Set clustertemplate:publish to admin only

Set the clustertemplate:publish policy to be admin only by default -
currently it is admin_or_user, which means any openstack user can create
a public cluster template.

Update tests for bay model and cluster template, splitting tests
requiring admin credentials into a separate class.

Change-Id: I0bfb57c569863f1ecf7d697cd5ac161a9a710432
Closes-Bug: #1687887

etc/magnum/policy.json

@@ -20,7 +20,7 @@
     "baymodel:get": "rule:deny_cluster_user",
     "baymodel:get_all": "rule:deny_cluster_user",
     "baymodel:update": "rule:deny_cluster_user",
-    "baymodel:publish": "rule:admin_or_owner",
+    "baymodel:publish": "rule:admin_api",
 
     "cluster:create": "rule:deny_cluster_user",
     "cluster:delete": "rule:deny_cluster_user",
@@ -35,7 +35,7 @@
     "clustertemplate:get": "rule:deny_cluster_user",
     "clustertemplate:get_all": "rule:deny_cluster_user",
     "clustertemplate:update": "rule:deny_cluster_user",
-    "clustertemplate:publish": "rule:admin_or_owner",
+    "clustertemplate:publish": "rule:admin_api",
 
     "quotas:get": "rule:default",
     "quotas:get_all": "rule:admin_api",

magnum/tests/functional/api/v1/test_baymodel.py

@@ -75,11 +75,9 @@ class BayModelTest(base.BaseTempestTest):
     @testtools.testcase.attr('positive')
     def test_create_get_public_baymodel(self):
         gen_model = datagen.valid_swarm_baymodel(is_public=True)
-        resp, model = self._create_baymodel(gen_model)
+        self.assertRaises(
-
+            exceptions.Forbidden,
-        resp, model = self.baymodel_client.get_baymodel(model.uuid)
+            self.baymodel_client.post_baymodel, gen_model)
-        self.assertEqual(200, resp.status)
-        self.assertTrue(model.public)
 
     @testtools.testcase.attr('positive')
     def test_update_baymodel_public_by_uuid(self):
@@ -88,13 +86,9 @@ class BayModelTest(base.BaseTempestTest):
         resp, old_model = self._create_baymodel(gen_model)
 
         patch_model = datagen.baymodel_replace_patch_data(path, value=True)
-        resp, new_model = self.baymodel_client.patch_baymodel(
+        self.assertRaises(
-            old_model.uuid, patch_model)
+            exceptions.Forbidden,
-        self.assertEqual(200, resp.status)
+            self.baymodel_client.patch_baymodel, old_model.uuid, patch_model)
-
-        resp, model = self.baymodel_client.get_baymodel(new_model.uuid)
-        self.assertEqual(200, resp.status)
-        self.assertTrue(model.public)
 
     @testtools.testcase.attr('positive')
     def test_update_baymodel_by_uuid(self):

magnum/tests/functional/api/v1/test_baymodel_admin.py

@@ -0,0 +1,80 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import testtools
+
+from magnum.tests.functional.api import base
+from magnum.tests.functional.common import datagen
+
+
+class BayModelAdminTest(base.BaseTempestTest):
+
+    """Tests for baymodel admin operations."""
+
+    def __init__(self, *args, **kwargs):
+        super(BayModelAdminTest, self).__init__(*args, **kwargs)
+        self.baymodels = []
+        self.baymodel_client = None
+        self.keypairs_client = None
+
+    def setUp(self):
+        try:
+            super(BayModelAdminTest, self).setUp()
+            (self.baymodel_client,
+             self.keypairs_client) = self.get_clients_with_new_creds(
+                 type_of_creds='admin',
+                 request_type='baymodel')
+        except Exception:
+            self.tearDown()
+            raise
+
+    def tearDown(self):
+        for baymodel_id in self.baymodels:
+            self._delete_baymodel(baymodel_id)
+            self.baymodels.remove(baymodel_id)
+        super(BayModelAdminTest, self).tearDown()
+
+    def _create_baymodel(self, baymodel_model):
+        resp, model = self.baymodel_client.post_baymodel(baymodel_model)
+        self.assertEqual(201, resp.status)
+        self.baymodels.append(model.uuid)
+        return resp, model
+
+    def _delete_baymodel(self, baymodel_id):
+        resp, model = self.baymodel_client.delete_baymodel(baymodel_id)
+        self.assertEqual(204, resp.status)
+        return resp, model
+
+    @testtools.testcase.attr('positive')
+    def test_create_get_public_baymodel(self):
+        gen_model = datagen.valid_swarm_baymodel(is_public=True)
+        resp, model = self._create_baymodel(gen_model)
+
+        resp, model = self.baymodel_client.get_baymodel(model.uuid)
+        self.assertEqual(200, resp.status)
+        self.assertTrue(model.public)
+
+    @testtools.testcase.attr('positive')
+    def test_update_baymodel_public_by_uuid(self):
+        path = "/public"
+        gen_model = datagen.baymodel_data_with_valid_keypair_image_flavor()
+        resp, old_model = self._create_baymodel(gen_model)
+
+        patch_model = datagen.baymodel_replace_patch_data(path, value=True)
+        resp, new_model = self.baymodel_client.patch_baymodel(
+            old_model.uuid, patch_model)
+        self.assertEqual(200, resp.status)
+
+        resp, model = self.baymodel_client.get_baymodel(new_model.uuid)
+        self.assertEqual(200, resp.status)
+        self.assertTrue(model.public)

magnum/tests/functional/api/v1/test_cluster_template.py

@@ -80,12 +80,9 @@ class ClusterTemplateTest(base.BaseTempestTest):
     @testtools.testcase.attr('positive')
     def test_create_get_public_cluster_template(self):
         gen_model = datagen.valid_swarm_cluster_template(is_public=True)
-        resp, model = self._create_cluster_template(gen_model)
+        self.assertRaises(
-
+            exceptions.Forbidden,
-        resp, model = \
+            self.cluster_template_client.post_cluster_template, gen_model)
-            self.cluster_template_client.get_cluster_template(model.uuid)
-        self.assertEqual(200, resp.status)
-        self.assertTrue(model.public)
 
     @testtools.testcase.attr('positive')
     def test_update_cluster_template_public_by_uuid(self):
@@ -96,14 +93,10 @@ class ClusterTemplateTest(base.BaseTempestTest):
 
         patch_model = datagen.cluster_template_replace_patch_data(path,
                                                                   value=True)
-        resp, new_model = self.cluster_template_client.patch_cluster_template(
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.cluster_template_client.patch_cluster_template,
             old_model.uuid, patch_model)
-        self.assertEqual(200, resp.status)
-
-        resp, model = self.cluster_template_client.get_cluster_template(
-            new_model.uuid)
-        self.assertEqual(200, resp.status)
-        self.assertTrue(model.public)
 
     @testtools.testcase.attr('positive')
     def test_update_cluster_template_by_uuid(self):

magnum/tests/functional/api/v1/test_cluster_template_admin.py

@@ -0,0 +1,86 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import testtools
+
+from magnum.tests.functional.api import base
+from magnum.tests.functional.common import datagen
+
+
+class ClusterTemplateAdminTest(base.BaseTempestTest):
+
+    """Tests for clustertemplate admin operations."""
+
+    def __init__(self, *args, **kwargs):
+        super(ClusterTemplateAdminTest, self).__init__(*args, **kwargs)
+        self.cluster_templates = []
+        self.cluster_template_client = None
+        self.keypairs_client = None
+
+    def setUp(self):
+        try:
+            super(ClusterTemplateAdminTest, self).setUp()
+            (self.cluster_template_client,
+             self.keypairs_client) = self.get_clients_with_new_creds(
+                 type_of_creds='admin',
+                 request_type='cluster_template')
+        except Exception:
+            self.tearDown()
+            raise
+
+    def tearDown(self):
+        for cluster_template_id in self.cluster_templates:
+            self._delete_cluster_template(cluster_template_id)
+            self.cluster_templates.remove(cluster_template_id)
+        super(ClusterTemplateAdminTest, self).tearDown()
+
+    def _create_cluster_template(self, cmodel_model):
+        resp, model = \
+            self.cluster_template_client.post_cluster_template(cmodel_model)
+        self.assertEqual(201, resp.status)
+        self.cluster_templates.append(model.uuid)
+        return resp, model
+
+    def _delete_cluster_template(self, model_id):
+        resp, model = \
+            self.cluster_template_client.delete_cluster_template(model_id)
+        self.assertEqual(204, resp.status)
+        return resp, model
+
+    @testtools.testcase.attr('positive')
+    def test_create_get_public_cluster_template(self):
+        gen_model = datagen.valid_swarm_cluster_template(is_public=True)
+        resp, model = self._create_cluster_template(gen_model)
+
+        resp, model = \
+            self.cluster_template_client.get_cluster_template(model.uuid)
+        self.assertEqual(200, resp.status)
+        self.assertTrue(model.public)
+
+    @testtools.testcase.attr('positive')
+    def test_update_cluster_template_public_by_uuid(self):
+        path = "/public"
+        gen_model = \
+            datagen.cluster_template_data_with_valid_keypair_image_flavor()
+        resp, old_model = self._create_cluster_template(gen_model)
+
+        patch_model = datagen.cluster_template_replace_patch_data(path,
+                                                                  value=True)
+        resp, new_model = self.cluster_template_client.patch_cluster_template(
+            old_model.uuid, patch_model)
+        self.assertEqual(200, resp.status)
+
+        resp, model = self.cluster_template_client.get_cluster_template(
+            new_model.uuid)
+        self.assertEqual(200, resp.status)
+        self.assertTrue(model.public)