tests: port test_port_presence_prevents_network_rbac_policy_deletion

The test was originally implemented in this form as a tempest api test case, but there is a problem with it being part of tempest suite, because the suite should be safe to execute on a running cloud and shouldn't affect other tenants. But sharing a network with everyone (*) briefly impacts other tenants because they see a new shared network popping up for a second in their net-list. It is also an issue because if we are unlucky enough, some other tenant may start an instance without specifying a particular port or network to use, in which case there is a chance that nova allocates a port in this shared network and attach it to the instance. When the rbac test case then tries to delete the policy and the network, it fails because it's still in use. The solution is to stop testing this scenario in tempest suite, instead moving it into unit test suite. A follow-up patch in neutron-tempest-plugin will clean up the bad test case. Change-Id: I199f639c95e8ae884ede46404370d7b64da3b309 Needed-By: Iba89a53b2715cf3a9c7485f2089f27d547fea308 Related-Bug: #1753209
2018-03-15 10:13:14 -07:00 · 2018-03-15 10:13:14 -07:00 · 6c772de103
parent ecc60df945
commit 6c772de103
1 changed files with 28 additions and 4 deletions
--- a/neutron/tests/unit/db/test_rbac_db_mixin.py
+++ b/neutron/tests/unit/db/test_rbac_db_mixin.py
@ -155,20 +155,44 @@ class NetworkRbacTestcase(test_plugin.NeutronDbPluginV2TestCase):
                              self.plugin.delete_rbac_policy,
                              self.context, netrbac['id'])

-    def test_delete_networkrbac(self):
+    def test_port_presence_prevents_network_rbac_policy_deletion(self):
        with self.network() as net:
            netrbac, port = self._setup_networkrbac_and_port(
-                network=net, target_tenant='test-tenant-4')
+                network=net, target_tenant='alice')
            self.assertRaises(ext_rbac.RbacPolicyInUse,
                              self.plugin.delete_rbac_policy,
                              self.context, netrbac['id'])

-            self.plugin.delete_port(self.context, port['id'])
+            # a wildcard policy should allow the specific policy to be deleted
+            # since it allows the remaining port
+            wild_policy = self._make_networkrbac(net, '*')
+            wild_policy = self.plugin.create_rbac_policy(self.context,
+                                                         wild_policy)
            self.plugin.delete_rbac_policy(self.context, netrbac['id'])

+            # now that wildcard is the only remaining, it should be subjected
+            # to to the same restriction
+            self.assertRaises(ext_rbac.RbacPolicyInUse,
+                              self.plugin.delete_rbac_policy,
+                              self.context, wild_policy['id'])
+
+            # similarly, we can't update the policy to a different tenant
+            update_policy = {'rbac_policy': {'target_tenant': 'bob'}}
+            self.assertRaises(ext_rbac.RbacPolicyInUse,
+                              self.plugin.update_rbac_policy,
+                              self.context, wild_policy['id'],
+                              update_policy)
+
+            # after port anchor is gone, update and delete should pass
+            self.plugin.delete_port(self.context, port['id'])
+            self.plugin.update_rbac_policy(
+                self.context, wild_policy['id'], update_policy)
+            self.plugin.delete_rbac_policy(self.context, wild_policy['id'])
+
+            # check that policy is indeed gone
            self.assertRaises(ext_rbac.RbacPolicyNotFound,
                              self.plugin.get_rbac_policy,
-                              self.context, netrbac['id'])
+                              self.context, wild_policy['id'])

    def test_delete_networkrbac_self_share(self):
        net_id = 'my-network'