From d278efe4d5e47df015c6497ed7331a5a5cb55567 Mon Sep 17 00:00:00 2001 From: Felipe Monteiro Date: Sun, 10 Dec 2017 23:43:01 +0000 Subject: [PATCH] Migrate to override_role for compute module (part 2) Now that override_role has supplanted switch_role (which has been deprecated) in [0], the RBAC tests need to switch to use override_role. This PS switches to override_role for the compute module. This PS handles 11 modules; 1 follow-up patch sets will handle the remaining 11 modules. This PS also removes unnecessary indexing into response bodies. [0] I670fba358bf321eae0d22d18cea6d2f530f00716 Partially Implements: blueprint rbac-utils-contextmanager Change-Id: I2a1bd0b9c929252541eec0e9e8a3ddd73cf1ab30 --- .../tests/api/compute/test_hosts_rbac.py | 4 +- .../tests/api/compute/test_hypervisor_rbac.py | 36 +++-- .../tests/api/compute/test_images_rbac.py | 64 ++++---- .../test_instance_usages_audit_log_rbac.py | 14 +- .../tests/api/compute/test_keypairs_rbac.py | 16 +- .../tests/api/compute/test_limits_rbac.py | 4 +- .../tests/api/compute/test_migrations_rbac.py | 4 +- .../api/compute/test_quota_class_sets_rbac.py | 11 +- .../tests/api/compute/test_quota_sets_rbac.py | 26 ++-- .../api/compute/test_security_groups_rbac.py | 39 ++--- .../api/compute/test_server_actions_rbac.py | 144 +++++++++--------- 11 files changed, 177 insertions(+), 185 deletions(-) diff --git a/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py index f10744c6..67d04687 100644 --- a/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py @@ -34,5 +34,5 @@ class HostsRbacTest(rbac_base.BaseV2ComputeRbacTest): service="nova", rule="os_compute_api:os-hosts") def test_list_hosts(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.hosts_client.list_hosts()['hosts'] + with self.rbac_utils.override_role(self): + self.hosts_client.list_hosts() 
diff --git a/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
index c07ab246..cb1515f2 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
@@ -41,58 +41,56 @@ class HypervisorRbacTest(rbac_base.BaseV2ComputeRbacTest): service="nova", rule="os_compute_api:os-hypervisors") def test_list_hypervisors(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.hypervisor_client.list_hypervisors()['hypervisors'] + with self.rbac_utils.override_role(self): + self.hypervisor_client.list_hypervisors() @decorators.idempotent_id('36b95c7d-1085-487a-a674-b7c1ca35f520') @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-hypervisors") def test_list_hypervisors_with_details(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.hypervisor_client.list_hypervisors(detail=True)['hypervisors'] + with self.rbac_utils.override_role(self): + self.hypervisor_client.list_hypervisors(detail=True) @decorators.idempotent_id('8a7f6f9e-34a6-4480-8875-bba566c3a581') @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-hypervisors") def test_show_hypervisor(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.hypervisor_client.show_hypervisor( - self.hypervisor['id'])['hypervisor'] + with self.rbac_utils.override_role(self): + self.hypervisor_client.show_hypervisor(self.hypervisor['id']) @decorators.idempotent_id('b86f03cf-2e79-4d88-9eea-62f761591413') @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-hypervisors") def test_list_servers_on_hypervisor(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.hypervisor_client.list_servers_on_hypervisor( - self.hypervisor['hypervisor_hostname'])['hypervisors'] + with self.rbac_utils.override_role(self): + self.hypervisor_client.list_servers_on_hypervisor( + self.hypervisor['hypervisor_hostname']) @decorators.idempotent_id('ca0e465c-6365-4a7f-ae58-6f8ddbca06c2') @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-hypervisors") def test_show_hypervisor_statistics(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - 
self.hypervisor_client.\ - show_hypervisor_statistics()['hypervisor_statistics'] + with self.rbac_utils.override_role(self): + self.hypervisor_client.show_hypervisor_statistics() @decorators.idempotent_id('109b37c5-91ba-4da5-b2a2-d7618d84406d') @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-hypervisors") def test_show_hypervisor_uptime(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.hypervisor_client.show_hypervisor_uptime( - self.hypervisor['id'])['hypervisor'] + with self.rbac_utils.override_role(self): + self.hypervisor_client.show_hypervisor_uptime( + self.hypervisor['id']) @decorators.idempotent_id('3dbc71c1-8f04-4674-a67c-dcb2fd99b1b4') @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-hypervisors") def test_search_hypervisor(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.hypervisor_client.search_hypervisor( - self.hypervisor['hypervisor_hostname'])['hypervisors'] + with self.rbac_utils.override_role(self): + self.hypervisor_client.search_hypervisor( + self.hypervisor['hypervisor_hostname']) diff --git a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py index 0ba12820..9fb326e1 100644 --- a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py 
@@ -78,24 +78,24 @@ class ImagesRbacTest(rbac_base.BaseV2ComputeRbacTest): service="glance", rule="get_images") def test_list_images(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.list_images() + with self.rbac_utils.override_role(self): + self.compute_images_client.list_images() @decorators.idempotent_id('4365ae0f-15ee-4b54-a527-1679faaed140') @rbac_rule_validation.action( service="glance", rule="get_images") def test_list_images_with_details(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.list_images(detail=True) + with self.rbac_utils.override_role(self): + self.compute_images_client.list_images(detail=True) @decorators.idempotent_id('886dfcae-51bf-4610-9e52-82d7189524c2') @rbac_rule_validation.action( service="glance", rule="get_image") def test_show_image_details(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.show_image(self.image['id']) + with self.rbac_utils.override_role(self): + self.compute_images_client.show_image(self.image['id']) @decorators.idempotent_id('dbe09d4c-e615-48cb-b908-a06a0f410a8e') @rbac_rule_validation.action( 
@@ -107,17 +107,17 @@ class ImagesRbacTest(rbac_base.BaseV2ComputeRbacTest): self.addCleanup(self.compute_images_client.delete_image_metadata_item, self.image['id'], key='foo') - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.show_image_metadata_item(self.image['id'], - key='foo') + with self.rbac_utils.override_role(self): + self.compute_images_client.show_image_metadata_item( + self.image['id'], key='foo') @decorators.idempotent_id('59f66079-d564-47e8-81b0-03c2e84d339e') @rbac_rule_validation.action( service="glance", rule="get_image") def test_list_image_metadata(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.list_image_metadata(self.image['id']) + with self.rbac_utils.override_role(self): + self.compute_images_client.list_image_metadata(self.image['id']) @decorators.idempotent_id('5888c7aa-0803-46d4-a3fb-5d4729465cd5') @rbac_rule_validation.action( 
@@ -129,20 +129,20 @@ class ImagesRbacTest(rbac_base.BaseV2ComputeRbacTest): self.addCleanup(test_utils.call_and_ignore_notfound_exc, self.glance_image_client.delete_image, image['id']) - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.delete_image(image['id']) + with self.rbac_utils.override_role(self): + self.compute_images_client.delete_image(image['id']) @decorators.idempotent_id('575604aa-909f-4b1b-a5a5-cfae1f63044b') @rbac_rule_validation.action( service="glance", rule="modify_image") def test_create_image_metadata(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - # NOTE(felipemonteiro): Although the name of the client function - # appears wrong, it's actually correct: update_image_metadata does an - # http post. - self.compute_images_client.update_image_metadata(self.image['id'], - meta={'foo': 'bar'}) + with self.rbac_utils.override_role(self): + # NOTE(felipemonteiro): Although the name of the client function + # appears wrong, it's actually correct: update_image_metadata does + # an http post. + self.compute_images_client.update_image_metadata( + self.image['id'], meta={'foo': 'bar'}) self.addCleanup(self.compute_images_client.delete_image_metadata_item, self.image['id'], key='foo') @@ -151,9 +151,9 @@ class ImagesRbacTest(rbac_base.BaseV2ComputeRbacTest): service="glance", rule="modify_image") def test_update_image_metadata(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.set_image_metadata(self.image['id'], - meta={'foo': 'bar'}) + with self.rbac_utils.override_role(self): + self.compute_images_client.set_image_metadata(self.image['id'], + meta={'foo': 'bar'}) self.addCleanup(self.compute_images_client.delete_image_metadata_item, self.image['id'], key='foo') 
@@ -162,9 +162,9 @@ class ImagesRbacTest(rbac_base.BaseV2ComputeRbacTest): service="glance", rule="modify_image") def test_update_image_metadata_item(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.set_image_metadata_item( - self.image['id'], meta={'foo': 'bar'}, key='foo') + with self.rbac_utils.override_role(self): + self.compute_images_client.set_image_metadata_item( + self.image['id'], meta={'foo': 'bar'}, key='foo') self.addCleanup(self.compute_images_client.delete_image_metadata_item, self.image['id'], key='foo') @@ -179,9 +179,9 @@ class ImagesRbacTest(rbac_base.BaseV2ComputeRbacTest): self.compute_images_client.delete_image_metadata_item, self.image['id'], key='foo') - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.delete_image_metadata_item(self.image['id'], - key='foo') + with self.rbac_utils.override_role(self): + self.compute_images_client.delete_image_metadata_item( + self.image['id'], key='foo') class ImageSizeRbacTest(rbac_base.BaseV2ComputeRbacTest): @@ -202,13 +202,13 @@ class ImageSizeRbacTest(rbac_base.BaseV2ComputeRbacTest): service="nova", rule="os_compute_api:image-size") def test_list_images(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.list_images() + with self.rbac_utils.override_role(self): + self.compute_images_client.list_images() @decorators.idempotent_id('08342c7d-297d-42ee-b398-90fce2443792') @rbac_rule_validation.action( service="nova", rule="os_compute_api:image-size") def test_list_images_with_details(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.compute_images_client.list_images(detail=True) + with self.rbac_utils.override_role(self): + self.compute_images_client.list_images(detail=True) 
diff --git a/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py index 5fc4c3b9..347b7dfb 100644 --- a/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py @@ -38,9 +38,9 @@ class InstanceUsagesAuditLogRbacTest(rbac_base.BaseV2ComputeRbacTest): @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-instance-usage-audit-log") def test_list_instance_usage_audit_logs(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.instance_usages_audit_log_client.list_instance_usage_audit_logs() - ["instance_usage_audit_logs"] + with self.rbac_utils.override_role(self): + (self.instance_usages_audit_log_client + .list_instance_usage_audit_logs()) @decorators.idempotent_id('ded8bfbd-5d90-4a58-aee0-d31231bf3c9b') @rbac_rule_validation.action( @@ -48,7 +48,7 @@ class InstanceUsagesAuditLogRbacTest(rbac_base.BaseV2ComputeRbacTest): def test_show_instance_usage_audit_log(self): now = datetime.datetime.now() - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.instance_usages_audit_log_client.show_instance_usage_audit_log( - urllib.quote(now.strftime("%Y-%m-%d %H:%M:%S")))[ - "instance_usage_audit_log"] + with self.rbac_utils.override_role(self): + (self.instance_usages_audit_log_client. + show_instance_usage_audit_log( + urllib.quote(now.strftime("%Y-%m-%d %H:%M:%S")))) diff --git a/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py index 8e434fc1..b359ad25 100644 --- a/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_keypairs_rbac.py 
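Review bot: The two rewritten calls in `InstanceUsagesAuditLogRbacTest` wrap the same long client attribute in parentheses but use different continuation styles: a leading dot in `test_list_instance_usage_audit_logs` and a trailing dot in `test_show_instance_usage_audit_log`. Binding the client once before the block, `client = self.instance_usages_audit_log_client`, lets the bodies read `client.list_instance_usage_audit_logs()` and `client.show_instance_usage_audit_log(...)` without the wrapping parentheses.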
@@ -36,8 +36,8 @@ class KeypairsRbacTest(rbac_base.BaseV2ComputeRbacTest): service="nova", rule="os_compute_api:os-keypairs:create") def test_create_keypair(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self._create_keypair() + with self.rbac_utils.override_role(self): + self._create_keypair() @decorators.idempotent_id('85a5eb99-40ec-4e77-9358-bee2cdf9d7df') @rbac_rule_validation.action( @@ -45,8 +45,8 @@ class KeypairsRbacTest(rbac_base.BaseV2ComputeRbacTest): rule="os_compute_api:os-keypairs:show") def test_show_keypair(self): kp_name = self._create_keypair()['keypair']['name'] - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.keypairs_client.show_keypair(kp_name) + with self.rbac_utils.override_role(self): + self.keypairs_client.show_keypair(kp_name) @decorators.idempotent_id('6bff9f1c-b809-43c1-8d63-61fbd19d49d3') @rbac_rule_validation.action( @@ -54,13 +54,13 @@ class KeypairsRbacTest(rbac_base.BaseV2ComputeRbacTest): rule="os_compute_api:os-keypairs:delete") def test_delete_keypair(self): kp_name = self._create_keypair()['keypair']['name'] - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.keypairs_client.delete_keypair(kp_name) + with self.rbac_utils.override_role(self): + self.keypairs_client.delete_keypair(kp_name) @decorators.idempotent_id('6bb31346-ff7f-4b10-978e-170ac5fcfa3e') @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-keypairs:index") def test_index_keypair(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.keypairs_client.list_keypairs() + with self.rbac_utils.override_role(self): + self.keypairs_client.list_keypairs() diff --git a/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py index ad2c5bad..9442a5ae 100644 --- a/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py 
@@ -31,5 +31,5 @@ class LimitsRbacTest(rbac_base.BaseV2ComputeRbacTest): rule="os_compute_api:limits") @decorators.idempotent_id('3fb60f83-9a5f-4fdd-89d9-26c3710844a1') def test_show_limits(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.limits_client.show_limits() + with self.rbac_utils.override_role(self): + self.limits_client.show_limits() diff --git a/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py index 1bf46a16..1597a044 100644 --- a/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py @@ -34,5 +34,5 @@ class MigrationsRbacTest(rbac_base.BaseV2ComputeRbacTest): service="nova", rule="os_compute_api:os-migrations:index") def test_list_services(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.migrations_client.list_migrations()['migrations'] + with self.rbac_utils.override_role(self): + self.migrations_client.list_migrations() diff --git a/patrole_tempest_plugin/tests/api/compute/test_quota_class_sets_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_quota_class_sets_rbac.py index 162c003e..2f867636 100644 --- a/patrole_tempest_plugin/tests/api/compute/test_quota_class_sets_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_quota_class_sets_rbac.py @@ -59,9 +59,8 @@ class QuotaClassesRbacTest(rbac_base.BaseV2ComputeRbacTest): service="nova", rule="os_compute_api:os-quota-class-sets:show") def test_show_quota_class_set(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.quota_classes_client.show_quota_class_set('default')[ - 'quota_class_set'] + with self.rbac_utils.override_role(self): + self.quota_classes_client.show_quota_class_set('default') @decorators.idempotent_id('81889e69-efd2-4e96-bb4c-ee3b646b9755') @rbac_rule_validation.action( 
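Review bot: `test_list_services` in `MigrationsRbacTest` calls `list_migrations()` and validates `os_compute_api:os-migrations:index`, so the test name does not describe the policy being checked. Since the body is rewritten here anyway, rename it to `test_list_migrations`. The `idempotent_id` decorator is outside the hunk and presumably keeps the test's identity stable across the rename.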
@@ -75,6 +74,6 @@ class QuotaClassesRbacTest(rbac_base.BaseV2ComputeRbacTest): for quota, default in quota_class_set.items(): quota_class_set[quota] = default + 100 - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.quota_classes_client.update_quota_class_set( - self.project_id, **quota_class_set)['quota_class_set'] + with self.rbac_utils.override_role(self): + self.quota_classes_client.update_quota_class_set( + self.project_id, **quota_class_set) diff --git a/patrole_tempest_plugin/tests/api/compute/test_quota_sets_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_quota_sets_rbac.py index 60521501..ec4511aa 100644 --- a/patrole_tempest_plugin/tests/api/compute/test_quota_sets_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_quota_sets_rbac.py @@ -59,10 +59,10 @@ class QuotaSetsRbacTest(rbac_base.BaseV2ComputeRbacTest): default_quota_set.pop('id') new_quota_set = {'injected_file_content_bytes': 20480} - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.quotas_client.update_quota_set(self.tenant_id, - force=True, - **new_quota_set)['quota_set'] + with self.rbac_utils.override_role(self): + self.quotas_client.update_quota_set(self.tenant_id, + force=True, + **new_quota_set) self.addCleanup(self.quotas_client.update_quota_set, self.tenant_id, **default_quota_set) 
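Review bot: In the `QuotaSetsRbacTest` hunk, the `addCleanup` that restores `default_quota_set` is registered only after the `with` block. If `update_quota_set(..., force=True)` applies the change and an exception is then raised inside the block, the modified quota stays in place for later tests. Restoring the defaults is harmless when the update was denied, so move `self.addCleanup(self.quotas_client.update_quota_set, self.tenant_id, **default_quota_set)` ahead of `with self.rbac_utils.override_role(self):`. The test body begins outside the hunk.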
@@ -71,16 +71,16 @@ class QuotaSetsRbacTest(rbac_base.BaseV2ComputeRbacTest): service="nova", rule="os_compute_api:os-quota-sets:defaults") def test_show_default_quota_set(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.quotas_client.show_default_quota_set(self.tenant_id)['quota_set'] + with self.rbac_utils.override_role(self): + self.quotas_client.show_default_quota_set(self.tenant_id) @decorators.idempotent_id('e8169ac4-c402-4864-894e-aba74e3a459c') @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-quota-sets:show") def test_show_quota_set(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.quotas_client.show_quota_set(self.tenant_id)['quota_set'] + with self.rbac_utils.override_role(self): + self.quotas_client.show_quota_set(self.tenant_id) @decorators.idempotent_id('4e240644-bf61-4872-9c32-8289ee2fdbbd') @rbac_rule_validation.action( @@ -94,14 +94,14 @@ class QuotaSetsRbacTest(rbac_base.BaseV2ComputeRbacTest): self.addCleanup(test_utils.call_and_ignore_notfound_exc, self.projects_client.delete_project, project_id) - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.quotas_client.delete_quota_set(project_id) + with self.rbac_utils.override_role(self): + self.quotas_client.delete_quota_set(project_id) @decorators.idempotent_id('ac9184b6-f3b3-4e17-a632-4b92c6500f86') @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-quota-sets:detail") def test_show_quota_set_details(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.quotas_client.show_quota_set(self.tenant_id, - detail=True)['quota_set'] + with self.rbac_utils.override_role(self): + self.quotas_client.show_quota_set(self.tenant_id, + detail=True) diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py index 43d48c94..fa89a794 100644 
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py @@ -58,8 +58,9 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest): rule="os_compute_api:os-security-groups") @decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520') def test_list_security_groups_by_server(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.list_security_groups_by_server(self.server['id']) + with self.rbac_utils.override_role(self): + self.servers_client.list_security_groups_by_server( + self.server['id']) @rbac_rule_validation.action( service="nova", @@ -68,8 +69,9 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest): def test_create_security_group_for_server(self): sg_name = self.create_security_group()['name'] - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.add_security_group(self.server['id'], name=sg_name) + with self.rbac_utils.override_role(self): + self.servers_client.add_security_group(self.server['id'], + name=sg_name) self.addCleanup(test_utils.call_and_ignore_notfound_exc, self.servers_client.remove_security_group, self.server['id'], name=sg_name) @@ -86,9 +88,9 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest): self.servers_client.remove_security_group, self.server['id'], name=sg_name) - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.remove_security_group( - self.server['id'], name=sg_name) + with self.rbac_utils.override_role(self): + self.servers_client.remove_security_group( + self.server['id'], name=sg_name) class SecurityGroupsRbacMaxV235Test(rbac_base.BaseV2ComputeRbacTest): 
@@ -117,16 +119,16 @@ class SecurityGroupsRbacMaxV235Test(rbac_base.BaseV2ComputeRbacTest): rule="os_compute_api:os-security-groups") @decorators.idempotent_id('4ac58e49-48c1-4fca-a6c3-3f95fb99eb77') def test_list_security_groups(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.security_groups_client.list_security_groups() + with self.rbac_utils.override_role(self): + self.security_groups_client.list_security_groups() @rbac_rule_validation.action( service="nova", rule="os_compute_api:os-security-groups") @decorators.idempotent_id('e8fe7f5a-69ee-412d-81d3-a8c7a488b54d') def test_create_security_groups(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.create_security_group()['id'] + with self.rbac_utils.override_role(self): + self.create_security_group()['id'] @rbac_rule_validation.action( service="nova", @@ -134,8 +136,8 @@ class SecurityGroupsRbacMaxV235Test(rbac_base.BaseV2ComputeRbacTest): @decorators.idempotent_id('59127e8e-302d-11e7-93ae-92361f002671') def test_delete_security_groups(self): sec_group_id = self.create_security_group()['id'] - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.security_groups_client.delete_security_group(sec_group_id) + with self.rbac_utils.override_role(self): + self.security_groups_client.delete_security_group(sec_group_id) @rbac_rule_validation.action( service="nova", @@ -146,10 +148,9 @@ class SecurityGroupsRbacMaxV235Test(rbac_base.BaseV2ComputeRbacTest): new_name = data_utils.rand_name() new_desc = data_utils.rand_name() - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.security_groups_client.update_security_group(sec_group_id, - name=new_name, - description=new_desc) + with self.rbac_utils.override_role(self): + self.security_groups_client.update_security_group( + sec_group_id, name=new_name, description=new_desc) @rbac_rule_validation.action( service="nova", 
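Review bot: In `test_create_security_groups` the new line `self.create_security_group()['id']` still subscripts a result that is then discarded, which is the kind of indexing the commit message says it removes. Inside `override_role` it also means a response without `id` raises `KeyError` in the block whose outcome is being judged against the policy rule. Use `self.create_security_group()` here.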
@@ -157,5 +158,5 @@ class SecurityGroupsRbacMaxV235Test(rbac_base.BaseV2ComputeRbacTest): @decorators.idempotent_id('6edc0320-302d-11e7-93ae-92361f002671') def test_show_security_groups(self): sec_group_id = self.create_security_group()['id'] - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.security_groups_client.show_security_group(sec_group_id) + with self.rbac_utils.override_role(self): + self.security_groups_client.show_security_group(sec_group_id) diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py index 2bc267b1..adb5a6c4 100644 --- a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py +++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py @@ -33,8 +33,6 @@ CONF = config.CONF class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): - credentials = ['primary', 'admin'] - @classmethod def resource_setup(cls): super(ServerActionsRbacTest, cls).resource_setup() @@ -60,17 +58,17 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): def _stop_server(self): self.servers_client.stop_server(self.server_id) waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'SHUTOFF') + self.servers_client, self.server_id, 'SHUTOFF') def _resize_server(self, flavor): self.servers_client.resize_server(self.server_id, flavor) waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'VERIFY_RESIZE') + self.servers_client, self.server_id, 'VERIFY_RESIZE') def _confirm_resize_server(self): self.servers_client.confirm_resize_server(self.server_id) waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'ACTIVE') + self.servers_client, self.server_id, 'ACTIVE') def _shelve_server(self): self.servers_client.shelve_server(self.server_id) 
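Review bot: The waiters in `_stop_server`, `_resize_server` and `_confirm_resize_server` now poll through `self.servers_client`, and later hunks call these helpers inside `override_role` (`test_stop_server`, `test_resize_server`, the confirm-resize test). The `show_server` polling therefore appears to run under the role being tested rather than under admin as before. If that role is granted the action but not `os_compute_api:servers:show`, the failure comes from the waiter and is attributed to the rule under test. Keep only the policy-enforced call inside the `with`, for example `self.servers_client.stop_server(self.server_id)`, and run `waiters.wait_for_server_status(...)` after the block, as `test_unpause_server` and `test_start_server` already do. The same applies to `_shelve_server` and `_pause_server` in the following hunk.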
@@ -79,13 +77,13 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): self.server_id) offload_time = CONF.compute.shelved_offload_time if offload_time >= 0: - waiters.wait_for_server_status(self.os_admin.servers_client, + waiters.wait_for_server_status(self.servers_client, self.server_id, 'SHELVED_OFFLOADED', extra_timeout=offload_time) else: - waiters.wait_for_server_status(self.os_admin.servers_client, - self.server_id, 'SHELVED') + waiters.wait_for_server_status(self.servers_client, self.server_id, + 'SHELVED') def _pause_server(self): self.servers_client.pause_server(self.server_id) @@ -93,7 +91,7 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): self.servers_client.unpause_server, self.server_id) waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'PAUSED') + self.servers_client, self.server_id, 'PAUSED') def _cleanup_server_actions(self, function, server_id, **kwargs): server = self.servers_client.show_server(server_id)['server'] @@ -107,8 +105,8 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): service="nova", rule="os_compute_api:os-pause-server:pause") def test_pause_server(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self._pause_server() + with self.rbac_utils.override_role(self): + self._pause_server() @decorators.idempotent_id('087008cf-82fa-4eeb-ae8b-32c4126456ad') @testtools.skipUnless(CONF.compute_feature_enabled.pause, 
@@ -118,18 +116,18 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): rule="os_compute_api:os-pause-server:unpause") def test_unpause_server(self): self._pause_server() - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.unpause_server(self.server_id) + with self.rbac_utils.override_role(self): + self.servers_client.unpause_server(self.server_id) waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'ACTIVE') + self.servers_client, self.server_id, 'ACTIVE') @rbac_rule_validation.action( service="nova", rule="os_compute_api:servers:stop") @decorators.idempotent_id('ab4a17d2-166f-4a6d-9944-f17baa576cf2') def test_stop_server(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self._stop_server() + with self.rbac_utils.override_role(self): + self._stop_server() @decorators.attr(type='slow') @rbac_rule_validation.action( @@ -139,10 +137,10 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): def test_start_server(self): self._stop_server() - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.start_server(self.server_id) + with self.rbac_utils.override_role(self): + self.servers_client.start_server(self.server_id) waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'ACTIVE') + self.servers_client, self.server_id, 'ACTIVE') @decorators.attr(type='slow') @rbac_rule_validation.action( @@ -152,8 +150,8 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): @testtools.skipUnless(CONF.compute_feature_enabled.resize, 'Resize is not available.') def test_resize_server(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self._resize_server(self.flavor_ref_alt) + with self.rbac_utils.override_role(self): + self._resize_server(self.flavor_ref_alt) @decorators.attr(type='slow') @rbac_rule_validation.action( 
@@ -165,10 +163,10 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): def test_revert_resize_server(self): self._resize_server(self.flavor_ref_alt) - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.revert_resize_server(self.server_id) + with self.rbac_utils.override_role(self): + self.servers_client.revert_resize_server(self.server_id) waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'ACTIVE') + self.servers_client, self.server_id, 'ACTIVE') @decorators.attr(type='slow') @rbac_rule_validation.action( 
@@ -182,68 +180,68 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): self.addCleanup(self._confirm_resize_server) self.addCleanup(self._resize_server, self.flavor_ref) - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self._confirm_resize_server() + with self.rbac_utils.override_role(self): + self._confirm_resize_server() @rbac_rule_validation.action( service="nova", rule="os_compute_api:servers:rebuild") @decorators.idempotent_id('54b1a30b-c96c-472c-9c83-ccaf6ec7e20b') def test_rebuild_server(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.rebuild_server(self.server_id, self.image_ref) + with self.rbac_utils.override_role(self): + self.servers_client.rebuild_server(self.server_id, self.image_ref) waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'ACTIVE') + self.servers_client, self.server_id, 'ACTIVE') @rbac_rule_validation.action( service="nova", rule="os_compute_api:servers:reboot") @decorators.idempotent_id('19f27856-56e1-44f8-8615-7257f6b85cbb') def test_reboot_server(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.reboot_server(self.server_id, type='HARD') + with self.rbac_utils.override_role(self): + self.servers_client.reboot_server(self.server_id, type='HARD') waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'ACTIVE') + self.servers_client, self.server_id, 'ACTIVE') @rbac_rule_validation.action( service="nova", rule="os_compute_api:servers:index") @decorators.idempotent_id('631f0d86-7607-4198-8312-9da2f05464a4') def test_server_index(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.list_servers(minimal=True) + with self.rbac_utils.override_role(self): + self.servers_client.list_servers(minimal=True) @rbac_rule_validation.action( service="nova", rule="os_compute_api:servers:detail") @decorators.idempotent_id('96093480-3ce5-4a8b-b569-aed870379c24') def 
test_server_detail(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.list_servers(detail=True) + with self.rbac_utils.override_role(self): + self.servers_client.list_servers(detail=True) @rbac_rule_validation.action( service="nova", rule="os_compute_api:servers:detail:get_all_tenants") @decorators.idempotent_id('a9e5a1c0-acfe-49a2-b2b1-fd8b19d61f71') def test_server_detail_all_tenants(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.list_servers(detail=True, all_tenants=1) + with self.rbac_utils.override_role(self): + self.servers_client.list_servers(detail=True, all_tenants=1) @rbac_rule_validation.action( service="nova", rule="os_compute_api:servers:index:get_all_tenants") @decorators.idempotent_id('4b93ba56-69e6-41f5-82c4-84a5c4c42091') def test_server_index_all_tenants(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.list_servers(minimal=True, all_tenants=1) + with self.rbac_utils.override_role(self): + self.servers_client.list_servers(minimal=True, all_tenants=1) @rbac_rule_validation.action( service="nova", rule="os_compute_api:servers:show") @decorators.idempotent_id('eaaf4f51-31b5-497f-8f0f-f527e5f70b83') def test_show_server(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.show_server(self.server_id) + with self.rbac_utils.override_role(self): + self.servers_client.show_server(self.server_id) @utils.services('image') @rbac_rule_validation.action( 
@@ -251,10 +249,9 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): rule="os_compute_api:servers:create_image") @decorators.idempotent_id('ba0ac859-99f4-4055-b5e0-e0905a44d331') def test_create_image(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - - # This function will also call show image - self.create_image_from_server(self.server_id, wait_until='ACTIVE') + with self.rbac_utils.override_role(self): + # This function will also call show image + self.create_image_from_server(self.server_id, wait_until='ACTIVE') @utils.services('image', 'volume') @rbac_rule_validation.action( @@ -267,12 +264,11 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): # this test. server = self.create_test_server(volume_backed=True, wait_until='ACTIVE') - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - - # This function will also call show image. - image = self.create_image_from_server(server['id'], - wait_until='ACTIVE', - wait_for_server=False) + with self.rbac_utils.override_role(self): + # This function will also call show image. + image = self.create_image_from_server(server['id'], + wait_until='ACTIVE', + wait_for_server=False) self.addCleanup(self.compute_images_client.wait_for_resource_deletion, image['id']) self.addCleanup( @@ -289,9 +285,9 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): def test_create_backup(self): # Prioritize glance v2 over v1 for deleting/waiting for image status. if CONF.image_feature_enabled.api_v2: - glance_admin_client = self.os_admin.image_client_v2 + glance_client = self.os_primary.image_client_v2 elif CONF.image_feature_enabled.api_v1: - glance_admin_client = self.os_admin.image_client + glance_client = self.os_primary.image_client else: raise lib_exc.InvalidConfiguration( 'Either api_v1 or api_v2 must be True in ' 
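Review bot: In test_create_image the whole `create_image_from_server(..., wait_until='ACTIVE')` helper runs inside the override_role block, so the role under test also performs the image show that the existing comment mentions, plus the polling for ACTIVE. A role that is allowed `os_compute_api:servers:create_image` but denied the show call could then fail this test for the wrong rule. If the helper cannot be split so that only the create request runs under the overridden role, I would extend the comment to say so, e.g. `# NOTE: show image and the status polling also run under the overridden role, so a failure here may come from either policy.` The volume-backed variant in the next hunk has the same shape, and `_confirm_resize_server()` and `_shelve_server()` may as well if those helpers wait for a status; their bodies are outside this patch.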
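Review bot: test_create_backup now takes its glance client from `self.os_primary` instead of `self.os_admin`, and a later hunk deletes the comment explaining that the wait used admin credentials because waiting involves show, which is a different policy. The `wait_for_image_status` call and the `delete_image` cleanup therefore depend on the primary credentials holding the admin role again once the override_role block has exited, which this patch does not show. I would replace the deleted comment rather than drop it, for example `# Wait and clean up outside override_role: image show and delete are separate policies from the rule under test.` The function starts before this hunk and continues after it.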
@@ -299,10 +295,10 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): backup_name = data_utils.rand_name(self.__class__.__name__ + '-Backup') - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - resp = self.servers_client.create_backup( - self.server_id, backup_type='daily', rotation=1, - name=backup_name).response + with self.rbac_utils.override_role(self): + resp = self.servers_client.create_backup( + self.server_id, backup_type='daily', rotation=1, + name=backup_name).response # Prior to microversion 2.45, image ID must be parsed from location # header. With microversion 2.45+, image_id is returned. @@ -312,11 +308,9 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): else: image_id = data_utils.parse_image_id(resp['location']) - # Use admin credentials to wait since waiting involves show, which is - # a different policy. self.addCleanup(test_utils.call_and_ignore_notfound_exc, - glance_admin_client.delete_image, image_id) - waiters.wait_for_image_status(glance_admin_client, image_id, 'active') + glance_client.delete_image, image_id) + waiters.wait_for_image_status(glance_client, image_id, 'active') @decorators.attr(type='slow') @decorators.idempotent_id('0b70c527-af75-4bed-9ccf-4f1310a8b60f') @@ -324,8 +318,8 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): service="nova", rule="os_compute_api:os-shelve:shelve") def test_shelve_server(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self._shelve_server() + with self.rbac_utils.override_role(self): + self._shelve_server() @decorators.attr(type='slow') @decorators.idempotent_id('4b6e849a-9182-49ff-9257-e97e751b475e') 
@@ -334,10 +328,10 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest): rule="os_compute_api:os-shelve:unshelve") def test_unshelve_server(self): self._shelve_server() - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.servers_client.unshelve_server(self.server_id) + with self.rbac_utils.override_role(self): + self.servers_client.unshelve_server(self.server_id) waiters.wait_for_server_status( - self.os_admin.servers_client, self.server_id, 'ACTIVE') + self.servers_client, self.server_id, 'ACTIVE') class ServerActionsV214RbacTest(rbac_base.BaseV2ComputeRbacTest): @@ -361,12 +355,12 @@ class ServerActionsV214RbacTest(rbac_base.BaseV2ComputeRbacTest): # NOTE(felipemonteiro): Because evacuating a server is a risky action # to test in the gates, a 404 is coerced using a fake host. However, # the policy check is done before the 404 is thrown. - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - self.assertRaisesRegex(lib_exc.NotFound, - "Compute host %s not found." % fake_host_name, - self.servers_client.evacuate_server, - self.server_id, - host=fake_host_name) + with self.rbac_utils.override_role(self): + self.assertRaisesRegex( + lib_exc.NotFound, + "Compute host %s not found." % fake_host_name, + self.servers_client.evacuate_server, self.server_id, + host=fake_host_name) class ServerActionsV216RbacTest(rbac_base.BaseV2ComputeRbacTest): @@ -387,8 +381,8 @@ class ServerActionsV216RbacTest(rbac_base.BaseV2ComputeRbacTest): rule="os_compute_api:servers:show:host_status") @decorators.idempotent_id('736da575-86f8-4b2a-9902-dd37dc9a409b') def test_show_server_host_status(self): - self.rbac_utils.switch_role(self, toggle_rbac_role=True) - server = self.servers_client.show_server(self.server_id)['server'] + with self.rbac_utils.override_role(self): + server = self.servers_client.show_server(self.server_id)['server'] if 'host_status' not in server: raise rbac_exceptions.RbacMalformedResponse(