diff --git a/octavia_tempest_plugin/config.py b/octavia_tempest_plugin/config.py index 9e259d38..78f57edb 100644 --- a/octavia_tempest_plugin/config.py +++ b/octavia_tempest_plugin/config.py @@ -105,7 +105,7 @@ OctaviaGroup = [ cfg.StrOpt('provider', default='octavia', help='The provider driver to use for the tests.'), - cfg.StrOpt('RBAC_test_type', default=const.ADVANCED, + cfg.StrOpt('RBAC_test_type', default=const.KEYSTONE_DEFAULT_ROLES, choices=[const.ADVANCED, const.KEYSTONE_DEFAULT_ROLES, const.OWNERADMIN, const.NONE], help='Type of RBAC tests to run. "advanced" runs the octavia ' diff --git a/octavia_tempest_plugin/tests/RBAC_tests.py b/octavia_tempest_plugin/tests/RBAC_tests.py index 8dae024f..8fc356c8 100644 --- a/octavia_tempest_plugin/tests/RBAC_tests.py +++ b/octavia_tempest_plugin/tests/RBAC_tests.py @@ -59,17 +59,10 @@ class RBACTestsMixin(test.BaseTestCase): try: cred_obj = getattr(self, cred) except AttributeError: - # TODO(johnsom) Remove once scoped tokens is the default. - if ((cred == 'os_system_admin' or cred == 'os_system_reader') - and not CONF.enforce_scope.octavia): - LOG.info('Skipping %s allowed RBAC test because ' - 'enforce_scope.octavia is not True', cred) - continue - else: - self.fail('Credential {} "expected_allowed" for RBAC ' - 'testing was not created by tempest ' - 'credentials setup. This is likely a bug in the ' - 'test.'.format(cred)) + self.fail('Credential {} "expected_allowed" for RBAC ' + 'testing was not created by tempest ' + 'credentials setup. This is likely a bug in the ' + 'test.'.format(cred)) method = self._get_client_method(cred_obj, client_str, method_str) try: method(*args, **kwargs) @@ -155,15 +148,6 @@ class RBACTestsMixin(test.BaseTestCase): """ allowed_list = copy.deepcopy(expected_allowed) - # The legacy admin behavior changed during the sRBAC development, - # os_admin is still a valid admin [0] - # [0] https://governance.openstack.org/tc/goals/selected/ - # consistent-and-secure-rbac.html - # #legacy-admin-continues-to-work-as-it-is - # TODO(gthiemonge) we may have to revisit it in the future if the - # legacy admin scope changes. - if 'os_system_admin' in expected_allowed: - allowed_list.append('os_admin') # #### Test that disallowed credentials cannot access the API. self._check_disallowed(client_str, method_str, allowed_list, @@ -192,6 +176,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._list_get_RBAC_enforcement(client_str, method_str, expected_allowed, *args, **kwargs) @@ -214,6 +200,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._list_get_RBAC_enforcement(client_str, method_str, expected_allowed, *args, **kwargs) @@ -243,15 +231,6 @@ class RBACTestsMixin(test.BaseTestCase): """ allowed_list = copy.deepcopy(expected_allowed) - # The legacy admin behavior changed during the sRBAC development, - # os_admin is still a valid admin [0] - # [0] https://governance.openstack.org/tc/goals/selected/ - # consistent-and-secure-rbac.html - # #legacy-admin-continues-to-work-as-it-is - # TODO(gthiemonge) we may have to revisit it in the future if the - # legacy admin scope changes. - if 'os_system_admin' in expected_allowed: - allowed_list.append('os_admin') # #### Test that disallowed credentials cannot access the API. self._check_disallowed(client_str, method_str, allowed_list, @@ -281,6 +260,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed, status_method, obj_id, *args, **kwargs) @@ -308,6 +289,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed, status_method, obj_id, *args, **kwargs) @@ -335,6 +318,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed, status_method, obj_id, *args, **kwargs) @@ -367,33 +352,19 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return allowed_list = copy.deepcopy(expected_allowed) - # The legacy admin behavior changed during the sRBAC development, - # os_admin is still a valid admin [0] - # [0] https://governance.openstack.org/tc/goals/selected/ - # consistent-and-secure-rbac.html - # #legacy-admin-continues-to-work-as-it-is - # TODO(gthiemonge) we may have to revisit it in the future if the - # legacy admin scope changes. - if 'os_system_admin' in expected_allowed: - allowed_list.append('os_admin') for cred in allowed_list: try: cred_obj = getattr(self, cred) except AttributeError: - # TODO(johnsom) Remove once scoped tokens is the default. - if ((cred == 'os_system_admin' or cred == 'os_system_reader') - and not CONF.enforce_scope.octavia): - LOG.info('Skipping %s allowed RBAC test because ' - 'enforce_scope.octavia is not True', cred) - continue - else: - self.fail('Credential {} "expected_allowed" for RBAC ' - 'testing was not created by tempest ' - 'credentials setup. This is likely a bug in the ' - 'test.'.format(cred)) + self.fail('Credential {} "expected_allowed" for RBAC ' + 'testing was not created by tempest ' + 'credentials setup. This is likely a bug in the ' + 'test.'.format(cred)) method = self._get_client_method(cred_obj, client_str, method_str) try: result = method(*args, **kwargs) @@ -434,33 +405,19 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return allowed_list = copy.deepcopy(expected_allowed) - # The legacy admin behavior changed during the sRBAC development, - # os_admin is still a valid admin [0] - # [0] https://governance.openstack.org/tc/goals/selected/ - # consistent-and-secure-rbac.html - # #legacy-admin-continues-to-work-as-it-is - # TODO(gthiemonge) we may have to revisit it in the future if the - # legacy admin scope changes. - if 'os_system_admin' in expected_allowed: - allowed_list.append('os_admin') for cred in allowed_list: try: cred_obj = getattr(self, cred) except AttributeError: - # TODO(johnsom) Remove once scoped tokens is the default. - if ((cred == 'os_system_admin' or cred == 'os_system_reader') - and not CONF.enforce_scope.octavia): - LOG.info('Skipping %s allowed RBAC test because ' - 'enforce_scope.octavia is not True', cred) - continue - else: - self.fail('Credential {} "expected_allowed" for RBAC ' - 'testing was not created by tempest ' - 'credentials setup. This is likely a bug in the ' - 'test.'.format(cred)) + self.fail('Credential {} "expected_allowed" for RBAC ' + 'testing was not created by tempest ' + 'credentials setup. This is likely a bug in the ' + 'test.'.format(cred)) method = self._get_client_method(cred_obj, client_str, method_str) try: result = method(*args, **kwargs) diff --git a/octavia_tempest_plugin/tests/api/v2/test_amphora.py b/octavia_tempest_plugin/tests/api/v2/test_amphora.py index 8d591cc3..06f93ace 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_amphora.py +++ b/octavia_tempest_plugin/tests/api/v2/test_amphora.py @@ -90,16 +90,9 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest): CONF.load_balancer.lb_build_timeout) # Test RBAC for list amphorae - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'AmphoraClient', 'list_amphorae', expected_allowed) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'AmphoraClient', 'list_amphorae', expected_allowed) # Get an actual list of the amphorae amphorae = self.lb_admin_amphora_client.list_amphorae() @@ -178,17 +171,10 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest): amphora_1 = amphorae[0] # Test RBAC for update an amphora - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'AmphoraClient', 'update_amphora_config', expected_allowed, - None, None, amphora_1[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'AmphoraClient', 'update_amphora_config', expected_allowed, + None, None, amphora_1[const.ID]) self.lb_admin_amphora_client.update_amphora_config(amphora_1[const.ID]) @@ -213,17 +199,10 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest): amphora_1 = amphorae[0] # Test RBAC for failover an amphora - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'AmphoraClient', 'amphora_failover', expected_allowed, - None, None, amphora_1[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'AmphoraClient', 'amphora_failover', expected_allowed, + None, None, amphora_1[const.ID]) self.lb_admin_amphora_client.amphora_failover(amphora_1[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py index fe800848..adcb75ad 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py +++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py @@ -105,17 +105,10 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # create an availability zone. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'AvailabilityZoneClient', 'create_availability_zone', - expected_allowed, **availability_zone_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_create_RBAC_enforcement( + 'AvailabilityZoneClient', 'create_availability_zone', + expected_allowed, **availability_zone_kwargs) # Happy path availability_zone = ( @@ -233,12 +226,12 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin', + 'os_admin', 'os_roles_lb_admin', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -386,12 +379,12 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin', + 'os_admin', 'os_roles_lb_admin', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -454,18 +447,11 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer role cannot # update availability zone details. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'AvailabilityZoneClient', 'update_availability_zone', - expected_allowed, None, None, availability_zone[const.NAME], - **availability_zone_updated_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'AvailabilityZoneClient', 'update_availability_zone', + expected_allowed, None, None, availability_zone[const.NAME], + **availability_zone_updated_kwargs) updated_availability_zone = ( self.lb_admin_availability_zone_client.update_availability_zone( @@ -531,17 +517,10 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # delete an availability zone. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'AvailabilityZoneClient', 'delete_availability_zone', - expected_allowed, None, None, availability_zone[const.NAME]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_delete_RBAC_enforcement( + 'AvailabilityZoneClient', 'delete_availability_zone', + expected_allowed, None, None, availability_zone[const.NAME]) # Happy path self.lb_admin_availability_zone_client.delete_availability_zone( diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py index 6f67d8f4..7bcb4d77 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py +++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py @@ -44,18 +44,11 @@ class AvailabilityZoneCapabilitiesAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # list provider availability zone capabilities. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'AvailabilityZoneCapabilitiesClient', - 'list_availability_zone_capabilities', expected_allowed, - CONF.load_balancer.provider) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'AvailabilityZoneCapabilitiesClient', + 'list_availability_zone_capabilities', expected_allowed, + CONF.load_balancer.provider) # Check for an expected availability zone capability for the # configured provider diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py index 6984420c..78e12ed7 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py +++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py @@ -76,18 +76,11 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # create an availability zone profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'create_availability_zone_profile', - expected_allowed, **availability_zone_profile_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_create_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'create_availability_zone_profile', + expected_allowed, **availability_zone_profile_kwargs) # Happy path availability_zone_profile = ( @@ -231,17 +224,10 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # list availability zone profiles. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'list_availability_zone_profiles', expected_allowed) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'list_availability_zone_profiles', expected_allowed) # Check the default sort order (by ID) profiles = (self.lb_admin_availability_zone_profile_client @@ -392,18 +378,11 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # show an availability zone profile - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'show_availability_zone_profile', expected_allowed, - availability_zone_profile[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_show_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'show_availability_zone_profile', expected_allowed, + availability_zone_profile[const.ID]) result = ( self.lb_admin_availability_zone_profile_client @@ -494,19 +473,12 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # update an availability zone profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'update_availability_zone_profile', expected_allowed, - None, None, availability_zone_profile[const.ID], - **availability_zone_profile_updated_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'update_availability_zone_profile', expected_allowed, + None, None, availability_zone_profile[const.ID], + **availability_zone_profile_updated_kwargs) result = ( self.lb_admin_availability_zone_profile_client @@ -576,18 +548,11 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # delete an availability zone profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'delete_availability_zone_profile', expected_allowed, - None, None, availability_zone_profile[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_delete_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'delete_availability_zone_profile', expected_allowed, + None, None, availability_zone_profile[const.ID]) # Happy path (self.lb_admin_availability_zone_profile_client diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor.py b/octavia_tempest_plugin/tests/api/v2/test_flavor.py index 565ff99a..53503bd5 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_flavor.py +++ b/octavia_tempest_plugin/tests/api/v2/test_flavor.py @@ -88,17 +88,10 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # create a flavor. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'FlavorClient', 'create_flavor', - expected_allowed, None, None, **flavor_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_create_RBAC_enforcement( + 'FlavorClient', 'create_flavor', + expected_allowed, None, None, **flavor_kwargs) # Happy path flavor = self.lb_admin_flavor_client.create_flavor(**flavor_kwargs) @@ -199,12 +192,12 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin', + 'os_admin', 'os_roles_lb_admin', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -327,12 +320,12 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin', + 'os_admin', 'os_roles_lb_admin', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -390,17 +383,10 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer role cannot # update flavor details. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'FlavorClient', 'update_flavor', expected_allowed, None, None, - flavor[const.ID], **flavor_updated_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'FlavorClient', 'update_flavor', expected_allowed, None, None, + flavor[const.ID], **flavor_updated_kwargs) updated_flavor = self.lb_admin_flavor_client.update_flavor( flavor[const.ID], **flavor_updated_kwargs) @@ -454,17 +440,10 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # delete a flavor. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'FlavorClient', 'delete_flavor', expected_allowed, - None, None, flavor[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_delete_RBAC_enforcement( + 'FlavorClient', 'delete_flavor', expected_allowed, + None, None, flavor[const.ID]) # Happy path self.lb_admin_flavor_client.delete_flavor(flavor[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py index 285df19a..cd2770c1 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py +++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py @@ -42,18 +42,11 @@ class FlavorCapabilitiesAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # list provider flavor capabilities. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'FlavorCapabilitiesClient', - 'list_flavor_capabilities', expected_allowed, - CONF.load_balancer.provider) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'FlavorCapabilitiesClient', + 'list_flavor_capabilities', expected_allowed, + CONF.load_balancer.provider) # Check for an expected flavor capability for the configured provider admin_capabilities_client = self.lb_admin_flavor_capabilities_client diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py index 48ade676..0b6a1ee7 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py +++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py @@ -60,17 +60,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # create a flavor profile - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'FlavorProfileClient', 'create_flavor_profile', - expected_allowed, None, None, **flavor_profile_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_create_RBAC_enforcement( + 'FlavorProfileClient', 'create_flavor_profile', + expected_allowed, None, None, **flavor_profile_kwargs) # Happy path flavor_profile = ( @@ -180,17 +173,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # list flavor profiles. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'FlavorProfileClient', 'list_flavor_profiles', - expected_allowed) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'FlavorProfileClient', 'list_flavor_profiles', + expected_allowed) # Check the default sort order (by ID) profiles = self.lb_admin_flavor_profile_client.list_flavor_profiles() @@ -309,17 +295,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # show a flavor profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'FlavorProfileClient', 'show_flavor_profile', - expected_allowed, flavor_profile[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_show_RBAC_enforcement( + 'FlavorProfileClient', 'show_flavor_profile', + expected_allowed, flavor_profile[const.ID]) result = ( self.lb_admin_flavor_profile_client.show_flavor_profile( @@ -387,18 +366,11 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # update a flavor profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'FlavorProfileClient', 'update_flavor_profile', - expected_allowed, None, None, flavor_profile[const.ID], - **flavor_profile_updated_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'FlavorProfileClient', 'update_flavor_profile', + expected_allowed, None, None, flavor_profile[const.ID], + **flavor_profile_updated_kwargs) result = self.lb_admin_flavor_profile_client.update_flavor_profile( flavor_profile[const.ID], **flavor_profile_updated_kwargs) @@ -454,17 +426,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # delete a flavor profile - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'FlavorProfileClient', 'delete_flavor_profile', - expected_allowed, None, None, flavor_profile[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_delete_RBAC_enforcement( + 'FlavorProfileClient', 'delete_flavor_profile', + expected_allowed, None, None, flavor_profile[const.ID]) # Happy path self.lb_admin_flavor_profile_client.delete_flavor_profile( diff --git a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py index 64368aa3..3713552f 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py +++ b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py @@ -277,22 +277,13 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # create a healthmonitor - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'HealthMonitorClient', 'create_healthmonitor', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **hm_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'HealthMonitorClient', 'create_healthmonitor', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **hm_kwargs) hm = self.mem_healthmonitor_client.create_healthmonitor(**hm_kwargs) self.addCleanup( @@ -741,10 +732,10 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -765,12 +756,12 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -1195,10 +1186,9 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] if expected_allowed: @@ -1471,21 +1461,12 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this healthmonitor. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'HealthMonitorClient', 'update_healthmonitor', - expected_allowed, None, None, hm[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'HealthMonitorClient', 'update_healthmonitor', + expected_allowed, None, None, hm[const.ID], + admin_state_up=True) # Assert we didn't go into PENDING_* hm_check = self.mem_healthmonitor_client.show_healthmonitor( @@ -1775,20 +1756,11 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # healthmonitor. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'HealthMonitorClient', 'delete_healthmonitor', - expected_allowed, None, None, hm[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'HealthMonitorClient', 'delete_healthmonitor', + expected_allowed, None, None, hm[const.ID]) self.mem_healthmonitor_client.delete_healthmonitor(hm[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py index 47b2faa1..868950fb 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py +++ b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py @@ -144,22 +144,13 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer role cannot # create a l7policy - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'L7PolicyClient', 'create_l7policy', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **l7policy_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'L7PolicyClient', 'create_l7policy', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **l7policy_kwargs) l7policy = self.mem_l7policy_client.create_l7policy(**l7policy_kwargs) @@ -397,10 +388,10 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -423,12 +414,12 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -668,22 +659,16 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the L7 policies # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'L7PolicyClient', 'show_l7policy', - expected_allowed, l7policy[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'L7PolicyClient', 'show_l7policy', + expected_allowed, l7policy[const.ID]) @decorators.idempotent_id('08f73b22-550b-4e5a-b3d6-2ec03251ca13') def test_l7policy_update(self): @@ -782,21 +767,12 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this L7 policy. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'L7PolicyClient', 'update_l7policy', - expected_allowed, None, None, l7policy[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'L7PolicyClient', 'update_l7policy', + expected_allowed, None, None, l7policy[const.ID], + admin_state_up=True) # Assert we didn't go into PENDING_* l7policy_check = self.mem_l7policy_client.show_l7policy( @@ -899,20 +875,11 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # L7 policy. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'L7PolicyClient', 'delete_l7policy', - expected_allowed, None, None, l7policy[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'L7PolicyClient', 'delete_l7policy', + expected_allowed, None, None, l7policy[const.ID]) self.mem_l7policy_client.delete_l7policy(l7policy[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py index c0eb1d26..0e9bb155 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py +++ b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py @@ -142,22 +142,13 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # create an L7 rule. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'L7RuleClient', 'create_l7rule', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **l7rule_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'L7RuleClient', 'create_l7rule', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **l7rule_kwargs) l7rule = self.mem_l7rule_client.create_l7rule(**l7rule_kwargs) self.addClassResourceCleanup( @@ -359,10 +350,10 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -382,10 +373,9 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] if expected_allowed: @@ -562,23 +552,17 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the L7 rule # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'L7RuleClient', 'show_l7rule', - expected_allowed, l7rule[const.ID], - l7policy_id=self.l7policy_id) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'L7RuleClient', 'show_l7rule', + expected_allowed, l7rule[const.ID], + l7policy_id=self.l7policy_id) @decorators.idempotent_id('f8cee23b-89b6-4f3a-a842-1463daf42cf7') def test_l7rule_update(self): @@ -650,21 +634,12 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this L7 rule. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'L7RuleClient', 'update_l7rule', - expected_allowed, None, None, l7rule[const.ID], - l7policy_id=self.l7policy_id, admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'L7RuleClient', 'update_l7rule', + expected_allowed, None, None, l7rule[const.ID], + l7policy_id=self.l7policy_id, admin_state_up=True) # Assert we didn't go into PENDING_* l7rule_check = self.mem_l7rule_client.show_l7rule( @@ -753,21 +728,12 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # L7 rule. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'L7RuleClient', 'delete_l7rule', - expected_allowed, None, None, l7rule[const.ID], - l7policy_id=self.l7policy_id) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'L7RuleClient', 'delete_l7rule', + expected_allowed, None, None, l7rule[const.ID], + l7policy_id=self.l7policy_id) self.mem_l7rule_client.delete_l7rule(l7rule[const.ID], l7policy_id=self.l7policy_id) diff --git a/octavia_tempest_plugin/tests/api/v2/test_listener.py b/octavia_tempest_plugin/tests/api/v2/test_listener.py index 06a68487..46735a57 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_listener.py +++ b/octavia_tempest_plugin/tests/api/v2/test_listener.py @@ -362,22 +362,13 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # create a listener. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'ListenerClient', 'create_listener', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **listener_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'ListenerClient', 'create_listener', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **listener_kwargs) listener = self.mem_listener_client.create_listener(**listener_kwargs) @@ -938,10 +929,10 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -963,12 +954,12 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -1293,22 +1284,16 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the listener # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'ListenerClient', 'show_listener', - expected_allowed, listener[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'ListenerClient', 'show_listener', + expected_allowed, listener[const.ID]) @decorators.idempotent_id('aaae0298-5778-4c7e-a27a-01549a71b319') def test_http_listener_update(self): @@ -1479,23 +1464,14 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # update a listener. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'ListenerClient', 'update_listener', - expected_allowed, - status_method=self.mem_listener_client.show_listener, - obj_id=listener[const.ID], listener_id=listener[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'ListenerClient', 'update_listener', + expected_allowed, + status_method=self.mem_listener_client.show_listener, + obj_id=listener[const.ID], listener_id=listener[const.ID], + admin_state_up=True) new_name = data_utils.rand_name("lb_member_listener1-UPDATED") new_description = data_utils.arbitrary_string(size=255, @@ -1713,22 +1689,13 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # delete a listener. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'ListenerClient', 'delete_listener', - expected_allowed, - status_method=self.mem_listener_client.show_listener, - obj_id=listener[const.ID], listener_id=listener[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'ListenerClient', 'delete_listener', + expected_allowed, + status_method=self.mem_listener_client.show_listener, + obj_id=listener[const.ID], listener_id=listener[const.ID]) self.mem_listener_client.delete_listener(listener[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py index 9035260d..5159dc47 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py +++ b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py @@ -84,20 +84,11 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): lb_kwargs_with_project_id = copy.deepcopy(lb_kwargs) lb_kwargs_with_project_id[const.PROJECT_ID] = ( self.os_roles_lb_member.credentials.project_id) - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_roles_lb_member', 'os_roles_lb_member2'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member', 'os_roles_lb_member2'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member', 'os_roles_lb_member2'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'LoadbalancerClient', 'create_loadbalancer', - expected_allowed, None, None, **lb_kwargs_with_project_id) + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_member2'] + self.check_create_RBAC_enforcement( + 'LoadbalancerClient', 'create_loadbalancer', + expected_allowed, None, None, **lb_kwargs_with_project_id) lb = self.mem_lb_client.create_loadbalancer(**lb_kwargs) @@ -188,20 +179,11 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # load balancer. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'LoadbalancerClient', 'delete_loadbalancer', - expected_allowed, None, None, lb[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'LoadbalancerClient', 'delete_loadbalancer', + expected_allowed, None, None, lb[const.ID]) self.mem_lb_client.delete_loadbalancer(lb[const.ID]) @@ -238,20 +220,11 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # load balancer. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'LoadbalancerClient', 'delete_loadbalancer', - expected_allowed, None, None, lb[const.ID], cascade=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'LoadbalancerClient', 'delete_loadbalancer', + expected_allowed, None, None, lb[const.ID], cascade=True) self.mem_lb_client.delete_loadbalancer(lb[const.ID], cascade=True) @@ -436,10 +409,10 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -460,12 +433,12 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -632,22 +605,16 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the load # balancer based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'LoadbalancerClient', 'show_loadbalancer', - expected_allowed, lb[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'LoadbalancerClient', 'show_loadbalancer', + expected_allowed, lb[const.ID]) # Attempt to clean up so that one full test run doesn't start 10+ # amps before the cleanup phase fires @@ -736,21 +703,12 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this load balancer. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'LoadbalancerClient', 'update_loadbalancer', - expected_allowed, None, None, lb[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'LoadbalancerClient', 'update_loadbalancer', + expected_allowed, None, None, lb[const.ID], + admin_state_up=True) # Assert we didn't go into PENDING_* lb_check = self.mem_lb_client.show_loadbalancer(lb[const.ID]) @@ -829,22 +787,16 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the load # balancer stats based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'LoadbalancerClient', 'get_loadbalancer_stats', - expected_allowed, lb[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'LoadbalancerClient', 'get_loadbalancer_stats', + expected_allowed, lb[const.ID]) stats = self.mem_lb_client.get_loadbalancer_stats(lb[const.ID]) @@ -900,22 +852,16 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the load # balancer status based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'LoadbalancerClient', 'get_loadbalancer_status', - expected_allowed, lb[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'LoadbalancerClient', 'get_loadbalancer_status', + expected_allowed, lb[const.ID]) status = self.mem_lb_client.get_loadbalancer_status(lb[const.ID]) @@ -977,17 +923,10 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # failover a load balancer. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'LoadbalancerClient', 'failover_loadbalancer', - expected_allowed, None, None, lb[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'LoadbalancerClient', 'failover_loadbalancer', + expected_allowed, None, None, lb[const.ID]) # Assert we didn't go into PENDING_* lb = self.mem_lb_client.show_loadbalancer(lb[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_member.py b/octavia_tempest_plugin/tests/api/v2/test_member.py index ed3fba6f..fa35b035 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_member.py +++ b/octavia_tempest_plugin/tests/api/v2/test_member.py @@ -930,22 +930,13 @@ class MemberAPITest1(MemberAPITest): # Test that a user without the loadbalancer role cannot # create a member. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'MemberClient', 'create_member', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **member_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'MemberClient', 'create_member', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **member_kwargs) member = self.mem_member_client.create_member(**member_kwargs) @@ -1287,10 +1278,10 @@ class MemberAPITest1(MemberAPITest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -1309,10 +1300,9 @@ class MemberAPITest1(MemberAPITest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] if expected_allowed: @@ -1874,23 +1864,16 @@ class MemberAPITest2(MemberAPITest): # Test that the appropriate users can see or not see the member # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'MemberClient', 'show_member', - expected_allowed, member[const.ID], - pool_id=pool_id) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'MemberClient', 'show_member', expected_allowed, member[const.ID], + pool_id=pool_id) @decorators.idempotent_id('592c19c3-1e0d-4d6d-b2ff-0d39d8654c99') def test_HTTP_LC_backup_member_update(self): @@ -2348,21 +2331,12 @@ class MemberAPITest2(MemberAPITest): # Test that a user, without the loadbalancer member role, cannot # update this member. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'MemberClient', 'update_member', - expected_allowed, None, None, member[const.ID], - pool_id=pool_id, admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'MemberClient', 'update_member', + expected_allowed, None, None, member[const.ID], + pool_id=pool_id, admin_state_up=True) # Assert we didn't go into PENDING_* member_check = self.mem_member_client.show_member( @@ -2817,21 +2791,12 @@ class MemberAPITest2(MemberAPITest): # Test that a user, without the loadbalancer member role, cannot # batch update this member. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'MemberClient', 'update_members', - expected_allowed, None, None, - pool_id=pool_id, members_list=batch_update_list) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'MemberClient', 'update_members', + expected_allowed, None, None, + pool_id=pool_id, members_list=batch_update_list) # Assert we didn't go into PENDING_* member_check = self.mem_member_client.show_member( @@ -3086,21 +3051,11 @@ class MemberAPITest2(MemberAPITest): # Test that a user without the loadbalancer role cannot delete this # member. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'MemberClient', 'delete_member', - expected_allowed, None, None, member[const.ID], - pool_id=pool_id) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'MemberClient', 'delete_member', expected_allowed, None, None, + member[const.ID], pool_id=pool_id) self.mem_member_client.delete_member(member[const.ID], pool_id=pool_id) diff --git a/octavia_tempest_plugin/tests/api/v2/test_pool.py b/octavia_tempest_plugin/tests/api/v2/test_pool.py index 4e3e667c..2f623760 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_pool.py +++ b/octavia_tempest_plugin/tests/api/v2/test_pool.py @@ -408,22 +408,13 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # create a pool. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'PoolClient', 'create_pool', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **pool_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'PoolClient', 'create_pool', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **pool_kwargs) # This is a special case as the reference driver does not support # SOURCE-IP-PORT. Since it runs with not_implemented_is_error, we must @@ -763,10 +754,10 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_global_observer'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2'] - if expected_allowed: - self.check_list_RBAC_enforcement_count( - 'PoolClient', 'list_pools', expected_allowed, 0, - query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id)) +# if expected_allowed: +# self.check_list_RBAC_enforcement_count( +# 'PoolClient', 'list_pools', expected_allowed, 0, +# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id)) # Test credentials that should see these pools can see them. expected_allowed = [] @@ -774,15 +765,15 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] - if expected_allowed: - self.check_list_IDs_RBAC_enforcement( - 'PoolClient', 'list_pools', expected_allowed, test_ids, - query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id)) +# if expected_allowed: +# self.check_list_IDs_RBAC_enforcement( +# 'PoolClient', 'list_pools', expected_allowed, test_ids, +# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id)) # Test that users without the lb member role cannot list pools. # Note: non-owners can still call this API, they will just get the list @@ -798,12 +789,12 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -1132,22 +1123,16 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the pool # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'PoolClient', 'show_pool', - expected_allowed, pool[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'PoolClient', 'show_pool', + expected_allowed, pool[const.ID]) @decorators.idempotent_id('d73755fe-ba3a-4248-9543-8e167a5aa7f4') def test_HTTP_LC_pool_update(self): @@ -1372,21 +1357,12 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this pool. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'PoolClient', 'update_pool', - expected_allowed, None, None, pool[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'PoolClient', 'update_pool', + expected_allowed, None, None, pool[const.ID], + admin_state_up=True) # Assert we didn't go into PENDING_* pool_check = self.mem_pool_client.show_pool( @@ -1675,20 +1651,11 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # pool. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'PoolClient', 'delete_pool', - expected_allowed, None, None, pool[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'PoolClient', 'delete_pool', + expected_allowed, None, None, pool[const.ID]) self.mem_pool_client.delete_pool(pool[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_provider.py b/octavia_tempest_plugin/tests/api/v2/test_provider.py index e47ae8eb..b6bf12a6 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_provider.py +++ b/octavia_tempest_plugin/tests/api/v2/test_provider.py @@ -50,14 +50,15 @@ class ProviderAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_observer', - 'os_roles_lb_global_observer', 'os_roles_lb_admin', - 'os_roles_lb_member', 'os_roles_lb_member2'] + 'os_admin', 'os_roles_lb_observer', + 'os_roles_lb_global_observer', + 'os_roles_lb_admin', 'os_roles_lb_member', + 'os_roles_lb_member2'] if expected_allowed: self.check_list_RBAC_enforcement( 'ProviderClient', 'list_providers', expected_allowed) diff --git a/octavia_tempest_plugin/tests/test_base.py b/octavia_tempest_plugin/tests/test_base.py index 7f4ae3ef..38f931c9 100644 --- a/octavia_tempest_plugin/tests/test_base.py +++ b/octavia_tempest_plugin/tests/test_base.py @@ -79,11 +79,6 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin, ['lb_member', CONF.load_balancer.member_role, 'member'], ['lb_member2', CONF.load_balancer.member_role, 'member']] - # If scope enforcement is enabled, add in the system scope credentials. - # The project scope is already handled by the above credentials. - if CONF.enforce_scope.octavia: - credentials.extend(['system_admin', 'system_reader']) - # A tuple of credentials that will be allocated by tempest using the # 'credentials' list above. These are used to build RBAC test lists. allocated_creds = [] diff --git a/releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml b/releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml new file mode 100644 index 00000000..d38181a9 --- /dev/null +++ b/releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml @@ -0,0 +1,8 @@ +--- +upgrade: + - | + The default tempest tests will now expect the keystone default roles RBAC + enabled. The legacy behavior can be enabled by setting + "RBAC_test_type: advanced" in the [load_balancer] section of your + tempest.conf. This change also removes the ability to test system scoped + tokens with Octavia. diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 8af98cec..4865d1cb 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -518,23 +518,16 @@ - ^octavia_tempest_plugin/tests/spare_pool_scenario/.* # TODO: remove - job: - name: octavia-v2-dsvm-noop-api-keystone-default-roles + name: octavia-v2-dsvm-noop-api-advanced-rbac parent: octavia-v2-dsvm-noop-api vars: devstack_localrc: - OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True + OCTAVIA_USE_ADVANCED_RBAC: True devstack_local_conf: - post-config: - $OCTAVIA_CONF: - oslo_policy: - enforce_scope: False - enforce_new_defaults: True test-config: "$TEMPEST_CONFIG": - enforce_scope: - octavia: False load_balancer: - RBAC_test_type: keystone_default_roles + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-noop-py2-api @@ -548,18 +541,36 @@ parent: octavia-v2-dsvm-noop-api nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-noop-api-stable-2024-1 parent: octavia-v2-dsvm-noop-api nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.1 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-noop-api-stable-2023-2 parent: octavia-v2-dsvm-noop-api nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2023.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-scenario-base @@ -646,6 +657,12 @@ parent: octavia-v2-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2 @@ -664,6 +681,12 @@ parent: octavia-v2-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.1 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-scenario-traffic-ops-stable-2024-1 @@ -682,6 +705,12 @@ parent: octavia-v2-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2023.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-scenario-traffic-ops-stable-2023-2 @@ -890,18 +919,36 @@ parent: octavia-v2-dsvm-tls-barbican nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-tls-barbican-stable-2024-1 parent: octavia-v2-dsvm-tls-barbican nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.1 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-tls-barbican-stable-2023-2 parent: octavia-v2-dsvm-tls-barbican nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2023.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-spare-pool @@ -1049,18 +1096,56 @@ parent: octavia-v2-act-stdby-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-act-stdby-dsvm-scenario-stable-2024-1 parent: octavia-v2-act-stdby-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.1 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-act-stdby-dsvm-scenario-stable-2023-2 parent: octavia-v2-act-stdby-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2023.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced + +# Temporary job, remove once it is no longer used in octavia gates +- job: + name: octavia-v2-dsvm-noop-api-keystone-default-roles + parent: octavia-v2-dsvm-noop-api + vars: + devstack_localrc: + OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True + devstack_local_conf: + post-config: + $OCTAVIA_CONF: + oslo_policy: + enforce_scope: True + enforce_new_defaults: True + test-config: + "$TEMPEST_CONFIG": + enforce_scope: + octavia: True + load_balancer: + RBAC_test_type: keystone_default_roles ######### Third party jobs ########## diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml index fee26dd1..90343675 100644 --- a/zuul.d/projects.yaml +++ b/zuul.d/projects.yaml @@ -12,7 +12,7 @@ - octavia-v2-dsvm-noop-api-stable-2024-2 - octavia-v2-dsvm-noop-api-stable-2024-1 - octavia-v2-dsvm-noop-api-stable-2023-2 - - octavia-v2-dsvm-noop-api-keystone-default-roles + - octavia-v2-dsvm-noop-api-advanced-rbac - octavia-v2-dsvm-scenario-traffic-ops - octavia-v2-dsvm-scenario-non-traffic-ops - octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2 @@ -60,7 +60,7 @@ - octavia-v2-dsvm-noop-api-stable-2024-2 - octavia-v2-dsvm-noop-api-stable-2024-1 - octavia-v2-dsvm-noop-api-stable-2023-2 - - octavia-v2-dsvm-noop-api-keystone-default-roles + - octavia-v2-dsvm-noop-api-advanced-rbac - octavia-v2-dsvm-scenario-traffic-ops - octavia-v2-dsvm-scenario-non-traffic-ops - octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2