[Fix gate]: Cinder policy change handling in tests

Cinder policies are made more granular and now we need to adjust the patrole tests to handle those changed policies. This commit introduces a new flag so that we test the old policies in stable branches and new one in Xena onwards. Change-Id: I4be60e3e92704f8e55d3acdb0e025078ae5b21f1
2021-09-21 10:09:44 -05:00 · 2021-09-21 10:09:44 -05:00 · 588c33d6d7
parent f304d7aaac
commit 588c33d6d7
9 changed files with 117 additions and 21 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -84,6 +84,9 @@ function install_patrole_tempest_plugin {
       # TODO(gmann): Remove these once stable/victoria becomes EOL.
       # These policies were removed in Wallaby.
       iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+
+       # TODO(gmann): Remove these once stable/xena becomes EOL.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
    fi

    if [[ ${DEVSTACK_SERIES} == 'rocky' ]]; then
@ -106,6 +109,9 @@ function install_patrole_tempest_plugin {
       # TODO(gmann): Remove these once stable/victoria becomes EOL.
       # These policies were removed in Wallaby.
       iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+
+       # TODO(gmann): Remove these once stable/xena becomes EOL.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
    fi

    if [[ ${DEVSTACK_SERIES} == 'stein' ]]; then
@ -123,6 +129,8 @@ function install_patrole_tempest_plugin {
       # TODO(gmann): Remove these once stable/victoria becomes EOL.
       # These policies were removed in Wallaby.
       iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+       # TODO(gmann): Remove these once stable/xena becomes EOL.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
    fi

    if [[ ${DEVSTACK_SERIES} == 'train' ]]; then
@ -132,6 +140,8 @@ function install_patrole_tempest_plugin {
       # TODO(gmann): Remove these once stable/victoria becomes EOL.
       # These policies were removed in Wallaby.
       iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+       # TODO(gmann): Remove these once stable/xena becomes EOL.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
    fi

    if [[ ${DEVSTACK_SERIES} == 'ussuri' ]]; then
@ -140,14 +150,21 @@ function install_patrole_tempest_plugin {
       # TODO(gmann): Remove these once stable/victoria becomes EOL.
       # These policies were removed in Wallaby.
       iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+       # TODO(gmann): Remove these once stable/xena becomes EOL.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
    fi

    if [[ ${DEVSTACK_SERIES} == 'victoria' ]]; then
       # TODO(gmann): Remove these once stable/victoria becomes EOL.
       # These policies were removed in Wallaby.
       iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_wallaby False
+       # TODO(gmann): Remove these once stable/xena becomes EOL.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
+    fi
+    if [[ ${DEVSTACK_SERIES} == 'wallaby' ]]; then
+       # TODO(gmann): Remove these once stable/xena becomes EOL.
+       iniset $TEMPEST_CONFIG policy-feature-enabled changed_cinder_policies_xena False
    fi
-
    iniset $TEMPEST_CONFIG patrole rbac_test_roles $RBAC_TEST_ROLES
 }

--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@ -204,7 +204,12 @@ changed in Ussuri."""),
                default=True,
                help="""Are the Nova deprecated API policies available in the
 cloud (e.g. os_compute_api:os-networks)? These policies were
-changed in Victoria.""")
+changed in Victoria."""),
+    cfg.BoolOpt('changed_cinder_policies_xena',
+                default=True,
+                help="""Are the Cinder API policies changed in the
+cloud (e.g. 'group:group_types_specs')? These policies were
+changed in Xena.""")
 ]


--- a/patrole_tempest_plugin/tests/api/volume/test_group_type_specs.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_group_type_specs.py
@ -13,11 +13,28 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-from patrole_tempest_plugin.tests.api.volume import rbac_base
+from tempest import config
 from tempest.lib import decorators

+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
 from patrole_tempest_plugin import rbac_rule_validation

+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+    _GROUP_SPEC_SHOW = "group:group_types_specs:get"
+    _GROUP_SPEC_LIST = "group:group_types_specs:get_all"
+    _GROUP_SPEC_CREATE = "group:group_types_specs:create"
+    _GROUP_SPEC_UPDATE = "group:group_types_specs:update"
+    _GROUP_SPEC_DELETE = "group:group_types_specs:delete"
+else:
+    _GROUP_SPEC_SHOW = "group:group_types_specs"
+    _GROUP_SPEC_LIST = "group:group_types_specs"
+    _GROUP_SPEC_CREATE = "group:group_types_specs"
+    _GROUP_SPEC_UPDATE = "group:group_types_specs"
+    _GROUP_SPEC_DELETE = "group:group_types_specs"
+

 class GroupTypeSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
    _api_version = 3
@ -27,7 +44,7 @@ class GroupTypeSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('b2859734-00ad-4a22-88ee-541698e90d12')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["group:group_types_specs"]
+        rules=[_GROUP_SPEC_CREATE]
    )
    def test_group_type_specs_create(self):
        # Create new group type
@ -47,7 +64,7 @@ class GroupTypeSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('469d0253-aa13-423f-8264-231ac17effbf')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["group:group_types_specs"]
+        rules=[_GROUP_SPEC_SHOW]
    )
    def test_group_type_specs_show(self):
        group_type = self.create_group_type()
@ -65,7 +82,7 @@ class GroupTypeSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('2e706a4e-dec9-46bf-9426-1c5b6f3ce102')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["group:group_types_specs"]
+        rules=[_GROUP_SPEC_UPDATE]
    )
    def test_group_type_specs_update(self):
        group_type = self.create_group_type()
@ -81,7 +98,7 @@ class GroupTypeSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('fd5e332b-fb2c-4957-ace9-11d60ddd5472')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["group:group_types_specs"]
+        rules=[_GROUP_SPEC_LIST]
    )
    def test_group_type_specs_list(self):
        group_type = self.create_group_type()
@ -92,7 +109,7 @@ class GroupTypeSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('d9639a07-e441-4576-baf6-7ec732b16572')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["group:group_types_specs"]
+        rules=[_GROUP_SPEC_DELETE]
    )
    def test_group_type_specs_delete(self):
        group_type = self.create_group_type()
--- a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
@ -14,6 +14,7 @@
 #    under the License.

 from tempest.common import waiters
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
@ -22,6 +23,17 @@ from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.volume import rbac_base

+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+    _GROUP_CREATE = "group:group_types:create"
+    _GROUP_UPDATE = "group:group_types:update"
+    _GROUP_DELETE = "group:group_types:delete"
+else:
+    _GROUP_CREATE = "group:group_types_manage"
+    _GROUP_UPDATE = "group:group_types_manage"
+    _GROUP_DELETE = "group:group_types_manage"
+

 class BaseGroupRbacTest(rbac_base.BaseVolumeRbacTest):

@ -166,7 +178,7 @@ class GroupTypesV3RbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('2820f12c-4681-4c7f-b28d-e6925637dff6')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["group:group_types_manage"])
+        rules=[_GROUP_CREATE])
    def test_create_group_type(self):
        with self.override_role():
            self.create_group_type(ignore_notfound=True)
@ -174,7 +186,7 @@ class GroupTypesV3RbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('f77f8156-4fc9-4f02-be15-8930f748e10c')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["group:group_types_manage"])
+        rules=[_GROUP_DELETE])
    def test_delete_group_type(self):
        group_type = self.create_group_type(ignore_notfound=True)

@ -184,7 +196,7 @@ class GroupTypesV3RbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('67929954-4551-4d22-b15a-27fb6e56b711')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["group:group_types_manage"])
+        rules=[_GROUP_DELETE])
    def test_update_group_type(self):
        group_type = self.create_group_type()
        update_params = {
--- a/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_quota_classes_rbac.py
@ -14,12 +14,22 @@
 #    under the License.

 from tempest.common import utils
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.volume import rbac_base

+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+    _QUOTA_SET_SHOW = "volume_extension:quota_classes:get"
+    _QUOTA_SET_UPDATE = "volume_extension:quota_classes:update"
+else:
+    _QUOTA_SET_SHOW = "volume_extension:quota_classes"
+    _QUOTA_SET_UPDATE = "volume_extension:quota_classes"
+

 class QuotaClassesV3RbacTest(rbac_base.BaseVolumeRbacTest):

@ -39,7 +49,7 @@ class QuotaClassesV3RbacTest(rbac_base.BaseVolumeRbacTest):

    @decorators.idempotent_id('1a060def-2b43-4534-97f5-5eadbbe8c726')
    @rbac_rule_validation.action(service="cinder",
-                                 rules=["volume_extension:quota_classes"])
+                                 rules=[_QUOTA_SET_SHOW])
    def test_show_quota_class_set(self):
        with self.override_role():
            self.quota_classes_client.show_quota_class_set(
@ -47,7 +57,7 @@ class QuotaClassesV3RbacTest(rbac_base.BaseVolumeRbacTest):

    @decorators.idempotent_id('72159478-23a7-4c75-989f-6bac609eca62')
    @rbac_rule_validation.action(service="cinder",
-                                 rules=["volume_extension:quota_classes"])
+                                 rules=[_QUOTA_SET_UPDATE])
    def test_update_quota_class_set(self):
        quota_class_set = self.quota_classes_client.show_quota_class_set(
            self.quota_name)['quota_class_set']
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
@ -23,6 +23,15 @@ from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF

+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+    _METADATA_SHOW = "volume_extension:volume_image_metadata:show"
+    _METADATA_SET = "volume_extension:volume_image_metadata:set"
+    _METADATA_REMOVE = "volume_extension:volume_image_metadata:remove"
+else:
+    _METADATA_SHOW = "volume_extension:volume_image_metadata"
+    _METADATA_SET = "volume_extension:volume_image_metadata"
+    _METADATA_REMOVE = "volume_extension:volume_image_metadata"
+

 class VolumeMetadataV3RbacTest(rbac_base.BaseVolumeRbacTest):

@ -99,7 +108,7 @@ class VolumeMetadataV3RbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('39e8f82c-f1fc-4905-bf47-177ce2f71bb9')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["volume_extension:volume_image_metadata"])
+        rules=[_METADATA_SET])
    def test_list_volumes_details_image_metadata(self):
        self.volumes_client.update_volume_image_metadata(
            self.volume['id'], image_id=self.image_id)
@ -117,7 +126,7 @@ class VolumeMetadataV3RbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('53f94d52-0dd5-42cf-a3a4-59b35150b3d5')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["volume_extension:volume_image_metadata"])
+        rules=[_METADATA_SHOW])
    def test_show_volume_details_image_metadata(self):
        self.volumes_client.update_volume_image_metadata(
            self.volume['id'], image_id=self.image_id)
@ -135,7 +144,7 @@ class VolumeMetadataV3RbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('a9d9e825-5ea3-42e6-96f3-7ac4e97b2ed0')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["volume_extension:volume_image_metadata"])
+        rules=[_METADATA_SET])
    def test_update_volume_image_metadata(self):
        with self.override_role():
            self.volumes_client.update_volume_image_metadata(
@ -146,7 +155,7 @@ class VolumeMetadataV3RbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('a41c8eed-2051-4a25-b401-df036faacbdc')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["volume_extension:volume_image_metadata"])
+        rules=[_METADATA_REMOVE])
    def test_delete_volume_image_metadata(self):
        self.volumes_client.update_volume_image_metadata(
            self.volume['id'], image_id=self.image_id)
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
@ -14,12 +14,20 @@
 #    under the License.

 from tempest.common import utils
+from tempest import config
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.volume import rbac_base

+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+    _TYPE_ACCESS_LIST = "volume_extension:volume_type_access:get_all_for_type"
+else:
+    _TYPE_ACCESS_LIST = "volume_extension:volume_type_access"
+

 class VolumeTypesAccessRbacTest(rbac_base.BaseVolumeRbacTest):

@ -52,7 +60,7 @@ class VolumeTypesAccessRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('af70e6ad-e931-419f-9200-8bcc284e4e47')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["volume_extension:volume_type_access"])
+        rules=[_TYPE_ACCESS_LIST])
    def test_list_type_access(self):
        self._add_type_access()

--- a/patrole_tempest_plugin/tests/api/volume/test_volume_types_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_rbac.py
@ -13,18 +13,30 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.volume import rbac_base

+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_cinder_policies_xena:
+    _TYPE_MANAGE_CREATE = "volume_extension:type_create"
+    _TYPE_MANAGE_UPDATE = "volume_extension:type_update"
+    _TYPE_MANAGE_DELETE = "volume_extension:type_delete"
+else:
+    _TYPE_MANAGE_CREATE = "volume_extension:types_manage"
+    _TYPE_MANAGE_UPDATE = "volume_extension:types_manage"
+    _TYPE_MANAGE_DELETE = "volume_extension:types_manage"
+

 class VolumeTypesRbacTest(rbac_base.BaseVolumeRbacTest):

    @decorators.idempotent_id('e2bbf968-d947-4a15-a4da-a98c3069731e')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["volume_extension:types_manage"])
+        rules=[_TYPE_MANAGE_CREATE])
    def test_create_volume_type(self):
        with self.override_role():
            self.create_volume_type()
@ -32,7 +44,7 @@ class VolumeTypesRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('2b74ac82-e03e-4801-86f3-d05c9acfd66b')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["volume_extension:types_manage"])
+        rules=[_TYPE_MANAGE_UPDATE])
    def test_update_volume_type(self):
        volume_type = self.create_volume_type()
        with self.override_role():
@ -42,7 +54,7 @@ class VolumeTypesRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('90aec0ef-4f9b-4170-be6b-a392c12540be')
    @rbac_rule_validation.action(
        service="cinder",
-        rules=["volume_extension:types_manage"])
+        rules=[_TYPE_MANAGE_DELETE])
    def test_delete_volume_type(self):
        volume_type = self.create_volume_type()
        with self.override_role():
--- a/releasenotes/notes/changed-cinder-policies-xena-feature-flag-4b799db683e2840f.yaml
+++ b/releasenotes/notes/changed-cinder-policies-xena-feature-flag-4b799db683e2840f.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Added new feature flag called ``changed_cinder_policies_xena`` under
+    the configuration group ``[policy-feature-enabled]`` for testing Cinder
+    tests withe old and new policies.