From 5f36fabd794f7bdce2eadbd6563255c0dded17b3 Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Wed, 21 Aug 2024 19:23:28 -0700 Subject: [PATCH] Remove system scope token usage Octavia supports the system scope and now we are enabling the new defaults by default that raise an error when system scoped tokens are used. To enable the new defaults, we need to remove the usage of system scope token from tests otherwise they fail. - https://review.opendev.org/c/openstack/octavia/+/925625 Depends-On: https://review.opendev.org/c/openstack/octavia/+/929580 Change-Id: I1bf193807eb254507626b4e7f2bb071ba46d7290 --- octavia_tempest_plugin/config.py | 2 +- octavia_tempest_plugin/tests/RBAC_tests.py | 95 +++------- .../tests/api/v2/test_amphora.py | 43 ++--- .../tests/api/v2/test_availability_zone.py | 55 ++---- .../v2/test_availability_zone_capabilities.py | 17 +- .../api/v2/test_availability_zone_profile.py | 85 +++------ .../tests/api/v2/test_flavor.py | 53 ++---- .../tests/api/v2/test_flavor_capabilities.py | 17 +- .../tests/api/v2/test_flavor_profile.py | 77 +++----- .../tests/api/v2/test_healthmonitor.py | 80 +++------ .../tests/api/v2/test_l7policy.py | 95 ++++------ .../tests/api/v2/test_l7rule.py | 98 ++++------- .../tests/api/v2/test_listener.py | 103 ++++------- .../tests/api/v2/test_load_balancer.py | 165 ++++++------------ .../tests/api/v2/test_member.py | 117 ++++--------- .../tests/api/v2/test_pool.py | 111 +++++------- .../tests/api/v2/test_provider.py | 9 +- octavia_tempest_plugin/tests/test_base.py | 5 - ...-roles-tests-default-a65a62864b93a296.yaml | 8 + zuul.d/jobs.yaml | 105 +++++++++-- zuul.d/projects.yaml | 4 +- 21 files changed, 488 insertions(+), 856 deletions(-) create mode 100644 releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml diff --git a/octavia_tempest_plugin/config.py b/octavia_tempest_plugin/config.py index 9e259d38..78f57edb 100644 --- a/octavia_tempest_plugin/config.py +++ b/octavia_tempest_plugin/config.py @@ -105,7 +105,7 @@ OctaviaGroup = [ cfg.StrOpt('provider', default='octavia', help='The provider driver to use for the tests.'), - cfg.StrOpt('RBAC_test_type', default=const.ADVANCED, + cfg.StrOpt('RBAC_test_type', default=const.KEYSTONE_DEFAULT_ROLES, choices=[const.ADVANCED, const.KEYSTONE_DEFAULT_ROLES, const.OWNERADMIN, const.NONE], help='Type of RBAC tests to run. "advanced" runs the octavia ' diff --git a/octavia_tempest_plugin/tests/RBAC_tests.py b/octavia_tempest_plugin/tests/RBAC_tests.py index 8dae024f..8fc356c8 100644 --- a/octavia_tempest_plugin/tests/RBAC_tests.py +++ b/octavia_tempest_plugin/tests/RBAC_tests.py @@ -59,17 +59,10 @@ class RBACTestsMixin(test.BaseTestCase): try: cred_obj = getattr(self, cred) except AttributeError: - # TODO(johnsom) Remove once scoped tokens is the default. - if ((cred == 'os_system_admin' or cred == 'os_system_reader') - and not CONF.enforce_scope.octavia): - LOG.info('Skipping %s allowed RBAC test because ' - 'enforce_scope.octavia is not True', cred) - continue - else: - self.fail('Credential {} "expected_allowed" for RBAC ' - 'testing was not created by tempest ' - 'credentials setup. This is likely a bug in the ' - 'test.'.format(cred)) + self.fail('Credential {} "expected_allowed" for RBAC ' + 'testing was not created by tempest ' + 'credentials setup. This is likely a bug in the ' + 'test.'.format(cred)) method = self._get_client_method(cred_obj, client_str, method_str) try: method(*args, **kwargs) @@ -155,15 +148,6 @@ class RBACTestsMixin(test.BaseTestCase): """ allowed_list = copy.deepcopy(expected_allowed) - # The legacy admin behavior changed during the sRBAC development, - # os_admin is still a valid admin [0] - # [0] https://governance.openstack.org/tc/goals/selected/ - # consistent-and-secure-rbac.html - # #legacy-admin-continues-to-work-as-it-is - # TODO(gthiemonge) we may have to revisit it in the future if the - # legacy admin scope changes. - if 'os_system_admin' in expected_allowed: - allowed_list.append('os_admin') # #### Test that disallowed credentials cannot access the API. self._check_disallowed(client_str, method_str, allowed_list, @@ -192,6 +176,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._list_get_RBAC_enforcement(client_str, method_str, expected_allowed, *args, **kwargs) @@ -214,6 +200,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._list_get_RBAC_enforcement(client_str, method_str, expected_allowed, *args, **kwargs) @@ -243,15 +231,6 @@ class RBACTestsMixin(test.BaseTestCase): """ allowed_list = copy.deepcopy(expected_allowed) - # The legacy admin behavior changed during the sRBAC development, - # os_admin is still a valid admin [0] - # [0] https://governance.openstack.org/tc/goals/selected/ - # consistent-and-secure-rbac.html - # #legacy-admin-continues-to-work-as-it-is - # TODO(gthiemonge) we may have to revisit it in the future if the - # legacy admin scope changes. - if 'os_system_admin' in expected_allowed: - allowed_list.append('os_admin') # #### Test that disallowed credentials cannot access the API. self._check_disallowed(client_str, method_str, allowed_list, @@ -281,6 +260,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed, status_method, obj_id, *args, **kwargs) @@ -308,6 +289,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed, status_method, obj_id, *args, **kwargs) @@ -335,6 +318,8 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return self._CUD_RBAC_enforcement(client_str, method_str, expected_allowed, status_method, obj_id, *args, **kwargs) @@ -367,33 +352,19 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return allowed_list = copy.deepcopy(expected_allowed) - # The legacy admin behavior changed during the sRBAC development, - # os_admin is still a valid admin [0] - # [0] https://governance.openstack.org/tc/goals/selected/ - # consistent-and-secure-rbac.html - # #legacy-admin-continues-to-work-as-it-is - # TODO(gthiemonge) we may have to revisit it in the future if the - # legacy admin scope changes. - if 'os_system_admin' in expected_allowed: - allowed_list.append('os_admin') for cred in allowed_list: try: cred_obj = getattr(self, cred) except AttributeError: - # TODO(johnsom) Remove once scoped tokens is the default. - if ((cred == 'os_system_admin' or cred == 'os_system_reader') - and not CONF.enforce_scope.octavia): - LOG.info('Skipping %s allowed RBAC test because ' - 'enforce_scope.octavia is not True', cred) - continue - else: - self.fail('Credential {} "expected_allowed" for RBAC ' - 'testing was not created by tempest ' - 'credentials setup. This is likely a bug in the ' - 'test.'.format(cred)) + self.fail('Credential {} "expected_allowed" for RBAC ' + 'testing was not created by tempest ' + 'credentials setup. This is likely a bug in the ' + 'test.'.format(cred)) method = self._get_client_method(cred_obj, client_str, method_str) try: result = method(*args, **kwargs) @@ -434,33 +405,19 @@ class RBACTestsMixin(test.BaseTestCase): correct scope for access is denied. :returns: None on success """ + if CONF.load_balancer.RBAC_test_type == constants.NONE: + return allowed_list = copy.deepcopy(expected_allowed) - # The legacy admin behavior changed during the sRBAC development, - # os_admin is still a valid admin [0] - # [0] https://governance.openstack.org/tc/goals/selected/ - # consistent-and-secure-rbac.html - # #legacy-admin-continues-to-work-as-it-is - # TODO(gthiemonge) we may have to revisit it in the future if the - # legacy admin scope changes. - if 'os_system_admin' in expected_allowed: - allowed_list.append('os_admin') for cred in allowed_list: try: cred_obj = getattr(self, cred) except AttributeError: - # TODO(johnsom) Remove once scoped tokens is the default. - if ((cred == 'os_system_admin' or cred == 'os_system_reader') - and not CONF.enforce_scope.octavia): - LOG.info('Skipping %s allowed RBAC test because ' - 'enforce_scope.octavia is not True', cred) - continue - else: - self.fail('Credential {} "expected_allowed" for RBAC ' - 'testing was not created by tempest ' - 'credentials setup. This is likely a bug in the ' - 'test.'.format(cred)) + self.fail('Credential {} "expected_allowed" for RBAC ' + 'testing was not created by tempest ' + 'credentials setup. This is likely a bug in the ' + 'test.'.format(cred)) method = self._get_client_method(cred_obj, client_str, method_str) try: result = method(*args, **kwargs) diff --git a/octavia_tempest_plugin/tests/api/v2/test_amphora.py b/octavia_tempest_plugin/tests/api/v2/test_amphora.py index 8d591cc3..06f93ace 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_amphora.py +++ b/octavia_tempest_plugin/tests/api/v2/test_amphora.py @@ -90,16 +90,9 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest): CONF.load_balancer.lb_build_timeout) # Test RBAC for list amphorae - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'AmphoraClient', 'list_amphorae', expected_allowed) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'AmphoraClient', 'list_amphorae', expected_allowed) # Get an actual list of the amphorae amphorae = self.lb_admin_amphora_client.list_amphorae() @@ -178,17 +171,10 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest): amphora_1 = amphorae[0] # Test RBAC for update an amphora - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'AmphoraClient', 'update_amphora_config', expected_allowed, - None, None, amphora_1[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'AmphoraClient', 'update_amphora_config', expected_allowed, + None, None, amphora_1[const.ID]) self.lb_admin_amphora_client.update_amphora_config(amphora_1[const.ID]) @@ -213,17 +199,10 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest): amphora_1 = amphorae[0] # Test RBAC for failover an amphora - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'AmphoraClient', 'amphora_failover', expected_allowed, - None, None, amphora_1[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'AmphoraClient', 'amphora_failover', expected_allowed, + None, None, amphora_1[const.ID]) self.lb_admin_amphora_client.amphora_failover(amphora_1[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py index fe800848..adcb75ad 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py +++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py @@ -105,17 +105,10 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # create an availability zone. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'AvailabilityZoneClient', 'create_availability_zone', - expected_allowed, **availability_zone_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_create_RBAC_enforcement( + 'AvailabilityZoneClient', 'create_availability_zone', + expected_allowed, **availability_zone_kwargs) # Happy path availability_zone = ( @@ -233,12 +226,12 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin', + 'os_admin', 'os_roles_lb_admin', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -386,12 +379,12 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin', + 'os_admin', 'os_roles_lb_admin', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -454,18 +447,11 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer role cannot # update availability zone details. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'AvailabilityZoneClient', 'update_availability_zone', - expected_allowed, None, None, availability_zone[const.NAME], - **availability_zone_updated_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'AvailabilityZoneClient', 'update_availability_zone', + expected_allowed, None, None, availability_zone[const.NAME], + **availability_zone_updated_kwargs) updated_availability_zone = ( self.lb_admin_availability_zone_client.update_availability_zone( @@ -531,17 +517,10 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # delete an availability zone. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'AvailabilityZoneClient', 'delete_availability_zone', - expected_allowed, None, None, availability_zone[const.NAME]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_delete_RBAC_enforcement( + 'AvailabilityZoneClient', 'delete_availability_zone', + expected_allowed, None, None, availability_zone[const.NAME]) # Happy path self.lb_admin_availability_zone_client.delete_availability_zone( diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py index 6f67d8f4..7bcb4d77 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py +++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py @@ -44,18 +44,11 @@ class AvailabilityZoneCapabilitiesAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # list provider availability zone capabilities. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'AvailabilityZoneCapabilitiesClient', - 'list_availability_zone_capabilities', expected_allowed, - CONF.load_balancer.provider) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'AvailabilityZoneCapabilitiesClient', + 'list_availability_zone_capabilities', expected_allowed, + CONF.load_balancer.provider) # Check for an expected availability zone capability for the # configured provider diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py index 6984420c..78e12ed7 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py +++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py @@ -76,18 +76,11 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # create an availability zone profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'create_availability_zone_profile', - expected_allowed, **availability_zone_profile_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_create_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'create_availability_zone_profile', + expected_allowed, **availability_zone_profile_kwargs) # Happy path availability_zone_profile = ( @@ -231,17 +224,10 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # list availability zone profiles. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'list_availability_zone_profiles', expected_allowed) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'list_availability_zone_profiles', expected_allowed) # Check the default sort order (by ID) profiles = (self.lb_admin_availability_zone_profile_client @@ -392,18 +378,11 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # show an availability zone profile - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'show_availability_zone_profile', expected_allowed, - availability_zone_profile[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_show_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'show_availability_zone_profile', expected_allowed, + availability_zone_profile[const.ID]) result = ( self.lb_admin_availability_zone_profile_client @@ -494,19 +473,12 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # update an availability zone profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'update_availability_zone_profile', expected_allowed, - None, None, availability_zone_profile[const.ID], - **availability_zone_profile_updated_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'update_availability_zone_profile', expected_allowed, + None, None, availability_zone_profile[const.ID], + **availability_zone_profile_updated_kwargs) result = ( self.lb_admin_availability_zone_profile_client @@ -576,18 +548,11 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # delete an availability zone profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'AvailabilityZoneProfileClient', - 'delete_availability_zone_profile', expected_allowed, - None, None, availability_zone_profile[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_delete_RBAC_enforcement( + 'AvailabilityZoneProfileClient', + 'delete_availability_zone_profile', expected_allowed, + None, None, availability_zone_profile[const.ID]) # Happy path (self.lb_admin_availability_zone_profile_client diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor.py b/octavia_tempest_plugin/tests/api/v2/test_flavor.py index 565ff99a..53503bd5 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_flavor.py +++ b/octavia_tempest_plugin/tests/api/v2/test_flavor.py @@ -88,17 +88,10 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # create a flavor. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'FlavorClient', 'create_flavor', - expected_allowed, None, None, **flavor_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_create_RBAC_enforcement( + 'FlavorClient', 'create_flavor', + expected_allowed, None, None, **flavor_kwargs) # Happy path flavor = self.lb_admin_flavor_client.create_flavor(**flavor_kwargs) @@ -199,12 +192,12 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin', + 'os_admin', 'os_roles_lb_admin', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -327,12 +320,12 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_admin', + 'os_admin', 'os_roles_lb_admin', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -390,17 +383,10 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer role cannot # update flavor details. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'FlavorClient', 'update_flavor', expected_allowed, None, None, - flavor[const.ID], **flavor_updated_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'FlavorClient', 'update_flavor', expected_allowed, None, None, + flavor[const.ID], **flavor_updated_kwargs) updated_flavor = self.lb_admin_flavor_client.update_flavor( flavor[const.ID], **flavor_updated_kwargs) @@ -454,17 +440,10 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # delete a flavor. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'FlavorClient', 'delete_flavor', expected_allowed, - None, None, flavor[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_delete_RBAC_enforcement( + 'FlavorClient', 'delete_flavor', expected_allowed, + None, None, flavor[const.ID]) # Happy path self.lb_admin_flavor_client.delete_flavor(flavor[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py index 285df19a..cd2770c1 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py +++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py @@ -42,18 +42,11 @@ class FlavorCapabilitiesAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # list provider flavor capabilities. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'FlavorCapabilitiesClient', - 'list_flavor_capabilities', expected_allowed, - CONF.load_balancer.provider) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'FlavorCapabilitiesClient', + 'list_flavor_capabilities', expected_allowed, + CONF.load_balancer.provider) # Check for an expected flavor capability for the configured provider admin_capabilities_client = self.lb_admin_flavor_capabilities_client diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py index 48ade676..0b6a1ee7 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py +++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py @@ -60,17 +60,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # create a flavor profile - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'FlavorProfileClient', 'create_flavor_profile', - expected_allowed, None, None, **flavor_profile_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_create_RBAC_enforcement( + 'FlavorProfileClient', 'create_flavor_profile', + expected_allowed, None, None, **flavor_profile_kwargs) # Happy path flavor_profile = ( @@ -180,17 +173,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # list flavor profiles. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_list_RBAC_enforcement( - 'FlavorProfileClient', 'list_flavor_profiles', - expected_allowed) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_list_RBAC_enforcement( + 'FlavorProfileClient', 'list_flavor_profiles', + expected_allowed) # Check the default sort order (by ID) profiles = self.lb_admin_flavor_profile_client.list_flavor_profiles() @@ -309,17 +295,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # show a flavor profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'FlavorProfileClient', 'show_flavor_profile', - expected_allowed, flavor_profile[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_show_RBAC_enforcement( + 'FlavorProfileClient', 'show_flavor_profile', + expected_allowed, flavor_profile[const.ID]) result = ( self.lb_admin_flavor_profile_client.show_flavor_profile( @@ -387,18 +366,11 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # update a flavor profile. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'FlavorProfileClient', 'update_flavor_profile', - expected_allowed, None, None, flavor_profile[const.ID], - **flavor_profile_updated_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'FlavorProfileClient', 'update_flavor_profile', + expected_allowed, None, None, flavor_profile[const.ID], + **flavor_profile_updated_kwargs) result = self.lb_admin_flavor_profile_client.update_flavor_profile( flavor_profile[const.ID], **flavor_profile_updated_kwargs) @@ -454,17 +426,10 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # delete a flavor profile - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'FlavorProfileClient', 'delete_flavor_profile', - expected_allowed, None, None, flavor_profile[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_delete_RBAC_enforcement( + 'FlavorProfileClient', 'delete_flavor_profile', + expected_allowed, None, None, flavor_profile[const.ID]) # Happy path self.lb_admin_flavor_profile_client.delete_flavor_profile( diff --git a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py index 64368aa3..3713552f 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py +++ b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py @@ -277,22 +277,13 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # create a healthmonitor - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'HealthMonitorClient', 'create_healthmonitor', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **hm_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'HealthMonitorClient', 'create_healthmonitor', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **hm_kwargs) hm = self.mem_healthmonitor_client.create_healthmonitor(**hm_kwargs) self.addCleanup( @@ -741,10 +732,10 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -765,12 +756,12 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -1195,10 +1186,9 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] if expected_allowed: @@ -1471,21 +1461,12 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this healthmonitor. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'HealthMonitorClient', 'update_healthmonitor', - expected_allowed, None, None, hm[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'HealthMonitorClient', 'update_healthmonitor', + expected_allowed, None, None, hm[const.ID], + admin_state_up=True) # Assert we didn't go into PENDING_* hm_check = self.mem_healthmonitor_client.show_healthmonitor( @@ -1775,20 +1756,11 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # healthmonitor. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'HealthMonitorClient', 'delete_healthmonitor', - expected_allowed, None, None, hm[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'HealthMonitorClient', 'delete_healthmonitor', + expected_allowed, None, None, hm[const.ID]) self.mem_healthmonitor_client.delete_healthmonitor(hm[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py index 47b2faa1..868950fb 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py +++ b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py @@ -144,22 +144,13 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer role cannot # create a l7policy - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'L7PolicyClient', 'create_l7policy', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **l7policy_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'L7PolicyClient', 'create_l7policy', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **l7policy_kwargs) l7policy = self.mem_l7policy_client.create_l7policy(**l7policy_kwargs) @@ -397,10 +388,10 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -423,12 +414,12 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -668,22 +659,16 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the L7 policies # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'L7PolicyClient', 'show_l7policy', - expected_allowed, l7policy[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'L7PolicyClient', 'show_l7policy', + expected_allowed, l7policy[const.ID]) @decorators.idempotent_id('08f73b22-550b-4e5a-b3d6-2ec03251ca13') def test_l7policy_update(self): @@ -782,21 +767,12 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this L7 policy. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'L7PolicyClient', 'update_l7policy', - expected_allowed, None, None, l7policy[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'L7PolicyClient', 'update_l7policy', + expected_allowed, None, None, l7policy[const.ID], + admin_state_up=True) # Assert we didn't go into PENDING_* l7policy_check = self.mem_l7policy_client.show_l7policy( @@ -899,20 +875,11 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # L7 policy. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'L7PolicyClient', 'delete_l7policy', - expected_allowed, None, None, l7policy[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'L7PolicyClient', 'delete_l7policy', + expected_allowed, None, None, l7policy[const.ID]) self.mem_l7policy_client.delete_l7policy(l7policy[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py index c0eb1d26..0e9bb155 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py +++ b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py @@ -142,22 +142,13 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # create an L7 rule. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'L7RuleClient', 'create_l7rule', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **l7rule_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'L7RuleClient', 'create_l7rule', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **l7rule_kwargs) l7rule = self.mem_l7rule_client.create_l7rule(**l7rule_kwargs) self.addClassResourceCleanup( @@ -359,10 +350,10 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -382,10 +373,9 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] if expected_allowed: @@ -562,23 +552,17 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the L7 rule # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'L7RuleClient', 'show_l7rule', - expected_allowed, l7rule[const.ID], - l7policy_id=self.l7policy_id) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'L7RuleClient', 'show_l7rule', + expected_allowed, l7rule[const.ID], + l7policy_id=self.l7policy_id) @decorators.idempotent_id('f8cee23b-89b6-4f3a-a842-1463daf42cf7') def test_l7rule_update(self): @@ -650,21 +634,12 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this L7 rule. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'L7RuleClient', 'update_l7rule', - expected_allowed, None, None, l7rule[const.ID], - l7policy_id=self.l7policy_id, admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'L7RuleClient', 'update_l7rule', + expected_allowed, None, None, l7rule[const.ID], + l7policy_id=self.l7policy_id, admin_state_up=True) # Assert we didn't go into PENDING_* l7rule_check = self.mem_l7rule_client.show_l7rule( @@ -753,21 +728,12 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # L7 rule. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'L7RuleClient', 'delete_l7rule', - expected_allowed, None, None, l7rule[const.ID], - l7policy_id=self.l7policy_id) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'L7RuleClient', 'delete_l7rule', + expected_allowed, None, None, l7rule[const.ID], + l7policy_id=self.l7policy_id) self.mem_l7rule_client.delete_l7rule(l7rule[const.ID], l7policy_id=self.l7policy_id) diff --git a/octavia_tempest_plugin/tests/api/v2/test_listener.py b/octavia_tempest_plugin/tests/api/v2/test_listener.py index 06a68487..46735a57 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_listener.py +++ b/octavia_tempest_plugin/tests/api/v2/test_listener.py @@ -362,22 +362,13 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # create a listener. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'ListenerClient', 'create_listener', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **listener_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'ListenerClient', 'create_listener', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **listener_kwargs) listener = self.mem_listener_client.create_listener(**listener_kwargs) @@ -938,10 +929,10 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -963,12 +954,12 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -1293,22 +1284,16 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the listener # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'ListenerClient', 'show_listener', - expected_allowed, listener[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'ListenerClient', 'show_listener', + expected_allowed, listener[const.ID]) @decorators.idempotent_id('aaae0298-5778-4c7e-a27a-01549a71b319') def test_http_listener_update(self): @@ -1479,23 +1464,14 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # update a listener. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'ListenerClient', 'update_listener', - expected_allowed, - status_method=self.mem_listener_client.show_listener, - obj_id=listener[const.ID], listener_id=listener[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'ListenerClient', 'update_listener', + expected_allowed, + status_method=self.mem_listener_client.show_listener, + obj_id=listener[const.ID], listener_id=listener[const.ID], + admin_state_up=True) new_name = data_utils.rand_name("lb_member_listener1-UPDATED") new_description = data_utils.arbitrary_string(size=255, @@ -1713,22 +1689,13 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # delete a listener. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'ListenerClient', 'delete_listener', - expected_allowed, - status_method=self.mem_listener_client.show_listener, - obj_id=listener[const.ID], listener_id=listener[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'ListenerClient', 'delete_listener', + expected_allowed, + status_method=self.mem_listener_client.show_listener, + obj_id=listener[const.ID], listener_id=listener[const.ID]) self.mem_listener_client.delete_listener(listener[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py index 9035260d..5159dc47 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py +++ b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py @@ -84,20 +84,11 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): lb_kwargs_with_project_id = copy.deepcopy(lb_kwargs) lb_kwargs_with_project_id[const.PROJECT_ID] = ( self.os_roles_lb_member.credentials.project_id) - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_roles_lb_member', 'os_roles_lb_member2'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member', 'os_roles_lb_member2'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member', 'os_roles_lb_member2'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'LoadbalancerClient', 'create_loadbalancer', - expected_allowed, None, None, **lb_kwargs_with_project_id) + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_member2'] + self.check_create_RBAC_enforcement( + 'LoadbalancerClient', 'create_loadbalancer', + expected_allowed, None, None, **lb_kwargs_with_project_id) lb = self.mem_lb_client.create_loadbalancer(**lb_kwargs) @@ -188,20 +179,11 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # load balancer. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'LoadbalancerClient', 'delete_loadbalancer', - expected_allowed, None, None, lb[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'LoadbalancerClient', 'delete_loadbalancer', + expected_allowed, None, None, lb[const.ID]) self.mem_lb_client.delete_loadbalancer(lb[const.ID]) @@ -238,20 +220,11 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # load balancer. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'LoadbalancerClient', 'delete_loadbalancer', - expected_allowed, None, None, lb[const.ID], cascade=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'LoadbalancerClient', 'delete_loadbalancer', + expected_allowed, None, None, lb[const.ID], cascade=True) self.mem_lb_client.delete_loadbalancer(lb[const.ID], cascade=True) @@ -436,10 +409,10 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -460,12 +433,12 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -632,22 +605,16 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the load # balancer based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'LoadbalancerClient', 'show_loadbalancer', - expected_allowed, lb[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'LoadbalancerClient', 'show_loadbalancer', + expected_allowed, lb[const.ID]) # Attempt to clean up so that one full test run doesn't start 10+ # amps before the cleanup phase fires @@ -736,21 +703,12 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this load balancer. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'LoadbalancerClient', 'update_loadbalancer', - expected_allowed, None, None, lb[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'LoadbalancerClient', 'update_loadbalancer', + expected_allowed, None, None, lb[const.ID], + admin_state_up=True) # Assert we didn't go into PENDING_* lb_check = self.mem_lb_client.show_loadbalancer(lb[const.ID]) @@ -829,22 +787,16 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the load # balancer stats based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'LoadbalancerClient', 'get_loadbalancer_stats', - expected_allowed, lb[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'LoadbalancerClient', 'get_loadbalancer_stats', + expected_allowed, lb[const.ID]) stats = self.mem_lb_client.get_loadbalancer_stats(lb[const.ID]) @@ -900,22 +852,16 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the load # balancer status based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'LoadbalancerClient', 'get_loadbalancer_status', - expected_allowed, lb[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'LoadbalancerClient', 'get_loadbalancer_status', + expected_allowed, lb[const.ID]) status = self.mem_lb_client.get_loadbalancer_status(lb[const.ID]) @@ -977,17 +923,10 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the load balancer admin role cannot # failover a load balancer. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'LoadbalancerClient', 'failover_loadbalancer', - expected_allowed, None, None, lb[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin'] + self.check_update_RBAC_enforcement( + 'LoadbalancerClient', 'failover_loadbalancer', + expected_allowed, None, None, lb[const.ID]) # Assert we didn't go into PENDING_* lb = self.mem_lb_client.show_loadbalancer(lb[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_member.py b/octavia_tempest_plugin/tests/api/v2/test_member.py index ed3fba6f..fa35b035 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_member.py +++ b/octavia_tempest_plugin/tests/api/v2/test_member.py @@ -930,22 +930,13 @@ class MemberAPITest1(MemberAPITest): # Test that a user without the loadbalancer role cannot # create a member. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'MemberClient', 'create_member', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **member_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'MemberClient', 'create_member', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **member_kwargs) member = self.mem_member_client.create_member(**member_kwargs) @@ -1287,10 +1278,10 @@ class MemberAPITest1(MemberAPITest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] if expected_allowed: self.check_list_IDs_RBAC_enforcement( @@ -1309,10 +1300,9 @@ class MemberAPITest1(MemberAPITest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] if expected_allowed: @@ -1874,23 +1864,16 @@ class MemberAPITest2(MemberAPITest): # Test that the appropriate users can see or not see the member # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'MemberClient', 'show_member', - expected_allowed, member[const.ID], - pool_id=pool_id) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'MemberClient', 'show_member', expected_allowed, member[const.ID], + pool_id=pool_id) @decorators.idempotent_id('592c19c3-1e0d-4d6d-b2ff-0d39d8654c99') def test_HTTP_LC_backup_member_update(self): @@ -2348,21 +2331,12 @@ class MemberAPITest2(MemberAPITest): # Test that a user, without the loadbalancer member role, cannot # update this member. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'MemberClient', 'update_member', - expected_allowed, None, None, member[const.ID], - pool_id=pool_id, admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'MemberClient', 'update_member', + expected_allowed, None, None, member[const.ID], + pool_id=pool_id, admin_state_up=True) # Assert we didn't go into PENDING_* member_check = self.mem_member_client.show_member( @@ -2817,21 +2791,12 @@ class MemberAPITest2(MemberAPITest): # Test that a user, without the loadbalancer member role, cannot # batch update this member. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'MemberClient', 'update_members', - expected_allowed, None, None, - pool_id=pool_id, members_list=batch_update_list) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'MemberClient', 'update_members', + expected_allowed, None, None, + pool_id=pool_id, members_list=batch_update_list) # Assert we didn't go into PENDING_* member_check = self.mem_member_client.show_member( @@ -3086,21 +3051,11 @@ class MemberAPITest2(MemberAPITest): # Test that a user without the loadbalancer role cannot delete this # member. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'MemberClient', 'delete_member', - expected_allowed, None, None, member[const.ID], - pool_id=pool_id) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'MemberClient', 'delete_member', expected_allowed, None, None, + member[const.ID], pool_id=pool_id) self.mem_member_client.delete_member(member[const.ID], pool_id=pool_id) diff --git a/octavia_tempest_plugin/tests/api/v2/test_pool.py b/octavia_tempest_plugin/tests/api/v2/test_pool.py index 4e3e667c..2f623760 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_pool.py +++ b/octavia_tempest_plugin/tests/api/v2/test_pool.py @@ -408,22 +408,13 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot # create a pool. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_create_RBAC_enforcement( - 'PoolClient', 'create_pool', - expected_allowed, - status_method=self.mem_lb_client.show_loadbalancer, - obj_id=self.lb_id, **pool_kwargs) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_create_RBAC_enforcement( + 'PoolClient', 'create_pool', + expected_allowed, + status_method=self.mem_lb_client.show_loadbalancer, + obj_id=self.lb_id, **pool_kwargs) # This is a special case as the reference driver does not support # SOURCE-IP-PORT. Since it runs with not_implemented_is_error, we must @@ -763,10 +754,10 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_global_observer'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2'] - if expected_allowed: - self.check_list_RBAC_enforcement_count( - 'PoolClient', 'list_pools', expected_allowed, 0, - query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id)) +# if expected_allowed: +# self.check_list_RBAC_enforcement_count( +# 'PoolClient', 'list_pools', expected_allowed, 0, +# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id)) # Test credentials that should see these pools can see them. expected_allowed = [] @@ -774,15 +765,15 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_member', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member', 'os_roles_lb_global_observer'] - if expected_allowed: - self.check_list_IDs_RBAC_enforcement( - 'PoolClient', 'list_pools', expected_allowed, test_ids, - query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id)) +# if expected_allowed: +# self.check_list_IDs_RBAC_enforcement( +# 'PoolClient', 'list_pools', expected_allowed, test_ids, +# query_params='loadbalancer_id={lb_id}'.format(lb_id=lb_id)) # Test that users without the lb member role cannot list pools. # Note: non-owners can still call this API, they will just get the list @@ -798,12 +789,12 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', 'os_roles_lb_observer', + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if expected_allowed: @@ -1132,22 +1123,16 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # Test that the appropriate users can see or not see the pool # based on the API RBAC. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_global_observer', 'os_roles_lb_member'] - if expected_allowed: - self.check_show_RBAC_enforcement( - 'PoolClient', 'show_pool', - expected_allowed, pool[const.ID]) + else: + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_show_RBAC_enforcement( + 'PoolClient', 'show_pool', + expected_allowed, pool[const.ID]) @decorators.idempotent_id('d73755fe-ba3a-4248-9543-8e167a5aa7f4') def test_HTTP_LC_pool_update(self): @@ -1372,21 +1357,12 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # Test that a user, without the loadbalancer member role, cannot # update this pool. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_update_RBAC_enforcement( - 'PoolClient', 'update_pool', - expected_allowed, None, None, pool[const.ID], - admin_state_up=True) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_update_RBAC_enforcement( + 'PoolClient', 'update_pool', + expected_allowed, None, None, pool[const.ID], + admin_state_up=True) # Assert we didn't go into PENDING_* pool_check = self.mem_pool_client.show_pool( @@ -1675,20 +1651,11 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # Test that a user without the loadbalancer role cannot delete this # pool. - expected_allowed = [] - if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if CONF.load_balancer.RBAC_test_type == const.ADVANCED: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin', - 'os_roles_lb_member'] - if expected_allowed: - self.check_delete_RBAC_enforcement( - 'PoolClient', 'delete_pool', - expected_allowed, None, None, pool[const.ID]) + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] + self.check_delete_RBAC_enforcement( + 'PoolClient', 'delete_pool', + expected_allowed, None, None, pool[const.ID]) self.mem_pool_client.delete_pool(pool[const.ID]) diff --git a/octavia_tempest_plugin/tests/api/v2/test_provider.py b/octavia_tempest_plugin/tests/api/v2/test_provider.py index e47ae8eb..b6bf12a6 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_provider.py +++ b/octavia_tempest_plugin/tests/api/v2/test_provider.py @@ -50,14 +50,15 @@ class ProviderAPITest(test_base.LoadBalancerBaseTest): 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', - 'os_system_reader', 'os_roles_lb_observer', + 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = [ - 'os_system_admin', 'os_system_reader', 'os_roles_lb_observer', - 'os_roles_lb_global_observer', 'os_roles_lb_admin', - 'os_roles_lb_member', 'os_roles_lb_member2'] + 'os_admin', 'os_roles_lb_observer', + 'os_roles_lb_global_observer', + 'os_roles_lb_admin', 'os_roles_lb_member', + 'os_roles_lb_member2'] if expected_allowed: self.check_list_RBAC_enforcement( 'ProviderClient', 'list_providers', expected_allowed) diff --git a/octavia_tempest_plugin/tests/test_base.py b/octavia_tempest_plugin/tests/test_base.py index 7f4ae3ef..38f931c9 100644 --- a/octavia_tempest_plugin/tests/test_base.py +++ b/octavia_tempest_plugin/tests/test_base.py @@ -79,11 +79,6 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin, ['lb_member', CONF.load_balancer.member_role, 'member'], ['lb_member2', CONF.load_balancer.member_role, 'member']] - # If scope enforcement is enabled, add in the system scope credentials. - # The project scope is already handled by the above credentials. - if CONF.enforce_scope.octavia: - credentials.extend(['system_admin', 'system_reader']) - # A tuple of credentials that will be allocated by tempest using the # 'credentials' list above. These are used to build RBAC test lists. allocated_creds = [] diff --git a/releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml b/releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml new file mode 100644 index 00000000..d38181a9 --- /dev/null +++ b/releasenotes/notes/Make-keystone-default-roles-tests-default-a65a62864b93a296.yaml @@ -0,0 +1,8 @@ +--- +upgrade: + - | + The default tempest tests will now expect the keystone default roles RBAC + enabled. The legacy behavior can be enabled by setting + "RBAC_test_type: advanced" in the [load_balancer] section of your + tempest.conf. This change also removes the ability to test system scoped + tokens with Octavia. diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 8af98cec..4865d1cb 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -518,23 +518,16 @@ - ^octavia_tempest_plugin/tests/spare_pool_scenario/.* # TODO: remove - job: - name: octavia-v2-dsvm-noop-api-keystone-default-roles + name: octavia-v2-dsvm-noop-api-advanced-rbac parent: octavia-v2-dsvm-noop-api vars: devstack_localrc: - OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True + OCTAVIA_USE_ADVANCED_RBAC: True devstack_local_conf: - post-config: - $OCTAVIA_CONF: - oslo_policy: - enforce_scope: False - enforce_new_defaults: True test-config: "$TEMPEST_CONFIG": - enforce_scope: - octavia: False load_balancer: - RBAC_test_type: keystone_default_roles + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-noop-py2-api @@ -548,18 +541,36 @@ parent: octavia-v2-dsvm-noop-api nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-noop-api-stable-2024-1 parent: octavia-v2-dsvm-noop-api nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.1 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-noop-api-stable-2023-2 parent: octavia-v2-dsvm-noop-api nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2023.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-scenario-base @@ -646,6 +657,12 @@ parent: octavia-v2-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2 @@ -664,6 +681,12 @@ parent: octavia-v2-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.1 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-scenario-traffic-ops-stable-2024-1 @@ -682,6 +705,12 @@ parent: octavia-v2-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2023.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-scenario-traffic-ops-stable-2023-2 @@ -890,18 +919,36 @@ parent: octavia-v2-dsvm-tls-barbican nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-tls-barbican-stable-2024-1 parent: octavia-v2-dsvm-tls-barbican nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.1 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-tls-barbican-stable-2023-2 parent: octavia-v2-dsvm-tls-barbican nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2023.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-dsvm-spare-pool @@ -1049,18 +1096,56 @@ parent: octavia-v2-act-stdby-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-act-stdby-dsvm-scenario-stable-2024-1 parent: octavia-v2-act-stdby-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2024.1 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced - job: name: octavia-v2-act-stdby-dsvm-scenario-stable-2023-2 parent: octavia-v2-act-stdby-dsvm-scenario nodeset: octavia-single-node-ubuntu-jammy override-checkout: stable/2023.2 + vars: + devstack_local_conf: + test-config: + "$TEMPEST_CONFIG": + load_balancer: + RBAC_test_type: advanced + +# Temporary job, remove once it is no longer used in octavia gates +- job: + name: octavia-v2-dsvm-noop-api-keystone-default-roles + parent: octavia-v2-dsvm-noop-api + vars: + devstack_localrc: + OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True + devstack_local_conf: + post-config: + $OCTAVIA_CONF: + oslo_policy: + enforce_scope: True + enforce_new_defaults: True + test-config: + "$TEMPEST_CONFIG": + enforce_scope: + octavia: True + load_balancer: + RBAC_test_type: keystone_default_roles ######### Third party jobs ########## diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml index fee26dd1..90343675 100644 --- a/zuul.d/projects.yaml +++ b/zuul.d/projects.yaml @@ -12,7 +12,7 @@ - octavia-v2-dsvm-noop-api-stable-2024-2 - octavia-v2-dsvm-noop-api-stable-2024-1 - octavia-v2-dsvm-noop-api-stable-2023-2 - - octavia-v2-dsvm-noop-api-keystone-default-roles + - octavia-v2-dsvm-noop-api-advanced-rbac - octavia-v2-dsvm-scenario-traffic-ops - octavia-v2-dsvm-scenario-non-traffic-ops - octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2 @@ -60,7 +60,7 @@ - octavia-v2-dsvm-noop-api-stable-2024-2 - octavia-v2-dsvm-noop-api-stable-2024-1 - octavia-v2-dsvm-noop-api-stable-2023-2 - - octavia-v2-dsvm-noop-api-keystone-default-roles + - octavia-v2-dsvm-noop-api-advanced-rbac - octavia-v2-dsvm-scenario-traffic-ops - octavia-v2-dsvm-scenario-non-traffic-ops - octavia-v2-dsvm-scenario-traffic-ops-stable-2024-2