Add feature flag for Keystone policies removed in Stein

This patch set adds a new feature flag called ``removed_keystone_policies_stein`` under the configuration group ``[policy-feature-enabled]`` for skipping Keystone tests whose policies were removed in Stein. This feature flag is currently applied to credentials-related policies, e.g.: identity:[create|update|get|delete]_credential More info on removed Keystone policies: https://review.openstack.org/#/c/597187/16 Change-Id: Ibd16e658d0e1367b46a2d6730f2b6970a95ae221
2018-10-31 01:21:48 -04:00 · 2018-10-31 01:21:48 -04:00 · c38aca7587
parent f63a834531
commit c38aca7587
4 changed files with 29 additions and 7 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -27,10 +27,10 @@ function install_patrole_tempest_plugin {
        iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_reserve_policy False
        iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_unreserve_policy False

+        # TODO(cl566n): Remove these once stable/pike becomes EOL.
        # These policies were removed in Stein but are available in Pike.
        iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
-
-        # TODO(cl566n): Policies used by Patrole testing. Remove these once stable/pike becomes EOL.
+        iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
        iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
    fi

@ -39,16 +39,17 @@ function install_patrole_tempest_plugin {
            RBAC_TEST_ROLE="Member"
        fi

+        # TODO(cl566n): Remove these once stable/queens becomes EOL.
        # These policies were removed in Stein but are available in Queens.
        iniset $TEMPEST_CONFIG policy-feature-enabled removed_nova_policies_stein False
-
-        # TODO(cl566n): Policies used by Patrole testing. Remove these once stable/queens becomes EOL.
+        iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
        iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
    fi

    if [[ ${DEVSTACK_SERIES} == 'rocky' ]]; then
        # TODO(cl566n): Policies used by Patrole testing. Remove these once stable/rocky becomes EOL.
        iniset $TEMPEST_CONFIG policy-feature-enabled added_cinder_policies_stein False
+        iniset $TEMPEST_CONFIG policy-feature-enabled removed_keystone_policies_stein False
    fi

    iniset $TEMPEST_CONFIG patrole rbac_test_role $RBAC_TEST_ROLE
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@ -162,11 +162,16 @@ was changed in a backwards-incompatible way."""),
                help="""Are the Nova API extension policies available in the
 cloud (e.g. os_compute_api:os-extended-availability-zone)? These policies were
 removed in Stein because Nova API extension concept was removed in Pike."""),
+    cfg.BoolOpt('removed_keystone_policies_stein',
+                default=True,
+                help="""Are the obsolete Keystone policies available in the
+cloud (e.g. identity:[create|update|get|delete]_credential)? These policies
+were removed in Stein."""),
    cfg.BoolOpt('added_cinder_policies_stein',
                default=True,
-                help="""Are the Cinder API extension policies available in the
-cloud (e.g. [create|update|get|delete]_encryption_policy)? These policies are
-added in Stein.""")
+                help="""Are the Cinder Stein policies available in the cloud
+(e.g. [create|update|get|delete]_encryption_policy)? These policies are added
+in Stein.""")
 ]


--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@ -13,13 +13,21 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+import testtools
+
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.identity import rbac_base

+CONF = config.CONF

+
+@testtools.skipIf(
+    CONF.policy_feature_enabled.removed_keystone_policies_stein,
+    "This policy is unavailable in Stein so cannot be tested.")
 class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):

    def _create_user_project_and_credential(self):
--- a/releasenotes/notes/removed-keystone-policies-stein-feature-flag-6cfebbf64ed525d7.yaml
+++ b/releasenotes/notes/removed-keystone-policies-stein-feature-flag-6cfebbf64ed525d7.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Added new feature flag called ``removed_keystone_policies_stein`` under
+    the configuration group ``[policy-feature-enabled]`` for skipping Keystone
+    tests whose policies were removed in Stein. This feature flag is currently
+    applied to credentials-related policies, e.g.:
+    identity:[create|update|get|delete]_credential