Merge "Gate fix and update compute tests to adopt new policies"

patrole_tempest_plugin/policy_authority.py

@@ -186,9 +186,10 @@ class PolicyAuthority(RbacAuthority):
             }
         )
         LOG.warn(deprecated_msg)
-        check_str = '(%s) or (%s)' % (default.check_str,
-                                      deprecated_rule.check_str)
-        return policy.RuleDefault(default.name, check_str)
+        default.check = policy.OrCheck(
+            [policy._parser.parse_rule(cs) for cs in
+                [default.check_str,
+                 deprecated_rule.check_str]])
 
     def get_rules(self):
         rules = policy.Rules()
@@ -229,7 +230,7 @@ class PolicyAuthority(RbacAuthority):
                             # The `DocumentedRuleDefault` object has no
                             # `deprecated_rule` attribute in Pike
                             if getattr(rule, 'deprecated_rule', False):
-                                rule = self._handle_deprecated_rule(rule)
+                                self._handle_deprecated_rule(rule)
                         rules[rule.name] = rule.check
                     elif str(rule.check) != str(rules[rule.name]):
                         msg = ("The same policy name: %s was found in the "

patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py

@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
@@ -20,6 +21,17 @@ from tempest.lib import decorators
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.compute import rbac_base
 
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_nova_policies_ussuri:
+    _SG_LIST = "os_compute_api:os-security-groups:list"
+    _SG_ADD = "os_compute_api:os-security-groups:add"
+    _SG_REMOVE = "os_compute_api:os-security-groups:remove"
+else:
+    _SG_LIST = "os_compute_api:os-security-groups"
+    _SG_ADD = "os_compute_api:os-security-groups"
+    _SG_REMOVE = "os_compute_api:os-security-groups"
+
 
 class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
     """Tests non-deprecated security group policies. Requires network service.
@@ -55,7 +67,7 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
 
     @rbac_rule_validation.action(
         service="nova",
-        rules=["os_compute_api:os-security-groups"])
+        rules=[_SG_LIST])
     @decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
     def test_list_security_groups_by_server(self):
         with self.override_role():
@@ -64,7 +76,7 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
 
     @rbac_rule_validation.action(
         service="nova",
-        rules=["os_compute_api:os-security-groups"])
+        rules=[_SG_ADD])
     @decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
     def test_create_security_group_for_server(self):
         sg_name = self.create_security_group()['name']
@@ -78,7 +90,7 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
 
     @rbac_rule_validation.action(
         service="nova",
-        rules=["os_compute_api:os-security-groups"])
+        rules=[_SG_REMOVE])
     @decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
     def test_remove_security_group_from_server(self):
         sg_name = self.create_security_group()['name']

patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py

@@ -36,11 +36,15 @@ if CONF.policy_feature_enabled.changed_nova_policies_ussuri:
     _ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces:list"
     _ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces:show"
     _INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions:list"
+    _SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password:show"
+    _SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password:clear"
 else:
     _DEFERRED_FORCE = "os_compute_api:os-deferred-delete"
     _ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces"
     _ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces"
     _INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions"
+    _SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password"
+    _SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password"
 
 
 class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -493,7 +497,7 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
     @decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
     @rbac_rule_validation.action(
         service="nova",
-        rules=["os_compute_api:os-server-password"])
+        rules=[_SERVER_PASSWORD_CLEAR])
     def test_delete_server_password(self):
         """Test delete server password, part of os-server-password."""
         with self.override_role():
@@ -502,7 +506,7 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
     @utils.requires_ext(extension='os-server-password', service='compute')
     @rbac_rule_validation.action(
         service="nova",
-        rules=["os_compute_api:os-server-password"])
+        rules=[_SERVER_PASSWORD_SHOW])
     @decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
     def test_get_server_password(self):
         """Test show server password, part of os-server-password."""

releasenotes/notes/adopt_nova_new_policies-c61d1c3751ff1bf9.yaml

@@ -13,3 +13,6 @@ features:
       - os_compute_api:os-instance-usage-audit-log
       - os_compute_api:os-agents
       - os_compute_api:os-hypervisors
+      - os_compute_api:os-instance-actions
+      - os_compute_api:os-security-groups
+      - os_compute_api:os-server-password