Commit Graph

983 Commits

Author SHA1 Message Date
Ghanshyam Mann b540700061 Retire patrole
Patrole project is not active anymore and its gate is broken.
We waited for a couple of cycles to see if there is any interest
in this project and anyone can maintain it. But we did not get any
new maintainers and current QA team does not have bandwidth/interest
to continue maintaining it.

This project was for RBAC testing which is moving towards unit/functional
tests on service side as well as tempest plugins tests.

In QA 2023.2 PTG, we decided to retire this project

- https://etherpad.opendev.org/p/qa-bobcat-ptg

Change-Id: I7721cf06104e5871ec27cdd87d4608dace60a8b7
2023-04-10 22:29:00 -05:00
Zuul aa7bc0dd9a Merge "Add cleanup for test_show_auto_allocated_topology test" 2022-04-25 07:46:36 +00:00
Ritchie, Frank (fr801x) f7d47d9c44 Update tempest to 30.0.0
This PS updates Tempest to 30.0.0. Due to

55414580c2

some refactoring was required around wait_for_interface_detach.

Additionally, the variables:

min_microversion
max_microversion

needed to be renamed to:

volume_min_microversion
volume_max_microversion

for volume related tests. See:

https://review.opendev.org/c/openstack/tempest/+/813676

Change-Id: Ie2183fdd2812d5d2fdfdc0815bf96e5c47a9f1e8
2022-04-01 16:46:31 -04:00
Lukas Piwowarski 4769f92f6b Add cleanup for test_show_auto_allocated_topology test
This patch makes sure that test_show_auto_allocated_topology
deletes resources that are created during its execution.

Before, the test didn't clean the following resources:
- network: auto_allocated_network
- subnets: auto_allocated_subnet_v4 & auto_allocated_subnet_v6
- router: auto_allocated_router

Story: 2007941
Task: 40406
Change-Id: I8cc77f7d47918d8329298ee32733d569294f11b7
2021-11-03 11:18:22 +01:00
Ghanshyam Mann 588c33d6d7 [Fix gate]: Cinder policy change handling in tests
Cinder policies are made more granular and now we need
to adjust the patrole tests to handle those changed policies.

This commit introduces a new flag so that we test the old
policies in stable branches and new one in Xena onwards.

Change-Id: I4be60e3e92704f8e55d3acdb0e025078ae5b21f1
2021-09-21 22:38:37 +00:00
Ghanshyam Mann 8cac133b6a Fix gate: fix the failing network, image, volume RBAC test
1. Image update member test is failing because image owner
itself tries to update the image member status but only
admin or that member can update it. Fixing this test.

2. Network tests are failing to create public network
on vxlan or so, fixing those with right parameters.

3. Volume type extra type specs is facing the race condition,
where same name specs is created for all the test which update
delete it. But still it fails so skipping this test too for now.

4. Skipping volume detach test for now, basically squashing
https://review.opendev.org/c/openstack/patrole/+/800594

Story: 2009210
Task: 43272
Story: 2009050
Task: 42820

Change-Id: I5fbcaf219d23d5c94a180c3447ca851d844e1dca
2021-09-11 03:58:10 +00:00
Sam Kumar f4bae14ce9 Fixed issue with backup delete
1) Updated class level create_backup function to wait for resource delete
2) Switched the wait_for_resource_deletion handler before delete_backup,
   the clean_up function uses list pop() to perform cleanup. The backup
   has to be deleted before the wait_handler is called

Depends-On https://review.opendev.org/c/openstack/tempest/+/781142

https://storyboard.openstack.org/#!/story/2008683

Change-Id: I6ebc6dcb729baa775e36026081cd8bbf0d5c203f
2021-04-02 19:50:03 +00:00
Ghanshyam Mann f64b81ed69 Fix gate for handling of deprecated rules and image client
oslo.policy has made the changes to not modify the
rule check
- https://review.opendev.org/c/openstack/oslo.policy/+/774112

Patrole code for handling the deprecated code needs to make
changes to work with latest oslo policy.

Also fix the image namespace clients to be admin which were
recently changed in Tempest side
- https://review.opendev.org/c/openstack/tempest/+/780108

Change-Id: I93d74d71a3e085ab4f08053db83354e86f3f2d14
2021-03-23 21:15:54 +00:00
Zuul 0bfba962e8 Merge "Reuse tempest to create admin client manager" 2021-01-26 02:32:36 +00:00
Zuul 7dbfe24945 Merge "Restore test user's original roles during clean up" 2021-01-26 00:27:57 +00:00
Zuul 428f6dc102 Merge "Remove the tests for unsupported Nova APIs" 2021-01-25 17:41:57 +00:00
Lingxian Kong 27f671f1a2 Reuse tempest to create admin client manager
The previous code doesn't support PreProvisionedCredentialProvider, it
was getting admin credentials from tempest config file which are not set
when using test_accounts_file.

Change-Id: Ia34d08ad659b095a114c27d6d596507f7922149a
2021-01-16 23:45:24 +13:00
Lingxian Kong b73e1088e0 Restore test user's original roles during clean up
Depends-On: https://review.opendev.org/c/openstack/patrole/+/770867
Change-Id: I965d9e280ef0a85dfe6b2e4000eb47e1d06fed77
2021-01-16 10:42:30 +13:00
Zuul cdccb47b1d Merge "Fix creating of client manager for network tests" 2021-01-15 09:51:32 +00:00
Lingxian Kong f5699576d8 Remove the tests for unsupported Nova APIs
Change-Id: Ib582c984796cbcd93fdb3a505d0b3fcdf6a2fbf2
2021-01-15 10:22:21 +13:00
Ghanshyam Mann 700c1db070 Remove stable/stein testing jobs
stable/stein is not supported in Patrole now, so
let's remove their jobs from master gate.

In order to pass the CI, the following changes are also made:
* Added skip for Nova policy
  "os_compute_api:os-admin-actions:reset_network", which was removed in
  https://review.opendev.org/c/openstack/nova/+/749315
* Removed openstack-tox-lower-constraints job for now until we have a
  solution.

Change-Id: Id73342c24342637edc37104f2112235a2edcac39
2021-01-06 10:50:47 +13:00
Lukas Piwowarski 65fef1de1c Fix creating of client manager for network tests
Patrole network tests fail when pre-provisioned credentials are
used (Could not find user).

This is caused by missing 'user_id' and 'tenant_id' parameters
in the client manager.

The reason why this happens only with network tests is because
when client manager from neutron_tempest_plugin is created
the set_auth() function which refills the credentials is not
called (in contrast with tempest's get_client_manager() function
where the set_auth() function is called).

This patch makes sure that client manager contains 'user_id'
and 'tenant_id' by refilling the credentials using the set_auth()
function.

Closes-Bug: 1846410
Change-Id: I01ea0da7e43923f50053d41ac069f3f913d5b728
2020-12-09 16:09:46 +00:00
Ghanshyam Mann 1b8838f189 Fix gate: Add feature flag for nova policies removed in Wallaby
This patch set adds a new feature flag called
``removed_nova_policies_wallaby`` under the configuration
group ``[policy-feature-enabled]`` for skipping Nova
tests whose policies were removed in Wallaby. This feature flag
is currently applied to os-agents which is removed in nova
recently - https://review.opendev.org/#/c/749309

Change-Id: Iaa0ddbdca454b93bd8373ce749603f28c5c59180
2020-11-17 14:15:05 +00:00
Doug Schveninger 89d9ff89fe Fix Extension gates by supporting Skip Exception in test case.
The test test_delete_auto_allocated_topology is the only
test in patrole that does a Skip test exception in the test_ method
so I had to add support to the rbac_rule_validation decorator
so the framework would allow the skip exception to be thrown
through the decorator and make it through to the unittest
framework as a skip. Let me know if anyone has a better
way to do this.  I am just trying to get all of the gates running.

FYI I am down to one testing in multinode that is only
supported by system scoped token in Nova so I think that
we will have to wait until tempest supports scope token and
then when patrole support them we should be able to get all
voting gate and non voting gates to work.

https://storyboard.openstack.org/#!/story/2008018

Change-Id: Id8a599c8754dfc10ffa5fa18c232a9afff180a8e
Story: 2008018
Task: 40670
2020-09-07 20:30:39 -05:00
Doug Schveninger 8746b77bfe fix patrole-multinode-member non-voting gate by skip_because a bug
the bug is due to a nova api that is allowed with a system scoped
token and patrole does not support them at this time.

https://storyboard.openstack.org/#!/story/2008051
Closes-Bug:2008051

Change-Id: I6963fdff199fca342620ab15948ce2c1d29c2c7a
2020-09-02 05:51:59 -05:00
Doug Schveninger 2c80e38e7c Get the patrole gate working due to Nova category changes in Victoria
for floating IP.  per [1] the action or category has changed in Nova
on a deprecated method per [2].

Used the existing nova victoria conf setting to support different
action or category for the floating ip apis

[1] https://github.com/openstack/nova/blob/master/nova/policies/floating_ips.py#L21
[2] https://docs.openstack.org/api-ref/compute/#floating-ips-os-floating-ips-deprecated

Change-Id: I0318aa910eb865171afb935aaf26a97182b6f381
2020-08-24 11:33:42 -05:00
Doug Schveninger a5b51b6f33 Shorten Identity project name due to 64 char limit.
Removed -testproject from identity project created using
setup_test_project since rand_name it already has tempest-
in front of the name. Adding -testproject to a project
provides no additional value on a name with restricted size limit.

Also removing -test_domain and -test_update_domain suffix from
domain name since they have a 64 char limit also.

remove -IdentityCosumer from test test_oauth_consumers_rbac.py.

Our downstream tooling we replace tempest- with shorter word
and unique id to find project, global and orphaned project resources
in test and production site. This will allow us to find resource
leaks and submit upstream corrections.

Change-Id: Ic4014938c4a2dae64892954d8638f9d8d519a234
2020-08-15 17:57:30 -05:00
Ghanshyam Mann cfac16a78c Fix gate for multiple issues
1. To have mock installed for unit tests

unit tests jobs use tempest version released in pypi
which has use of mock but in recent changed mock requirement
is removed from requirements file and it ends up failing.

- https://zuul.opendev.org/t/openstack/build/c3a33c501c054db9b1eecedb7d4b2c48

Let's add mock into the requirement file to be installed for unit tests
job until we bump the min version of tempest to latest.

2. Nova policy granular work
https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh-deprecated-apis+(status:open+OR+status:merged)
Adding new flag to handle the policy changed in Victoria.

Depends-On: https://review.opendev.org/#/c/745158/

Change-Id: I3683cca390b44146c217ce8600f63a9894057058
2020-08-14 11:49:39 +00:00
Hervé Beraud 7a69fa081c Stop to use the __future__ module.
The __future__ module [1] was used in this context to ensure compatibility
between python 2 and python 3.

We previously dropped the support of python 2.7 [2] and now we only support
python 3 so we don't need to continue to use this module and the imports
listed below.

Imports commonly used and their related PEPs:
- `division` is related to PEP 238 [3]
- `print_function` is related to PEP 3105 [4]
- `unicode_literals` is related to PEP 3112 [5]
- `with_statement` is related to PEP 343 [6]
- `absolute_import` is related to PEP 328 [7]

[1] https://docs.python.org/3/library/__future__.html
[2] https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html
[3] https://www.python.org/dev/peps/pep-0238
[4] https://www.python.org/dev/peps/pep-3105
[5] https://www.python.org/dev/peps/pep-3112
[6] https://www.python.org/dev/peps/pep-0343
[7] https://www.python.org/dev/peps/pep-0328

Change-Id: Iccbc3087d30712f30617349268b66bb7573f7bd4
2020-06-02 20:43:06 +02:00
Zuul b429f7916f Merge "Followup for grouping imports" 2020-05-08 23:53:26 +00:00
Zuul ae8ac5c787 Merge "Use unittest.mock instead of third party mock" 2020-05-08 23:53:25 +00:00
Vishakha Agarwal 14d076b120 Followup for grouping imports
This patch closes the comment [1], it groups the imports in
test_rbac_rule_validation.py

[1] https://review.opendev.org/#/c/720971/1/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py@22

Change-Id: I916796933dc4cee84229850ad87ea6190254d548
2020-05-09 03:02:14 +05:30
Sean McGinnis c5ea6f2cc7 Use unittest.mock instead of third party mock
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.

Change-Id: I017716842c61b814bbe16cc2b8788f160f4ad9cd
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
2020-05-08 16:15:18 -05:00
Ghanshyam Mann ee53f843fc Gate fix and update compute tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.

With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.

This commit updates the security group and server password
policy tests to move to new policies from ussuri onwards.

Also add the already fixed instance action policy in reno

Also fix the gate to parse the combining of deprecated rule
check_str with oslo policy parser instead of string processing.

Story: #2007585
Task: #39516

[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html

Change-Id: If661299231d548ce40a2e340b1ddb9ebe8d3f964
2020-04-22 02:57:42 +00:00
Andreas Jaeger 2aad808184 Update hacking for Python3
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.

Update hacking extension for newer flake8. Remove vi header check, this
is enabled as H106 already.

Fix problems found.

Change-Id: Ie4ccf0a1075995f5624a838388b6b0b46343129a
2020-04-02 15:56:12 +00:00
Ghanshyam Mann 84cb426c16 Update compute hypervisor tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.

With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.

This commit updates the hypervisors policy tests
to move to new policies from ussuri onwards.

[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html

Change-Id: Ic540a42be0b05fc7c53c7ca78f6ff8e5725340e1
2020-04-01 22:59:21 +00:00
Ghanshyam Mann be0154c17d Update compute instance-usage and agents tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.

With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.

This commit updates the os-instance-usage-audit-log and os-agents tests
to move to new policies from ussuri onwards.

[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html

Change-Id: I9eb2964c0ffb7022d52fc94c97bbd25c76b6d6d8
2020-03-31 15:12:37 -05:00
Zuul c98b68a536 Merge "Unskip test that relied on Neutron bug being fixed" 2020-03-28 02:35:48 +00:00
Ghanshyam Mann 7564244a25 Update compute tests to adopt new policies
Nova is moving to new policy defaults in ussuri[1] where
few policies are made more granular to adopt the new defaults.

With granularity in few policies make change in policy name so
we have update the patrole tests to start checking against the
new policy names from ussuri onwards.

This commit updates the os-deferred_delete and os-attach-interfaces
tests to move to new policies from ussuri onwards.

[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html

Change-Id: I399e9e2bf944cfbba4b47f05ba2f529cbc1b9ea1
2020-03-26 00:28:02 +00:00
Rick Bartra 595e61d17c Unskip test that relied on Neutron bug being fixed
'test_delete_flavor_service_profile' no longer has to be skipped as
Launchpad bug 1843290 is now fixed.

Change-Id: Ibe3ddbb18c289662940f442d6d75236f04a6b2cb
2020-03-21 23:31:46 +00:00
Rick Bartra 39ad28a2a8 Add skip check to tests that modify the user source
When using an immutable user source, test should skip if the
test tries to modify the user source. This includes creating,
updating and deleting users. A similar change was merged here:
https://review.opendev.org/#/c/670590/

Change-Id: If7c6ae7fc57a4ac256cf668c4075ee86143202ea
2020-01-13 15:03:07 +00:00
Rick Bartra f8923d1ddf fix: admin and member gates are broken
The patrole-admin and patrole-member gates are broken because they
are trying to test a policy action ('os_compute_api:os-services') that
was changed in the Ussuri release. This commit adds a new policy feature
flag so that this policy test is backwards compatible.

Change-Id: Ia80279ae8ffcc17f10bed05338c41d0c23eea063
2020-01-06 14:31:29 -05:00
Zuul 45f01b7417 Merge "Fix missing "raise" before cls.skipException" 2019-10-11 01:25:52 +00:00
Zuul 0bc9d14ede Merge "fix patrole-multinode-admin non-voting gate" 2019-09-27 21:44:33 +00:00
zhufl 8ca82d8506 Fix missing "raise" before cls.skipException
"raise" is missing before cls.skipException in
test_auto_allocated_topology_rbac.py, this is to fix it.

Change-Id: I8a516bcc2899a38e82f56d955f40364d5dd7929f
2019-09-23 09:25:57 +08:00
Zuul a858df4643 Merge "Add tests for new Trusts policy actions" 2019-09-21 04:40:49 +00:00
Zuul 8629ba5b60 Merge "Fix router leak from L3AgentsExtRbacTest class" 2019-09-20 21:45:24 +00:00
Rick Bartra acd2d568f5 Skip 'test_delete_flavor_service_profile'
This commit skips 'test_delete_flavor_service_profile' until
https://bugs.launchpad.net/neutron/+bug/1843290 is resolved. Once
the bug is fixed, a new commit will be made to unskip this test.

Change-Id: Iec98f28994e05623fe6c93fe3c7cc26199e99643
2019-09-19 13:34:06 +00:00
Zuul d9b68e81a0 Merge "Replace cls.__class__.__name__ with cls.__name__" 2019-09-19 10:38:33 +00:00
Rick Bartra 97fffede9e fix: admin, member, and reader gates broken
Recent changes in Keystone to move trust enforcement [0] to default
policies is currently breaking several voting gates in Patrole.
This commit updates the trusts_rbac tests to account for these changes.

Additionally, 'test_list_trusts' is updated so that it does indeed test
'identity:list_trusts'. If a 'trustor_user_id' or 'trustee_user_id' is passed
into list_trusts() then a different policy action will be enforced. A future
commit will add tests for the actions added here [1].

Added new feature flag called ``keystone_policy_enforcement_train`` under
the configuration group ``[policy-feature-enabled]`` to make ``test_list_trusts``
test backwards compatible, test the current release, and test the correct policy
action. The Keystone Trust API is enforced differently depending on passed arguments.

The new feature flag is needed so that all the voting gates pass, otherwise the
'test_list_trusts' is not backwards compatible and would not test the correct
policy action in the current release.

[0] https://review.opendev.org/#/q/topic:trust-policies+(status:open+OR+status:merged)
[1] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py

Change-Id: Ia5661e12977b26e1c16f09a074d1a805263c6c22
2019-09-12 23:57:40 -04:00
Rick Bartra 544b807baf fix patrole-multinode-admin non-voting gate
The 'patrole-multinode-admin' non-voting gate seems to consistently
fail ServerVolumeAttachmentRbacTest tearDownClass. The failure is coming
from 'test_update_volume_attachment' with the following error message:

Invalid volume: Volume status must be available or error or error_restoring
or error_extending or error_managing and must not be migrating, attached,
belong to a group, have snapshots or be disassociated from snapshots after
volume transfer.'}

The fix is to detach the volume and wait until the detached volume reaches
the 'available' state.

Change-Id: I195115c0d61d15a62cabf3f2b736affbd855cefd
2019-09-11 23:46:58 -04:00
Rick Bartra b28337c1cb Fix router leak from L3AgentsExtRbacTest class
The 'test_list_l3_agents_on_router' test leaves behind a router as a
resource leak. A class resource cleanup is added so that the router
is not left behind once the test runs.

Change-Id: Id393ea75e59fe26da598723993593f6759d594f5
2019-09-11 23:08:45 -04:00
Rick Bartra abfd456b54 Add tests for new Trusts policy actions
New Trusts policy actions were added in Train [0]. This commit adds tests
for the following new policy actions:

- 'identity:list_trusts_for_trustor'
- 'identity:list_trusts_for_trustee'

[0] https://review.opendev.org/#/c/675807/10/keystone/common/policies/trust.py

Change-Id: Iea1a40992f4ab1c8deb4a88587d2662475ad6b26
2019-09-11 21:54:18 -04:00
Doug Schveninger cb096146d7 Fix resource leaks in IdentityPolicyAssociationRbacTest class
The IdentityPolicyAssociationRbacTest,
IdentityEndpointsV3RbacTest and EndpointFilterProjectsV3RbacTest
test cases were leaking region resources on the endpoint create
and just using tempest- in the region description.
The following changes to fix the leaks and make them easier to
find in the future, if they happen.

1) move setup_test_endpoint to the v3 class to have access to the
region client and get the region id created when the endpoint
created so I can add it to the resource clean-up.
2) add a rand_name for the region id not just the description
so we know that tempest- created it.

Change-Id: I3bd5bf02ef6d434ccba65a5a732e550b007a2309
2019-09-04 23:10:02 -05:00
zhufl 94f5f07d9b Replace cls.__class__.__name__ with cls.__name__
This is to replace cls.__class__.__name__ with cls.__name__.

Change-Id: I18fa42128bccb92ecbc1d93e52b55795ae43b52b
2019-08-28 14:17:05 +08:00