Improve test_implied_domain_roles
This adds an assertion to verify that global roles can't imply domain
specific ones.
It also adds a new feature flag, since the related bug fix
wasn't backported to Mitaka.
Change-Id: Ic7c5b93e4d679c845f546da85984517f79d1b4b7
Depends-On: I70e3ce79ee6d9b00cc48bb178bd423d0196f6588
Related-Bug: 1590578
diff --git a/tempest/api/identity/admin/v3/test_roles.py b/tempest/api/identity/admin/v3/test_roles.py
index b7b6596..9bee24a 100644
--- a/tempest/api/identity/admin/v3/test_roles.py
+++ b/tempest/api/identity/admin/v3/test_roles.py
@@ -15,11 +15,14 @@
from tempest.api.identity import base
from tempest.common.utils import data_utils
+from tempest import config
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
from tempest import test
+CONF = config.CONF
+
class RolesV3TestJSON(base.BaseIdentityV3AdminTest):
@@ -348,6 +351,15 @@
# domain role to a global one
self._create_implied_role(domain_role1['id'], self.role['id'])
+ if CONF.identity_feature_enabled.forbid_global_implied_dsr:
+ # The contrary is not true: we can't create an inference rule
+ # from a global role to a domain role
+ self.assertRaises(
+ lib_exc.Forbidden,
+ self.roles_client.create_role_inference_rule,
+ self.role['id'],
+ domain_role1['id'])
+
@decorators.idempotent_id('3859df7e-5b78-4e4d-b10e-214c8953842a')
def test_assignments_for_domain_roles(self):
domain_role = self.setup_test_role(domain_id=self.domain['id'])
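Review bot: If `create_role_inference_rule` unexpectedly succeeds inside the new `assertRaises` block, the global-to-domain inference rule stays on the deployment, because this direct client call registers no cleanup. The `_create_implied_role` helper on the line above may handle that for its own rule, but its body is not visible here. I would register a best-effort delete before the assertion, assuming the roles client exposes the matching delete call: `self.addCleanup(test_utils.call_and_ignore_notfound_exc, self.roles_client.delete_role_inference_rule, self.role['id'], domain_role1['id'])`. The existing comment could also say that the check is skipped entirely when the flag is off, so a passing run on a default configuration is not read as proof that the restriction is enforced. The enclosing test method starts outside this hunk.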
diff --git a/tempest/config.py b/tempest/config.py
index fe8c175..213cbd7 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -224,6 +224,13 @@
deprecated_for_removal=True,
deprecated_reason="All supported version of OpenStack now "
"supports the 'reseller' feature"),
+ # TODO(rodrigods): This is a feature flag for bug 1590578 which is fixed
+ # in Newton and Ocata. This option can be removed after Mitaka is end of
+ # life.
+ cfg.BoolOpt('forbid_global_implied_dsr',
+ default=False,
+ help='Does the environment forbid global roles implying '
+ 'domain specific ones?'),
cfg.BoolOpt('security_compliance',
default=False,
help='Does the environment have the security compliance '
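Review bot: With `default=False`, the new Forbidden check in `test_implied_domain_roles` never runs unless the operator opts in, and the help text does not say so. It also leaves the `dsr` abbreviation unexplained and does not mention the releases named in the TODO. I would spell out the consequence in the help string, for example `help='Set to True if the deployment rejects inference rules from a global role to a domain-specific role (bug 1590578, fixed in Newton and later). When False, that negative check is skipped.'`. The surrounding option list starts and ends outside this hunk.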