Patrole project is not active anymore and its gate is broken.
We waited for couple of cycle to see if there is any interest
in this project and anyone can maintain it. But we did not get any
new maintainers and current QA team does not have bandwidth/interest
to continue maintaining it.
This project was for RBAc testing which is moving towards unit/functional
tests on service side as well as tempest plugins tests.
In QA 2023.2 PTG, we decided to retire this project
- https://etherpad.opendev.org/p/qa-bobcat-ptg
Change-Id: I7721cf06104e5871ec27cdd87d4608dace60a8b7
This PS updates Tempest to 30.0.0. Due to
55414580c2
some refactoring was required around wait_for_interface_detach.
Additionally, the variables:
min_microversion
max_microversion
needed to be renamed to:
volume_min_microversion
volume_max_microversion
for volume related tests. See:
https://review.opendev.org/c/openstack/tempest/+/813676
Change-Id: Ie2183fdd2812d5d2fdfdc0815bf96e5c47a9f1e8
This patch makes sure that test_show_auto_allocated_topology
deletes resources that are created during its execution.
Before, the test didn't clean the following resources:
- network: auto_allocated_network
- subnets: auto_allocated_subnet_v4 & auto_allocated_subnet_v6
- router: auto_allocated_router
Story: 2007941
Task: 40406
Change-Id: I8cc77f7d47918d8329298ee32733d569294f11b7
Cinder policies are made more granular and now we need
to adjust the patrole tests to handle those changed policies.
This commit introduces a new flag so that we test the old
policies in stable branches and new one in Xena onwards.
Change-Id: I4be60e3e92704f8e55d3acdb0e025078ae5b21f1
1. Image update member test is failing because image owner
itself try to update the image member status but only
admin or that member can update it. Fixing this test.
2. Network tests are failing to create public network
on vxlan or so, fixing those with right parameters.
3. Volume type extra type specs is facing the race condition,
where same name specs is created for all the test which update
delete it. But still it fails so skipping this test too for now.
4. Skipping volume detach test for now, basically squashing
https://review.opendev.org/c/openstack/patrole/+/800594
Story: 2009210
Task: 43272
Story: 2009050
Task: 42820
Change-Id: I5fbcaf219d23d5c94a180c3447ca851d844e1dca
1) Updated class level create_backup function to wait for resource delete
2) Switched the wait_for_resource_deletion handler before delete_backup,
the clean_up function uses list pop() to perform cleanup. The backup
has to be deleted before the wait_handler is called
Depends-On https://review.opendev.org/c/openstack/tempest/+/781142https://storyboard.openstack.org/#!/story/2008683
Change-Id: I6ebc6dcb729baa775e36026081cd8bbf0d5c203f
The previous code doesn't support PreProvisionedCredentialProvider, it
was getting admin credentials from tempest config file which are not set
when using test_accounts_file.
Change-Id: Ia34d08ad659b095a114c27d6d596507f7922149a
stable/stein is not suported in Patrole now, so
let's remove their jobs from master gate.
In order to pass the CI, the following changes are also made:
* Added skip for Nova policy
"os_compute_api:os-admin-actions:reset_network", which was removed in
https://review.opendev.org/c/openstack/nova/+/749315
* Removed openstack-tox-lower-constraints job for now until we have a
solution.
Change-Id: Id73342c24342637edc37104f2112235a2edcac39
Patrole network tests fail when pre-provisioned credentials are
used (Could not find user).
This is caused by missing 'user_id' and 'tenant_id' parameters
in the client manager.
The reason why this happens only with network tests is because
when client manager from neutron_tempest_plugin is created
the set_auth() function which refills the credentials is not
called (in contrast with tempest's get_client_manager() function
where the set_auth() function is called).
This patch makes sure that client manager contains 'user_id'
and 'tenant_id' by refilling the credentials using the set_auth()
function.
Closes-Bug: 1846410
Change-Id: I01ea0da7e43923f50053d41ac069f3f913d5b728
This patch set adds a new feature flag called
``removed_nova_policies_wallaby`` under the configuration
group ``[policy-feature-enabled]`` for skipping Nova
tests whose policies were removed in Wallaby. This feature flag
is currently applied to os-agents which is removed in nova
recently - https://review.opendev.org/#/c/749309
Change-Id: Iaa0ddbdca454b93bd8373ce749603f28c5c59180
The test test_delete_auto_allocated_topology is the only
test in patrole that does a Skip test exception in the test_ method
so I had to add support to the rbac_rule_validation decorator
so the framework would allow the skip exception to be thrown
through the decorator and make it through to the unittest
framework as a skip. Let me know if anyone has a better
way to do this. I am just trying to get all of the gates running.
FYI I am down to one testing in multinode that is only
supported by system scoped token in Nova so I think that
we will have to wait until tempest supports scope token and
then when patrole support them we should be able to get all
voting gate and non voting gates to work.
https://storyboard.openstack.org/#!/story/2008018
Change-Id: Id8a599c8754dfc10ffa5fa18c232a9afff180a8e
Story: 2008018
Task: 40670
the bug is due to a nova api that is allowed with a system scoped
token and patrole does not support them at this time.
https://storyboard.openstack.org/#!/story/2008051
Closes-Bug:2008051
Change-Id: I6963fdff199fca342620ab15948ce2c1d29c2c7a
Removed -testproject from identity project created using
setup_test_project since rand_name it already has tempest-
in front of the name. Adding -testproject to a project
provides no additional value on a name with restricted size limit.
Also removing -test_domain and -test_update_domain sufix from
domain name since they have a 64 char limit also.
remove -IdentityCosumer from test test_oauth_consumers_rbac.py.
Our downstream tooling we replace tempest- with shorter word
and unique id to find project, global and orphaned project resources
in test and production site. This will allow us to find resource
leaks and submit upstream corrections.
Change-Id: Ic4014938c4a2dae64892954d8638f9d8d519a234
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.
Change-Id: I017716842c61b814bbe16cc2b8788f160f4ad9cd
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Nova is moving to new policy defaults in ussuri[1] where
few polciies are made more granular to adopt the new defaults.
With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.
This commit updates the security group and server password
policy tests to move to new policies from ussuri onwards.
Also add the already fixed instance action policy in reno
Also fix the gate to parse the combining of deprecated rule
check_str with oslo policy parser instead of string processing.
Story: #2007585
Task: #39516
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
Change-Id: If661299231d548ce40a2e340b1ddb9ebe8d3f964
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Update hacking extension for newer flake8. Remove vi header check, this
is enabled as H106 already.
Fix problems found.
Change-Id: Ie4ccf0a1075995f5624a838388b6b0b46343129a
Nova is moving to new policy defaults in ussuri[1] where
few polciies are made more granular to adopt the new defaults.
With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.
This commit updates the hypervisors policy tests
to move to new policies from ussuri onwards.
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
Change-Id: Ic540a42be0b05fc7c53c7ca78f6ff8e5725340e1
Nova is moving to new policy defaults in ussuri[1] where
few polciies are made more granular to adopt the new defaults.
With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.
This commit updates the os-instance-usage-audit-log and os-agents tests
to move to new policies from ussuri onwards.
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
Change-Id: I9eb2964c0ffb7022d52fc94c97bbd25c76b6d6d8
Nova is moving to new policy defaults in ussuri[1] where
few polciies are made more granular to adopt the new defaults.
With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.
This commit updates the os-deferred_delete and os-attach-interfaces
tests to move to new policies from ussuri onwards.
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
Change-Id: I399e9e2bf944cfbba4b47f05ba2f529cbc1b9ea1
'test_delete_flavor_service_profile' no longer has to be skipped as
Launchpad bug 1843290 is now fixed.
Change-Id: Ibe3ddbb18c289662940f442d6d75236f04a6b2cb
When using an immutable user source, test should skip if the
test tries to modify the user source. This includes creating,
updating and deleting users. A similar change was merged here:
https://review.opendev.org/#/c/670590/
Change-Id: If7c6ae7fc57a4ac256cf668c4075ee86143202ea
The patrole-admin and patrole-member gates are broken because they
are trying to test a policy action ('os_compute_api:os-services') that
was changed in the Ussuri release. This commit adds a new policy feature
flag so that this policy test is backwards compatible.
Change-Id: Ia80279ae8ffcc17f10bed05338c41d0c23eea063
"raise" is missing before cls.skipException in
test_auto_allocated_topology_rbac.py, this is to fix it.
Change-Id: I8a516bcc2899a38e82f56d955f40364d5dd7929f
This commit skips 'test_delete_flavor_service_profile' until
https://bugs.launchpad.net/neutron/+bug/1843290 is resolved. Once
the bug is fixed, a new commit will be made to unskip this test.
Change-Id: Iec98f28994e05623fe6c93fe3c7cc26199e99643
Recent changes in Keystone to move trust enforcement [0] to default
policies is currently breaking several voting gates in Patrole.
This commit updates the trusts_rbac tests to account for these changes.
Additionally, 'test_list_trusts' is updated so that it does indeed test
'identity:list_trusts'. If a 'trustor_user_id' or 'trustee_user_id' is passed
into list_trusts() then a different policy action will be enforced. A future
commit will add tests for the actions added here [1].
Added new feature flag called ``keystone_policy_enforcement_train`` under
the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts``
test backwards compatible, test the current release, and test the correct policy
action. The Keystone Trust API is enforced differently depending on passed arguments.
The new feature flag is needed so that all the voting gates pass, otherwise the
'test_list_trusts' is not backwards compatible and would not test the correct
policy action in the current release.
[0] https://review.opendev.org/#/q/topic:trust-policies+(status:open+OR+status:merged)
[1] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py
Change-Id: Ia5661e12977b26e1c16f09a074d1a805263c6c22
The 'patrole-multinode-admin' non-voting gate seems to consistently
fail ServerVolumeAttachmentRbacTest tearDownClass. The failure is coming
from 'test_update_volume_attachment' with the following error message:
Invalid volume: Volume status must be available or error or error_restoring
or error_extending or error_managing and must not be migrating, attached,
belong to a group, have snapshots or be disassociated from snapshots after
volume transfer.'}
The fix is to detach the volume and wait until the detached volume reaches
the 'available' state.
Change-Id: I195115c0d61d15a62cabf3f2b736affbd855cefd
The 'test_list_l3_agents_on_router' test leaves behind a router as a
resource leak. A class resource cleanup is added so that the router
is not left behind once the test runs.
Change-Id: Id393ea75e59fe26da598723993593f6759d594f5
New Trusts policy actions were added in Train [0]. This commit adds tests
for the following new policy actions:
- 'identity:list_trusts_for_trustor'
- 'identity:list_trusts_for_trustee'
[0] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py
Change-Id: Iea1a40992f4ab1c8deb4a88587d2662475ad6b26
The IdentityPolicyAssociationRbacTest,
IdentityEndpointsV3RbacTest and EndpointFilterProjectsV3RbacTest
test cases were leaking region resources on the endpoint create
and just using tempest- in the region description.
The following changes to fix the leaks and make them easier to
find in the future, if they happen.
1) move setup_test_endpoint to the v3 class to have access to the
region client and get the region id created when the endpoint
created so I can add it to the resource clean-up.
2) add a rand_name for the region id not just the description
so we know that tempest- created it.
Change-Id: I3bd5bf02ef6d434ccba65a5a732e550b007a2309