Add RBAC test for force-deleting a backup

This patch adds a new test for force-deleting a backup in test_volumes_backup_rbac, which tests the cinder policy action: "volume_extension:backup_admin_actions:force_delete". This patch also corrects the currently wrong policy action for the test test_snapshot_force_delete from "volume_extension:volume_admin_actions:force_delete" to "volume_extension:snapshot_admin_actions:force_delete". (The ``_force_delete`` function in the cinder admin actions API enforces the policy action corresponding to the resource name [0][1]). [0] https://github.com/openstack/cinder/blob/master/cinder/api/contrib/admin_actions.py#L133 [1] https://github.com/openstack/cinder/blob/master/cinder/api/contrib/admin_actions.py#L82 Change-Id: Icecf2152fe84da2847ae677a74a4d183eb4cd88b
2017-04-30 03:51:08 +01:00 · 2017-04-30 03:51:08 +01:00 · b45a05e8be
parent edcdbecd6b
commit b45a05e8be
3 changed files with 32 additions and 19 deletions
--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
@ -13,8 +13,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-from oslo_log import log as logging
-
 from tempest import config
 from tempest.lib import decorators

@ -22,7 +20,6 @@ from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
-LOG = logging.getLogger(__name__)


 class SnapshotsActionsRbacTest(rbac_base.BaseVolumeRbacTest):
@ -41,9 +38,7 @@ class SnapshotsActionsRbacTest(rbac_base.BaseVolumeRbacTest):
    @classmethod
    def resource_setup(cls):
        super(SnapshotsActionsRbacTest, cls).resource_setup()
-        # Create a volume
        cls.volume = cls.create_volume()
-        # Create a snapshot
        cls.snapshot = cls.create_snapshot(volume_id=cls.volume['id'])
        cls.snapshot_id = cls.snapshot['id']

@ -52,22 +47,17 @@ class SnapshotsActionsRbacTest(rbac_base.BaseVolumeRbacTest):
        rule="volume_extension:snapshot_admin_actions:reset_status")
    @decorators.idempotent_id('ea430145-34ef-408d-b678-95d5ae5f46eb')
    def test_reset_snapshot_status(self):
-        # Reset snapshot status to error
        status = 'error'
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        self.client.\
-            reset_snapshot_status(self.snapshot['id'], status)
+        self.client.reset_snapshot_status(self.snapshot['id'], status)

    @rbac_rule_validation.action(
        service="cinder",
-        rule="volume_extension:volume_admin_actions:force_delete")
+        rule="volume_extension:snapshot_admin_actions:force_delete")
    @decorators.idempotent_id('a8b0f7d8-4c00-4645-b8d5-33ab4eecc6cb')
    def test_snapshot_force_delete(self):
-        # Test force delete of snapshot
-        # Create snapshot,
-        # and force delete temp snapshot
        temp_snapshot = self.create_snapshot(self.volume['id'])
-        # Force delete the snapshot
+
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        self.client.force_delete_snapshot(temp_snapshot['id'])
        self.client.wait_for_resource_deletion(temp_snapshot['id'])
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@ -65,7 +65,7 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
        backup.update(changes)
        return self._encode_backup(backup)

-    @test.attr(type="slow")
+    @test.attr(type=["slow"])
    @rbac_rule_validation.action(service="cinder",
                                 rule="backup:create")
    @decorators.idempotent_id('6887ec94-0bcf-4ab7-b30f-3808a4b5a2a5')
@ -73,7 +73,7 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        self._create_backup(volume_id=self.volume['id'])

-    @test.attr(type="slow")
+    @test.attr(type=["slow"])
    @rbac_rule_validation.action(service="cinder",
                                 rule="backup:get")
    @decorators.idempotent_id('abd92bdd-b0fb-4dc4-9cfc-de9e968f8c8a')
@ -91,7 +91,7 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        self.backups_client.list_backups()

-    @test.attr(type="slow")
+    @test.attr(type=["slow"])
    @rbac_rule_validation.action(service="cinder",
                                 rule="backup:restore")
    @decorators.idempotent_id('9c794bf9-2446-4f41-8fe0-80b71e757f9d')
@ -104,7 +104,7 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
        waiters.wait_for_volume_resource_status(
            self.backups_client, restore['backup_id'], 'available')

-    @test.attr(type="slow")
+    @test.attr(type=["slow"])
    @rbac_rule_validation.action(service="cinder",
                                 rule="backup:delete")
    @decorators.idempotent_id('d5d0c6a2-413d-437e-a73f-4bf2b41a20ed')
@ -116,7 +116,19 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
        self.backups_client.delete_backup(backup['id'])
        self.backups_client.wait_for_resource_deletion(backup['id'])

-    @test.attr(type='slow')
+    @decorators.idempotent_id('48325aaa-13f5-4ba3-96a3-24b6c9d77b6d')
+    @test.attr(type=["slow"])
+    @rbac_rule_validation.action(
+        service="cinder",
+        rule="volume_extension:backup_admin_actions:force_delete")
+    def test_volume_backup_force_delete(self):
+        backup = self._create_backup(volume_id=self.volume['id'])
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.backups_client.force_delete_backup(backup['id'])
+        self.backups_client.wait_for_resource_deletion(backup['id'])
+
+    @test.attr(type=["slow"])
    @rbac_rule_validation.action(service="cinder",
                                 rule="backup:backup-export")
    @decorators.idempotent_id('e984ec8d-e8eb-485c-98bc-f1856020303c')
@ -128,7 +140,7 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        self.backups_client.export_backup(backup['id'])['backup-record']

-    @test.attr(type='slow')
+    @test.attr(type=["slow"])
    @rbac_rule_validation.action(service="cinder",
                                 rule="backup:backup-import")
    @decorators.idempotent_id('1e70f039-4556-44cc-9cc1-edf2b7ed648b')
--- a/releasenotes/notes/add-force-delete-backup-test-7e896affd1471328.yaml
+++ b/releasenotes/notes/add-force-delete-backup-test-7e896affd1471328.yaml
@ -0,0 +1,11 @@
+---
+features:
+  - |
+    Added an RBAC test for force-deleting a backup which enforces the cinder
+    policy action: "volume_extension:backup_admin_actions:force_delete".
+fixes:
+  - |
+    Corrected the policy action in the ``rbac_rule_validation`` decorator
+    for the test ``test_snapshot_force_delete`` from
+    "volume_extension:volume_admin_actions:force_delete" to
+    "volume_extension:snapshot_admin_actions:force_delete".