Set clustertemplate:publish to admin only

Set the clustertemplate:publish policy to be admin only by default - currently it is admin_or_user, which means any openstack user can create a public cluster template. Update tests for bay model and cluster template, splitting tests requiring admin credentials into a separate class. Change-Id: I0bfb57c569863f1ecf7d697cd5ac161a9a710432 Closes-Bug: #1687887
2017-05-03 11:47:05 +02:00 · 2017-05-03 11:47:05 +02:00 · 12052b1253
commit 12052b1253
parent ca964b6c91
5 changed files with 180 additions and 27 deletions
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@ -20,7 +20,7 @@
    "baymodel:get": "rule:deny_cluster_user",
    "baymodel:get_all": "rule:deny_cluster_user",
    "baymodel:update": "rule:deny_cluster_user",
-    "baymodel:publish": "rule:admin_or_owner",
+    "baymodel:publish": "rule:admin_api",

    "cluster:create": "rule:deny_cluster_user",
    "cluster:delete": "rule:deny_cluster_user",
@ -35,7 +35,7 @@
    "clustertemplate:get": "rule:deny_cluster_user",
    "clustertemplate:get_all": "rule:deny_cluster_user",
    "clustertemplate:update": "rule:deny_cluster_user",
-    "clustertemplate:publish": "rule:admin_or_owner",
+    "clustertemplate:publish": "rule:admin_api",

    "quotas:get": "rule:default",
    "quotas:get_all": "rule:admin_api",
--- a/magnum/tests/functional/api/v1/test_baymodel.py
+++ b/magnum/tests/functional/api/v1/test_baymodel.py
@ -75,11 +75,9 @@ class BayModelTest(base.BaseTempestTest):
    @testtools.testcase.attr('positive')
    def test_create_get_public_baymodel(self):
        gen_model = datagen.valid_swarm_baymodel(is_public=True)
-        resp, model = self._create_baymodel(gen_model)
-
-        resp, model = self.baymodel_client.get_baymodel(model.uuid)
-        self.assertEqual(200, resp.status)
-        self.assertTrue(model.public)
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.baymodel_client.post_baymodel, gen_model)

    @testtools.testcase.attr('positive')
    def test_update_baymodel_public_by_uuid(self):
@ -88,13 +86,9 @@ class BayModelTest(base.BaseTempestTest):
        resp, old_model = self._create_baymodel(gen_model)

        patch_model = datagen.baymodel_replace_patch_data(path, value=True)
-        resp, new_model = self.baymodel_client.patch_baymodel(
-            old_model.uuid, patch_model)
-        self.assertEqual(200, resp.status)
-
-        resp, model = self.baymodel_client.get_baymodel(new_model.uuid)
-        self.assertEqual(200, resp.status)
-        self.assertTrue(model.public)
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.baymodel_client.patch_baymodel, old_model.uuid, patch_model)

    @testtools.testcase.attr('positive')
    def test_update_baymodel_by_uuid(self):
--- a/magnum/tests/functional/api/v1/test_baymodel_admin.py
+++ b/magnum/tests/functional/api/v1/test_baymodel_admin.py
@ -0,0 +1,80 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import testtools
+
+from magnum.tests.functional.api import base
+from magnum.tests.functional.common import datagen
+
+
+class BayModelAdminTest(base.BaseTempestTest):
+
+    """Tests for baymodel admin operations."""
+
+    def __init__(self, *args, **kwargs):
+        super(BayModelAdminTest, self).__init__(*args, **kwargs)
+        self.baymodels = []
+        self.baymodel_client = None
+        self.keypairs_client = None
+
+    def setUp(self):
+        try:
+            super(BayModelAdminTest, self).setUp()
+            (self.baymodel_client,
+             self.keypairs_client) = self.get_clients_with_new_creds(
+                 type_of_creds='admin',
+                 request_type='baymodel')
+        except Exception:
+            self.tearDown()
+            raise
+
+    def tearDown(self):
+        for baymodel_id in self.baymodels:
+            self._delete_baymodel(baymodel_id)
+            self.baymodels.remove(baymodel_id)
+        super(BayModelAdminTest, self).tearDown()
+
+    def _create_baymodel(self, baymodel_model):
+        resp, model = self.baymodel_client.post_baymodel(baymodel_model)
+        self.assertEqual(201, resp.status)
+        self.baymodels.append(model.uuid)
+        return resp, model
+
+    def _delete_baymodel(self, baymodel_id):
+        resp, model = self.baymodel_client.delete_baymodel(baymodel_id)
+        self.assertEqual(204, resp.status)
+        return resp, model
+
+    @testtools.testcase.attr('positive')
+    def test_create_get_public_baymodel(self):
+        gen_model = datagen.valid_swarm_baymodel(is_public=True)
+        resp, model = self._create_baymodel(gen_model)
+
+        resp, model = self.baymodel_client.get_baymodel(model.uuid)
+        self.assertEqual(200, resp.status)
+        self.assertTrue(model.public)
+
+    @testtools.testcase.attr('positive')
+    def test_update_baymodel_public_by_uuid(self):
+        path = "/public"
+        gen_model = datagen.baymodel_data_with_valid_keypair_image_flavor()
+        resp, old_model = self._create_baymodel(gen_model)
+
+        patch_model = datagen.baymodel_replace_patch_data(path, value=True)
+        resp, new_model = self.baymodel_client.patch_baymodel(
+            old_model.uuid, patch_model)
+        self.assertEqual(200, resp.status)
+
+        resp, model = self.baymodel_client.get_baymodel(new_model.uuid)
+        self.assertEqual(200, resp.status)
+        self.assertTrue(model.public)
--- a/magnum/tests/functional/api/v1/test_cluster_template.py
+++ b/magnum/tests/functional/api/v1/test_cluster_template.py
@ -80,12 +80,9 @@ class ClusterTemplateTest(base.BaseTempestTest):
    @testtools.testcase.attr('positive')
    def test_create_get_public_cluster_template(self):
        gen_model = datagen.valid_swarm_cluster_template(is_public=True)
-        resp, model = self._create_cluster_template(gen_model)
-
-        resp, model = \
-            self.cluster_template_client.get_cluster_template(model.uuid)
-        self.assertEqual(200, resp.status)
-        self.assertTrue(model.public)
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.cluster_template_client.post_cluster_template, gen_model)

    @testtools.testcase.attr('positive')
    def test_update_cluster_template_public_by_uuid(self):
@ -96,14 +93,10 @@ class ClusterTemplateTest(base.BaseTempestTest):

        patch_model = datagen.cluster_template_replace_patch_data(path,
                                                                  value=True)
-        resp, new_model = self.cluster_template_client.patch_cluster_template(
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.cluster_template_client.patch_cluster_template,
            old_model.uuid, patch_model)
-        self.assertEqual(200, resp.status)
-
-        resp, model = self.cluster_template_client.get_cluster_template(
-            new_model.uuid)
-        self.assertEqual(200, resp.status)
-        self.assertTrue(model.public)

    @testtools.testcase.attr('positive')
    def test_update_cluster_template_by_uuid(self):
--- a/magnum/tests/functional/api/v1/test_cluster_template_admin.py
+++ b/magnum/tests/functional/api/v1/test_cluster_template_admin.py
@ -0,0 +1,86 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import testtools
+
+from magnum.tests.functional.api import base
+from magnum.tests.functional.common import datagen
+
+
+class ClusterTemplateAdminTest(base.BaseTempestTest):
+
+    """Tests for clustertemplate admin operations."""
+
+    def __init__(self, *args, **kwargs):
+        super(ClusterTemplateAdminTest, self).__init__(*args, **kwargs)
+        self.cluster_templates = []
+        self.cluster_template_client = None
+        self.keypairs_client = None
+
+    def setUp(self):
+        try:
+            super(ClusterTemplateAdminTest, self).setUp()
+            (self.cluster_template_client,
+             self.keypairs_client) = self.get_clients_with_new_creds(
+                 type_of_creds='admin',
+                 request_type='cluster_template')
+        except Exception:
+            self.tearDown()
+            raise
+
+    def tearDown(self):
+        for cluster_template_id in self.cluster_templates:
+            self._delete_cluster_template(cluster_template_id)
+            self.cluster_templates.remove(cluster_template_id)
+        super(ClusterTemplateAdminTest, self).tearDown()
+
+    def _create_cluster_template(self, cmodel_model):
+        resp, model = \
+            self.cluster_template_client.post_cluster_template(cmodel_model)
+        self.assertEqual(201, resp.status)
+        self.cluster_templates.append(model.uuid)
+        return resp, model
+
+    def _delete_cluster_template(self, model_id):
+        resp, model = \
+            self.cluster_template_client.delete_cluster_template(model_id)
+        self.assertEqual(204, resp.status)
+        return resp, model
+
+    @testtools.testcase.attr('positive')
+    def test_create_get_public_cluster_template(self):
+        gen_model = datagen.valid_swarm_cluster_template(is_public=True)
+        resp, model = self._create_cluster_template(gen_model)
+
+        resp, model = \
+            self.cluster_template_client.get_cluster_template(model.uuid)
+        self.assertEqual(200, resp.status)
+        self.assertTrue(model.public)
+
+    @testtools.testcase.attr('positive')
+    def test_update_cluster_template_public_by_uuid(self):
+        path = "/public"
+        gen_model = \
+            datagen.cluster_template_data_with_valid_keypair_image_flavor()
+        resp, old_model = self._create_cluster_template(gen_model)
+
+        patch_model = datagen.cluster_template_replace_patch_data(path,
+                                                                  value=True)
+        resp, new_model = self.cluster_template_client.patch_cluster_template(
+            old_model.uuid, patch_model)
+        self.assertEqual(200, resp.status)
+
+        resp, model = self.cluster_template_client.get_cluster_template(
+            new_model.uuid)
+        self.assertEqual(200, resp.status)
+        self.assertTrue(model.public)