Gate fix and update compute tests to adopt new policies

Nova is moving to new policy defaults in ussuri[1] where few polciies are made more granular to adopt the new defaults. With granularity in few policies make change in policy name so we have update the patrole tests to start checking against the new policy names from ussuri onwards. This commit updates the security group and server password policy tests to move to new policies from ussuri onwards. Also add the already fixed instance action policy in reno Also fix the gate to parse the combining of deprecated rule check_str with oslo policy parser instead of string processing. Story: #2007585 Task: #39516 [1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html Change-Id: If661299231d548ce40a2e340b1ddb9ebe8d3f964
2020-04-16 11:52:57 -05:00 · 2020-04-16 11:52:57 -05:00 · ee53f843fc
parent 2aad808184
commit ee53f843fc
4 changed files with 29 additions and 9 deletions
--- a/patrole_tempest_plugin/policy_authority.py
+++ b/patrole_tempest_plugin/policy_authority.py
@ -186,9 +186,10 @@ class PolicyAuthority(RbacAuthority):
            }
        )
        LOG.warn(deprecated_msg)
-        check_str = '(%s) or (%s)' % (default.check_str,
-                                      deprecated_rule.check_str)
-        return policy.RuleDefault(default.name, check_str)
+        default.check = policy.OrCheck(
+            [policy._parser.parse_rule(cs) for cs in
+                [default.check_str,
+                 deprecated_rule.check_str]])

    def get_rules(self):
        rules = policy.Rules()
@ -229,7 +230,7 @@ class PolicyAuthority(RbacAuthority):
                            # The `DocumentedRuleDefault` object has no
                            # `deprecated_rule` attribute in Pike
                            if getattr(rule, 'deprecated_rule', False):
-                                rule = self._handle_deprecated_rule(rule)
+                                self._handle_deprecated_rule(rule)
                        rules[rule.name] = rule.check
                    elif str(rule.check) != str(rules[rule.name]):
                        msg = ("The same policy name: %s was found in the "
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
@ -20,6 +21,17 @@ from tempest.lib import decorators
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.compute import rbac_base

+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_nova_policies_ussuri:
+    _SG_LIST = "os_compute_api:os-security-groups:list"
+    _SG_ADD = "os_compute_api:os-security-groups:add"
+    _SG_REMOVE = "os_compute_api:os-security-groups:remove"
+else:
+    _SG_LIST = "os_compute_api:os-security-groups"
+    _SG_ADD = "os_compute_api:os-security-groups"
+    _SG_REMOVE = "os_compute_api:os-security-groups"
+

 class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
    """Tests non-deprecated security group policies. Requires network service.
@ -55,7 +67,7 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):

    @rbac_rule_validation.action(
        service="nova",
-        rules=["os_compute_api:os-security-groups"])
+        rules=[_SG_LIST])
    @decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
    def test_list_security_groups_by_server(self):
        with self.override_role():
@ -64,7 +76,7 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):

    @rbac_rule_validation.action(
        service="nova",
-        rules=["os_compute_api:os-security-groups"])
+        rules=[_SG_ADD])
    @decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
    def test_create_security_group_for_server(self):
        sg_name = self.create_security_group()['name']
@ -78,7 +90,7 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):

    @rbac_rule_validation.action(
        service="nova",
-        rules=["os_compute_api:os-security-groups"])
+        rules=[_SG_REMOVE])
    @decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
    def test_remove_security_group_from_server(self):
        sg_name = self.create_security_group()['name']
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@ -36,11 +36,15 @@ if CONF.policy_feature_enabled.changed_nova_policies_ussuri:
    _ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces:list"
    _ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces:show"
    _INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions:list"
+    _SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password:show"
+    _SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password:clear"
 else:
    _DEFERRED_FORCE = "os_compute_api:os-deferred-delete"
    _ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces"
    _ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces"
    _INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions"
+    _SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password"
+    _SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password"


 class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
@ -493,7 +497,7 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
    @rbac_rule_validation.action(
        service="nova",
-        rules=["os_compute_api:os-server-password"])
+        rules=[_SERVER_PASSWORD_CLEAR])
    def test_delete_server_password(self):
        """Test delete server password, part of os-server-password."""
        with self.override_role():
@ -502,7 +506,7 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @utils.requires_ext(extension='os-server-password', service='compute')
    @rbac_rule_validation.action(
        service="nova",
-        rules=["os_compute_api:os-server-password"])
+        rules=[_SERVER_PASSWORD_SHOW])
    @decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
    def test_get_server_password(self):
        """Test show server password, part of os-server-password."""
--- a/releasenotes/notes/adopt_nova_new_policies-c61d1c3751ff1bf9.yaml
+++ b/releasenotes/notes/adopt_nova_new_policies-c61d1c3751ff1bf9.yaml
@ -13,3 +13,6 @@ features:
      - os_compute_api:os-instance-usage-audit-log
      - os_compute_api:os-agents
      - os_compute_api:os-hypervisors
+      - os_compute_api:os-instance-actions
+      - os_compute_api:os-security-groups
+      - os_compute_api:os-server-password