Merge "feature flag: Policy feature enabled config group"

devstack/plugin.sh

@@ -10,16 +10,25 @@
 XTRACE=$(set +o | grep xtrace)
 set -o xtrace
 
-function install_patrole_tempest_plugin() {
-    if is_service_enabled tempest; then
-        setup_package $PATROLE_DIR -e
+function install_patrole_tempest_plugin {
+    setup_package $PATROLE_DIR -e
 
-        if [[ "$RBAC_TEST_ROLE" == "member" ]]; then
-            RBAC_TEST_ROLE="Member"
-        fi
+    if [[ "$RBAC_TEST_ROLE" == "member" ]]; then
+        RBAC_TEST_ROLE="Member"
+    fi
 
-        iniset $TEMPEST_CONFIG patrole enable_rbac True
-        iniset $TEMPEST_CONFIG patrole rbac_test_role $RBAC_TEST_ROLE
+    iniset $TEMPEST_CONFIG patrole enable_rbac True
+    iniset $TEMPEST_CONFIG patrole rbac_test_role $RBAC_TEST_ROLE
+
+    if [[ ${DEVSTACK_SERIES} == 'pike' ]]; then
+        # Policies used by Patrole testing that were changed in a backwards-incompatible way.
+        # TODO(fmontei): Remove these once stable/pike becomes EOL.
+        iniset $TEMPEST_CONFIG policy-feature-enabled create_port_fixed_ips_ip_address_policy False
+        iniset $TEMPEST_CONFIG policy-feature-enabled update_port_fixed_ips_ip_address_policy False
+        iniset $TEMPEST_CONFIG policy-feature-enabled limits_extension_used_limits_policy False
+        iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_attach_policy False
+        iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_reserve_policy False
+        iniset $TEMPEST_CONFIG policy-feature-enabled volume_extension_volume_actions_unreserve_policy False
     fi
 }
 

etc/patrole.conf.sample

@@ -100,3 +100,46 @@
 # is logged. This is combined withreport_log_name to generate the full
 # path. (string value)
 #report_log_path = .
+
+
+[policy-feature-enabled]
+
+#
+# From patrole.config
+#
+
+# Is the Neutron policy
+# "create_port:fixed_ips:ip_address" available in the cloud? This
+# policy was
+# changed in a backwards-incompatible way. (boolean value)
+#create_port_fixed_ips_ip_address_policy = true
+
+# Is the Neutron policy
+# "update_port:fixed_ips:ip_address" available in the cloud? This
+# policy was
+# changed in a backwards-incompatible way. (boolean value)
+#update_port_fixed_ips_ip_address_policy = true
+
+# Is the Cinder policy
+# "limits_extension:used_limits" available in the cloud? This policy
+# was
+# changed in a backwards-incompatible way. (boolean value)
+#limits_extension_used_limits_policy = true
+
+# Is the Cinder policy
+# "volume_extension:volume_actions:attach" available in the cloud?
+# This policy
+# was changed in a backwards-incompatible way. (boolean value)
+#volume_extension_volume_actions_attach_policy = true
+
+# Is the Cinder policy
+# "volume_extension:volume_actions:reserve" available in the cloud?
+# This policy
+# was changed in a backwards-incompatible way. (boolean value)
+#volume_extension_volume_actions_reserve_policy = true
+
+# Is the Cinder policy
+# "volume_extension:volume_actions:unreserve" available in the cloud?
+# This policy
+# was changed in a backwards-incompatible way. (boolean value)
+#volume_extension_volume_actions_unreserve_policy = true

patrole_tempest_plugin/config.py

@@ -94,6 +94,7 @@ allowed_role = the Keystone role that is allowed to perform the API
 patrole_log_group = cfg.OptGroup(
     name='patrole_log', title='Patrole Logging Options')
 
+
 PatroleLogGroup = [
     cfg.BoolOpt('enable_reporting',
                 default=False,
@@ -112,6 +113,47 @@ PatroleLogGroup = [
 ]
 
 
+policy_feature_enabled = cfg.OptGroup(
+    name='policy-feature-enabled',
+    title='Feature Flags for New or Changed Policies')
+
+
+PolicyFeatureEnabledGroup = [
+    # TODO(felipemonteiro): The 6 feature flags below should be removed after
+    # Pike is EOL.
+    cfg.BoolOpt('create_port_fixed_ips_ip_address_policy',
+                default=True,
+                help="""Is the Neutron policy
+"create_port:fixed_ips:ip_address" available in the cloud? This policy was
+changed in a backwards-incompatible way."""),
+    cfg.BoolOpt('update_port_fixed_ips_ip_address_policy',
+                default=True,
+                help="""Is the Neutron policy
+"update_port:fixed_ips:ip_address" available in the cloud? This policy was
+changed in a backwards-incompatible way."""),
+    cfg.BoolOpt('limits_extension_used_limits_policy',
+                default=True,
+                help="""Is the Cinder policy
+"limits_extension:used_limits" available in the cloud? This policy was
+changed in a backwards-incompatible way."""),
+    cfg.BoolOpt('volume_extension_volume_actions_attach_policy',
+                default=True,
+                help="""Is the Cinder policy
+"volume_extension:volume_actions:attach" available in the cloud? This policy
+was changed in a backwards-incompatible way."""),
+    cfg.BoolOpt('volume_extension_volume_actions_reserve_policy',
+                default=True,
+                help="""Is the Cinder policy
+"volume_extension:volume_actions:reserve" available in the cloud? This policy
+was changed in a backwards-incompatible way."""),
+    cfg.BoolOpt('volume_extension_volume_actions_unreserve_policy',
+                default=True,
+                help="""Is the Cinder policy
+"volume_extension:volume_actions:unreserve" available in the cloud? This policy
+was changed in a backwards-incompatible way.""")
+]
+
+
 def list_opts():
     """Return a list of oslo.config options available.
 
@@ -120,7 +162,9 @@ def list_opts():
     """
     opt_list = [
         (patrole_group, PatroleGroup),
-        (patrole_log_group, PatroleLogGroup)
+        (patrole_log_group, PatroleLogGroup),
+        (policy_feature_enabled, PolicyFeatureEnabledGroup)
+
     ]
 
     return opt_list

patrole_tempest_plugin/plugin.py

@@ -21,7 +21,7 @@ from oslo_concurrency import lockutils
 from tempest import config
 from tempest.test_discover import plugins
 
-from patrole_tempest_plugin import config as project_config
+from patrole_tempest_plugin import config as pconfig
 
 RBACLOG = logging.getLogger('rbac_reporting')
 
@@ -64,16 +64,23 @@ class PatroleTempestPlugin(plugins.TempestPlugin):
     def register_opts(self, conf):
         config.register_opt_group(
             conf,
-            project_config.patrole_group,
-            project_config.PatroleGroup)
+            pconfig.patrole_group,
+            pconfig.PatroleGroup)
         config.register_opt_group(
             conf,
-            project_config.patrole_log_group,
-            project_config.PatroleLogGroup)
+            pconfig.patrole_log_group,
+            pconfig.PatroleLogGroup)
+        config.register_opt_group(
+            conf,
+            pconfig.policy_feature_enabled,
+            pconfig.PolicyFeatureEnabledGroup)
 
         if conf.patrole_log.enable_reporting:
             self._configure_per_test_logging(conf)
 
     def get_opt_lists(self):
-        return [(project_config.patrole_group.name,
-                 project_config.PatroleGroup)]
+        return [
+            (pconfig.patrole_group.name, pconfig.PatroleGroup),
+            (pconfig.policy_feature_enabled.name,
+                pconfig.PolicyFeatureEnabledGroup)
+        ]

patrole_tempest_plugin/tests/api/network/test_ports_rbac.py

@@ -15,6 +15,7 @@
 #
 
 import netaddr
+import testtools
 
 from tempest.common import utils
 from tempest.common.utils import net_utils
@@ -106,6 +107,9 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
         with self.rbac_utils.override_role(self):
             self.create_port(**post_body)
 
+    @testtools.skipUnless(
+        CONF.policy_feature_enabled.create_port_fixed_ips_ip_address_policy,
+        '"create_port:fixed_ips:ip_address" must be available in the cloud.')
     @rbac_rule_validation.action(service="neutron",
                                  rule="create_port:fixed_ips:ip_address")
     @decorators.idempotent_id('2551e10d-006a-413c-925a-8c6f834c09ac')
@@ -268,6 +272,9 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
         self.addCleanup(self.ports_client.update_port, self.port['id'],
                         mac_address=original_mac_address)
 
+    @testtools.skipUnless(
+        CONF.policy_feature_enabled.update_port_fixed_ips_ip_address_policy,
+        '"update_port:fixed_ips:ip_address" must be available in the cloud.')
     @rbac_rule_validation.action(service="neutron",
                                  rule="update_port:fixed_ips:ip_address")
     @decorators.idempotent_id('c091c825-532b-4c6f-a14f-affd3259c1c3')

patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py

@@ -13,16 +13,24 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import testtools
+
+from tempest import config
 from tempest.lib import decorators
 
 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.volume import rbac_base
 
+CONF = config.CONF
+
 
 class LimitsV3RbacTest(rbac_base.BaseVolumeRbacTest):
     _api_version = 3
 
+    @testtools.skipUnless(
+        CONF.policy_feature_enabled.limits_extension_used_limits_policy,
+        '"limits_extension:used_limits" must be available in the cloud.')
     @decorators.idempotent_id('dab04510-5b86-4479-a633-6e496ff405af')
     @rbac_rule_validation.action(service="cinder",
                                  rule="limits_extension:used_limits")

patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py

@@ -13,6 +13,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import testtools
+
 from tempest.common import compute
 from tempest.common import utils
 from tempest.common import waiters
@@ -65,6 +67,11 @@ class VolumesActionsV3RbacTest(rbac_base.BaseVolumeRbacTest):
         waiters.wait_for_volume_resource_status(
             self.volumes_client, volume_id, 'available')
 
+    @testtools.skipUnless(
+        CONF.policy_feature_enabled
+        .volume_extension_volume_actions_attach_policy,
+        '"volume_extension:volume_actions:attach" must be available in the '
+        'cloud.')
     @utils.services('compute')
     @rbac_rule_validation.action(
         service="cinder",
@@ -151,6 +158,11 @@ class VolumesActionsV3RbacTest(rbac_base.BaseVolumeRbacTest):
             self.volumes_client.set_bootable_volume(self.volume['id'],
                                                     bootable=True)
 
+    @testtools.skipUnless(
+        CONF.policy_feature_enabled
+        .volume_extension_volume_actions_reserve_policy,
+        '"volume_extension:volume_actions:reserve" must be available in the '
+        'cloud.')
     @decorators.idempotent_id('41566922-75a1-4484-99c7-9c8782ee99ac')
     @rbac_rule_validation.action(
         service="cinder",
@@ -159,6 +171,11 @@ class VolumesActionsV3RbacTest(rbac_base.BaseVolumeRbacTest):
         with self.rbac_utils.override_role(self):
             self.volumes_client.reserve_volume(self.volume['id'])
 
+    @testtools.skipUnless(
+        CONF.policy_feature_enabled
+        .volume_extension_volume_actions_unreserve_policy,
+        '"volume_extension:volume_actions:unreserve" must be available in the '
+        'cloud.')
     @decorators.idempotent_id('e5fa9564-77d9-4e57-b0c0-3e0ae4d08535')
     @rbac_rule_validation.action(
         service="cinder",

releasenotes/notes/backwards-incompatible-rule-feature-flag-ebe8b44c0aa663a8.yaml

@@ -0,0 +1,16 @@
+---
+features:
+  - |
+    A new configuration group ``[policy_feature_enabled]`` has been added to
+    Patrole which will be responsible for collecting the feature flags to be
+    used for newly introduced policies or policies that were changed in a
+    backwards-incompatible way.
+
+    * create_port_fixed_ips_ip_address_policy (Neutron)
+    * update_port_fixed_ips_ip_address_policy (Neutron)
+    * limits_extension_used_limits_policy (Cinder)
+    * volume_extension_volume_actions_attach_policy (Cinder)
+    * volume_extension_volume_actions_reserve_policy (Cinder)
+    * volume_extension_volume_actions_unreserve_policy (Cinder)
+
+    These feature flags will be supported until Pike release cycle is EOL.