e9dfe5ddaa
This patch implements the project scoped rbac policies for a system and project scoped deployment of ironic. Because of the nature of Ports and Portgroups, along with the subcontroller resources, this change was a little more invasive than was originally anticipated. In that process, along with some discussion in the #openstack-ironic IRC channel, it was determined that it would be most security conscious to respond only with 404s if the user simply does not have access to the underlying node object. In essence, their view of the universe has been restricted as they have fewer access rights, and we appropriately enforce that. Not expecting that, or not consciously being aware of that, can quickly lead to confusion though. Possibly a day or more of Julia's life as well, but it comes down to perceptions and awareness. Change-Id: I68c5f2bae76ca313ba77285747dc6b1bc8b623b9
# A few ground rules for how these tests are formatted:
#
# Because role permissions cascade (admin has member and reader, etc.),
# it doesn't make sense to explicitly check if admin or member *CAN*
# read an endpoint. The reader check should validate that they can,
# unless there is a specific, somehow restricted endpoint. In those
# cases, explicit tests should be added, but we're not really aware
# of any at this time. The approach is otherwise a bit of a shotgun
# approach. We're attempting to test owner, lessee, and a third party
# project scoped admin token in an attempt to try and cover all of our
# cases and permutations.
#
# A few differences from the system scoped tests. Project scoped API
# requests should return different filtered views. This means we need
# to actually count the results when we're doing GET requests on main
# controller endpoints. Not a big deal, but it helps make sure things
# are behaving as expected.
#
# One note regarding return codes. Third party admin should mainly get
# 404 return codes as opposed to 403. Because their view is filtered,
# they can't find the resources to attempt to edit. This is a huge
# distinction because we also don't want to leak that something exists
# from a security point of view. If we don't return 404, and they get 403,
# they can determine that something is special, something is different,
# and from there try to determine *what* it is. The key in their case
# is the ID values, but they don't know that from the outside.
# This is also why third party admins should get 200s and empty lists;
# again, the database query should be filtered. Third party admin,
# in essence, serves as the primary negative test.
#
# Conventions. This file uses *can* and *cannot* along with the
# persona (an owner or lessee with admin, member, or reader rights,
# or a third party admin) in the test name to hopefully provide clear
# insight into *what* is and *what is not* allowed.

# Reference values only: skip_reason marks this mapping as fake values
# for YAML templating. The anchors (&name) defined here are what the
# test cases reuse through aliases (*name) for their request headers.
values:
  skip_reason: "These are fake reference values for YAML templating"
  # Project scoped admin token
  owner_admin_headers: &owner_admin_headers
    X-Auth-Token: 'owner-admin-token'
    X-Roles: admin,member,reader
    X-Project-Id: 70e5e25a-2ca2-4cb1-8ae8-7d8739cee205
  # Project scoped other member token.
  owner_member_headers: &owner_member_headers
    X-Auth-Token: 'owner-member-token'
    X-Roles: member,reader
    X-Project-Id: 70e5e25a-2ca2-4cb1-8ae8-7d8739cee205
  # Project scoped reader Token
  owner_reader_headers: &owner_reader_headers
    X-Auth-Token: 'owner-reader-token'
    X-Roles: reader
    X-Project-Id: 70e5e25a-2ca2-4cb1-8ae8-7d8739cee205
  # Lessee project personas: same three role sets, different project id.
  lessee_admin_headers: &lessee_admin_headers
    X-Auth-Token: 'lessee-admin-token'
    X-Project-Id: f11853c7-fa9c-4db3-a477-c9d8e0dbbf13
    X-Roles: admin,member,reader
  lessee_member_headers: &lessee_member_headers
    X-Auth-Token: 'lessee-member-token'
    X-Project-Id: f11853c7-fa9c-4db3-a477-c9d8e0dbbf13
    X-Roles: member,reader
  lessee_reader_headers: &lessee_reader_headers
    X-Auth-Token: 'lessee-reader-token'
    X-Project-Id: f11853c7-fa9c-4db3-a477-c9d8e0dbbf13
    X-Roles: reader
  # Admin of a third project that neither owns nor leases a node; this is
  # the persona used for the negative (404 / empty list) cases.
  third_party_admin_headers: &third_party_admin_headers
    X-Auth-Token: 'third-party-admin-token'
    X-Project-Id: ae64129e-b188-4662-b014-4127f4366ee6
    X-Roles: admin,member,reader
  owner_project_id: &owner_project_id 70e5e25a-2ca2-4cb1-8ae8-7d8739cee205
  lessee_project_id: &lessee_project_id f11853c7-fa9c-4db3-a477-c9d8e0dbbf13
  # NOTE(review): owned_node_ident carries the same UUID as
  # lessee_project_id, which looks like a copy/paste. The test paths use
  # {owner_node_ident}, {lessee_node_ident} and {node_ident}, which are
  # presumably substituted by the test harness rather than taken from
  # these anchors - confirm.
  owned_node_ident: &owned_node_ident f11853c7-fa9c-4db3-a477-c9d8e0dbbf13
  lessee_node_ident: &lessee_node_ident 38d5abed-c585-4fce-a57e-a2ffc2a2ec6f
# Nodes - https://docs.openstack.org/api-ref/baremetal/?expanded=#nodes-nodes

# NOTE(review): every POST case in this block expects 500, not 403. A 500
# is also what an unrelated server-side failure produces, so these cases
# do not by themselves show that policy rejected the request - confirm
# that 500 is the intended outcome for project scoped callers.

# Based on nodes_post_admin test.
owner_admin_cannot_post_nodes:
  path: '/v1/nodes'
  method: post
  headers: *owner_admin_headers
  # Shared request body, reused by the other POST cases via *node_post_body.
  body: &node_post_body
    name: node
    driver: fake-driverz
  assert_status: 500

lessee_admin_cannot_post_nodes:
  path: '/v1/nodes'
  method: post
  headers: *lessee_admin_headers
  body: *node_post_body
  assert_status: 500

third_party_admin_cannot_post_nodes:
  path: '/v1/nodes'
  method: post
  headers: *third_party_admin_headers
  body: *node_post_body
  assert_status: 500

# Based on nodes_post_member
owner_member_cannot_post_nodes:
  path: '/v1/nodes'
  method: post
  headers: *owner_member_headers
  body: *node_post_body
  assert_status: 500

# Based on nodes_post_reader
# NOTE(review): the key ends in "_post_reader" where the siblings end in
# "_post_nodes"; presumably a naming slip. Key left as is because it is
# the test identifier.
owner_reader_cannot_post_reader:
  path: '/v1/nodes'
  method: post
  headers: *owner_reader_headers
  body: *node_post_body
  assert_status: 500
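# Based on nodes_get_admin
# TODO: Create 3 nodes, 2 owned, 1 leased where it is also owned.
# List responses are filtered per project, so each case pins the number
# of nodes returned as well as the status code.
owner_admin_can_get_node:
  path: '/v1/nodes'
  method: get
  headers: *owner_admin_headers
  assert_list_length:
    nodes: 2
  assert_status: 200

owner_member_can_get_node:
  path: '/v1/nodes'
  method: get
  headers: *owner_member_headers
  assert_list_length:
    nodes: 2
  assert_status: 200

owner_reader_can_get_node:
  path: '/v1/nodes'
  method: get
  headers: *owner_reader_headers
  assert_list_length:
    nodes: 1
  assert_status: 200

# The lessee cases send the headers of the persona named in the key, so
# the admin and member role sets are exercised and not only reader.
lessee_admin_can_get_node:
  path: '/v1/nodes'
  method: get
  headers: *lessee_admin_headers
  assert_list_length:
    nodes: 1
  assert_status: 200

lessee_member_can_get_node:
  path: '/v1/nodes'
  method: get
  headers: *lessee_member_headers
  assert_list_length:
    nodes: 1
  assert_status: 200

lessee_reader_can_get_node:
  path: '/v1/nodes'
  method: get
  headers: *lessee_reader_headers
  assert_list_length:
    nodes: 1
  assert_status: 200

# Tests that no nodes are associated and thus the API
# should return an empty list.
third_party_admin_cannot_get_node:
  path: '/v1/nodes'
  method: get
  headers: *third_party_admin_headers
  assert_list_length:
    nodes: 0
  assert_status: 200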
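# Based on nodes_get_node_admin
# Single-node GETs: 200 for a node the persona can see, 404 (not 403) for
# one it cannot, so the response does not reveal that the node exists.

owner_reader_can_get_their_node:
  path: '/v1/nodes/{owner_node_ident}'
  method: get
  headers: *owner_reader_headers
  assert_status: 200

owner_reader_cannot_get_other_node:
  # Not the owner's node, one they cannot
  # see.
  path: '/v1/nodes/{node_ident}'
  method: get
  headers: *owner_reader_headers
  assert_status: 404

lessee_reader_can_get_their_node:
  path: '/v1/nodes/{lessee_node_ident}'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200

lessee_reader_cant_get_other_node:
  # Not the lessee's node, one which
  # exists but that they cannot see.
  path: '/v1/nodes/{node_ident}'
  method: get
  # Lessee reader headers: with the owner reader headers this case would
  # only repeat owner_reader_cannot_get_other_node.
  headers: *lessee_reader_headers
  assert_status: 404

third_party_admin_cant_get_node:
  path: '/v1/nodes/{node_ident}'
  method: get
  # Third party headers, so the negative persona is the one being tested.
  headers: *third_party_admin_headers
  assert_status: 404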
# Node body filter thresholds before detailed listing
# Represents checks for baremetal:node:get:filter_threshold
# which means anyone who is NOT a SYSTEM_READER by default
# will have additional checks examine if they can view fields.

# The owner reader is expected to get the stored values back; the only
# masked entry is fake_password inside driver_info.
owner_reader_can_get_restricted_fields:
  path: '/v1/nodes/{owner_node_ident}'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  assert_dict_contains:
    last_error: 'meow'
    reservation: 'lolcats'
    driver_internal_info:
      private_state: "secret value"
    driver_info:
      foo: "bar"
      fake_password: "******"

# The lessee reader still gets a 200, but each restricted field is
# expected to hold a redaction message naming the missing permission.
lessee_reader_cannot_get_restricted_fields:
  path: '/v1/nodes/{lessee_node_ident}'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  assert_dict_contains:
    last_error: "** Value Redacted - Requires baremetal:node:get:last_error permission. **"
    reservation: "** Redacted - requires baremetal:node:get:reservation permission. **"
    driver_internal_info:
      content: '** Redacted - Requires baremetal:node:get:driver_internal_info permission. **'
    driver_info:
      content: '** Redacted - requires baremetal:node:get:driver_info permission. **'

# Detailed listing: same per-project counts as the plain node list.
owner_reader_can_get_detail:
  path: '/v1/nodes/detail'
  method: get
  headers: *owner_reader_headers
  assert_list_length:
    nodes: 2
  assert_status: 200

lessee_reader_can_get_detail:
  path: '/v1/nodes/detail'
  method: get
  headers: *lessee_reader_headers
  assert_list_length:
    nodes: 1
  assert_status: 200

third_party_admin_cannot_get_detail:
  path: '/v1/nodes/detail'
  method: get
  headers: *third_party_admin_headers
  assert_list_length:
    nodes: 0
  assert_status: 200
# Node /extra is baremetal:node:update_extra
# In this block the permitted personas expect 503, readers expect 403 and
# the third party admin expects 404.
# NOTE(review): 503 presumably means the request passed policy and then
# reached the mocked conductor - confirm.

owner_admin_can_patch_node_extra:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_admin_headers
  # Shared JSON patch document, reused below via *extra_patch.
  body: &extra_patch
    - op: replace
      path: /extra
      value: {'test': 'testing'}
  assert_status: 503

owner_member_can_patch_node_extra:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_member_headers
  body: *extra_patch
  assert_status: 503

owner_reader_cannot_patch_node_extra:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_reader_headers
  body: *extra_patch
  assert_status: 403

lessee_admin_can_patch_node_extra:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_admin_headers
  body: *extra_patch
  assert_status: 503

lessee_member_can_patch_node_extra:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_member_headers
  body: *extra_patch
  assert_status: 503

lessee_reader_cannot_patch_node_extra:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_reader_headers
  body: *extra_patch
  assert_status: 403

third_party_admin_cannot_patch_node_extra:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *third_party_admin_headers
  body: *extra_patch
  assert_status: 404
# Field-level PATCH cases for the owner project, plus the owner/lessee
# reassignment cases.
owner_admin_can_change_drivers:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_admin_headers
  body:
    - op: replace
      path: /driver
      value: fake-hardware
    - op: replace
      path: /power_interface
      value: fake
  assert_status: 503

owner_member_can_patch_all_the_things:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_member_headers
  body: &patch_all_the_things
    - op: replace
      path: /instance_info
      value: {'test': 'testing'}
    - op: replace
      path: /driver_info
      value: {'test': 'testing'}
    - op: replace
      path: /properties
      value: {'test': 'testing'}
    - op: replace
      path: /network_data
      value:
        links: []
        networks: []
        services: []
    - op: replace
      path: /name
      value: 'meow-node-1'
    - op: replace
      path: /retired
      value: true
    - op: replace
      path: /retired_reason
      value: "43"
  assert_status: 503

# NOTE(review): the key names the owner *member*, but the request is sent
# with the owner admin headers, so the member role set is not exercised
# here. Whether a member is meant to get 503 or 403 cannot be told from
# this file - confirm against the lessee update policy before changing.
owner_member_can_change_lessee:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_admin_headers
  body:
    - op: replace
      path: /lessee
      value: "198566a5-a609-4463-9800-e8920be7c2fa"
  assert_status: 503

lessee_admin_cannot_change_lessee:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_admin_headers
  body:
    - op: replace
      path: /lessee
      value: "1234"
  assert_status: 403

lessee_admin_cannot_change_owner:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_admin_headers
  body:
    - op: replace
      path: /owner
      value: "1234"
  assert_status: 403

owner_admin_can_change_lessee:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_admin_headers
  body:
    - op: replace
      path: /lessee
      value: "1234"
  assert_status: 503

owner_admin_cannot_change_owner:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_admin_headers
  body:
    - op: replace
      path: /owner
      value: "1234"
  assert_status: 403
# This is not an explicitly restricted item, it falls
# to generalized update capability, which oddly makes
# a lot of sense in this case. It is a flag to prevent
# accidental erasure/removal of the node.

lessee_member_can_set_protected:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_member_headers
  body:
    - op: replace
      path: /protected
      value: true
  assert_status: 503

# The remaining lessee member cases each patch one restricted field (or
# field pair) and expect 403.
lessee_member_cannot_patch_instance_info:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_member_headers
  body:
    - op: replace
      path: /instance_info
      value: {'test': 'testing'}
  assert_status: 403

lessee_member_cannot_patch_driver_info:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_member_headers
  body:
    - op: replace
      path: /driver_info
      value: {'test': 'testing'}
  assert_status: 403

lessee_member_cannot_patch_properties:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_member_headers
  body:
    - op: replace
      path: /properties
      value: {'test': 'testing'}
  assert_status: 403

lessee_member_cannot_patch_network_data:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_member_headers
  body:
    - op: replace
      path: /network_data
      value:
        links: []
        networks: []
        services: []
  assert_status: 403

lessee_member_cannot_patch_name:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_member_headers
  body:
    - op: replace
      path: /name
      value: 'meow-node-1'
  assert_status: 403

lessee_member_cannot_patch_retired:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_member_headers
  body:
    - op: replace
      path: /retired
      value: true
    - op: replace
      path: /retired_reason
      value: "43"
  assert_status: 403
# PATCH of /instance_info per persona.
# NOTE(review): owner_reader_can_patch_node_instance_info and
# lessee_reader_can_patch_node_instance_info say "can" in the key but
# expect 403, i.e. they are "cannot" cases. Keys left as is because they
# are the test identifiers.
owner_admin_can_patch_node_instance_info:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_admin_headers
  body: &instance_info_patch
    - op: replace
      path: /instance_info
      value: {'test': 'testing'}
  assert_status: 503

owner_member_can_patch_node_instance_info:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_member_headers
  body: *instance_info_patch
  assert_status: 503

owner_reader_can_patch_node_instance_info:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *owner_reader_headers
  body: *instance_info_patch
  assert_status: 403

lessee_admin_can_patch_node_instance_info:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_admin_headers
  body: *instance_info_patch
  assert_status: 503

lessee_member_cannot_patch_node_instance_info:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_member_headers
  body: *instance_info_patch
  assert_status: 403

lessee_reader_can_patch_node_instance_info:
  path: '/v1/nodes/{lessee_node_ident}'
  method: patch
  headers: *lessee_reader_headers
  body: *instance_info_patch
  assert_status: 403

third_party_admin_cannot_patch_node_instance_info:
  path: '/v1/nodes/{owner_node_ident}'
  method: patch
  headers: *third_party_admin_headers
  body: *instance_info_patch
  assert_status: 404
# Node deletion: project admins that can see the node expect 403, the
# third party admin expects 404.
owner_admin_cannot_delete_nodes:
  path: '/v1/nodes/{owner_node_ident}'
  method: delete
  headers: *owner_admin_headers
  assert_status: 403

lessee_admin_cannot_delete_nodes:
  path: '/v1/nodes/{lessee_node_ident}'
  method: delete
  headers: *lessee_admin_headers
  assert_status: 403

third_party_admin_cannot_delete_nodes:
  path: '/v1/nodes/{owner_node_ident}'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 404

# TODO(TheJulia): Specific field restrictions based on permissions,
# are in the spec, but still need to be implemented test wise.
# We should likely do that *AS* we put that code in.
# Node Management - https://docs.openstack.org/api-ref/baremetal/?expanded=#node-management-nodes
# NOTE(TheJulia): Most management methods call into the conductor as they
# require a task, which means they generally return 503 when the conductor
# is mocked.

owner_admin_can_validate_node:
  path: '/v1/nodes/{owner_node_ident}/validate'
  method: get
  headers: *owner_admin_headers
  assert_status: 503

lessee_admin_can_validate_node:
  path: '/v1/nodes/{lessee_node_ident}/validate'
  method: get
  headers: *lessee_admin_headers
  assert_status: 503

# NOTE(review): the key names the owner *member*, but the owner admin
# headers are sent, which makes this a repeat of
# owner_admin_can_validate_node. The expected status for a member cannot
# be told from this file - confirm against the validate policy before
# switching the headers.
owner_member_can_validate_node:
  path: '/v1/nodes/{owner_node_ident}/validate'
  method: get
  headers: *owner_admin_headers
  assert_status: 503

lessee_member_cannot_validate_node:
  path: '/v1/nodes/{lessee_node_ident}/validate'
  method: get
  headers: *lessee_member_headers
  assert_status: 403

third_party_admin_cannot_validate_node:
  path: '/v1/nodes/{owner_node_ident}/validate'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
# Maintenance flag: PUT sets it, DELETE clears it.
owner_admin_can_set_maintenance:
  path: '/v1/nodes/{owner_node_ident}/maintenance'
  method: put
  headers: *owner_admin_headers
  assert_status: 503

# should we really allow this? they could desync with nova if they can do this...
lessee_admin_can_set_maintenance:
  path: '/v1/nodes/{lessee_node_ident}/maintenance'
  method: put
  headers: *lessee_admin_headers
  assert_status: 503

owner_member_can_set_maintenance:
  path: '/v1/nodes/{owner_node_ident}/maintenance'
  method: put
  headers: *owner_member_headers
  assert_status: 503

lessee_member_cannot_set_maintenance:
  path: '/v1/nodes/{lessee_node_ident}/maintenance'
  method: put
  headers: *lessee_member_headers
  assert_status: 403

third_party_admin_cannot_set_maintenance:
  path: '/v1/nodes/{owner_node_ident}/maintenance'
  method: put
  headers: *third_party_admin_headers
  assert_status: 404

owner_admin_can_unset_maintenance:
  path: '/v1/nodes/{owner_node_ident}/maintenance'
  method: delete
  headers: *owner_admin_headers
  assert_status: 503

lessee_admin_can_unset_maintenance:
  path: '/v1/nodes/{lessee_node_ident}/maintenance'
  method: delete
  headers: *lessee_admin_headers
  assert_status: 503

# NOTE(review): "maintnenance" in the key is a misspelling; left as is
# because the key is the test identifier.
owner_member_can_unset_maintnenance:
  path: '/v1/nodes/{owner_node_ident}/maintenance'
  method: delete
  headers: *owner_member_headers
  assert_status: 503

lessee_member_cannot_unset_maintenance:
  path: '/v1/nodes/{lessee_node_ident}/maintenance'
  method: delete
  headers: *lessee_member_headers
  assert_status: 403

third_party_admin_cannot_unset_maintenance:
  path: '/v1/nodes/{node_ident}/maintenance'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 404
# Get/set supported boot devices
# In this block only the owner admin expects 503; every other owner or
# lessee persona expects 403 and the third party admin expects 404.

owner_admin_can_set_boot_device:
  path: '/v1/nodes/{owner_node_ident}/management/boot_device'
  method: put
  headers: *owner_admin_headers
  body: &boot_device_body
    boot_device: pxe
  assert_status: 503

lessee_admin_cannot_set_boot_device:
  path: '/v1/nodes/{lessee_node_ident}/management/boot_device'
  method: put
  headers: *lessee_admin_headers
  body: *boot_device_body
  assert_status: 403

owner_member_cannot_set_boot_device:
  path: '/v1/nodes/{owner_node_ident}/management/boot_device'
  method: put
  headers: *owner_member_headers
  body: *boot_device_body
  assert_status: 403

lessee_member_cannot_set_boot_device:
  path: '/v1/nodes/{lessee_node_ident}/management/boot_device'
  method: put
  headers: *lessee_member_headers
  body: *boot_device_body
  assert_status: 403

third_party_admin_cannot_set_boot_device:
  path: '/v1/nodes/{owner_node_ident}/management/boot_device'
  method: put
  headers: *third_party_admin_headers
  body: *boot_device_body
  assert_status: 404

owner_admin_can_get_boot_device:
  path: '/v1/nodes/{owner_node_ident}/management/boot_device'
  method: get
  headers: *owner_admin_headers
  assert_status: 503

# NOTE(review): the key names the lessee *admin*, but the lessee member
# headers are sent, which makes this identical to
# lessee_member_cannot_get_boot_device; the admin role set is never
# checked against GET boot_device. The sibling lessee admin cases (set,
# supported) expect 403, so 403 is presumably right for admin too -
# confirm, then switch to *lessee_admin_headers.
lessee_admin_cannot_get_boot_device:
  path: '/v1/nodes/{lessee_node_ident}/management/boot_device'
  method: get
  headers: *lessee_member_headers
  assert_status: 403

owner_member_cannot_get_boot_device:
  path: '/v1/nodes/{owner_node_ident}/management/boot_device'
  method: get
  headers: *owner_member_headers
  assert_status: 403

lessee_member_cannot_get_boot_device:
  path: '/v1/nodes/{lessee_node_ident}/management/boot_device'
  method: get
  headers: *lessee_member_headers
  assert_status: 403

owner_reader_cannot_get_boot_device:
  path: '/v1/nodes/{owner_node_ident}/management/boot_device'
  method: get
  headers: *owner_reader_headers
  assert_status: 403

lessee_reader_cannot_get_boot_device:
  path: '/v1/nodes/{lessee_node_ident}/management/boot_device'
  method: get
  headers: *lessee_reader_headers
  assert_status: 403

third_party_admin_cannot_get_boot_device:
  path: '/v1/nodes/{node_ident}/management/boot_device'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404

owner_admin_can_get_supported_boot_devices:
  path: '/v1/nodes/{owner_node_ident}/management/boot_device/supported'
  method: get
  headers: *owner_admin_headers
  assert_status: 503

owner_member_cannot_get_supported_boot_devices:
  path: '/v1/nodes/{owner_node_ident}/management/boot_device/supported'
  method: get
  headers: *owner_member_headers
  assert_status: 403

lessee_admin_cannot_get_supported_boot_devices:
  path: '/v1/nodes/{lessee_node_ident}/management/boot_device/supported'
  method: get
  headers: *lessee_admin_headers
  assert_status: 403

third_party_admin_cannot_get_supported_boot_devices:
  path: '/v1/nodes/{owner_node_ident}/management/boot_device/supported'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
# Non masking interrupt
# PUT to management/inject_nmi with an empty body.

owner_admin_can_send_non_masking_interrupt:
  path: '/v1/nodes/{owner_node_ident}/management/inject_nmi'
  method: put
  headers: *owner_admin_headers
  body: {}
  assert_status: 503

lessee_admin_cannot_send_non_masking_interrupt:
  path: '/v1/nodes/{lessee_node_ident}/management/inject_nmi'
  method: put
  headers: *lessee_admin_headers
  body: {}
  assert_status: 403

third_party_admin_cannot_send_non_masking_interrupt:
  path: '/v1/nodes/{node_ident}/management/inject_nmi'
  method: put
  headers: *third_party_admin_headers
  body: {}
  assert_status: 404
# States

# NOTE(review): the key names the owner *reader*, but the owner admin
# headers are sent, so this does not show that a reader-only token can
# read /states. Presumably *owner_reader_headers was intended - confirm
# the expected status before switching.
owner_reader_get_states:
  path: '/v1/nodes/{owner_node_ident}/states'
  method: get
  headers: *owner_admin_headers
  assert_status: 200

lessee_reader_get_states:
  path: '/v1/nodes/{lessee_node_ident}/states'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200

# NOTE(review): "third_part" in the key is a misspelling of "third_party";
# left as is because the key is the test identifier.
third_part_admin_cannot_get_states:
  path: '/v1/nodes/{node_ident}/states'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
# Power states
# Admin and member of both projects expect 503, readers expect 403 and
# the third party admin expects 404.

owner_admin_can_put_power_state_change:
  path: '/v1/nodes/{owner_node_ident}/states/power'
  method: put
  headers: *owner_admin_headers
  body: &power_body
    target: "power on"
  assert_status: 503

lessee_admin_can_put_power_state_change:
  path: '/v1/nodes/{lessee_node_ident}/states/power'
  method: put
  headers: *lessee_admin_headers
  body: *power_body
  assert_status: 503

owner_member_can_put_power_state_change:
  path: '/v1/nodes/{owner_node_ident}/states/power'
  method: put
  headers: *owner_member_headers
  body: *power_body
  assert_status: 503

lessee_member_can_put_power_state_change:
  path: '/v1/nodes/{lessee_node_ident}/states/power'
  method: put
  headers: *lessee_member_headers
  body: *power_body
  assert_status: 503

owner_reader_cannot_put_power_state_change:
  path: '/v1/nodes/{owner_node_ident}/states/power'
  method: put
  headers: *owner_reader_headers
  body: *power_body
  assert_status: 403

lessee_reader_cannot_put_power_state_change:
  path: '/v1/nodes/{lessee_node_ident}/states/power'
  method: put
  headers: *lessee_reader_headers
  body: *power_body
  assert_status: 403

third_party_admin_cannot_put_power_state_change:
  path: '/v1/nodes/{node_ident}/states/power'
  method: put
  headers: *third_party_admin_headers
  body: *power_body
  assert_status: 404
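# Provision states

owner_admin_can_change_provision_state:
  path: '/v1/nodes/{owner_node_ident}/states/provision'
  method: put
  headers: *owner_admin_headers
  body: &provision_body
    target: deploy
  assert_status: 503

owner_member_can_change_provision_state:
  path: '/v1/nodes/{owner_node_ident}/states/provision'
  method: put
  headers: *owner_member_headers
  body: *provision_body
  assert_status: 503

lessee_admin_can_change_provision_state:
  path: '/v1/nodes/{lessee_node_ident}/states/provision'
  method: put
  headers: *lessee_admin_headers
  body: *provision_body
  assert_status: 503

lessee_member_cannot_change_provision_state:
  path: '/v1/nodes/{lessee_node_ident}/states/provision'
  method: put
  headers: *lessee_member_headers
  body: *provision_body
  assert_status: 403

third_party_admin_cannot_change_provision_state:
  path: '/v1/nodes/{owner_node_ident}/states/provision'
  method: put
  # Third party headers, so the 404 is asserted for the persona named in
  # the key rather than for the lessee member.
  headers: *third_party_admin_headers
  body: *provision_body
  assert_status: 404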
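# Raid configuration

owner_admin_can_set_raid_config:
  path: '/v1/nodes/{owner_node_ident}/states/raid'
  method: put
  headers: *owner_admin_headers
  body: &raid_body
    target_raid_config:
      logical_disks:
        - size_gb: 500
          is_root_volume: true
          raid_level: 1
  assert_status: 503

lessee_admin_cannot_set_raid_config:
  path: '/v1/nodes/{lessee_node_ident}/states/raid'
  method: put
  headers: *lessee_admin_headers
  body: *raid_body
  assert_status: 403

# NOTE(review): this owner case targets {lessee_node_ident}; presumably
# the leased node is also owned by the owner project (see the TODO on the
# node list tests) - confirm.
owner_member_can_set_raid_config:
  path: '/v1/nodes/{lessee_node_ident}/states/raid'
  method: put
  headers: *owner_member_headers
  body: *raid_body
  assert_status: 503

lessee_member_cannot_set_raid_config:
  path: '/v1/nodes/{lessee_node_ident}/states/raid'
  method: put
  # Lessee member headers: with the admin headers this case would only
  # repeat lessee_admin_cannot_set_raid_config.
  headers: *lessee_member_headers
  body: *raid_body
  assert_status: 403

third_party_admin_cannot_set_raid_config:
  path: '/v1/nodes/{lessee_node_ident}/states/raid'
  method: put
  headers: *third_party_admin_headers
  body: *raid_body
  assert_status: 404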
# Console
# Owner admin and member expect 503 for both GET and PUT; lessee personas
# and readers expect 403; the third party admin expects 404.

owner_admin_can_get_console:
  path: '/v1/nodes/{owner_node_ident}/states/console'
  method: get
  headers: *owner_admin_headers
  assert_status: 503

lessee_admin_cannot_get_console:
  path: '/v1/nodes/{lessee_node_ident}/states/console'
  method: get
  headers: *lessee_admin_headers
  assert_status: 403

owner_member_can_get_console:
  path: '/v1/nodes/{owner_node_ident}/states/console'
  method: get
  headers: *owner_member_headers
  assert_status: 503

lessee_member_cannot_get_console:
  path: '/v1/nodes/{lessee_node_ident}/states/console'
  method: get
  headers: *lessee_member_headers
  assert_status: 403

owner_reader_cannot_get_console:
  path: '/v1/nodes/{owner_node_ident}/states/console'
  method: get
  headers: *owner_reader_headers
  assert_status: 403

lessee_reader_cannot_get_console:
  path: '/v1/nodes/{lessee_node_ident}/states/console'
  method: get
  headers: *lessee_reader_headers
  assert_status: 403

third_party_admin_cannot_get_console:
  path: '/v1/nodes/{lessee_node_ident}/states/console'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404

owner_admin_can_set_console:
  path: '/v1/nodes/{owner_node_ident}/states/console'
  method: put
  headers: *owner_admin_headers
  body: &console_body_put
    enabled: true
  assert_status: 503

lessee_admin_cannot_set_console:
  path: '/v1/nodes/{lessee_node_ident}/states/console'
  method: put
  headers: *lessee_admin_headers
  body: *console_body_put
  assert_status: 403

owner_member_can_set_console:
  path: '/v1/nodes/{owner_node_ident}/states/console'
  method: put
  headers: *owner_member_headers
  body: *console_body_put
  assert_status: 503

lessee_member_cannot_set_console:
  path: '/v1/nodes/{lessee_node_ident}/states/console'
  method: put
  headers: *lessee_member_headers
  body: *console_body_put
  assert_status: 403
# Vendor Passthru - https://docs.openstack.org/api-ref/baremetal/?expanded=#node-vendor-passthru-nodes

# owner/lessee vendor passthru methods inaccessible

# Based on nodes_vendor_passthru_methods_*
# Every owner and lessee persona expects 403 when listing the methods.

owner_admin_cannot_get_vendor_passthru_methods:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru/methods'
  method: get
  headers: *owner_admin_headers
  assert_status: 403

owner_member_cannot_get_vendor_passthru_methods:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru/methods'
  method: get
  headers: *owner_member_headers
  assert_status: 403

owner_reader_cannot_get_vendor_passthru_methods:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru/methods'
  method: get
  headers: *owner_reader_headers
  assert_status: 403

lessee_admin_cannot_get_vendor_passthru_methods:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru/methods'
  method: get
  headers: *lessee_admin_headers
  assert_status: 403

lessee_member_cannot_get_vendor_passthru_methods:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru/methods'
  method: get
  headers: *lessee_member_headers
  assert_status: 403

lessee_reader_cannot_get_vendor_passthru_methods:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru/methods'
  method: get
  headers: *lessee_reader_headers
  assert_status: 403
# Get vendor passthru method tests
# GET on vendor_passthru?method=test; every owner and lessee persona
# expects 403.
owner_admin_cannot_get_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: get
  headers: *owner_admin_headers
  assert_status: 403

owner_member_cannot_get_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: get
  headers: *owner_member_headers
  assert_status: 403

owner_reader_cannot_get_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: get
  headers: *owner_reader_headers
  assert_status: 403

lessee_admin_cannot_get_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: get
  headers: *lessee_admin_headers
  assert_status: 403

lessee_member_cannot_get_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: get
  headers: *lessee_member_headers
  assert_status: 403

lessee_reader_cannot_get_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: get
  headers: *lessee_reader_headers
  assert_status: 403
# Post vendor passthru method tests

# POST on a passthru method is expected to return 403 for all six
# project-scoped role/node combinations. No request body is sent.
owner_admin_cannot_post_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: post
  headers: *owner_admin_headers
  assert_status: 403

owner_member_cannot_post_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: post
  headers: *owner_member_headers
  assert_status: 403

owner_reader_cannot_post_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: post
  headers: *owner_reader_headers
  assert_status: 403

lessee_admin_cannot_post_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: post
  headers: *lessee_admin_headers
  assert_status: 403

lessee_member_cannot_post_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: post
  headers: *lessee_member_headers
  assert_status: 403

lessee_reader_cannot_post_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: post
  headers: *lessee_reader_headers
  assert_status: 403
|
|
|
|
# Put vendor passthru method tests

# PUT on a passthru method is expected to return 403 for all six
# project-scoped role/node combinations. No request body is sent.
owner_admin_cannot_put_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: put
  headers: *owner_admin_headers
  assert_status: 403

owner_member_cannot_put_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: put
  headers: *owner_member_headers
  assert_status: 403

owner_reader_cannot_put_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: put
  headers: *owner_reader_headers
  assert_status: 403

lessee_admin_cannot_put_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: put
  headers: *lessee_admin_headers
  assert_status: 403

lessee_member_cannot_put_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: put
  headers: *lessee_member_headers
  assert_status: 403

lessee_reader_cannot_put_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: put
  headers: *lessee_reader_headers
  assert_status: 403
|
|
|
|
# Delete vendor passthru methods tests

# DELETE on a passthru method is expected to return 403 for all six
# project-scoped role/node combinations.
owner_admin_cannot_delete_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: delete
  headers: *owner_admin_headers
  assert_status: 403

owner_member_cannot_delete_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: delete
  headers: *owner_member_headers
  assert_status: 403

owner_reader_cannot_delete_vendor_passthru:
  path: '/v1/nodes/{owner_node_ident}/vendor_passthru?method=test'
  method: delete
  headers: *owner_reader_headers
  assert_status: 403

lessee_admin_cannot_delete_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: delete
  headers: *lessee_admin_headers
  assert_status: 403

lessee_member_cannot_delete_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: delete
  headers: *lessee_member_headers
  assert_status: 403

lessee_reader_cannot_delete_vendor_passthru:
  path: '/v1/nodes/{lessee_node_ident}/vendor_passthru?method=test'
  method: delete
  headers: *lessee_reader_headers
  assert_status: 403
|
|
|
|
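# Node Traits - https://docs.openstack.org/api-ref/baremetal/#node-traits-nodes

# Readers of the owning and leasing projects may list traits (200). A third
# party project gets 404 rather than 403: per the change description, a
# caller with no access to the underlying node is answered as if the node
# did not exist.
owner_reader_get_traits:
  path: '/v1/nodes/{owner_node_ident}/traits'
  method: get
  headers: *owner_reader_headers
  assert_status: 200

lessee_reader_get_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200

third_party_admin_cannot_get_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404

# Replacing the trait list: only the owner admin case is expected to pass
# the policy check.
# NOTE(review): the "can" cases assert 503 rather than 2xx - presumably the
# policy check passed and the request failed later in the test harness;
# confirm against the file header.
owner_admin_can_put_traits:
  path: '/v1/nodes/{owner_node_ident}/traits'
  method: put
  headers: *owner_admin_headers
  assert_status: 503
  body: &traits_body
    traits:
      - CUSTOM_TRAIT1
      - HW_CPU_X86_VMX

owner_member_cannot_put_traits:
  path: '/v1/nodes/{owner_node_ident}/traits'
  method: put
  headers: *owner_member_headers
  assert_status: 403
  body: *traits_body

# Fixed: this case sent *owner_member_headers, so the lessee admin role
# named in the test was never exercised and a policy regression for that
# role would have gone unnoticed. 403 matches the sibling
# lessee_admin_cannot_delete_traits case.
lessee_admin_cannot_put_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits'
  method: put
  headers: *lessee_admin_headers
  assert_status: 403
  body: *traits_body

lessee_member_cannot_put_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits'
  method: put
  headers: *lessee_member_headers
  assert_status: 403
  body: *traits_body

third_party_admin_cannot_put_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits'
  method: put
  headers: *third_party_admin_headers
  assert_status: 404
  body: *traits_body

# Removing a single trait, same role matrix as the PUT cases above.
owner_admin_can_delete_traits:
  path: '/v1/nodes/{owner_node_ident}/traits/{trait}'
  method: delete
  headers: *owner_admin_headers
  assert_status: 503

owner_member_cannot_delete_traits:
  path: '/v1/nodes/{owner_node_ident}/traits/{trait}'
  method: delete
  headers: *owner_member_headers
  assert_status: 403

lessee_admin_cannot_delete_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits/{trait}'
  method: delete
  headers: *lessee_admin_headers
  assert_status: 403

lessee_member_cannot_delete_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits/{trait}'
  method: delete
  headers: *lessee_member_headers
  assert_status: 403

third_party_admin_cannot_delete_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits/{trait}'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 404

# Adding one custom trait. The two owner cases carry a skip_reason, so they
# currently assert nothing about the owner roles.
owner_admin_can_put_custom_traits:
  path: '/v1/nodes/{owner_node_ident}/traits/CUSTOM_TRAIT2'
  method: put
  headers: *owner_admin_headers
  assert_status: 503
  skip_reason: policy not implemented

owner_member_can_put_custom_traits:
  path: '/v1/nodes/{owner_node_ident}/traits/CUSTOM_TRAIT2'
  method: put
  headers: *owner_member_headers
  assert_status: 503
  skip_reason: policy not implemented

lessee_admin_cannot_put_custom_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits/CUSTOM_TRAIT2'
  method: put
  headers: *lessee_admin_headers
  assert_status: 403

lessee_member_cannot_put_custom_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits/CUSTOM_TRAIT2'
  method: put
  headers: *lessee_member_headers
  assert_status: 403

third_party_admin_cannot_put_custom_traits:
  path: '/v1/nodes/{lessee_node_ident}/traits/CUSTOM_TRAIT2'
  method: put
  headers: *third_party_admin_headers
  assert_status: 404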
|
|
|
|
# VIFS - https://docs.openstack.org/api-ref/baremetal/#vifs-virtual-interfaces-of-nodes
# TODO(TheJulia): VIFS will need fairly exhaustive testing given the use path.
# i.e. ensure user has rights to a vif and all.

# Based on nodes_vifs_* tests.

# NOTE(review): the permitted cases assert 503 rather than 2xx - presumably
# the policy check passed and the request failed later in the test harness;
# confirm against the file header.
owner_reader_get_vifs:
  path: '/v1/nodes/{owner_node_ident}/vifs'
  method: get
  headers: *owner_reader_headers
  assert_status: 503

lessee_reader_get_vifs:
  path: '/v1/nodes/{lessee_node_ident}/vifs'
  method: get
  headers: *lessee_reader_headers
  assert_status: 503

third_party_admin_cannot_get_vifs:
  path: '/v1/nodes/{owner_node_ident}/vifs'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404

owner_admin_can_post_vifs:
  path: '/v1/nodes/{owner_node_ident}/vifs'
  method: post
  headers: *owner_admin_headers
  assert_status: 503
  body: &vif_body
    id: 'ee21d58f-5de2-4956-85ff-33935ea1ca00'

lessee_admin_can_post_vifs:
  path: '/v1/nodes/{lessee_node_ident}/vifs'
  method: post
  headers: *lessee_admin_headers
  assert_status: 503
  body: *vif_body

# NOTE(review): named for the owner *member* but sends *owner_admin_headers,
# so it repeats owner_admin_can_post_vifs and the member role is untested.
# lessee_member_cannot_post_vifs expects 403, so the status a member token
# would get here is not obvious; decide the intended policy, then switch to
# *owner_member_headers.
owner_member_can_post_vifs:
  path: '/v1/nodes/{owner_node_ident}/vifs'
  method: post
  headers: *owner_admin_headers
  assert_status: 503
  body: *vif_body

lessee_member_cannot_post_vifs:
  path: '/v1/nodes/{lessee_node_ident}/vifs'
  method: post
  headers: *lessee_member_headers
  assert_status: 403
  body: *vif_body

owner_reader_cannot_post_vifs:
  path: '/v1/nodes/{owner_node_ident}/vifs'
  method: post
  headers: *owner_reader_headers
  assert_status: 403
  body: *vif_body

lessee_reader_cannot_post_vifs:
  path: '/v1/nodes/{lessee_node_ident}/vifs'
  method: post
  headers: *lessee_reader_headers
  assert_status: 403
  body: *vif_body

third_party_admin_cannot_post_vifs:
  path: '/v1/nodes/{owner_node_ident}/vifs'
  method: post
  headers: *third_party_admin_headers
  assert_status: 404
  body: *vif_body

owner_admin_delete_vifs:
  path: '/v1/nodes/{owner_node_ident}/vifs/{vif_ident}'
  method: delete
  headers: *owner_admin_headers
  assert_status: 503

lessee_admin_can_delete_vifs:
  path: '/v1/nodes/{lessee_node_ident}/vifs/{vif_ident}'
  method: delete
  headers: *lessee_admin_headers
  assert_status: 503

# NOTE(review): same mismatch as owner_member_can_post_vifs - the name says
# member, the headers are the owner admin's, so this duplicates
# owner_admin_delete_vifs.
owner_member_can_delete_vifs:
  path: '/v1/nodes/{owner_node_ident}/vifs/{vif_ident}'
  method: delete
  headers: *owner_admin_headers
  assert_status: 503

lessee_member_cannot_delete_vifs:
  path: '/v1/nodes/{lessee_node_ident}/vifs/{vif_ident}'
  method: delete
  headers: *lessee_member_headers
  assert_status: 403

third_party_admin_cannot_delete_vifs:
  path: '/v1/nodes/{owner_node_ident}/vifs/{vif_ident}'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 404
|
|
|
|
# Indicators - https://docs.openstack.org/api-ref/baremetal/#indicators-management
# NOTE(review): the permitted cases assert 503 rather than 2xx - presumably
# the policy check passed and the request failed later in the test harness;
# confirm against the file header.
owner_readers_can_get_indicators:
  path: '/v1/nodes/{owner_node_ident}/management/indicators'
  method: get
  headers: *owner_reader_headers
  assert_status: 503

lesse_readers_can_get_indicators:
  path: '/v1/nodes/{lessee_node_ident}/management/indicators'
  method: get
  headers: *lessee_reader_headers
  assert_status: 503

third_party_admin_cannot_get_indicators:
  path: '/v1/nodes/{owner_node_ident}/management/indicators'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404

# The two indicator-status reads are skipped, so they assert nothing today.
owner_reader_can_get_indicator_status:
  path: '/v1/nodes/{owner_node_ident}/management/indicators/{ind_component}/{ind_ident}'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  skip_reason: 'API appears to be broken and should be patched outside of this work.'

# NOTE(review): the name says the lessee reader is refused, yet the expected
# status is 200; settle which is intended before removing the skip.
lessee_reader_not_get_indicator_status:
  path: '/v1/nodes/{lessee_node_ident}/management/indicators/{ind_component}/{ind_ident}'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  skip_reason: 'API appears to be broken and should be patched outside of this work.'

owner_member_can_set_indicator:
  path: '/v1/nodes/{owner_node_ident}/management/indicators/{ind_component}/{ind_ident}'
  method: put
  headers: *owner_member_headers
  assert_status: 503

lessee_member_cannot_set_indicator:
  path: '/v1/nodes/{lessee_node_ident}/management/indicators/{ind_component}/{ind_ident}'
  method: put
  headers: *lessee_member_headers
  assert_status: 403

# NOTE(review): this is the only indicator case that uses {node_ident}
# instead of {owner_node_ident} or {lessee_node_ident}; check that the
# placeholder resolves to a node outside the caller's project, otherwise
# the 404 may come from the lookup and not from the access check.
third_party_admin_cannot_set_indicator:
  path: '/v1/nodes/{node_ident}/management/indicators/{ind_component}/{ind_ident}'
  method: put
  headers: *third_party_admin_headers
  assert_status: 404
|
|
|
|
# Portgroups - https://docs.openstack.org/api-ref/baremetal/#portgroups-portgroups

# Based on portgroups_* tests

# Listing is a filtered view: every project gets 200 and the list length
# shows how many portgroups it can see. The third party sees none.
owner_reader_can_list_portgroups:
  path: '/v1/portgroups'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  assert_list_length:
    portgroups: 2

lessee_reader_can_list_portgroups:
  path: '/v1/portgroups'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  assert_list_length:
    portgroups: 1

third_party_admin_cannot_list_portgroups:
  path: '/v1/portgroups'
  method: get
  headers: *third_party_admin_headers
  assert_status: 200
  assert_list_length:
    portgroups: 0

owner_reader_can_read_portgroup:
  path: '/v1/portgroups/{owner_portgroup_ident}'
  method: get
  headers: *owner_reader_headers
  assert_status: 200

lessee_reader_can_read_portgroup:
  path: '/v1/portgroups/{lessee_portgroup_ident}'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200

third_party_admin_cannot_read_portgroup:
  path: '/v1/portgroups/{owner_portgroup_ident}'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404

# NB: Ports have to be posted with a node UUID to associate to,
# so that seems policy-check-able.
owner_admin_can_add_portgroup:
  path: '/v1/portgroups'
  method: post
  headers: *owner_admin_headers
  body: &owner_portgroup_body
    node_uuid: '1ab63b9e-66d7-4cd7-8618-dddd0f9f7881'
  assert_status: 201

owner_member_cannot_add_portgroup:
  path: '/v1/portgroups'
  method: post
  headers: *owner_member_headers
  body: *owner_portgroup_body
  assert_status: 403

lessee_admin_cannot_add_portgroup:
  path: '/v1/portgroups'
  method: post
  headers: *lessee_admin_headers
  body: &lessee_portgroup_body
    node_uuid: '38d5abed-c585-4fce-a57e-a2ffc2a2ec6f'
  assert_status: 403

# TODO, likely will need separate port/port groups established for the tests

lessee_member_cannot_add_portgroup:
  path: '/v1/portgroups'
  method: post
  headers: *lessee_member_headers
  body: *lessee_portgroup_body
  assert_status: 403

# Creation by a third party is answered with 403, while its requests on an
# existing portgroup below are answered with 404.
third_party_admin_cannot_add_portgroup:
  path: '/v1/portgroups'
  method: post
  headers: *third_party_admin_headers
  body: *lessee_portgroup_body
  assert_status: 403

# NOTE(review): 503 on the permitted modify/delete cases presumably means
# the policy check passed and the request failed later in the test harness;
# confirm against the file header.
owner_admin_can_modify_portgroup:
  path: '/v1/portgroups/{owner_portgroup_ident}'
  method: patch
  headers: *owner_admin_headers
  body: &portgroup_patch_body
    - op: replace
      path: '/extra'
      value:
        test: testing
  assert_status: 503

owner_member_cannot_modify_portgroup:
  path: '/v1/portgroups/{owner_portgroup_ident}'
  method: patch
  headers: *owner_member_headers
  body: *portgroup_patch_body
  assert_status: 403

lessee_admin_cannot_modify_portgroup:
  path: '/v1/portgroups/{lessee_portgroup_ident}'
  method: patch
  headers: *lessee_admin_headers
  body: *portgroup_patch_body
  assert_status: 403

lessee_member_cannot_modify_portgroup:
  path: '/v1/portgroups/{lessee_portgroup_ident}'
  method: patch
  headers: *lessee_member_headers
  body: *portgroup_patch_body
  assert_status: 403

third_party_admin_cannot_modify_portgroup:
  path: '/v1/portgroups/{lessee_portgroup_ident}'
  method: patch
  headers: *third_party_admin_headers
  body: *portgroup_patch_body
  assert_status: 404

owner_admin_can_delete_portgroup:
  path: '/v1/portgroups/{owner_portgroup_ident}'
  method: delete
  headers: *owner_admin_headers
  assert_status: 503

owner_member_cannot_delete_portgroup:
  path: '/v1/portgroups/{owner_portgroup_ident}'
  method: delete
  headers: *owner_member_headers
  assert_status: 403

lessee_admin_cannot_delete_portgroup:
  path: '/v1/portgroups/{lessee_portgroup_ident}'
  method: delete
  headers: *lessee_admin_headers
  assert_status: 403

lessee_member_cannot_delete_portgroup:
  path: '/v1/portgroups/{lessee_portgroup_ident}'
  method: delete
  headers: *lessee_member_headers
  assert_status: 403

third_party_admin_cannot_delete_portgroup:
  path: '/v1/portgroups/{lessee_portgroup_ident}'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 404
|
|
|
|
# Portgroups by node - https://docs.openstack.org/api-ref/baremetal/#listing-portgroups-by-node-nodes-portgroups

# Node sub-resource listing: readers of the owning and leasing projects get
# 200, a third party gets 404 for the node itself.
owner_reader_can_get_node_portgroups:
  path: '/v1/nodes/{owner_node_ident}/portgroups'
  method: get
  headers: *owner_reader_headers
  assert_status: 200

lessee_reader_can_get_node_porgtroups:
  path: '/v1/nodes/{lessee_node_ident}/portgroups'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200

third_party_admin_cannot_get_portgroups:
  path: '/v1/nodes/{lessee_node_ident}/portgroups'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
|
|
|
|
# Ports - https://docs.openstack.org/api-ref/baremetal/#ports-ports

# Based on ports_* tests

# Listing is a filtered view: every project gets 200 and the list length
# shows how many ports it can see. The third party sees none.
owner_reader_can_list_ports:
  path: '/v1/ports'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  # Two ports owned, one on the leased node. 1 invisible.
  assert_list_length:
    ports: 3

lessee_reader_can_list_ports:
  path: '/v1/ports'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  assert_list_length:
    ports: 1

third_party_admin_cannot_list_ports:
  path: '/v1/ports'
  method: get
  headers: *third_party_admin_headers
  assert_status: 200
  assert_list_length:
    ports: 0

owner_reader_can_read_port:
  path: '/v1/ports/{owner_port_ident}'
  method: get
  headers: *owner_reader_headers
  assert_status: 200

lessee_reader_can_read_port:
  path: '/v1/ports/{lessee_port_ident}'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200

third_party_admin_cannot_read_port:
  path: '/v1/ports/{other_port_ident}'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404

# NB: Ports have to be posted with a node UUID to associate to,
# so that seems policy-check-able.
# MAC addresses are quoted so that no loader reads the colon-separated
# digits as anything other than a string.
# NOTE(review): 503 on the permitted cases presumably means the policy check
# passed and the request failed later in the test harness; confirm against
# the file header.
owner_admin_can_add_ports:
  path: '/v1/ports'
  method: post
  headers: *owner_admin_headers
  body: &owner_port_body
    node_uuid: '1ab63b9e-66d7-4cd7-8618-dddd0f9f7881'
    address: '00:01:02:03:04:05'
  assert_status: 503

# Cross-project check: the owner admin names a different node in the body
# and is refused.
owner_admin_cannot_add_ports_to_other_nodes:
  path: '/v1/ports'
  method: post
  headers: *owner_admin_headers
  body:
    node_uuid: '573208e5-cd41-4e26-8f06-ef44022b3793'
    address: '09:01:02:03:04:09'
  assert_status: 403

owner_member_cannot_add_port:
  path: '/v1/ports'
  method: post
  headers: *owner_member_headers
  body: *owner_port_body
  assert_status: 403

lessee_admin_cannot_add_port:
  path: '/v1/ports'
  method: post
  headers: *lessee_admin_headers
  body: &lessee_port_body
    node_uuid: '38d5abed-c585-4fce-a57e-a2ffc2a2ec6f'
    address: '00:01:02:03:04:05'
  assert_status: 403

lessee_member_cannot_add_port:
  path: '/v1/ports'
  method: post
  headers: *lessee_member_headers
  body: *lessee_port_body
  assert_status: 403

third_party_admin_cannot_add_port:
  path: '/v1/ports'
  method: post
  headers: *third_party_admin_headers
  body: *lessee_port_body
  assert_status: 403

owner_admin_can_modify_port:
  path: '/v1/ports/{owner_port_ident}'
  method: patch
  headers: *owner_admin_headers
  body: &port_patch_body
    - op: replace
      path: '/extra'
      value:
        test: testing
  assert_status: 503

owner_member_cannot_modify_port:
  path: '/v1/ports/{owner_port_ident}'
  method: patch
  headers: *owner_member_headers
  body: *port_patch_body
  assert_status: 403

lessee_admin_cannot_modify_port:
  path: '/v1/ports/{lessee_port_ident}'
  method: patch
  headers: *lessee_admin_headers
  body: *port_patch_body
  assert_status: 403

lessee_member_cannot_modify_port:
  path: '/v1/ports/{lessee_port_ident}'
  method: patch
  headers: *lessee_member_headers
  body: *port_patch_body
  assert_status: 403

third_party_admin_cannot_modify_port:
  path: '/v1/ports/{lessee_port_ident}'
  method: patch
  headers: *third_party_admin_headers
  body: *port_patch_body
  assert_status: 404

owner_admin_can_delete_port:
  path: '/v1/ports/{owner_port_ident}'
  method: delete
  headers: *owner_admin_headers
  assert_status: 503

owner_member_cannot_delete_port:
  path: '/v1/ports/{owner_port_ident}'
  method: delete
  headers: *owner_member_headers
  assert_status: 403

lessee_admin_cannot_delete_port:
  path: '/v1/ports/{lessee_port_ident}'
  method: delete
  headers: *lessee_admin_headers
  assert_status: 403

lessee_member_cannot_delete_port:
  path: '/v1/ports/{lessee_port_ident}'
  method: delete
  headers: *lessee_member_headers
  assert_status: 403

third_party_admin_cannot_delete_port:
  path: '/v1/ports/{lessee_port_ident}'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 404
|
|
|
|
# Ports by node - https://docs.openstack.org/api-ref/baremetal/#listing-ports-by-node-nodes-ports

# Per-node port listing: the list length is checked for the owning and
# leasing projects, and a third party gets 404 for the node itself.
owner_reader_can_get_node_ports:
  path: '/v1/nodes/{owner_node_ident}/ports'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  assert_list_length:
    ports: 2

lessee_reader_can_get_node_port:
  path: '/v1/nodes/{lessee_node_ident}/ports'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  assert_list_length:
    ports: 1

third_party_admin_cannot_get_ports:
  path: '/v1/nodes/{lessee_node_ident}/ports'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
|
|
|
|
# Ports by portgroup - https://docs.openstack.org/api-ref/baremetal/#listing-ports-by-portgroup-portgroup-ports

# Based on portgroups_ports_get* tests

# Readers of the owning and leasing projects get 200 on their own
# portgroup; the third party asks for {other_portgroup_ident} and gets 404.
owner_reader_can_get_ports_by_portgroup:
  path: '/v1/portgroups/{owner_portgroup_ident}/ports'
  method: get
  headers: *owner_reader_headers
  assert_status: 200

lessee_reader_can_get_ports_by_portgroup:
  path: '/v1/portgroups/{lessee_portgroup_ident}/ports'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200

third_party_admin_cannot_get_ports_by_portgroup:
  path: '/v1/portgroups/{other_portgroup_ident}/ports'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
|
|
|
|
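# Volume(s) - https://docs.openstack.org/api-ref/baremetal/#volume-volume
# TODO(TheJulia): volumes will likely need some level of exhaustive testing.
# i.e. ensure that the volume is permissible. However this may not be possible
# here.

# Volume connectors

# Every case in this section carries skip_reason "policy not implemented",
# so none of them asserts anything yet. The NOTE(review) items below should
# be settled before the skips are lifted; until then the expected statuses
# are placeholders.
owner_reader_can_list_volume_connectors:
  path: '/v1/volume/connectors'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  assert_list_length:
    connectors: 2
  skip_reason: policy not implemented

lessee_reader_can_list_volume_connectors:
  path: '/v1/volume/connectors'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  assert_list_length:
    connectors: 1
  skip_reason: policy not implemented

# Fixed: the path was '/v1/volume/targets', although the case counts the
# 'connectors' list like the two connector listings above.
third_party_admin_cannot_get_connector_list:
  path: '/v1/volume/connectors'
  method: get
  headers: *third_party_admin_headers
  assert_status: 200
  assert_list_length:
    connectors: 0
  skip_reason: policy not implemented

# NOTE(review): named for the owner admin but sends *owner_reader_headers,
# and a "can" case that expects 400 needs an explanation.
owner_admin_can_post_volume_connector:
  path: '/v1/volume/connectors'
  method: post
  headers: *owner_reader_headers
  assert_status: 400
  body: &volume_connector_body
    node_uuid: '68a552fb-dcd2-43bf-9302-e4c93287be16'
    type: ip
    connector_id: '192.168.1.100'
  skip_reason: policy not implemented

lessee_admin_cannot_post_volume_connector:
  path: '/v1/volume/connectors'
  method: post
  headers: *lessee_admin_headers
  assert_status: 403
  body: *volume_connector_body
  skip_reason: policy not implemented

third_party_admin_cannot_post_volume_connector:
  path: '/v1/volume/connectors'
  method: post
  headers: *third_party_admin_headers
  assert_status: 403
  body: *volume_connector_body
  skip_reason: policy not implemented

owner_reader_can_get_volume_connector:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  skip_reason: policy not implemented

lessee_reader_can_get_volume_connector:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  skip_reason: policy not implemented

third_party_admin_cannot_get_volume_connector:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
  skip_reason: policy not implemented

# Fixed: this key appeared twice in the section with identical content.
# Duplicate mapping keys are invalid YAML and most loaders silently keep
# only the last one, so the second copy was dropped. This copy stays
# because it defines the &connector_patch_body anchor used below.
lessee_member_cannot_patch_volume_connectors:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: patch
  headers: *lessee_member_headers
  body: &connector_patch_body
    - op: replace
      path: '/extra'
      value:
        test: testing
  assert_status: 403
  skip_reason: policy not implemented

# NOTE(review): named for the owner admin but sends *owner_member_headers.
owner_admin_can_patch_volume_connectors:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: patch
  headers: *owner_member_headers
  body: *connector_patch_body
  assert_status: 503
  skip_reason: policy not implemented

# NOTE(review): named for the lessee admin but sends *owner_member_headers,
# and a "cannot" case expects 503 where its siblings expect 403.
lessee_admin_cannot_patch_volume_connectors:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: patch
  headers: *owner_member_headers
  body: *connector_patch_body
  assert_status: 503
  skip_reason: policy not implemented

owner_member_can_patch_volume_connectors:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: patch
  headers: *owner_member_headers
  body: *connector_patch_body
  assert_status: 503
  skip_reason: policy not implemented

third_party_admin_cannot_patch_volume_connectors:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: patch
  headers: *third_party_admin_headers
  body: *connector_patch_body
  assert_status: 404
  skip_reason: policy not implemented

# NOTE(review): named "owner_admin_can" but sends *owner_reader_headers and
# expects 403.
owner_admin_can_delete_volume_connectors:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: delete
  headers: *owner_reader_headers
  assert_status: 403
  skip_reason: policy not implemented

# NOTE(review): named for the lessee admin but sends *lessee_reader_headers.
lessee_admin_cannot_delete_volume_connectors:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: delete
  headers: *lessee_reader_headers
  assert_status: 403
  skip_reason: policy not implemented

third_party_admin_cannot_delete_volume_connector:
  path: '/v1/volume/connectors/{volume_connector_ident}'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 403
  skip_reason: policy not implemented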
|
|
|
|
# Volume targets
|
|
|
|
# TODO(TheJulia): Create at least 3 targets.
|
|
owner_reader_can_get_targets:
|
|
path: '/v1/volume/targets'
|
|
method: get
|
|
headers: *owner_reader_headers
|
|
assert_status: 200
|
|
assert_list_length:
|
|
targets: 2
|
|
skip_reason: policy not implemented
|
|
|
|
lesse_reader_can_get_targets:
|
|
path: '/v1/volume/targets'
|
|
method: get
|
|
headers: *lessee_reader_headers
|
|
assert_status: 200
|
|
assert_list_length:
|
|
targets: 1
|
|
skip_reason: policy not implemented
|
|
|
|
third_party_admin_cannot_get_target_list:
|
|
path: '/v1/volume/targets'
|
|
method: get
|
|
headers: *third_party_admin_headers
|
|
assert_status: 200
|
|
assert_list_length:
|
|
targets: 0
|
|
skip_reason: policy not implemented
|
|
|
|
owner_reader_can_get_volume_target:
|
|
path: '/v1/volume/targets/{volume_target_ident}'
|
|
method: get
|
|
headers: *owner_reader_headers
|
|
assert_status: 200
|
|
skip_reason: policy not implemented
|
|
|
|
lessee_reader_can_get_volume_target:
|
|
path: '/v1/volume/targets/{volume_target_ident}'
|
|
method: get
|
|
headers: *lessee_reader_headers
|
|
assert_status: 200
|
|
skip_reason: policy not implemented
|
|
|
|
third_party_admin_cannot_get_volume_target:
|
|
path: '/v1/volume/targets/{volume_target_ident}'
|
|
method: get
|
|
headers: *third_party_admin_headers
|
|
assert_status: 404
|
|
skip_reason: policy not implemented
|
|
|
|
owner_admin_create_volume_target:
|
|
path: '/v1/volume/targets'
|
|
method: post
|
|
headers: *owner_admin_headers
|
|
assert_status: 400
|
|
body: &volume_target_body
|
|
node_uuid: 68a552fb-dcd2-43bf-9302-e4c93287be16
|
|
volume_type: iscsi
|
|
boot_index: 0
|
|
volume_id: 'test-id'
|
|
skip_reason: policy not implemented
|
|
|
|
lessee_admin_create_volume_target:
|
|
path: '/v1/volume/targets'
|
|
method: post
|
|
headers: *owner_admin_headers
|
|
assert_status: 400
|
|
body: *volume_target_body
|
|
skip_reason: policy not implemented
|
|
|
|
third_party_admin_cannot_create_volume_target:
|
|
path: '/v1/volume/targets'
|
|
method: post
|
|
headers: *owner_admin_headers
|
|
assert_status: 400
|
|
body: *volume_target_body
|
|
skip_reason: policy not implemented
|
|
|
|
owner_member_can_patch_volume_target:
|
|
path: '/v1/volume/targets/{volume_target_ident}'
|
|
method: patch
|
|
body: &volume_target_patch
|
|
- op: replace
|
|
path: /extra
|
|
value: {'test': 'testing'}
|
|
assert_status: 403
|
|
skip_reason: policy not implemented
|
|
|
|
lessee_member_can_patch_volume_target:
|
|
path: '/v1/volume/targets/{volume_target_ident}'
|
|
method: patch
|
|
body: *volume_target_patch
|
|
headers: *lessee_member_headers
|
|
assert_status: 503
|
|
skip_reason: policy not implemented
|
|
|
|
third_party_admin_cannot_patch_volume_target:
|
|
path: '/v1/volume/targets/{volume_target_ident}'
|
|
method: patch
|
|
body: *volume_target_patch
|
|
headers: *third_party_admin_headers
|
|
assert_status: 404
|
|
skip_reason: policy not implemented
|
|
|
|
owner_admin_can_delete_volume_target:
|
|
path: '/v1/volume/targets/{volume_target_ident}'
|
|
method: delete
|
|
headers: *owner_admin_headers
|
|
assert_status: 403
|
|
skip_reason: policy not implemented
|
|
|
|
lessee_admin_can_delete_volume_target:
|
|
path: '/v1/volume/targets/{volume_target_ident}'
|
|
method: delete
|
|
headers: *lessee_admin_headers
|
|
assert_status: 201
|
|
skip_reason: policy not implemented
# Owner-project member is refused (403) when deleting a volume target.
# Skipped until the policy exists.
owner_member_cannot_delete_volume_target:
  path: '/v1/volume/targets/{volume_target_ident}'
  method: delete
  headers: *owner_member_headers
  assert_status: 403
  skip_reason: policy not implemented
# Lessee-project member is refused (403) when deleting a volume target.
# Skipped until the policy exists.
lessee_member_cannot_delete_volume_target:
  path: '/v1/volume/targets/{volume_target_ident}'
  method: delete
  headers: *lessee_member_headers
  assert_status: 403
  skip_reason: policy not implemented
# An admin of an unrelated project is refused when deleting a volume target.
# Skipped until the policy exists.
# NOTE(review): 403 here, but third_party_admin_cannot_patch_volume_target
# expects 404 for the same resource and persona; a 403 confirms the target
# exists to a caller with no access - confirm which status is intended.
third_party_admin_cannot_delete_volume_target:
  path: '/v1/volume/targets/{volume_target_ident}'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 403
  skip_reason: policy not implemented
# Get Volumes by Node - https://docs.openstack.org/api-ref/baremetal/#listing-volume-resources-by-node-nodes-volume
# Owner-project reader lists the volume connectors of a node and expects
# 200. Skipped until the policy exists.
owner_reader_can_get_volume_connectors:
  path: '/v1/nodes/{node_ident}/volume/connectors'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  skip_reason: policy not implemented
# Lessee-project reader lists the volume connectors of a node and expects
# 200. Skipped until the policy exists.
# NOTE(review): the path uses the generic {node_ident}; the BIOS cases use
# {owner_node_ident} / {lessee_node_ident} - confirm this resolves to a node
# the lessee actually leases.
lessee_reader_can_get_node_volume_connectors:
  path: '/v1/nodes/{node_ident}/volume/connectors'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  skip_reason: policy not implemented
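# An admin of an unrelated project must not see a node's volume connectors.
# Skipped until the policy exists.
# Expecting 200 in a "cannot" case would record cross-project read access
# as correct behaviour; 404 matches the sibling volume-targets case for the
# same persona.
# NOTE(review): confirm 404 against the policy once it is implemented.
third_party_admin_cannot_get_node_volume_connectors:
  path: '/v1/nodes/{node_ident}/volume/connectors'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
  skip_reason: policy not implemented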
# Owner-project reader lists the volume targets of a node and expects 200.
# Skipped until the policy exists.
owner_reader_can_get_node_volume_targets:
  path: '/v1/nodes/{node_ident}/volume/targets'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  skip_reason: policy not implemented
# Lessee-project reader lists the volume targets of a node and expects 200.
# Skipped until the policy exists.
lessee_reader_can_get_node_volume_targets:
  path: '/v1/nodes/{node_ident}/volume/targets'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  skip_reason: policy not implemented
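# An admin of an unrelated project must not see a node's volume targets and
# is expected to get 404. Skipped until the policy exists.
# The request carries the third-party admin persona; with the owner reader
# headers the case asked for a 404 from a caller the sibling case expects to
# succeed, and never tested the unrelated project.
# NOTE(review): the key reads "third_part_"; spelling kept so the case name
# does not change.
third_part_admin_cannot_read_node_volume_targets:
  path: '/v1/nodes/{node_ident}/volume/targets'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
  skip_reason: policy not implemented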
# Drivers - https://docs.openstack.org/api-ref/baremetal/#drivers-drivers
# This is a system scoped endpoint, everything should fail in this section.
# Owner-project reader lists drivers; the request is expected to fail.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash; presumably the result of a
# project token hitting a system-scoped endpoint - confirm.
owner_reader_cannot_get_drivers:
  path: '/v1/drivers'
  method: get
  headers: *owner_reader_headers
  assert_status: 500
# Lessee-project reader lists drivers; the request is expected to fail.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
lessee_reader_cannot_get_drivers:
  path: '/v1/drivers'
  method: get
  headers: *lessee_reader_headers
  assert_status: 500
# An admin of an unrelated project lists drivers; the request is expected to
# fail.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
third_party_admin_cannot_get_drivers:
  path: '/v1/drivers'
  method: get
  headers: *third_party_admin_headers
  assert_status: 500
# Driver vendor passthru - https://docs.openstack.org/api-ref/baremetal/#driver-vendor-passthru-drivers
# This is a system scoped endpoint, everything should fail in this section.
# Owner-project reader is refused (403) when listing a driver's vendor
# passthru methods. Skipped until the policy exists.
owner_reader_cannot_get_drivers_vendor_passthru:
  path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
  method: get
  headers: *owner_reader_headers
  assert_status: 403
  skip_reason: policy not implemented
# Lessee-project reader is refused (403) when listing a driver's vendor
# passthru methods. Skipped until the policy exists.
lessee_reader_cannot_get_drivers_vendor_passthru:
  path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
  method: get
  headers: *lessee_reader_headers
  assert_status: 403
  skip_reason: policy not implemented
# An admin of an unrelated project is refused (403) when listing a driver's
# vendor passthru methods. Skipped until the policy exists.
third_party_admin_cannot_get_drivers_vendor_passthru:
  path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
  method: get
  headers: *third_party_admin_headers
  assert_status: 403
  skip_reason: policy not implemented
# Node Bios - https://docs.openstack.org/api-ref/baremetal/#node-bios-nodes
# Owner-project reader reads the BIOS settings of the owner's node and
# expects 200.
owner_reader_can_get_bios_setttings:
  path: '/v1/nodes/{owner_node_ident}/bios'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
# Lessee-project reader reads the BIOS settings of the leased node and
# expects 200.
lessee_reader_can_get_bios_settings:
  path: '/v1/nodes/{lessee_node_ident}/bios'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
# An admin of an unrelated project asks for the BIOS settings of the owner's
# node and is expected to get 404: the node is reported as missing rather
# than forbidden.
third_party_admin_cannot_get_bios_settings:
  path: '/v1/nodes/{owner_node_ident}/bios'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
# Conductors - https://docs.openstack.org/api-ref/baremetal/#conductors-conductors
# This is a system scoped endpoint, everything should fail in this section.
# Owner-project reader lists conductors; the request is expected to fail.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
owner_reader_cannot_get_conductors:
  path: '/v1/conductors'
  method: get
  headers: *owner_reader_headers
  assert_status: 500
# Lessee-project reader lists conductors; the request is expected to fail.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
lessee_reader_cannot_get_conductors:
  path: '/v1/conductors'
  method: get
  headers: *lessee_reader_headers
  assert_status: 500
# An admin of an unrelated project lists conductors; the request is expected
# to fail.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
third_party_admin_cannot_get_conductors:
  path: '/v1/conductors'
  method: get
  headers: *third_party_admin_headers
  assert_status: 500
# Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations
# This is a system scoped endpoint, everything should fail in this section.
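# Owner-project reader is refused (403) when listing allocations. Skipped
# until the policy exists.
# The request carries the owner reader persona the case is named for; with
# the lessee admin headers the owner reader was never tested.
owner_reader_cannot_get_allocations:
  path: '/v1/allocations'
  method: get
  headers: *owner_reader_headers
  assert_status: 403
  skip_reason: policy not implemented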
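# Lessee-project reader is refused (403) when listing allocations. Skipped
# until the policy exists.
# The request carries the lessee reader persona the case is named for; with
# the lessee admin headers the least-privileged lessee role was never
# tested.
lessee_reader_cannot_get_allocations:
  path: '/v1/allocations'
  method: get
  headers: *lessee_reader_headers
  assert_status: 403
  skip_reason: policy not implemented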
# An admin of an unrelated project is refused (403) when listing
# allocations. Skipped until the policy exists.
third_party_admin_cannot_get_allocations:
  path: '/v1/allocations'
  method: get
  headers: *third_party_admin_headers
  assert_status: 403
  skip_reason: policy not implemented
# An admin of an unrelated project is refused (403) when creating an
# allocation. Skipped until the policy exists.
third_party_admin_cannot_create_allocation:
  path: '/v1/allocations'
  method: post
  headers: *third_party_admin_headers
  # Anchored as allocation_body; no alias to it appears in this part of the
  # file.
  body: &allocation_body
    resource_class: CUSTOM_TEST
  assert_status: 403
  skip_reason: policy not implemented
# An admin of an unrelated project is refused (403) when reading a single
# allocation. Skipped until the policy exists.
third_party_admin_cannot_read_an_allocation:
  path: '/v1/allocations/{allocation_ident}'
  method: get
  headers: *third_party_admin_headers
  assert_status: 403
  skip_reason: policy not implemented
# An admin of an unrelated project is refused (403) when patching the /extra
# field of an allocation. Skipped until the policy exists.
third_party_admin_cannot_patch_an_allocation:
  path: '/v1/allocations/{allocation_ident}'
  method: patch
  headers: *third_party_admin_headers
  # JSON patch with a single replace operation.
  body:
    - op: replace
      path: /extra
      value: {'test': 'testing'}
  assert_status: 403
  skip_reason: policy not implemented
# An admin of an unrelated project is refused (403) when deleting an
# allocation. Skipped until the policy exists.
third_party_admin_cannot_delete_an_allocation:
  path: '/v1/allocations/{allocation_ident}'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 403
  skip_reason: policy not implemented
# Allocations ( Node level) - https://docs.openstack.org/api-ref/baremetal/#node-allocation-allocations-nodes
# Owner-project reader reads the allocation of the owner's node and expects
# 200. Skipped until the policy exists.
owner_reader_can_read_node_allocation:
  path: '/v1/nodes/{owner_node_ident}/allocation'
  method: get
  headers: *owner_reader_headers
  assert_status: 200
  skip_reason: policy not implemented
# Lessee-project reader reads the allocation of the leased node and expects
# 200. Skipped until the policy exists.
lessee_reader_can_read_node_allocation:
  path: '/v1/nodes/{lessee_node_ident}/allocation'
  method: get
  headers: *lessee_reader_headers
  assert_status: 200
  skip_reason: policy not implemented
# An admin of an unrelated project asks for the allocation of the owner's
# node and is expected to get 404: the node is reported as missing rather
# than forbidden. Skipped until the policy exists.
third_party_admin_cannot_read_node_allocation:
  path: '/v1/nodes/{owner_node_ident}/allocation'
  method: get
  headers: *third_party_admin_headers
  assert_status: 404
  skip_reason: policy not implemented
# Owner-project admin deletes the allocation of the owner's node. Skipped
# until the policy exists.
# NOTE(review): 503 is not a success status; presumably the request is
# expected to clear policy and fail later in the test environment - confirm.
owner_admin_can_delete_allocation:
  path: '/v1/nodes/{owner_node_ident}/allocation'
  method: delete
  headers: *owner_admin_headers
  assert_status: 503
  skip_reason: policy not implemented
# Lessee-project admin is refused (403) when deleting the allocation of an
# allocated node. Skipped until the policy exists.
lessee_admin_cannot_delete_allocation:
  path: '/v1/nodes/{allocated_node_ident}/allocation'
  method: delete
  headers: *lessee_admin_headers
  assert_status: 403
  skip_reason: policy not implemented
# An admin of an unrelated project is refused when deleting the allocation
# of an allocated node. Skipped until the policy exists.
# NOTE(review): 403 here, but third_party_admin_cannot_read_node_allocation
# expects 404 on a node the caller cannot access; a 403 confirms the node
# exists - confirm which status is intended.
third_party_admin_cannot_delete_allocation:
  path: '/v1/nodes/{allocated_node_ident}/allocation'
  method: delete
  headers: *third_party_admin_headers
  assert_status: 403
  skip_reason: policy not implemented
# Deploy Templates - https://docs.openstack.org/api-ref/baremetal/#deploy-templates-deploy-templates
# This is a system scoped endpoint, everything should fail in this section
# with a status of 500.
# Owner-project reader lists deploy templates; the section expects every
# request to fail with 500.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
owner_reader_cannot_get_deploy_templates:
  path: '/v1/deploy_templates'
  method: get
  headers: *owner_reader_headers
  assert_status: 500
# Lessee-project reader lists deploy templates; the section expects every
# request to fail with 500.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
lessee_reader_cannot_get_deploy_templates:
  path: '/v1/deploy_templates'
  method: get
  headers: *lessee_reader_headers
  assert_status: 500
# An admin of an unrelated project lists deploy templates; the section
# expects every request to fail with 500.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
third_party_admin_cannot_get_deploy_templates:
  path: '/v1/deploy_templates'
  method: get
  headers: *third_party_admin_headers
  assert_status: 500
# An admin of an unrelated project posts a new deploy template; the section
# expects the request to fail with 500.
# NOTE(review): for a write request a 500 says nothing about whether the
# template was rejected before any state changed; a 4xx denial would be the
# stronger assertion - confirm the intended status.
third_party_admin_cannot_post_deploy_template:
  path: '/v1/deploy_templates'
  method: post
  # Template with one no-op deploy step at priority 0.
  body:
    name: 'CUSTOM_TEST_TEMPLATE'
    steps:
      - interface: 'deploy'
        step: 'noop'
        args: {}
        priority: 0
  headers: *third_party_admin_headers
  assert_status: 500
# Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis
# This is a system scoped endpoint, everything should fail in this section.
# Owner-project reader lists chassis; the request is expected to fail.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
owner_reader_cannot_access_chassis:
  path: '/v1/chassis'
  method: get
  headers: *owner_reader_headers
  assert_status: 500
# Lessee-project reader lists chassis; the request is expected to fail.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
lessee_reader_cannot_access_chassis:
  path: '/v1/chassis'
  method: get
  headers: *lessee_reader_headers
  assert_status: 500
# An admin of an unrelated project lists chassis; the request is expected to
# fail.
# NOTE(review): 500 is also what an unrelated server fault returns, so this
# does not distinguish a denial from a crash - confirm the intended status.
third_party_admin_cannot_access_chassis:
  path: '/v1/chassis'
  method: get
  headers: *third_party_admin_headers
  assert_status: 500
third_party_admin_cannot_create_chassis:
|
|
path: '/v1/chassis'
|
|
method: post
|
|
headers: *third_party_admin_headers
|
|
body:
|
|
description: 'test-chassis'
|
|
assert_status: 500
|