openstack/heat
Code Issues Proposed changes
4107b52123
heat/heat_integrationtests/functional/test_conditional_exposure.py

158 lines
5.3 KiB
Python
Raw Normal View History

Add functional test for resource exposure These simple tests check that Sahara resources can not be created and are not listed in the resource-type-list. If we ever decide to install Sahara on the Heat functional tests gate, tests should be changed to use other not installed but in principle supported service and resources, as these tests will be skipped in this case. Related blueprint keystone-based-resource-availability Change-Id: I6e692587f49b6c34c5e99b8d26bb6e60b7ce7af5
2015-07-16 09:47:20 +00:00
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from heatclient import exc
import keystoneclient
Add config entries to skip integration tests This adds options to skip scenario and functional tests. You can either skip the complete set of tests or list of specific tests. Following new config options are added: `skip_scenario_tests` - Skip all scenario tests `skip_functional_tests` - Skip all functional tests `skip_functional_test_list` - List of functional tests to skip `skip_scenario_test_list` - List of scenario tests to skip `skip_test_stack_action_list` - List of actions in tests to skip Change-Id: I7a5233f5db1f065ccee5a97408c72203c108a656 Depends-On: I25c5e853f0499b88f2803b077d19e132140908f1
2015-07-31 13:01:45 +05:30
from heat_integrationtests.functional import functional_base
Add functional test for resource exposure These simple tests check that Sahara resources can not be created and are not listed in the resource-type-list. If we ever decide to install Sahara on the Heat functional tests gate, tests should be changed to use other not installed but in principle supported service and resources, as these tests will be skipped in this case. Related blueprint keystone-based-resource-availability Change-Id: I6e692587f49b6c34c5e99b8d26bb6e60b7ce7af5
2015-07-16 09:47:20 +00:00
Assert DELETE_COMPLETE on all stack delete cleanup Currently stacks are deleted on integration test cleanup but no polling is done for DELETE_COMPLETE, so the test will pass even though the stack may be in a DELETE_FAILED state. This change uses _stack_delete for all cleanup stack deleting, which polls for complete. Change-Id: Ic44b27130596cf3fa8616608a091b683ea131e0b Closes-Bug: #1486303
2015-08-19 13:37:08 +12:00
class ServiceBasedExposureTest(functional_base.FunctionalTestsBase):
Add functional test for resource exposure These simple tests check that Sahara resources can not be created and are not listed in the resource-type-list. If we ever decide to install Sahara on the Heat functional tests gate, tests should be changed to use other not installed but in principle supported service and resources, as these tests will be skipped in this case. Related blueprint keystone-based-resource-availability Change-Id: I6e692587f49b6c34c5e99b8d26bb6e60b7ce7af5
2015-07-16 09:47:20 +00:00
# NOTE(pas-ha) if we ever decide to install Sahara on Heat
# functional gate, this must be changed to other not-installed
# but in principle supported service
unavailable_service = 'Sahara'
unavailable_template = """
heat_template_version: 2015-10-15
Don't use hardcoded flavors in tests Use config values instead. Change-Id: I5755ddc628e08a4336debef4022bebf1542b0200
2016-12-06 12:11:48 +05:30
parameters:
instance_type:
type: string
Add functional test for resource exposure These simple tests check that Sahara resources can not be created and are not listed in the resource-type-list. If we ever decide to install Sahara on the Heat functional tests gate, tests should be changed to use other not installed but in principle supported service and resources, as these tests will be skipped in this case. Related blueprint keystone-based-resource-availability Change-Id: I6e692587f49b6c34c5e99b8d26bb6e60b7ce7af5
2015-07-16 09:47:20 +00:00
resources:
not_available:
type: OS::Sahara::NodeGroupTemplate
properties:
plugin_name: fake
hadoop_version: 0.1
Don't use hardcoded flavors in tests Use config values instead. Change-Id: I5755ddc628e08a4336debef4022bebf1542b0200
2016-12-06 12:11:48 +05:30
flavor: {get_param: instance_type}
Add functional test for resource exposure These simple tests check that Sahara resources can not be created and are not listed in the resource-type-list. If we ever decide to install Sahara on the Heat functional tests gate, tests should be changed to use other not installed but in principle supported service and resources, as these tests will be skipped in this case. Related blueprint keystone-based-resource-availability Change-Id: I6e692587f49b6c34c5e99b8d26bb6e60b7ce7af5
2015-07-16 09:47:20 +00:00
node_processes: []
"""
def setUp(self):
super(ServiceBasedExposureTest, self).setUp()
# check that Sahara endpoint is available
if self._is_sahara_deployed():
self.skipTest("Sahara is actually deployed, "
"can not run negative tests on "
"Sahara resources availability.")
def _is_sahara_deployed(self):
try:
Accommodate v2 and v3 auth for integration tests devstack has moved default Keystone API version to v3[1]. [1] https://github.com/openstack-dev/devstack/commit/f4ce44bf3fbf06e53c2ae3ec6aa4996831cf4605 Though the above patch has been reverted, this would help if devstack removes v2 support in the future. Change-Id: I393750d00b3712a015e48a3cf38ab5f95bb61dae Closes-Bug: #1539692
2016-01-29 22:23:21 +05:30
self.identity_client.get_endpoint_url('data-processing',
self.conf.region)
Add functional test for resource exposure These simple tests check that Sahara resources can not be created and are not listed in the resource-type-list. If we ever decide to install Sahara on the Heat functional tests gate, tests should be changed to use other not installed but in principle supported service and resources, as these tests will be skipped in this case. Related blueprint keystone-based-resource-availability Change-Id: I6e692587f49b6c34c5e99b8d26bb6e60b7ce7af5
2015-07-16 09:47:20 +00:00
except keystoneclient.exceptions.EndpointNotFound:
return False
return True
def test_unavailable_resources_not_listed(self):
resources = self.client.resource_types.list()
self.assertFalse(any(self.unavailable_service in r.resource_type
for r in resources))
def test_unavailable_resources_not_created(self):
stack_name = self._stack_rand_name()
Don't use hardcoded flavors in tests Use config values instead. Change-Id: I5755ddc628e08a4336debef4022bebf1542b0200
2016-12-06 12:11:48 +05:30
parameters = {'instance_type': self.conf.minimal_instance_type}
Add functional test for resource exposure These simple tests check that Sahara resources can not be created and are not listed in the resource-type-list. If we ever decide to install Sahara on the Heat functional tests gate, tests should be changed to use other not installed but in principle supported service and resources, as these tests will be skipped in this case. Related blueprint keystone-based-resource-availability Change-Id: I6e692587f49b6c34c5e99b8d26bb6e60b7ce7af5
2015-07-16 09:47:20 +00:00
ex = self.assertRaises(exc.HTTPBadRequest,
self.client.stacks.create,
stack_name=stack_name,
Don't use hardcoded flavors in tests Use config values instead. Change-Id: I5755ddc628e08a4336debef4022bebf1542b0200
2016-12-06 12:11:48 +05:30
parameters=parameters,
Add functional test for resource exposure These simple tests check that Sahara resources can not be created and are not listed in the resource-type-list. If we ever decide to install Sahara on the Heat functional tests gate, tests should be changed to use other not installed but in principle supported service and resources, as these tests will be skipped in this case. Related blueprint keystone-based-resource-availability Change-Id: I6e692587f49b6c34c5e99b8d26bb6e60b7ce7af5
2015-07-16 09:47:20 +00:00
template=self.unavailable_template)
Encode exception message in tests assertIn is failing on exception messages as apparently they are bytes in Python3. Let's encode it before the check. Change-Id: I886a9458e72aa1ffdb2cc6dcf20331f468778032
2017-02-01 14:24:31 +01:00
self.assertIn('ResourceTypeUnavailable', ex.message.decode('utf-8'))
self.assertIn('OS::Sahara::NodeGroupTemplate',
ex.message.decode('utf-8'))
Add resource_type-specific policies Heat's `policy.json` now can contain policies of the following schema: "resource_types:<resource_type>": "rule" This will allow cloud admins to control resource access utilizing user roles, names, tenants and any other oslo.policy-supported rules. Basic usage is to facilitate fail-early for stacks with resources that a given user will not be able to actually create due to role restrictions. Default policy is 'allow to everyone' (who has passed previous policy checks on REST API layer). Resource types that the user will not be able to use due to resources policy restrictions are hidden from `resource-type-list`. Current operations that are prohibited if the user does not pass policy check for a particular "forbidden" resource: - show resource type for forbidden resource type - show resource template for forbidden resource type - create a stack containing a forbidden resource - delete a stack containing a forbidden resource - update a stack that already has a forbidden resource - update a stack initroducing a new forbidden resource - restore a stack snapshot to a stack that currently has forbidden resource Not yet prohibited, need to be fixed: - restore a stack snapshot that will create a forbidden resource As first step (and for testing purposes) OS::Nova::Flavor is forbidden to create for non-admin users. Simple functional test using this resource is added. Change-Id: I337306c4f1624552a2631e0ffbb43f0d3102813d Implements blueprint conditional-resource-exposure
2015-08-20 14:39:14 +00:00
class RoleBasedExposureTest(functional_base.FunctionalTestsBase):
Adds default policy rule for resources limited to administrator Adds default policy rule for resources which are limited to administrator, to forbid non-admin to create these resources at the very start. Change-Id: I9e1ef86f0c44bce5bde3f9e26e1f2b9cb3aef06d Closes-Bug: #1582187
2016-05-17 16:55:45 +08:00
Add resource_type-specific policies Heat's `policy.json` now can contain policies of the following schema: "resource_types:<resource_type>": "rule" This will allow cloud admins to control resource access utilizing user roles, names, tenants and any other oslo.policy-supported rules. Basic usage is to facilitate fail-early for stacks with resources that a given user will not be able to actually create due to role restrictions. Default policy is 'allow to everyone' (who has passed previous policy checks on REST API layer). Resource types that the user will not be able to use due to resources policy restrictions are hidden from `resource-type-list`. Current operations that are prohibited if the user does not pass policy check for a particular "forbidden" resource: - show resource type for forbidden resource type - show resource template for forbidden resource type - create a stack containing a forbidden resource - delete a stack containing a forbidden resource - update a stack that already has a forbidden resource - update a stack initroducing a new forbidden resource - restore a stack snapshot to a stack that currently has forbidden resource Not yet prohibited, need to be fixed: - restore a stack snapshot that will create a forbidden resource As first step (and for testing purposes) OS::Nova::Flavor is forbidden to create for non-admin users. Simple functional test using this resource is added. Change-Id: I337306c4f1624552a2631e0ffbb43f0d3102813d Implements blueprint conditional-resource-exposure
2015-08-20 14:39:14 +00:00
fl_tmpl = """
heat_template_version: 2015-10-15
resources:
not4everyone:
type: OS::Nova::Flavor
properties:
ram: 20000
vcpus: 10
"""
Adds default policy rule for resources limited to administrator Adds default policy rule for resources which are limited to administrator, to forbid non-admin to create these resources at the very start. Change-Id: I9e1ef86f0c44bce5bde3f9e26e1f2b9cb3aef06d Closes-Bug: #1582187
2016-05-17 16:55:45 +08:00
cvt_tmpl = """
heat_template_version: 2015-10-15
resources:
cvt:
type: OS::Cinder::VolumeType
properties:
name: cvt_test
"""
host_aggr_tmpl = """
heat_template_version: 2015-10-15
parameters:
az:
type: string
default: nova
resources:
cvt:
type: OS::Nova::HostAggregate
properties:
name: aggregate_test
availability_zone: {get_param: az}
"""
scenarios = [
('r_nova_flavor', dict(
stack_name='s_nova_flavor',
template=fl_tmpl,
forbidden_r_type="OS::Nova::Flavor",
test_creation=True)),
('r_nova_host_aggregate', dict(
stack_name='s_nova_ost_aggregate',
template=host_aggr_tmpl,
forbidden_r_type="OS::Nova::HostAggregate",
test_creation=True)),
('r_cinder_vtype', dict(
stack_name='s_cinder_vtype',
template=cvt_tmpl,
forbidden_r_type="OS::Cinder::VolumeType",
test_creation=True)),
('r_cinder_vtype_encrypt', dict(
forbidden_r_type="OS::Cinder::EncryptedVolumeType",
test_creation=False)),
('r_neutron_qos', dict(
forbidden_r_type="OS::Neutron::QoSPolicy",
test_creation=False)),
('r_neutron_qos_bandwidth_limit', dict(
forbidden_r_type="OS::Neutron::QoSBandwidthLimitRule",
test_creation=False)),
('r_manila_share_type', dict(
forbidden_r_type="OS::Manila::ShareType",
test_creation=False))
]
def test_non_admin_forbidden_create_resources(self):
"""Fail to create resource w/o admin role.
Add resource_type-specific policies Heat's `policy.json` now can contain policies of the following schema: "resource_types:<resource_type>": "rule" This will allow cloud admins to control resource access utilizing user roles, names, tenants and any other oslo.policy-supported rules. Basic usage is to facilitate fail-early for stacks with resources that a given user will not be able to actually create due to role restrictions. Default policy is 'allow to everyone' (who has passed previous policy checks on REST API layer). Resource types that the user will not be able to use due to resources policy restrictions are hidden from `resource-type-list`. Current operations that are prohibited if the user does not pass policy check for a particular "forbidden" resource: - show resource type for forbidden resource type - show resource template for forbidden resource type - create a stack containing a forbidden resource - delete a stack containing a forbidden resource - update a stack that already has a forbidden resource - update a stack initroducing a new forbidden resource - restore a stack snapshot to a stack that currently has forbidden resource Not yet prohibited, need to be fixed: - restore a stack snapshot that will create a forbidden resource As first step (and for testing purposes) OS::Nova::Flavor is forbidden to create for non-admin users. Simple functional test using this resource is added. Change-Id: I337306c4f1624552a2631e0ffbb43f0d3102813d Implements blueprint conditional-resource-exposure
2015-08-20 14:39:14 +00:00
Integration tests job runs as normal OpenStack user,
Adds default policy rule for resources limited to administrator Adds default policy rule for resources which are limited to administrator, to forbid non-admin to create these resources at the very start. Change-Id: I9e1ef86f0c44bce5bde3f9e26e1f2b9cb3aef06d Closes-Bug: #1582187
2016-05-17 16:55:45 +08:00
and the resources above are configured to require
Add resource_type-specific policies Heat's `policy.json` now can contain policies of the following schema: "resource_types:<resource_type>": "rule" This will allow cloud admins to control resource access utilizing user roles, names, tenants and any other oslo.policy-supported rules. Basic usage is to facilitate fail-early for stacks with resources that a given user will not be able to actually create due to role restrictions. Default policy is 'allow to everyone' (who has passed previous policy checks on REST API layer). Resource types that the user will not be able to use due to resources policy restrictions are hidden from `resource-type-list`. Current operations that are prohibited if the user does not pass policy check for a particular "forbidden" resource: - show resource type for forbidden resource type - show resource template for forbidden resource type - create a stack containing a forbidden resource - delete a stack containing a forbidden resource - update a stack that already has a forbidden resource - update a stack initroducing a new forbidden resource - restore a stack snapshot to a stack that currently has forbidden resource Not yet prohibited, need to be fixed: - restore a stack snapshot that will create a forbidden resource As first step (and for testing purposes) OS::Nova::Flavor is forbidden to create for non-admin users. Simple functional test using this resource is added. Change-Id: I337306c4f1624552a2631e0ffbb43f0d3102813d Implements blueprint conditional-resource-exposure
2015-08-20 14:39:14 +00:00
admin role in default policy file of Heat.
"""
Adds default policy rule for resources limited to administrator Adds default policy rule for resources which are limited to administrator, to forbid non-admin to create these resources at the very start. Change-Id: I9e1ef86f0c44bce5bde3f9e26e1f2b9cb3aef06d Closes-Bug: #1582187
2016-05-17 16:55:45 +08:00
if self.test_creation:
ex = self.assertRaises(exc.Forbidden,
self.client.stacks.create,
stack_name=self.stack_name,
template=self.template)
Encode exception message in tests assertIn is failing on exception messages as apparently they are bytes in Python3. Let's encode it before the check. Change-Id: I886a9458e72aa1ffdb2cc6dcf20331f468778032
2017-02-01 14:24:31 +01:00
self.assertIn(self.forbidden_r_type, ex.message.decode('utf-8'))
Add resource_type-specific policies Heat's `policy.json` now can contain policies of the following schema: "resource_types:<resource_type>": "rule" This will allow cloud admins to control resource access utilizing user roles, names, tenants and any other oslo.policy-supported rules. Basic usage is to facilitate fail-early for stacks with resources that a given user will not be able to actually create due to role restrictions. Default policy is 'allow to everyone' (who has passed previous policy checks on REST API layer). Resource types that the user will not be able to use due to resources policy restrictions are hidden from `resource-type-list`. Current operations that are prohibited if the user does not pass policy check for a particular "forbidden" resource: - show resource type for forbidden resource type - show resource template for forbidden resource type - create a stack containing a forbidden resource - delete a stack containing a forbidden resource - update a stack that already has a forbidden resource - update a stack initroducing a new forbidden resource - restore a stack snapshot to a stack that currently has forbidden resource Not yet prohibited, need to be fixed: - restore a stack snapshot that will create a forbidden resource As first step (and for testing purposes) OS::Nova::Flavor is forbidden to create for non-admin users. Simple functional test using this resource is added. Change-Id: I337306c4f1624552a2631e0ffbb43f0d3102813d Implements blueprint conditional-resource-exposure
2015-08-20 14:39:14 +00:00
def test_forbidden_resource_not_listed(self):
resources = self.client.resource_types.list()
Adds default policy rule for resources limited to administrator Adds default policy rule for resources which are limited to administrator, to forbid non-admin to create these resources at the very start. Change-Id: I9e1ef86f0c44bce5bde3f9e26e1f2b9cb3aef06d Closes-Bug: #1582187
2016-05-17 16:55:45 +08:00
self.assertNotIn(self.forbidden_r_type,
Add resource_type-specific policies Heat's `policy.json` now can contain policies of the following schema: "resource_types:<resource_type>": "rule" This will allow cloud admins to control resource access utilizing user roles, names, tenants and any other oslo.policy-supported rules. Basic usage is to facilitate fail-early for stacks with resources that a given user will not be able to actually create due to role restrictions. Default policy is 'allow to everyone' (who has passed previous policy checks on REST API layer). Resource types that the user will not be able to use due to resources policy restrictions are hidden from `resource-type-list`. Current operations that are prohibited if the user does not pass policy check for a particular "forbidden" resource: - show resource type for forbidden resource type - show resource template for forbidden resource type - create a stack containing a forbidden resource - delete a stack containing a forbidden resource - update a stack that already has a forbidden resource - update a stack initroducing a new forbidden resource - restore a stack snapshot to a stack that currently has forbidden resource Not yet prohibited, need to be fixed: - restore a stack snapshot that will create a forbidden resource As first step (and for testing purposes) OS::Nova::Flavor is forbidden to create for non-admin users. Simple functional test using this resource is added. Change-Id: I337306c4f1624552a2631e0ffbb43f0d3102813d Implements blueprint conditional-resource-exposure
2015-08-20 14:39:14 +00:00
(r.resource_type for r in resources))
Copy Permalink