Skip the deprecated API extensions policy tests

A new policy feature flag called
``[policy_feature_flag].removed_nova_policies_stein``
has been added to Patrole's config to handle Nova API
extension policies removed in Stein [0].

The policy feature flag is applied to tests that validate
response bodies for expected attributes previously returned
for the following policies that passed authorization:

      - os_compute_api:os-config-drive
      - os_compute_api:os-extended-availability-zone
      - os_compute_api:os-extended-status
      - os_compute_api:os-extended-volumes
      - os_compute_api:os-keypairs
      - os_compute_api:os-server-usage
      - os_compute_api:os-flavor-rxtx
      - os_compute_api:os-flavor-access (only from /flavors APIs)
      - os_compute_api:image-size

Note that not all removed policies are included above because
test coverage is missing for them (like
os_compute_api:os-security-groups).

Also fixes test flows associated with image_size tests:

* endpoints are list images with details and show image (not
  list image)
* both tests should check for OS-EXT-IMG-SIZE:size attribute

[0] https://review.openstack.org/#/c/586872/8

Story: 2003501

Change-Id: Ia6f8d255a540f7063beedd80a3ca1833f3987490
This commit is contained in:
Felipe Monteiro 2018-08-19 22:54:33 +01:00 committed by Ghanshyam Mann
parent d063b409bb
commit 6bffc5c5c6
7 changed files with 134 additions and 6 deletions

View File

@ -26,12 +26,18 @@ function install_patrole_tempest_plugin {
iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_attach_policy False
iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_reserve_policy False
iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_unreserve_policy False
# These policies were removed in Stein but are available in Pike.
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
fi
if [[ ${DEVSTACK_SERIES} == 'queens' ]]; then
if [[ "$RBAC_TEST_ROLE" == "member" ]]; then
RBAC_TEST_ROLE="Member"
fi
# These policies were removed in Stein but are available in Queens.
iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
fi
iniset $TEMPEST_CONFIG patrole enable_rbac True

View File

@ -160,7 +160,17 @@ was changed in a backwards-incompatible way."""),
default=True,
help="""Is the Cinder policy
"volume_extension:volume_actions:unreserve" available in the cloud? This policy
was changed in a backwards-incompatible way.""")
was changed in a backwards-incompatible way."""),
# *** Include feature flags for groups of policies below. ***
# Best practice is to capture new policies, removed policies, renamed
# policies in a group, per release.
#
# TODO(felipemonteiro): Remove these feature flags once Stein is EOL.
cfg.BoolOpt('removed_nova_policies_stein',
default=True,
help="""Are the Nova API extension policies available in the
cloud (e.g. os_compute_api:os-extended-availability-zone)? These policies were
removed in Stein because Nova API extension concept was removed in Pike."""),
]

View File

@ -13,8 +13,9 @@
# License for the specific language governing permissions and limitations
# under the License.
from tempest import config
import testtools
from tempest import config
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@ -34,6 +35,8 @@ class FlavorAccessRbacTest(rbac_base.BaseV2ComputeRbacTest):
cls.public_flavor_id = CONF.compute.flavor_ref
cls.tenant_id = cls.os_primary.credentials.tenant_id
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('a2bd3740-765d-4c95-ac98-9e027378c75e')
@rbac_rule_validation.action(
service="nova",
@ -50,6 +53,8 @@ class FlavorAccessRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('dd388146-9750-4124-82ba-62deff1052bb')
@rbac_rule_validation.action(
service="nova",

View File

@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
import testtools
from tempest.common import utils
from tempest import config
from tempest.lib import decorators
@ -33,6 +35,8 @@ class FlavorRxtxRbacTest(rbac_base.BaseV2ComputeRbacTest):
msg = "os-flavor-rxtx extension not enabled."
raise cls.skipException(msg)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('5e1fd9f0-9a08-485a-ad9c-0fc66e4d64b7')
@rbac_rule_validation.action(
service="nova",
@ -44,6 +48,8 @@ class FlavorRxtxRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute='rxtx_factor')
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('70c55a07-c843-4627-a29d-ba78673c1e63')
@rbac_rule_validation.action(
service="nova",

View File

@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
import testtools
from tempest.common import image as common_image
from tempest import config
from tempest.lib.common.utils import data_utils
@ -20,6 +22,7 @@ from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
@ -245,18 +248,67 @@ class ImageSizeRbacTest(rbac_base.BaseV2ComputeRbacTest):
# https://developer.openstack.org/api-ref/compute/#images-deprecated
max_microversion = '2.35'
@classmethod
def skip_checks(cls):
super(ImageSizeRbacTest, cls).skip_checks()
if not CONF.service_available.glance:
skip_msg = ("%s skipped as glance is not available" % cls.__name__)
raise cls.skipException(skip_msg)
@classmethod
def setup_clients(cls):
super(ImageSizeRbacTest, cls).setup_clients()
if CONF.image_feature_enabled.api_v2:
cls.glance_image_client = cls.os_primary.image_client_v2
elif CONF.image_feature_enabled.api_v1:
cls.glance_image_client = cls.os_primary.image_client
else:
raise lib_exc.InvalidConfiguration(
'Either api_v1 or api_v2 must be True in '
'[image-feature-enabled].')
@classmethod
def resource_setup(cls):
super(ImageSizeRbacTest, cls).resource_setup()
params = {'name': data_utils.rand_name(cls.__name__ + '-image')}
if CONF.image_feature_enabled.api_v1:
params = {'headers': common_image.image_meta_to_headers(**params)}
cls.image = cls.glance_image_client.create_image(**params)
cls.addClassResourceCleanup(
cls.glance_image_client.wait_for_resource_deletion,
cls.image['id'])
cls.addClassResourceCleanup(
cls.glance_image_client.delete_image, cls.image['id'])
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('fe34d2a6-5743-45bf-8f92-a1d703d7c7ab')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:image-size")
def test_list_images(self):
def test_show_image_includes_image_size(self):
with self.rbac_utils.override_role(self):
self.compute_images_client.list_images()
body = self.compute_images_client.show_image(self.image['id'])[
'image']
expected_attr = 'OS-EXT-IMG-SIZE:size'
if expected_attr not in body:
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('08342c7d-297d-42ee-b398-90fce2443792')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:image-size")
def test_list_images_with_details(self):
def test_list_images_with_details_includes_image_size(self):
with self.rbac_utils.override_role(self):
self.compute_images_client.list_images(detail=True)
body = self.compute_images_client.list_images(detail=True)[
'images']
expected_attr = 'OS-EXT-IMG-SIZE:size'
if expected_attr not in body[0]:
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)

View File

@ -129,6 +129,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
waiters.wait_for_server_status(
self.servers_client, self.server['id'], 'ACTIVE')
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@utils.requires_ext(extension='os-config-drive', service='compute')
@decorators.idempotent_id('2c82e819-382d-4d6f-87f0-a45954cbbc64')
@rbac_rule_validation.action(
@ -144,6 +146,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@utils.requires_ext(extension='os-config-drive', service='compute')
@decorators.idempotent_id('55c62ef7-b72b-4970-acc6-05b0a4316e5d')
@rbac_rule_validation.action(
@ -169,6 +173,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
# Force-deleting a server enforces os-deferred-delete.
self.servers_client.force_delete_server(self.server['id'])
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('d873740a-7b10-40a9-943d-7cc18115370e')
@utils.requires_ext(extension='OS-EXT-AZ', service='compute')
@rbac_rule_validation.action(
@ -185,6 +191,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('727e5360-770a-4b9c-8015-513a40216635')
@utils.requires_ext(extension='OS-EXT-AZ', service='compute')
@rbac_rule_validation.action(
@ -200,6 +208,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('4aa5d93e-4887-468a-8eb4-b6eca0ca6437')
@utils.requires_ext(extension='OS-EXT-SRV-ATTR', service='compute')
@rbac_rule_validation.action(
@ -222,6 +232,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute=whole_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('2ed7aee2-94b2-4a9f-ae63-a51b7f94fe30')
@utils.requires_ext(extension='OS-EXT-SRV-ATTR', service='compute')
@rbac_rule_validation.action(
@ -244,6 +256,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute=whole_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('82053c27-3134-4003-9b55-bc9fafdb0e3b')
@utils.requires_ext(extension='OS-EXT-STS', service='compute')
@rbac_rule_validation.action(
@ -261,6 +275,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute=attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('7d2620a5-eea1-4a8b-96ea-86ad77a73fc8')
@utils.requires_ext(extension='OS-EXT-STS', service='compute')
@rbac_rule_validation.action(
@ -278,6 +294,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute=attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('21e39cbe-6c32-48fc-80dd-3e1fece6053f')
@utils.requires_ext(extension='os-extended-volumes', service='compute')
@rbac_rule_validation.action(
@ -295,6 +313,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@decorators.idempotent_id('7f163708-0d25-4138-8512-dfdd72a92989')
@utils.requires_ext(extension='os-extended-volumes', service='compute')
@rbac_rule_validation.action(
@ -348,6 +368,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute='events.traceback')
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-keypairs")
@ -360,6 +382,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
raise rbac_exceptions.RbacMalformedResponse(
attribute='key_name')
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-keypairs")
@ -469,6 +493,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
with self.rbac_utils.override_role(self):
self.servers_client.show_password(self.server['id'])
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
"This API extension policy was removed in Stein")
@utils.requires_ext(extension='OS-SRV-USG', service='compute')
@rbac_rule_validation.action(
service="nova",

View File

@ -0,0 +1,23 @@
---
features:
- |
A new policy feature flag called
``[policy_feature_flag].removed_nova_policies_stein`` has been added to
Patrole's config to handle Nova API extension policies removed in Stein.
The policy feature flag is applied to tests that validate response bodies
for expected attributes previously returned for the following policies
that passed authorization:
- os_compute_api:os-config-drive
- os_compute_api:os-extended-availability-zone
- os_compute_api:os-extended-status
- os_compute_api:os-extended-volumes
- os_compute_api:os-keypairs
- os_compute_api:os-server-usage
- os_compute_api:os-flavor-rxtx
- os_compute_api:os-flavor-access (only from /flavors APIs)
- os_compute_api:image-size
Note that not all removed policies are included above because test coverage
is missing for them (like os_compute_api:os-security-groups).