openstack/octavia-tempest-plugin
Code Issues Proposed changes

Remove system scope token usage

Browse Source 
Octavia supports the system scope and now we are enabling the new defaults
by default that raise an error when system scoped tokens are used.

To enable the new defaults, we need to remove the usage of system
scope token from tests otherwise they fail.

- https://review.opendev.org/c/openstack/octavia/+/925625

Depends-On: https://review.opendev.org/c/openstack/octavia/+/929580
Change-Id: I1bf193807eb254507626b4e7f2bb071ba46d7290
This commit is contained in:
Ghanshyam Mann 2024-08-21 19:23:28 -07:00 committed by Takashi Kajinami
parent c32430072e
commit 5f36fabd79
21 changed files with 488 additions and 856 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
octavia_tempest_plugin/config.py
View File

@ -105,7 +105,7 @@ OctaviaGroup = [
cfg.StrOpt('provider',
default='octavia',
help='The provider driver to use for the tests.'),
cfg.StrOpt('RBAC_test_type', default=const.ADVANCED,
cfg.StrOpt('RBAC_test_type', default=const.KEYSTONE_DEFAULT_ROLES,
choices=[const.ADVANCED, const.KEYSTONE_DEFAULT_ROLES,
const.OWNERADMIN, const.NONE],
help='Type of RBAC tests to run. "advanced" runs the octavia '

95
octavia_tempest_plugin/tests/RBAC_tests.py
View File

@ -59,17 +59,10 @@ class RBACTestsMixin(test.BaseTestCase):
try:
cred_obj = getattr(self, cred)
except AttributeError:
# TODO(johnsom) Remove once scoped tokens is the default.
if ((cred == 'os_system_admin' or cred == 'os_system_reader')
and not CONF.enforce_scope.octavia):
LOG.info('Skipping %s allowed RBAC test because '
'enforce_scope.octavia is not True', cred)
continue
else:
self.fail('Credential {} "expected_allowed" for RBAC '
'testing was not created by tempest '
'credentials setup. This is likely a bug in the '
'test.'.format(cred))
self.fail('Credential {} "expected_allowed" for RBAC '
'testing was not created by tempest '
'credentials setup. This is likely a bug in the '
'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
method(*args, **kwargs)
@ -155,15 +148,6 @@ class RBACTestsMixin(test.BaseTestCase):
"""
allowed_list = copy.deepcopy(expected_allowed)
# The legacy admin behavior changed during the sRBAC development,
# os_admin is still a valid admin [0]
# [0] https://governance.openstack.org/tc/goals/selected/
# consistent-and-secure-rbac.html
# #legacy-admin-continues-to-work-as-it-is
# TODO(gthiemonge) we may have to revisit it in the future if the
# legacy admin scope changes.
if 'os_system_admin' in expected_allowed:
allowed_list.append('os_admin')
# #### Test that disallowed credentials cannot access the API.
self._check_disallowed(client_str, method_str, allowed_list,
@ -192,6 +176,8 @@ class RBACTestsMixin(test.BaseTestCase):
correct scope for access is denied.
:returns: None on success
"""
if CONF.load_balancer.RBAC_test_type == constants.NONE:
return
self._list_get_RBAC_enforcement(client_str, method_str,
expected_allowed, *args, **kwargs)
@ -214,6 +200,8 @@ class RBACTestsMixin(test.BaseTestCase):
correct scope for access is denied.
:returns: None on success
"""
if CONF.load_balancer.RBAC_test_type == constants.NONE:
return
self._list_get_RBAC_enforcement(client_str, method_str,
expected_allowed, *args, **kwargs)
@ -243,15 +231,6 @@ class RBACTestsMixin(test.BaseTestCase):
"""
allowed_list = copy.deepcopy(expected_allowed)
# The legacy admin behavior changed during the sRBAC development,
# os_admin is still a valid admin [0]
# [0] https://governance.openstack.org/tc/goals/selected/
# consistent-and-secure-rbac.html
# #legacy-admin-continues-to-work-as-it-is
# TODO(gthiemonge) we may have to revisit it in the future if the
# legacy admin scope changes.
if 'os_system_admin' in expected_allowed:
allowed_list.append('os_admin')
# #### Test that disallowed credentials cannot access the API.
self._check_disallowed(client_str, method_str, allowed_list,
@ -281,6 +260,8 @@ class RBACTestsMixin(test.BaseTestCase):
correct scope for access is denied.
:returns: None on success
"""
if CONF.load_balancer.RBAC_test_type == constants.NONE:
return
self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed,
status_method, obj_id, *args, **kwargs)
@ -308,6 +289,8 @@ class RBACTestsMixin(test.BaseTestCase):
correct scope for access is denied.
:returns: None on success
"""
if CONF.load_balancer.RBAC_test_type == constants.NONE:
return
self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed,
status_method, obj_id, *args, **kwargs)
@ -335,6 +318,8 @@ class RBACTestsMixin(test.BaseTestCase):
correct scope for access is denied.
:returns: None on success
"""
if CONF.load_balancer.RBAC_test_type == constants.NONE:
return
self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed,
status_method, obj_id, *args, **kwargs)
@ -367,33 +352,19 @@ class RBACTestsMixin(test.BaseTestCase):
correct scope for access is denied.
:returns: None on success
"""
if CONF.load_balancer.RBAC_test_type == constants.NONE:
return
allowed_list = copy.deepcopy(expected_allowed)
# The legacy admin behavior changed during the sRBAC development,
# os_admin is still a valid admin [0]
# [0] https://governance.openstack.org/tc/goals/selected/
# consistent-and-secure-rbac.html
# #legacy-admin-continues-to-work-as-it-is
# TODO(gthiemonge) we may have to revisit it in the future if the
# legacy admin scope changes.
if 'os_system_admin' in expected_allowed:
allowed_list.append('os_admin')
for cred in allowed_list:
try:
cred_obj = getattr(self, cred)
except AttributeError:
# TODO(johnsom) Remove once scoped tokens is the default.
if ((cred == 'os_system_admin' or cred == 'os_system_reader')
and not CONF.enforce_scope.octavia):
LOG.info('Skipping %s allowed RBAC test because '
'enforce_scope.octavia is not True', cred)
continue
else:
self.fail('Credential {} "expected_allowed" for RBAC '
'testing was not created by tempest '
'credentials setup. This is likely a bug in the '
'test.'.format(cred))
self.fail('Credential {} "expected_allowed" for RBAC '
'testing was not created by tempest '
'credentials setup. This is likely a bug in the '
'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
result = method(*args, **kwargs)
@ -434,33 +405,19 @@ class RBACTestsMixin(test.BaseTestCase):
correct scope for access is denied.
:returns: None on success
"""
if CONF.load_balancer.RBAC_test_type == constants.NONE:
return
allowed_list = copy.deepcopy(expected_allowed)
# The legacy admin behavior changed during the sRBAC development,
# os_admin is still a valid admin [0]
# [0] https://governance.openstack.org/tc/goals/selected/
# consistent-and-secure-rbac.html
# #legacy-admin-continues-to-work-as-it-is
# TODO(gthiemonge) we may have to revisit it in the future if the
# legacy admin scope changes.
if 'os_system_admin' in expected_allowed:
allowed_list.append('os_admin')
for cred in allowed_list:
try:
cred_obj = getattr(self, cred)
except AttributeError:
# TODO(johnsom) Remove once scoped tokens is the default.
if ((cred == 'os_system_admin' or cred == 'os_system_reader')
and not CONF.enforce_scope.octavia):
LOG.info('Skipping %s allowed RBAC test because '
'enforce_scope.octavia is not True', cred)
continue
else:
self.fail('Credential {} "expected_allowed" for RBAC '
'testing was not created by tempest '
'credentials setup. This is likely a bug in the '
'test.'.format(cred))
self.fail('Credential {} "expected_allowed" for RBAC '
'testing was not created by tempest '
'credentials setup. This is likely a bug in the '
'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
try:
result = method(*args, **kwargs)

43
octavia_tempest_plugin/tests/api/v2/test_amphora.py
View File

@ -90,16 +90,9 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest):
CONF.load_balancer.lb_build_timeout)
# Test RBAC for list amphorae
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_list_RBAC_enforcement(
'AmphoraClient', 'list_amphorae', expected_allowed)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_list_RBAC_enforcement(
'AmphoraClient', 'list_amphorae', expected_allowed)
# Get an actual list of the amphorae
amphorae = self.lb_admin_amphora_client.list_amphorae()
@ -178,17 +171,10 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest):
amphora_1 = amphorae[0]
# Test RBAC for update an amphora
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_update_RBAC_enforcement(
'AmphoraClient', 'update_amphora_config', expected_allowed,
None, None, amphora_1[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_update_RBAC_enforcement(
'AmphoraClient', 'update_amphora_config', expected_allowed,
None, None, amphora_1[const.ID])
self.lb_admin_amphora_client.update_amphora_config(amphora_1[const.ID])
@ -213,17 +199,10 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest):
amphora_1 = amphorae[0]
# Test RBAC for failover an amphora
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_update_RBAC_enforcement(
'AmphoraClient', 'amphora_failover', expected_allowed,
None, None, amphora_1[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_update_RBAC_enforcement(
'AmphoraClient', 'amphora_failover', expected_allowed,
None, None, amphora_1[const.ID])
self.lb_admin_amphora_client.amphora_failover(amphora_1[const.ID])

55
octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
View File

@ -105,17 +105,10 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# create an availability zone.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_create_RBAC_enforcement(
'AvailabilityZoneClient', 'create_availability_zone',
expected_allowed, **availability_zone_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_create_RBAC_enforcement(
'AvailabilityZoneClient', 'create_availability_zone',
expected_allowed, **availability_zone_kwargs)
# Happy path
availability_zone = (
@ -233,12 +226,12 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest):
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@ -386,12 +379,12 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest):
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@ -454,18 +447,11 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer role cannot
# update availability zone details.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_update_RBAC_enforcement(
'AvailabilityZoneClient', 'update_availability_zone',
expected_allowed, None, None, availability_zone[const.NAME],
**availability_zone_updated_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_update_RBAC_enforcement(
'AvailabilityZoneClient', 'update_availability_zone',
expected_allowed, None, None, availability_zone[const.NAME],
**availability_zone_updated_kwargs)
updated_availability_zone = (
self.lb_admin_availability_zone_client.update_availability_zone(
@ -531,17 +517,10 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# delete an availability zone.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'AvailabilityZoneClient', 'delete_availability_zone',
expected_allowed, None, None, availability_zone[const.NAME])
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_delete_RBAC_enforcement(
'AvailabilityZoneClient', 'delete_availability_zone',
expected_allowed, None, None, availability_zone[const.NAME])
# Happy path
self.lb_admin_availability_zone_client.delete_availability_zone(

17
octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
View File

@ -44,18 +44,11 @@ class AvailabilityZoneCapabilitiesAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# list provider availability zone capabilities.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_list_RBAC_enforcement(
'AvailabilityZoneCapabilitiesClient',
'list_availability_zone_capabilities', expected_allowed,
CONF.load_balancer.provider)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_list_RBAC_enforcement(
'AvailabilityZoneCapabilitiesClient',
'list_availability_zone_capabilities', expected_allowed,
CONF.load_balancer.provider)
# Check for an expected availability zone capability for the
# configured provider

85
octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
View File

@ -76,18 +76,11 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# create an availability zone profile.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_create_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'create_availability_zone_profile',
expected_allowed, **availability_zone_profile_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_create_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'create_availability_zone_profile',
expected_allowed, **availability_zone_profile_kwargs)
# Happy path
availability_zone_profile = (
@ -231,17 +224,10 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# list availability zone profiles.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_list_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'list_availability_zone_profiles', expected_allowed)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_list_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'list_availability_zone_profiles', expected_allowed)
# Check the default sort order (by ID)
profiles = (self.lb_admin_availability_zone_profile_client
@ -392,18 +378,11 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# show an availability zone profile
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_show_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'show_availability_zone_profile', expected_allowed,
availability_zone_profile[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_show_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'show_availability_zone_profile', expected_allowed,
availability_zone_profile[const.ID])
result = (
self.lb_admin_availability_zone_profile_client
@ -494,19 +473,12 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# update an availability zone profile.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_update_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'update_availability_zone_profile', expected_allowed,
None, None, availability_zone_profile[const.ID],
**availability_zone_profile_updated_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_update_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'update_availability_zone_profile', expected_allowed,
None, None, availability_zone_profile[const.ID],
**availability_zone_profile_updated_kwargs)
result = (
self.lb_admin_availability_zone_profile_client
@ -576,18 +548,11 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# delete an availability zone profile.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'delete_availability_zone_profile', expected_allowed,
None, None, availability_zone_profile[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_delete_RBAC_enforcement(
'AvailabilityZoneProfileClient',
'delete_availability_zone_profile', expected_allowed,
None, None, availability_zone_profile[const.ID])
# Happy path
(self.lb_admin_availability_zone_profile_client

53
octavia_tempest_plugin/tests/api/v2/test_flavor.py
View File

@ -88,17 +88,10 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# create a flavor.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_create_RBAC_enforcement(
'FlavorClient', 'create_flavor',
expected_allowed, None, None, **flavor_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_create_RBAC_enforcement(
'FlavorClient', 'create_flavor',
expected_allowed, None, None, **flavor_kwargs)
# Happy path
flavor = self.lb_admin_flavor_client.create_flavor(**flavor_kwargs)
@ -199,12 +192,12 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest):
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@ -327,12 +320,12 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest):
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
'os_system_admin', 'os_system_reader', 'os_roles_lb_admin',
'os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@ -390,17 +383,10 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer role cannot
# update flavor details.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_update_RBAC_enforcement(
'FlavorClient', 'update_flavor', expected_allowed, None, None,
flavor[const.ID], **flavor_updated_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_update_RBAC_enforcement(
'FlavorClient', 'update_flavor', expected_allowed, None, None,
flavor[const.ID], **flavor_updated_kwargs)
updated_flavor = self.lb_admin_flavor_client.update_flavor(
flavor[const.ID], **flavor_updated_kwargs)
@ -454,17 +440,10 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# delete a flavor.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'FlavorClient', 'delete_flavor', expected_allowed,
None, None, flavor[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_delete_RBAC_enforcement(
'FlavorClient', 'delete_flavor', expected_allowed,
None, None, flavor[const.ID])
# Happy path
self.lb_admin_flavor_client.delete_flavor(flavor[const.ID])

17
octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
View File

@ -42,18 +42,11 @@ class FlavorCapabilitiesAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# list provider flavor capabilities.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_list_RBAC_enforcement(
'FlavorCapabilitiesClient',
'list_flavor_capabilities', expected_allowed,
CONF.load_balancer.provider)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_list_RBAC_enforcement(
'FlavorCapabilitiesClient',
'list_flavor_capabilities', expected_allowed,
CONF.load_balancer.provider)
# Check for an expected flavor capability for the configured provider
admin_capabilities_client = self.lb_admin_flavor_capabilities_client

77
octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
View File

@ -60,17 +60,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# create a flavor profile
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_create_RBAC_enforcement(
'FlavorProfileClient', 'create_flavor_profile',
expected_allowed, None, None, **flavor_profile_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_create_RBAC_enforcement(
'FlavorProfileClient', 'create_flavor_profile',
expected_allowed, None, None, **flavor_profile_kwargs)
# Happy path
flavor_profile = (
@ -180,17 +173,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# list flavor profiles.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_list_RBAC_enforcement(
'FlavorProfileClient', 'list_flavor_profiles',
expected_allowed)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_list_RBAC_enforcement(
'FlavorProfileClient', 'list_flavor_profiles',
expected_allowed)
# Check the default sort order (by ID)
profiles = self.lb_admin_flavor_profile_client.list_flavor_profiles()
@ -309,17 +295,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# show a flavor profile.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_show_RBAC_enforcement(
'FlavorProfileClient', 'show_flavor_profile',
expected_allowed, flavor_profile[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_show_RBAC_enforcement(
'FlavorProfileClient', 'show_flavor_profile',
expected_allowed, flavor_profile[const.ID])
result = (
self.lb_admin_flavor_profile_client.show_flavor_profile(
@ -387,18 +366,11 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# update a flavor profile.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_update_RBAC_enforcement(
'FlavorProfileClient', 'update_flavor_profile',
expected_allowed, None, None, flavor_profile[const.ID],
**flavor_profile_updated_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_update_RBAC_enforcement(
'FlavorProfileClient', 'update_flavor_profile',
expected_allowed, None, None, flavor_profile[const.ID],
**flavor_profile_updated_kwargs)
result = self.lb_admin_flavor_profile_client.update_flavor_profile(
flavor_profile[const.ID], **flavor_profile_updated_kwargs)
@ -454,17 +426,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# delete a flavor profile
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'FlavorProfileClient', 'delete_flavor_profile',
expected_allowed, None, None, flavor_profile[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_delete_RBAC_enforcement(
'FlavorProfileClient', 'delete_flavor_profile',
expected_allowed, None, None, flavor_profile[const.ID])
# Happy path
self.lb_admin_flavor_profile_client.delete_flavor_profile(

80
octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
View File

@ -277,22 +277,13 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot
# create a healthmonitor
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_create_RBAC_enforcement(
'HealthMonitorClient', 'create_healthmonitor',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **hm_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_create_RBAC_enforcement(
'HealthMonitorClient', 'create_healthmonitor',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **hm_kwargs)
hm = self.mem_healthmonitor_client.create_healthmonitor(**hm_kwargs)
self.addCleanup(
@ -741,10 +732,10 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest):
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@ -765,12 +756,12 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest):
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_observer',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@ -1195,10 +1186,9 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest):
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
@ -1471,21 +1461,12 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest):
# Test that a user, without the loadbalancer member role, cannot
# update this healthmonitor.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_update_RBAC_enforcement(
'HealthMonitorClient', 'update_healthmonitor',
expected_allowed, None, None, hm[const.ID],
admin_state_up=True)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_update_RBAC_enforcement(
'HealthMonitorClient', 'update_healthmonitor',
expected_allowed, None, None, hm[const.ID],
admin_state_up=True)
# Assert we didn't go into PENDING_*
hm_check = self.mem_healthmonitor_client.show_healthmonitor(
@ -1775,20 +1756,11 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot delete this
# healthmonitor.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'HealthMonitorClient', 'delete_healthmonitor',
expected_allowed, None, None, hm[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_delete_RBAC_enforcement(
'HealthMonitorClient', 'delete_healthmonitor',
expected_allowed, None, None, hm[const.ID])
self.mem_healthmonitor_client.delete_healthmonitor(hm[const.ID])

95
octavia_tempest_plugin/tests/api/v2/test_l7policy.py
View File

@ -144,22 +144,13 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer role cannot
# create a l7policy
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_create_RBAC_enforcement(
'L7PolicyClient', 'create_l7policy',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **l7policy_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_create_RBAC_enforcement(
'L7PolicyClient', 'create_l7policy',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **l7policy_kwargs)
l7policy = self.mem_l7policy_client.create_l7policy(**l7policy_kwargs)
@ -397,10 +388,10 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest):
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@ -423,12 +414,12 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest):
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_observer',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@ -668,22 +659,16 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest):
# Test that the appropriate users can see or not see the L7 policies
# based on the API RBAC.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
self.check_show_RBAC_enforcement(
'L7PolicyClient', 'show_l7policy',
expected_allowed, l7policy[const.ID])
else:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_show_RBAC_enforcement(
'L7PolicyClient', 'show_l7policy',
expected_allowed, l7policy[const.ID])
@decorators.idempotent_id('08f73b22-550b-4e5a-b3d6-2ec03251ca13')
def test_l7policy_update(self):
@ -782,21 +767,12 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest):
# Test that a user, without the loadbalancer member role, cannot
# update this L7 policy.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_update_RBAC_enforcement(
'L7PolicyClient', 'update_l7policy',
expected_allowed, None, None, l7policy[const.ID],
admin_state_up=True)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_update_RBAC_enforcement(
'L7PolicyClient', 'update_l7policy',
expected_allowed, None, None, l7policy[const.ID],
admin_state_up=True)
# Assert we didn't go into PENDING_*
l7policy_check = self.mem_l7policy_client.show_l7policy(
@ -899,20 +875,11 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot delete this
# L7 policy.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'L7PolicyClient', 'delete_l7policy',
expected_allowed, None, None, l7policy[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_delete_RBAC_enforcement(
'L7PolicyClient', 'delete_l7policy',
expected_allowed, None, None, l7policy[const.ID])
self.mem_l7policy_client.delete_l7policy(l7policy[const.ID])

98
octavia_tempest_plugin/tests/api/v2/test_l7rule.py
View File

@ -142,22 +142,13 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot
# create an L7 rule.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_create_RBAC_enforcement(
'L7RuleClient', 'create_l7rule',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **l7rule_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_create_RBAC_enforcement(
'L7RuleClient', 'create_l7rule',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **l7rule_kwargs)
l7rule = self.mem_l7rule_client.create_l7rule(**l7rule_kwargs)
self.addClassResourceCleanup(
@ -359,10 +350,10 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest):
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@ -382,10 +373,9 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest):
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
@ -562,23 +552,17 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest):
# Test that the appropriate users can see or not see the L7 rule
# based on the API RBAC.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
self.check_show_RBAC_enforcement(
'L7RuleClient', 'show_l7rule',
expected_allowed, l7rule[const.ID],
l7policy_id=self.l7policy_id)
else:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_show_RBAC_enforcement(
'L7RuleClient', 'show_l7rule',
expected_allowed, l7rule[const.ID],
l7policy_id=self.l7policy_id)
@decorators.idempotent_id('f8cee23b-89b6-4f3a-a842-1463daf42cf7')
def test_l7rule_update(self):
@ -650,21 +634,12 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest):
# Test that a user, without the loadbalancer member role, cannot
# update this L7 rule.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_update_RBAC_enforcement(
'L7RuleClient', 'update_l7rule',
expected_allowed, None, None, l7rule[const.ID],
l7policy_id=self.l7policy_id, admin_state_up=True)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_update_RBAC_enforcement(
'L7RuleClient', 'update_l7rule',
expected_allowed, None, None, l7rule[const.ID],
l7policy_id=self.l7policy_id, admin_state_up=True)
# Assert we didn't go into PENDING_*
l7rule_check = self.mem_l7rule_client.show_l7rule(
@ -753,21 +728,12 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot delete this
# L7 rule.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'L7RuleClient', 'delete_l7rule',
expected_allowed, None, None, l7rule[const.ID],
l7policy_id=self.l7policy_id)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_delete_RBAC_enforcement(
'L7RuleClient', 'delete_l7rule',
expected_allowed, None, None, l7rule[const.ID],
l7policy_id=self.l7policy_id)
self.mem_l7rule_client.delete_l7rule(l7rule[const.ID],
l7policy_id=self.l7policy_id)

103
octavia_tempest_plugin/tests/api/v2/test_listener.py
View File

@ -362,22 +362,13 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot
# create a listener.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_create_RBAC_enforcement(
'ListenerClient', 'create_listener',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **listener_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_create_RBAC_enforcement(
'ListenerClient', 'create_listener',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **listener_kwargs)
listener = self.mem_listener_client.create_listener(**listener_kwargs)
@ -938,10 +929,10 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest):
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@ -963,12 +954,12 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest):
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_observer',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@ -1293,22 +1284,16 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest):
# Test that the appropriate users can see or not see the listener
# based on the API RBAC.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
self.check_show_RBAC_enforcement(
'ListenerClient', 'show_listener',
expected_allowed, listener[const.ID])
else:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_show_RBAC_enforcement(
'ListenerClient', 'show_listener',
expected_allowed, listener[const.ID])
@decorators.idempotent_id('aaae0298-5778-4c7e-a27a-01549a71b319')
def test_http_listener_update(self):
@ -1479,23 +1464,14 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot
# update a listener.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_update_RBAC_enforcement(
'ListenerClient', 'update_listener',
expected_allowed,
status_method=self.mem_listener_client.show_listener,
obj_id=listener[const.ID], listener_id=listener[const.ID],
admin_state_up=True)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_update_RBAC_enforcement(
'ListenerClient', 'update_listener',
expected_allowed,
status_method=self.mem_listener_client.show_listener,
obj_id=listener[const.ID], listener_id=listener[const.ID],
admin_state_up=True)
new_name = data_utils.rand_name("lb_member_listener1-UPDATED")
new_description = data_utils.arbitrary_string(size=255,
@ -1713,22 +1689,13 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot
# delete a listener.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_update_RBAC_enforcement(
'ListenerClient', 'delete_listener',
expected_allowed,
status_method=self.mem_listener_client.show_listener,
obj_id=listener[const.ID], listener_id=listener[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_update_RBAC_enforcement(
'ListenerClient', 'delete_listener',
expected_allowed,
status_method=self.mem_listener_client.show_listener,
obj_id=listener[const.ID], listener_id=listener[const.ID])
self.mem_listener_client.delete_listener(listener[const.ID])

165
octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
View File

@ -84,20 +84,11 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
lb_kwargs_with_project_id = copy.deepcopy(lb_kwargs)
lb_kwargs_with_project_id[const.PROJECT_ID] = (
self.os_roles_lb_member.credentials.project_id)
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
self.check_create_RBAC_enforcement(
'LoadbalancerClient', 'create_loadbalancer',
expected_allowed, None, None, **lb_kwargs_with_project_id)
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
self.check_create_RBAC_enforcement(
'LoadbalancerClient', 'create_loadbalancer',
expected_allowed, None, None, **lb_kwargs_with_project_id)
lb = self.mem_lb_client.create_loadbalancer(**lb_kwargs)
@ -188,20 +179,11 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot delete this
# load balancer.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'LoadbalancerClient', 'delete_loadbalancer',
expected_allowed, None, None, lb[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_delete_RBAC_enforcement(
'LoadbalancerClient', 'delete_loadbalancer',
expected_allowed, None, None, lb[const.ID])
self.mem_lb_client.delete_loadbalancer(lb[const.ID])
@ -238,20 +220,11 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot delete this
# load balancer.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'LoadbalancerClient', 'delete_loadbalancer',
expected_allowed, None, None, lb[const.ID], cascade=True)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_delete_RBAC_enforcement(
'LoadbalancerClient', 'delete_loadbalancer',
expected_allowed, None, None, lb[const.ID], cascade=True)
self.mem_lb_client.delete_loadbalancer(lb[const.ID], cascade=True)
@ -436,10 +409,10 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@ -460,12 +433,12 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_observer',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@ -632,22 +605,16 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
# Test that the appropriate users can see or not see the load
# balancer based on the API RBAC.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
self.check_show_RBAC_enforcement(
'LoadbalancerClient', 'show_loadbalancer',
expected_allowed, lb[const.ID])
else:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_show_RBAC_enforcement(
'LoadbalancerClient', 'show_loadbalancer',
expected_allowed, lb[const.ID])
# Attempt to clean up so that one full test run doesn't start 10+
# amps before the cleanup phase fires
@ -736,21 +703,12 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
# Test that a user, without the loadbalancer member role, cannot
# update this load balancer.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_update_RBAC_enforcement(
'LoadbalancerClient', 'update_loadbalancer',
expected_allowed, None, None, lb[const.ID],
admin_state_up=True)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_update_RBAC_enforcement(
'LoadbalancerClient', 'update_loadbalancer',
expected_allowed, None, None, lb[const.ID],
admin_state_up=True)
# Assert we didn't go into PENDING_*
lb_check = self.mem_lb_client.show_loadbalancer(lb[const.ID])
@ -829,22 +787,16 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
# Test that the appropriate users can see or not see the load
# balancer stats based on the API RBAC.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
self.check_show_RBAC_enforcement(
'LoadbalancerClient', 'get_loadbalancer_stats',
expected_allowed, lb[const.ID])
else:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_show_RBAC_enforcement(
'LoadbalancerClient', 'get_loadbalancer_stats',
expected_allowed, lb[const.ID])
stats = self.mem_lb_client.get_loadbalancer_stats(lb[const.ID])
@ -900,22 +852,16 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
# Test that the appropriate users can see or not see the load
# balancer status based on the API RBAC.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
self.check_show_RBAC_enforcement(
'LoadbalancerClient', 'get_loadbalancer_status',
expected_allowed, lb[const.ID])
else:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_show_RBAC_enforcement(
'LoadbalancerClient', 'get_loadbalancer_status',
expected_allowed, lb[const.ID])
status = self.mem_lb_client.get_loadbalancer_status(lb[const.ID])
@ -977,17 +923,10 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the load balancer admin role cannot
# failover a load balancer.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
self.check_update_RBAC_enforcement(
'LoadbalancerClient', 'failover_loadbalancer',
expected_allowed, None, None, lb[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin']
self.check_update_RBAC_enforcement(
'LoadbalancerClient', 'failover_loadbalancer',
expected_allowed, None, None, lb[const.ID])
# Assert we didn't go into PENDING_*
lb = self.mem_lb_client.show_loadbalancer(lb[const.ID])

117
octavia_tempest_plugin/tests/api/v2/test_member.py
View File

@ -930,22 +930,13 @@ class MemberAPITest1(MemberAPITest):
# Test that a user without the loadbalancer role cannot
# create a member.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_create_RBAC_enforcement(
'MemberClient', 'create_member',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **member_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_create_RBAC_enforcement(
'MemberClient', 'create_member',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **member_kwargs)
member = self.mem_member_client.create_member(**member_kwargs)
@ -1287,10 +1278,10 @@ class MemberAPITest1(MemberAPITest):
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
@ -1309,10 +1300,9 @@ class MemberAPITest1(MemberAPITest):
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
@ -1874,23 +1864,16 @@ class MemberAPITest2(MemberAPITest):
# Test that the appropriate users can see or not see the member
# based on the API RBAC.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
self.check_show_RBAC_enforcement(
'MemberClient', 'show_member',
expected_allowed, member[const.ID],
pool_id=pool_id)
else:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_show_RBAC_enforcement(
'MemberClient', 'show_member', expected_allowed, member[const.ID],
pool_id=pool_id)
@decorators.idempotent_id('592c19c3-1e0d-4d6d-b2ff-0d39d8654c99')
def test_HTTP_LC_backup_member_update(self):
@ -2348,21 +2331,12 @@ class MemberAPITest2(MemberAPITest):
# Test that a user, without the loadbalancer member role, cannot
# update this member.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_update_RBAC_enforcement(
'MemberClient', 'update_member',
expected_allowed, None, None, member[const.ID],
pool_id=pool_id, admin_state_up=True)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_update_RBAC_enforcement(
'MemberClient', 'update_member',
expected_allowed, None, None, member[const.ID],
pool_id=pool_id, admin_state_up=True)
# Assert we didn't go into PENDING_*
member_check = self.mem_member_client.show_member(
@ -2817,21 +2791,12 @@ class MemberAPITest2(MemberAPITest):
# Test that a user, without the loadbalancer member role, cannot
# batch update this member.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_update_RBAC_enforcement(
'MemberClient', 'update_members',
expected_allowed, None, None,
pool_id=pool_id, members_list=batch_update_list)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_update_RBAC_enforcement(
'MemberClient', 'update_members',
expected_allowed, None, None,
pool_id=pool_id, members_list=batch_update_list)
# Assert we didn't go into PENDING_*
member_check = self.mem_member_client.show_member(
@ -3086,21 +3051,11 @@ class MemberAPITest2(MemberAPITest):
# Test that a user without the loadbalancer role cannot delete this
# member.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'MemberClient', 'delete_member',
expected_allowed, None, None, member[const.ID],
pool_id=pool_id)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_delete_RBAC_enforcement(
'MemberClient', 'delete_member', expected_allowed, None, None,
member[const.ID], pool_id=pool_id)
self.mem_member_client.delete_member(member[const.ID],
pool_id=pool_id)

111
octavia_tempest_plugin/tests/api/v2/test_pool.py
View File

@ -408,22 +408,13 @@ class PoolAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot
# create a pool.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_create_RBAC_enforcement(
'PoolClient', 'create_pool',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **pool_kwargs)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_create_RBAC_enforcement(
'PoolClient', 'create_pool',
expected_allowed,
status_method=self.mem_lb_client.show_loadbalancer,
obj_id=self.lb_id, **pool_kwargs)
# This is a special case as the reference driver does not support
# SOURCE-IP-PORT. Since it runs with not_implemented_is_error, we must
@ -763,10 +754,10 @@ class PoolAPITest(test_base.LoadBalancerBaseTest):
'os_roles_lb_global_observer']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2']
if expected_allowed:
self.check_list_RBAC_enforcement_count(
'PoolClient', 'list_pools', expected_allowed, 0,
query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
# if expected_allowed:
# self.check_list_RBAC_enforcement_count(
# 'PoolClient', 'list_pools', expected_allowed, 0,
# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
# Test credentials that should see these pools can see them.
expected_allowed = []
@ -774,15 +765,15 @@ class PoolAPITest(test_base.LoadBalancerBaseTest):
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member',
'os_roles_lb_global_observer']
if expected_allowed:
self.check_list_IDs_RBAC_enforcement(
'PoolClient', 'list_pools', expected_allowed, test_ids,
query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
# if expected_allowed:
# self.check_list_IDs_RBAC_enforcement(
# 'PoolClient', 'list_pools', expected_allowed, test_ids,
# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id))
# Test that users without the lb member role cannot list pools.
# Note: non-owners can still call this API, they will just get the list
@ -798,12 +789,12 @@ class PoolAPITest(test_base.LoadBalancerBaseTest):
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_observer',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if expected_allowed:
@ -1132,22 +1123,16 @@ class PoolAPITest(test_base.LoadBalancerBaseTest):
# Test that the appropriate users can see or not see the pool
# based on the API RBAC.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_global_observer',
'os_roles_lb_member']
if expected_allowed:
self.check_show_RBAC_enforcement(
'PoolClient', 'show_pool',
expected_allowed, pool[const.ID])
else:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_show_RBAC_enforcement(
'PoolClient', 'show_pool',
expected_allowed, pool[const.ID])
@decorators.idempotent_id('d73755fe-ba3a-4248-9543-8e167a5aa7f4')
def test_HTTP_LC_pool_update(self):
@ -1372,21 +1357,12 @@ class PoolAPITest(test_base.LoadBalancerBaseTest):
# Test that a user, without the loadbalancer member role, cannot
# update this pool.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_update_RBAC_enforcement(
'PoolClient', 'update_pool',
expected_allowed, None, None, pool[const.ID],
admin_state_up=True)
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_update_RBAC_enforcement(
'PoolClient', 'update_pool',
expected_allowed, None, None, pool[const.ID],
admin_state_up=True)
# Assert we didn't go into PENDING_*
pool_check = self.mem_pool_client.show_pool(
@ -1675,20 +1651,11 @@ class PoolAPITest(test_base.LoadBalancerBaseTest):
# Test that a user without the loadbalancer role cannot delete this
# pool.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if expected_allowed:
self.check_delete_RBAC_enforcement(
'PoolClient', 'delete_pool',
expected_allowed, None, None, pool[const.ID])
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
self.check_delete_RBAC_enforcement(
'PoolClient', 'delete_pool',
expected_allowed, None, None, pool[const.ID])
self.mem_pool_client.delete_pool(pool[const.ID])

9
octavia_tempest_plugin/tests/api/v2/test_provider.py
View File

@ -50,14 +50,15 @@ class ProviderAPITest(test_base.LoadBalancerBaseTest):
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = [
'os_system_admin', 'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
'os_admin', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_admin', 'os_roles_lb_member',
'os_roles_lb_member2']
if expected_allowed:
self.check_list_RBAC_enforcement(
'ProviderClient', 'list_providers', expected_allowed)

5
octavia_tempest_plugin/tests/test_base.py
View File

@ -79,11 +79,6 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin,
['lb_member', CONF.load_balancer.member_role, 'member'],
['lb_member2', CONF.load_balancer.member_role, 'member']]
# If scope enforcement is enabled, add in the system scope credentials.
# The project scope is already handled by the above credentials.
if CONF.enforce_scope.octavia:
credentials.extend(['system_admin', 'system_reader'])
# A tuple of credentials that will be allocated by tempest using the
# 'credentials' list above. These are used to build RBAC test lists.
allocated_creds = []

8
releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml Normal file
View File

@ -0,0 +1,8 @@
---
upgrade:
- |
The default tempest tests will now expect the keystone default roles RBAC
enabled. The legacy behavior can be enabled by setting
"RBAC_test_type: advanced" in the [load_balancer] section of your
tempest.conf. This change also removes the ability to test system scoped
tokens with Octavia.

105
zuul.d/jobs.yaml
View File

@ -518,23 +518,16 @@
- ^octavia_tempest_plugin/tests/spare_pool_scenario/.* # TODO: remove
- job:
name: octavia-v2-dsvm-noop-api-keystone-default-roles
name: octavia-v2-dsvm-noop-api-advanced-rbac
parent: octavia-v2-dsvm-noop-api
vars:
devstack_localrc:
OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True
OCTAVIA_USE_ADVANCED_RBAC: True
devstack_local_conf:
post-config:
$OCTAVIA_CONF:
oslo_policy:
enforce_scope: False
enforce_new_defaults: True
test-config:
"$TEMPEST_CONFIG":
enforce_scope:
octavia: False
load_balancer:
RBAC_test_type: keystone_default_roles
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-noop-py2-api
@ -548,18 +541,36 @@
parent: octavia-v2-dsvm-noop-api
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.2
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-noop-api-stable-2024-1
parent: octavia-v2-dsvm-noop-api
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.1
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-noop-api-stable-2023-2
parent: octavia-v2-dsvm-noop-api
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2023.2
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-scenario-base
@ -646,6 +657,12 @@
parent: octavia-v2-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.2
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2
@ -664,6 +681,12 @@
parent: octavia-v2-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.1
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-scenario-traffic-ops-stable-2024-1
@ -682,6 +705,12 @@
parent: octavia-v2-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2023.2
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-scenario-traffic-ops-stable-2023-2
@ -890,18 +919,36 @@
parent: octavia-v2-dsvm-tls-barbican
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.2
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-tls-barbican-stable-2024-1
parent: octavia-v2-dsvm-tls-barbican
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.1
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-tls-barbican-stable-2023-2
parent: octavia-v2-dsvm-tls-barbican
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2023.2
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-dsvm-spare-pool
@ -1049,18 +1096,56 @@
parent: octavia-v2-act-stdby-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.2
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-act-stdby-dsvm-scenario-stable-2024-1
parent: octavia-v2-act-stdby-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2024.1
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
- job:
name: octavia-v2-act-stdby-dsvm-scenario-stable-2023-2
parent: octavia-v2-act-stdby-dsvm-scenario
nodeset: octavia-single-node-ubuntu-jammy
override-checkout: stable/2023.2
vars:
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
load_balancer:
RBAC_test_type: advanced
# Temporary job, remove once it is no longer used in octavia gates
- job:
name: octavia-v2-dsvm-noop-api-keystone-default-roles
parent: octavia-v2-dsvm-noop-api
vars:
devstack_localrc:
OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True
devstack_local_conf:
post-config:
$OCTAVIA_CONF:
oslo_policy:
enforce_scope: True
enforce_new_defaults: True
test-config:
"$TEMPEST_CONFIG":
enforce_scope:
octavia: True
load_balancer:
RBAC_test_type: keystone_default_roles
######### Third party jobs ##########

4
zuul.d/projects.yaml
View File

@ -12,7 +12,7 @@
- octavia-v2-dsvm-noop-api-stable-2024-2
- octavia-v2-dsvm-noop-api-stable-2024-1
- octavia-v2-dsvm-noop-api-stable-2023-2
- octavia-v2-dsvm-noop-api-keystone-default-roles
- octavia-v2-dsvm-noop-api-advanced-rbac
- octavia-v2-dsvm-scenario-traffic-ops
- octavia-v2-dsvm-scenario-non-traffic-ops
- octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2
@ -60,7 +60,7 @@
- octavia-v2-dsvm-noop-api-stable-2024-2
- octavia-v2-dsvm-noop-api-stable-2024-1
- octavia-v2-dsvm-noop-api-stable-2023-2
- octavia-v2-dsvm-noop-api-keystone-default-roles
- octavia-v2-dsvm-noop-api-advanced-rbac
- octavia-v2-dsvm-scenario-traffic-ops
- octavia-v2-dsvm-scenario-non-traffic-ops
- octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2