussuri,
+    including the following:
+
+      - os_compute_api:os-services
+
+    Note that not all changed policies are included above because test coverage
+    is missing for them.