Define separate inherited_roles_client for inherited roles
The os-inherit APIs enable projects to inherit role assignments from either
their owning domain or projects that are higher in the hierarchy.
Currently roles_client has all the os-inherit API methods,
but for better maintenance and readability, those should be
in a separate client.
Partially implements blueprint consistent-service-method-names
Change-Id: I2d5a5699bfe85fde6219758f28f381006b21daa0
diff --git a/tempest/api/identity/admin/v3/test_inherits.py b/tempest/api/identity/admin/v3/test_inherits.py
index 76771bb..373d44b 100644
--- a/tempest/api/identity/admin/v3/test_inherits.py
+++ b/tempest/api/identity/admin/v3/test_inherits.py
@@ -68,10 +68,10 @@
name=data_utils.rand_name('Role'))['role']
self.addCleanup(self.roles_client.delete_role, src_role['id'])
# Assign role on domains user
- self.roles_client.assign_inherited_role_on_domains_user(
+ self.inherited_roles_client.create_inherited_role_on_domains_user(
self.domain['id'], self.user['id'], src_role['id'])
# list role on domains user
- roles = self.roles_client.\
+ roles = self.inherited_roles_client.\
list_inherited_project_role_for_user_on_domain(
self.domain['id'], self.user['id'])['roles']
@@ -80,10 +80,11 @@
src_role['id'])
# Check role on domains user
- self.roles_client.check_user_inherited_project_role_on_domain(
- self.domain['id'], self.user['id'], src_role['id'])
+ (self.inherited_roles_client.
+ check_user_inherited_project_role_on_domain(
+ self.domain['id'], self.user['id'], src_role['id']))
# Revoke role from domains user.
- self.roles_client.revoke_inherited_role_from_user_on_domain(
+ self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
self.domain['id'], self.user['id'], src_role['id'])
@test.idempotent_id('c7a8dda2-be50-4fb4-9a9c-e830771078b1')
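Review bot: After the `delete_inherited_role_from_user_on_domain` call that closes this test, nothing confirms the inherited assignment is actually gone; the client only verifies the 204 status. For an API that grants access across every project in a domain, a revoke that reports success but leaves the grant in place is the failure this test should catch, so I would list again and add `self.assertNotIn(src_role['id'], [r['id'] for r in roles])` on the fresh result of `list_inherited_project_role_for_user_on_domain`. The same gap follows the delete calls in the group-on-domain hunk and in the two project-scoped hunks; the new client has no list method for projects, so there the check would be that the matching `check_*_has_flag_on_inherited_to_project` call raises a not-found error (the exception import is not visible here). The test method starts outside this hunk.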
@@ -93,10 +94,10 @@
name=data_utils.rand_name('Role'))['role']
self.addCleanup(self.roles_client.delete_role, src_role['id'])
# Assign role on domains group
- self.roles_client.assign_inherited_role_on_domains_group(
+ self.inherited_roles_client.create_inherited_role_on_domains_group(
self.domain['id'], self.group['id'], src_role['id'])
# List role on domains group
- roles = self.roles_client.\
+ roles = self.inherited_roles_client.\
list_inherited_project_role_for_group_on_domain(
self.domain['id'], self.group['id'])['roles']
@@ -105,10 +106,11 @@
src_role['id'])
# Check role on domains group
- self.roles_client.check_group_inherited_project_role_on_domain(
- self.domain['id'], self.group['id'], src_role['id'])
+ (self.inherited_roles_client.
+ check_group_inherited_project_role_on_domain(
+ self.domain['id'], self.group['id'], src_role['id']))
# Revoke role from domains group
- self.roles_client.revoke_inherited_role_from_group_on_domain(
+ self.inherited_roles_client.delete_inherited_role_from_group_on_domain(
self.domain['id'], self.group['id'], src_role['id'])
@test.idempotent_id('18b70e45-7687-4b72-8277-b8f1a47d7591')
@@ -118,13 +120,14 @@
name=data_utils.rand_name('Role'))['role']
self.addCleanup(self.roles_client.delete_role, src_role['id'])
# Assign role on projects user
- self.roles_client.assign_inherited_role_on_projects_user(
+ self.inherited_roles_client.create_inherited_role_on_projects_user(
self.project['id'], self.user['id'], src_role['id'])
# Check role on projects user
- self.roles_client.check_user_has_flag_on_inherited_to_project(
- self.project['id'], self.user['id'], src_role['id'])
+ (self.inherited_roles_client.
+ check_user_has_flag_on_inherited_to_project(
+ self.project['id'], self.user['id'], src_role['id']))
# Revoke role from projects user
- self.roles_client.revoke_inherited_role_from_user_on_project(
+ self.inherited_roles_client.delete_inherited_role_from_user_on_project(
self.project['id'], self.user['id'], src_role['id'])
@test.idempotent_id('26021436-d5a4-4256-943c-ded01e0d4b45')
@@ -134,11 +137,13 @@
name=data_utils.rand_name('Role'))['role']
self.addCleanup(self.roles_client.delete_role, src_role['id'])
# Assign role on projects group
- self.roles_client.assign_inherited_role_on_projects_group(
+ self.inherited_roles_client.create_inherited_role_on_projects_group(
self.project['id'], self.group['id'], src_role['id'])
# Check role on projects group
- self.roles_client.check_group_has_flag_on_inherited_to_project(
- self.project['id'], self.group['id'], src_role['id'])
+ (self.inherited_roles_client.
+ check_group_has_flag_on_inherited_to_project(
+ self.project['id'], self.group['id'], src_role['id']))
# Revoke role from projects group
- self.roles_client.revoke_inherited_role_from_group_on_project(
- self.project['id'], self.group['id'], src_role['id'])
+ (self.inherited_roles_client.
+ delete_inherited_role_from_group_on_project(
+ self.project['id'], self.group['id'], src_role['id']))
diff --git a/tempest/api/identity/base.py b/tempest/api/identity/base.py
index 9e40c42..f5e4943 100644
--- a/tempest/api/identity/base.py
+++ b/tempest/api/identity/base.py
@@ -173,6 +173,7 @@
cls.users_client = cls.os_adm.users_v3_client
cls.trusts_client = cls.os_adm.trusts_client
cls.roles_client = cls.os_adm.roles_v3_client
+ cls.inherited_roles_client = cls.os_adm.inherited_roles_client
cls.token = cls.os_adm.token_v3_client
cls.endpoints_client = cls.os_adm.endpoints_v3_client
cls.regions_client = cls.os_adm.regions_client
diff --git a/tempest/clients.py b/tempest/clients.py
index f8c276a..4c677f0 100644
--- a/tempest/clients.py
+++ b/tempest/clients.py
@@ -246,6 +246,8 @@
self.auth_provider, **params_v3)
self.roles_v3_client = identity.v3.RolesClient(self.auth_provider,
**params_v3)
+ self.inherited_roles_client = identity.v3.InheritedRolesClient(
+ self.auth_provider, **params_v3)
self.identity_services_v3_client = identity.v3.ServicesClient(
self.auth_provider, **params_v3)
self.policies_client = identity.v3.PoliciesClient(self.auth_provider,
diff --git a/tempest/services/identity/v3/__init__.py b/tempest/services/identity/v3/__init__.py
index c5ab6b3..6da6dfb 100644
--- a/tempest/services/identity/v3/__init__.py
+++ b/tempest/services/identity/v3/__init__.py
@@ -24,12 +24,13 @@
from tempest.services.identity.v3.json.credentials_client import \
CredentialsClient
from tempest.services.identity.v3.json.domains_client import DomainsClient
+from tempest.services.identity.v3.json.inherited_roles_client import \
+ InheritedRolesClient
from tempest.services.identity.v3.json.roles_client import RolesClient
from tempest.services.identity.v3.json.trusts_client import TrustsClient
-
__all__ = ['EndPointsClient', 'GroupsClient', 'IdentityClient',
'PoliciesClient', 'ProjectsClient', 'RegionsClient',
'ServicesClient', 'V3TokenClient', 'UsersClient',
- 'CredentialsClient', 'DomainsClient', 'RolesClient',
- 'TrustsClient', ]
+ 'CredentialsClient', 'DomainsClient', 'InheritedRolesClient',
+ 'RolesClient', 'TrustsClient', ]
diff --git a/tempest/services/identity/v3/json/inherited_roles_client.py b/tempest/services/identity/v3/json/inherited_roles_client.py
new file mode 100644
index 0000000..691c7fd
--- /dev/null
+++ b/tempest/services/identity/v3/json/inherited_roles_client.py
@@ -0,0 +1,151 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_serialization import jsonutils as json
+
+from tempest.lib.common import rest_client
+
+
+class InheritedRolesClient(rest_client.RestClient):
+ api_version = "v3"
+
+ def create_inherited_role_on_domains_user(
+ self, domain_id, user_id, role_id):
+ """Assigns a role to a user on projects owned by a domain."""
+ resp, body = self.put(
+ "OS-INHERIT/domains/%s/users/%s/roles/%s/inherited_to_projects"
+ % (domain_id, user_id, role_id), None)
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp, body)
+
+ def delete_inherited_role_from_user_on_domain(
+ self, domain_id, user_id, role_id):
+ """Revokes an inherited project role from a user on a domain."""
+ resp, body = self.delete(
+ "OS-INHERIT/domains/%s/users/%s/roles/%s/inherited_to_projects"
+ % (domain_id, user_id, role_id))
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp, body)
+
+ def list_inherited_project_role_for_user_on_domain(
+ self, domain_id, user_id):
+ """Lists the inherited project roles on a domain for a user."""
+ resp, body = self.get(
+ "OS-INHERIT/domains/%s/users/%s/roles/inherited_to_projects"
+ % (domain_id, user_id))
+ self.expected_success(200, resp.status)
+ body = json.loads(body)
+ return rest_client.ResponseBody(resp, body)
+
+ def check_user_inherited_project_role_on_domain(
+ self, domain_id, user_id, role_id):
+ """Checks whether a user has an inherited project role on a domain."""
+ resp, body = self.head(
+ "OS-INHERIT/domains/%s/users/%s/roles/%s/inherited_to_projects"
+ % (domain_id, user_id, role_id))
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp)
+
+ def create_inherited_role_on_domains_group(
+ self, domain_id, group_id, role_id):
+ """Assigns a role to a group on projects owned by a domain."""
+ resp, body = self.put(
+ "OS-INHERIT/domains/%s/groups/%s/roles/%s/inherited_to_projects"
+ % (domain_id, group_id, role_id), None)
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp, body)
+
+ def delete_inherited_role_from_group_on_domain(
+ self, domain_id, group_id, role_id):
+ """Revokes an inherited project role from a group on a domain."""
+ resp, body = self.delete(
+ "OS-INHERIT/domains/%s/groups/%s/roles/%s/inherited_to_projects"
+ % (domain_id, group_id, role_id))
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp, body)
+
+ def list_inherited_project_role_for_group_on_domain(
+ self, domain_id, group_id):
+ """Lists the inherited project roles on a domain for a group."""
+ resp, body = self.get(
+ "OS-INHERIT/domains/%s/groups/%s/roles/inherited_to_projects"
+ % (domain_id, group_id))
+ self.expected_success(200, resp.status)
+ body = json.loads(body)
+ return rest_client.ResponseBody(resp, body)
+
+ def check_group_inherited_project_role_on_domain(
+ self, domain_id, group_id, role_id):
+ """Checks whether a group has an inherited project role on a domain."""
+ resp, body = self.head(
+ "OS-INHERIT/domains/%s/groups/%s/roles/%s/inherited_to_projects"
+ % (domain_id, group_id, role_id))
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp)
+
+ def create_inherited_role_on_projects_user(
+ self, project_id, user_id, role_id):
+ """Assigns a role to a user on projects in a subtree."""
+ resp, body = self.put(
+ "OS-INHERIT/projects/%s/users/%s/roles/%s/inherited_to_projects"
+ % (project_id, user_id, role_id), None)
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp, body)
+
+ def delete_inherited_role_from_user_on_project(
+ self, project_id, user_id, role_id):
+ """Revokes an inherited role from a user on a project."""
+ resp, body = self.delete(
+ "OS-INHERIT/projects/%s/users/%s/roles/%s/inherited_to_projects"
+ % (project_id, user_id, role_id))
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp, body)
+
+ def check_user_has_flag_on_inherited_to_project(
+ self, project_id, user_id, role_id):
+ """Checks whether a user has a role assignment"""
+ """with the inherited_to_projects flag on a project."""
+ resp, body = self.head(
+ "OS-INHERIT/projects/%s/users/%s/roles/%s/inherited_to_projects"
+ % (project_id, user_id, role_id))
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp)
+
+ def create_inherited_role_on_projects_group(
+ self, project_id, group_id, role_id):
+ """Assigns a role to a group on projects in a subtree."""
+ resp, body = self.put(
+ "OS-INHERIT/projects/%s/groups/%s/roles/%s/inherited_to_projects"
+ % (project_id, group_id, role_id), None)
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp, body)
+
+ def delete_inherited_role_from_group_on_project(
+ self, project_id, group_id, role_id):
+ """Revokes an inherited role from a group on a project."""
+ resp, body = self.delete(
+ "OS-INHERIT/projects/%s/groups/%s/roles/%s/inherited_to_projects"
+ % (project_id, group_id, role_id))
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp, body)
+
+ def check_group_has_flag_on_inherited_to_project(
+ self, project_id, group_id, role_id):
+ """Checks whether a group has a role assignment"""
+ """with the inherited_to_projects flag on a project."""
+ resp, body = self.head(
+ "OS-INHERIT/projects/%s/groups/%s/roles/%s/inherited_to_projects"
+ % (project_id, group_id, role_id))
+ self.expected_success(204, resp.status)
+ return rest_client.ResponseBody(resp)
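Review bot: In `check_user_has_flag_on_inherited_to_project` and `check_group_has_flag_on_inherited_to_project` the docstring is written as two separate triple-quoted strings on consecutive lines, so only the first becomes `__doc__` and the second is a discarded expression statement. The documented text therefore stops at "has a role assignment" and loses the part that names the `inherited_to_projects` flag. Merge each pair into one docstring with a one-line summary, a blank line, then the rest, for example a summary of `"""Check for an inherited_to_projects role assignment on a project.` followed by the detail sentence and the closing quotes. This was carried over unchanged from roles_client.py, so the move is a good moment to fix it.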
diff --git a/tempest/services/identity/v3/json/roles_client.py b/tempest/services/identity/v3/json/roles_client.py
index 3f165fa..e8f8a5f 100644
--- a/tempest/services/identity/v3/json/roles_client.py
+++ b/tempest/services/identity/v3/json/roles_client.py
@@ -188,133 +188,3 @@
(domain_id, group_id, role_id))
self.expected_success(204, resp.status)
return rest_client.ResponseBody(resp)
-
- def assign_inherited_role_on_domains_user(
- self, domain_id, user_id, role_id):
- """Assigns a role to a user on projects owned by a domain."""
- resp, body = self.put(
- "OS-INHERIT/domains/%s/users/%s/roles/%s/inherited_to_projects"
- % (domain_id, user_id, role_id), None)
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp, body)
-
- def revoke_inherited_role_from_user_on_domain(
- self, domain_id, user_id, role_id):
- """Revokes an inherited project role from a user on a domain."""
- resp, body = self.delete(
- "OS-INHERIT/domains/%s/users/%s/roles/%s/inherited_to_projects"
- % (domain_id, user_id, role_id))
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp, body)
-
- def list_inherited_project_role_for_user_on_domain(
- self, domain_id, user_id):
- """Lists the inherited project roles on a domain for a user."""
- resp, body = self.get(
- "OS-INHERIT/domains/%s/users/%s/roles/inherited_to_projects"
- % (domain_id, user_id))
- self.expected_success(200, resp.status)
- body = json.loads(body)
- return rest_client.ResponseBody(resp, body)
-
- def check_user_inherited_project_role_on_domain(
- self, domain_id, user_id, role_id):
- """Checks whether a user has an inherited project role on a domain."""
- resp, body = self.head(
- "OS-INHERIT/domains/%s/users/%s/roles/%s/inherited_to_projects"
- % (domain_id, user_id, role_id))
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp)
-
- def assign_inherited_role_on_domains_group(
- self, domain_id, group_id, role_id):
- """Assigns a role to a group on projects owned by a domain."""
- resp, body = self.put(
- "OS-INHERIT/domains/%s/groups/%s/roles/%s/inherited_to_projects"
- % (domain_id, group_id, role_id), None)
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp, body)
-
- def revoke_inherited_role_from_group_on_domain(
- self, domain_id, group_id, role_id):
- """Revokes an inherited project role from a group on a domain."""
- resp, body = self.delete(
- "OS-INHERIT/domains/%s/groups/%s/roles/%s/inherited_to_projects"
- % (domain_id, group_id, role_id))
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp, body)
-
- def list_inherited_project_role_for_group_on_domain(
- self, domain_id, group_id):
- """Lists the inherited project roles on a domain for a group."""
- resp, body = self.get(
- "OS-INHERIT/domains/%s/groups/%s/roles/inherited_to_projects"
- % (domain_id, group_id))
- self.expected_success(200, resp.status)
- body = json.loads(body)
- return rest_client.ResponseBody(resp, body)
-
- def check_group_inherited_project_role_on_domain(
- self, domain_id, group_id, role_id):
- """Checks whether a group has an inherited project role on a domain."""
- resp, body = self.head(
- "OS-INHERIT/domains/%s/groups/%s/roles/%s/inherited_to_projects"
- % (domain_id, group_id, role_id))
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp)
-
- def assign_inherited_role_on_projects_user(
- self, project_id, user_id, role_id):
- """Assigns a role to a user on projects in a subtree."""
- resp, body = self.put(
- "OS-INHERIT/projects/%s/users/%s/roles/%s/inherited_to_projects"
- % (project_id, user_id, role_id), None)
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp, body)
-
- def revoke_inherited_role_from_user_on_project(
- self, project_id, user_id, role_id):
- """Revokes an inherited role from a user on a project."""
- resp, body = self.delete(
- "OS-INHERIT/projects/%s/users/%s/roles/%s/inherited_to_projects"
- % (project_id, user_id, role_id))
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp, body)
-
- def check_user_has_flag_on_inherited_to_project(
- self, project_id, user_id, role_id):
- """Checks whether a user has a role assignment"""
- """with the inherited_to_projects flag on a project."""
- resp, body = self.head(
- "OS-INHERIT/projects/%s/users/%s/roles/%s/inherited_to_projects"
- % (project_id, user_id, role_id))
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp)
-
- def assign_inherited_role_on_projects_group(
- self, project_id, group_id, role_id):
- """Assigns a role to a group on projects in a subtree."""
- resp, body = self.put(
- "OS-INHERIT/projects/%s/groups/%s/roles/%s/inherited_to_projects"
- % (project_id, group_id, role_id), None)
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp, body)
-
- def revoke_inherited_role_from_group_on_project(
- self, project_id, group_id, role_id):
- """Revokes an inherited role from a group on a project."""
- resp, body = self.delete(
- "OS-INHERIT/projects/%s/groups/%s/roles/%s/inherited_to_projects"
- % (project_id, group_id, role_id))
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp, body)
-
- def check_group_has_flag_on_inherited_to_project(
- self, project_id, group_id, role_id):
- """Checks whether a group has a role assignment"""
- """with the inherited_to_projects flag on a project."""
- resp, body = self.head(
- "OS-INHERIT/projects/%s/groups/%s/roles/%s/inherited_to_projects"
- % (project_id, group_id, role_id))
- self.expected_success(204, resp.status)
- return rest_client.ResponseBody(resp)