Gate fix and update compute tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1], where a few policies are made more granular to adopt the new defaults. Making a policy more granular changes its name, so we have to update the patrole tests to start checking against the new policy names from ussuri onwards. This commit updates the security group and server password policy tests to move to the new policies from ussuri onwards. Also add the already fixed instance action policy in reno. Also fix the gate to combine the deprecated rule check_str using the oslo policy parser instead of string processing. Story: #2007585 Task: #39516 [1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html Change-Id: If661299231d548ce40a2e340b1ddb9ebe8d3f964
parent
2aad808184
commit
ee53f843fc
|
@ -186,9 +186,10 @@ class PolicyAuthority(RbacAuthority):
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
LOG.warn(deprecated_msg)
|
LOG.warn(deprecated_msg)
|
||||||
check_str = '(%s) or (%s)' % (default.check_str,
|
default.check = policy.OrCheck(
|
||||||
deprecated_rule.check_str)
|
[policy._parser.parse_rule(cs) for cs in
|
||||||
return policy.RuleDefault(default.name, check_str)
|
[default.check_str,
|
||||||
|
deprecated_rule.check_str]])
|
||||||
|
|
||||||
def get_rules(self):
|
def get_rules(self):
|
||||||
rules = policy.Rules()
|
rules = policy.Rules()
|
||||||
|
@ -229,7 +230,7 @@ class PolicyAuthority(RbacAuthority):
|
||||||
# The `DocumentedRuleDefault` object has no
|
# The `DocumentedRuleDefault` object has no
|
||||||
# `deprecated_rule` attribute in Pike
|
# `deprecated_rule` attribute in Pike
|
||||||
if getattr(rule, 'deprecated_rule', False):
|
if getattr(rule, 'deprecated_rule', False):
|
||||||
rule = self._handle_deprecated_rule(rule)
|
self._handle_deprecated_rule(rule)
|
||||||
rules[rule.name] = rule.check
|
rules[rule.name] = rule.check
|
||||||
elif str(rule.check) != str(rules[rule.name]):
|
elif str(rule.check) != str(rules[rule.name]):
|
||||||
msg = ("The same policy name: %s was found in the "
|
msg = ("The same policy name: %s was found in the "
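Review bot: The new `_handle_deprecated_rule` body builds the combined check through `policy._parser.parse_rule`, a private oslo.policy module that is reachable only through the `policy` import, so an oslo.policy refactor could break rule loading for every RBAC test that goes through `get_rules`. It also assigns `default.check` in place, presumably on the same rule object the service registered, while `default.check_str` keeps only the new-default string, so anything that later reads or logs `check_str` will not see the deprecated half of the OR. I would add a comment at the assignment, e.g. `# Mirror oslo.policy: OR the new default with the deprecated rule; relies on the private _parser, re-check on oslo.policy upgrades`, and one at the call in `get_rules` noting that `_handle_deprecated_rule` now mutates `rule` instead of returning a replacement. The function starts above the first hunk, so whether it still returns a value is not visible here.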
|
||||||
|
|
|
@ -13,6 +13,7 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from tempest import config
|
||||||
from tempest.lib.common.utils import data_utils
|
from tempest.lib.common.utils import data_utils
|
||||||
from tempest.lib.common.utils import test_utils
|
from tempest.lib.common.utils import test_utils
|
||||||
from tempest.lib import decorators
|
from tempest.lib import decorators
|
||||||
|
@ -20,6 +21,17 @@ from tempest.lib import decorators
|
||||||
from patrole_tempest_plugin import rbac_rule_validation
|
from patrole_tempest_plugin import rbac_rule_validation
|
||||||
from patrole_tempest_plugin.tests.api.compute import rbac_base
|
from patrole_tempest_plugin.tests.api.compute import rbac_base
|
||||||
|
|
||||||
|
CONF = config.CONF
|
||||||
|
|
||||||
|
if CONF.policy_feature_enabled.changed_nova_policies_ussuri:
|
||||||
|
_SG_LIST = "os_compute_api:os-security-groups:list"
|
||||||
|
_SG_ADD = "os_compute_api:os-security-groups:add"
|
||||||
|
_SG_REMOVE = "os_compute_api:os-security-groups:remove"
|
||||||
|
else:
|
||||||
|
_SG_LIST = "os_compute_api:os-security-groups"
|
||||||
|
_SG_ADD = "os_compute_api:os-security-groups"
|
||||||
|
_SG_REMOVE = "os_compute_api:os-security-groups"
|
||||||
|
|
||||||
|
|
||||||
class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
"""Tests non-deprecated security group policies. Requires network service.
|
"""Tests non-deprecated security group policies. Requires network service.
|
||||||
|
@ -55,7 +67,7 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
|
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rules=["os_compute_api:os-security-groups"])
|
rules=[_SG_LIST])
|
||||||
@decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
|
@decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
|
||||||
def test_list_security_groups_by_server(self):
|
def test_list_security_groups_by_server(self):
|
||||||
with self.override_role():
|
with self.override_role():
|
||||||
|
@ -64,7 +76,7 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
|
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rules=["os_compute_api:os-security-groups"])
|
rules=[_SG_ADD])
|
||||||
@decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
|
@decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
|
||||||
def test_create_security_group_for_server(self):
|
def test_create_security_group_for_server(self):
|
||||||
sg_name = self.create_security_group()['name']
|
sg_name = self.create_security_group()['name']
|
||||||
|
@ -78,7 +90,7 @@ class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
|
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rules=["os_compute_api:os-security-groups"])
|
rules=[_SG_REMOVE])
|
||||||
@decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
|
@decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
|
||||||
def test_remove_security_group_from_server(self):
|
def test_remove_security_group_from_server(self):
|
||||||
sg_name = self.create_security_group()['name']
|
sg_name = self.create_security_group()['name']
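Review bot: The `_SG_LIST`/`_SG_ADD`/`_SG_REMOVE` block runs at import time and has no comment explaining why the rule names depend on `changed_nova_policies_ussuri`. That makes it easy to miss that a flag which does not match the deployed Nova would presumably make these tests validate the wrong rule name. A comment above the `if` would cover it: `# Ussuri split os-security-groups into :list/:add/:remove; older Nova only has the single rule, so the flag must match the deployed release.` The same applies to the `_SERVER_PASSWORD_SHOW`/`_SERVER_PASSWORD_CLEAR` pair added in the misc policy actions section.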
|
||||||
|
|
|
@ -36,11 +36,15 @@ if CONF.policy_feature_enabled.changed_nova_policies_ussuri:
|
||||||
_ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces:list"
|
_ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces:list"
|
||||||
_ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces:show"
|
_ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces:show"
|
||||||
_INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions:list"
|
_INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions:list"
|
||||||
|
_SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password:show"
|
||||||
|
_SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password:clear"
|
||||||
else:
|
else:
|
||||||
_DEFERRED_FORCE = "os_compute_api:os-deferred-delete"
|
_DEFERRED_FORCE = "os_compute_api:os-deferred-delete"
|
||||||
_ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces"
|
_ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces"
|
||||||
_ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces"
|
_ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces"
|
||||||
_INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions"
|
_INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions"
|
||||||
|
_SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password"
|
||||||
|
_SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password"
|
||||||
|
|
||||||
|
|
||||||
class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
|
@ -493,7 +497,7 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
@decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
|
@decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rules=["os_compute_api:os-server-password"])
|
rules=[_SERVER_PASSWORD_CLEAR])
|
||||||
def test_delete_server_password(self):
|
def test_delete_server_password(self):
|
||||||
"""Test delete server password, part of os-server-password."""
|
"""Test delete server password, part of os-server-password."""
|
||||||
with self.override_role():
|
with self.override_role():
|
||||||
|
@ -502,7 +506,7 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
@utils.requires_ext(extension='os-server-password', service='compute')
|
@utils.requires_ext(extension='os-server-password', service='compute')
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rules=["os_compute_api:os-server-password"])
|
rules=[_SERVER_PASSWORD_SHOW])
|
||||||
@decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
|
@decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
|
||||||
def test_get_server_password(self):
|
def test_get_server_password(self):
|
||||||
"""Test show server password, part of os-server-password."""
|
"""Test show server password, part of os-server-password."""
|
||||||
|
|
|
@ -13,3 +13,6 @@ features:
|
||||||
- os_compute_api:os-instance-usage-audit-log
|
- os_compute_api:os-instance-usage-audit-log
|
||||||
- os_compute_api:os-agents
|
- os_compute_api:os-agents
|
||||||
- os_compute_api:os-hypervisors
|
- os_compute_api:os-hypervisors
|
||||||
|
- os_compute_api:os-instance-actions
|
||||||
|
- os_compute_api:os-security-groups
|
||||||
|
- os_compute_api:os-server-password
|
||||||
|
|