diff --git a/.zuul.yaml b/.zuul.yaml index 27001af..528ca0b 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -5,43 +5,70 @@ check: jobs: - cinder-tempest-plugin-lvm-lio-barbican - - cinder-tempest-plugin-lvm-lio-barbican-centos-8: + - cinder-tempest-plugin-lvm-lio-barbican-centos-8-stream: voting: false - cinder-tempest-plugin-lvm-tgt-barbican + - nova-ceph-multistore: + voting: false - cinder-tempest-plugin-cbak-ceph + - cinder-tempest-plugin-cbak-s3 + - cinder-tempest-plugin-basic-wallaby - cinder-tempest-plugin-basic-victoria - cinder-tempest-plugin-basic-ussuri - cinder-tempest-plugin-basic-train + # Set this job to voting once we have some actual tests to run + - cinder-tempest-plugin-protection-functional: + voting: false gate: jobs: - cinder-tempest-plugin-lvm-lio-barbican - cinder-tempest-plugin-lvm-tgt-barbican - cinder-tempest-plugin-cbak-ceph - -- job: - name: cinder-tempest-plugin-lvm-barbican-base + experimental: + jobs: + - cinder-tempest-plugin-cbak-ceph-wallaby + - cinder-tempest-plugin-cbak-ceph-victoria + - cinder-tempest-plugin-cbak-ceph-ussuri + - cinder-tempest-plugin-cbak-ceph-train + +- job: + name: cinder-tempest-plugin-protection-functional + parent: devstack-tempest + required-projects: + - opendev.org/openstack/cinder-tempest-plugin + - opendev.org/openstack/cinder + vars: + tox_envlist: all + tempest_test_regex: 'cinder_tempest_plugin.rbac' + devstack_local_conf: + test-config: + $CINDER_CONF: + oslo_policy: + enforce_new_defaults: True + $TEMPEST_CONFIG: + enforce_scope: + cinder: True + tempest_plugins: + - cinder-tempest-plugin + +- job: + name: cinder-tempest-plugin-lvm-barbican-base-abstract description: | This is a base job for lvm with lio & tgt targets parent: devstack-tempest + abstract: true timeout: 10800 - roles: - - zuul: opendev.org/openstack/cinderlib required-projects: - opendev.org/openstack/barbican - opendev.org/openstack/tempest - opendev.org/openstack/cinder-tempest-plugin - opendev.org/openstack/cinder - - opendev.org/openstack/cinderlib - run: playbooks/tempest-and-cinderlib-run.yaml - # Required to collect the tox-based logs of the cinderlib functional tests - post-run: playbooks/post-cinderlib.yaml host-vars: controller: devstack_plugins: barbican: https://opendev.org/openstack/barbican vars: tempest_test_regex: '(^tempest\.(api|scenario)|(^cinder_tempest_plugin))' - tempest_test_blacklist: '{{ ansible_user_dir }}/{{ zuul.projects["opendev.org/openstack/tempest"].src_dir }}/tools/tempest-integrated-gate-storage-blacklist.txt' tox_envlist: all devstack_localrc: CINDER_LVM_TYPE: thin @@ -59,21 +86,49 @@ barbican: true tempest_plugins: - cinder-tempest-plugin - fetch_subunit_output_additional_dirs: - - "{{ ansible_user_dir }}/{{ zuul.projects['opendev.org/openstack/cinderlib'].src_dir }}" irrelevant-files: - ^.*\.rst$ - ^doc/.*$ - ^releasenotes/.*$ - job: + name: cinder-tempest-plugin-lvm-barbican-base + description: | + This is a base job for lvm with lio & tgt targets + with cinderlib tests. + branches: ^(?!stable/(ocata|pike|queens|rocky|stein)).*$ + parent: cinder-tempest-plugin-lvm-barbican-base-abstract + roles: + - zuul: opendev.org/openstack/cinderlib + required-projects: + - opendev.org/openstack/cinderlib + run: playbooks/tempest-and-cinderlib-run.yaml + # Required to collect the tox-based logs of the cinderlib functional tests + post-run: playbooks/post-cinderlib.yaml + vars: + fetch_subunit_output_additional_dirs: + - "{{ ansible_user_dir }}/{{ zuul.projects['opendev.org/openstack/cinderlib'].src_dir }}" + tempest_test_exclude_list: '{{ ansible_user_dir }}/{{ zuul.projects["opendev.org/openstack/tempest"].src_dir }}/tools/tempest-integrated-gate-storage-exclude-list.txt' + +- job: + name: cinder-tempest-plugin-lvm-barbican-base + description: | + This is a base job for lvm with lio & tgt targets + branches: ^(?=stable/(ocata|pike|queens|rocky|stein)).*$ + parent: cinder-tempest-plugin-lvm-barbican-base-abstract + required-projects: + - name: opendev.org/openstack/cinder-tempest-plugin + override-checkout: stein-last + vars: + tempest_test_blacklist: '{{ ansible_user_dir }}/{{ zuul.projects["opendev.org/openstack/tempest"].src_dir }}/tools/tempest-integrated-gate-storage-blacklist.txt' + +- job: name: cinder-tempest-plugin-cbak-ceph parent: devstack-plugin-ceph-tempest-py3 description: | Integration tests that runs with the ceph devstack plugin, py3 and enable the backup service. vars: - tempest_black_regex: '(VolumesBackupsTest.test_bootable_volume_backup_and_restore|TestVolumeBackupRestore.test_volume_backup_restore)' devstack_local_conf: test-config: $TEMPEST_CONFIG: @@ -82,13 +137,36 @@ devstack_services: c-bak: true +- job: + name: cinder-tempest-plugin-cbak-ceph-wallaby + parent: cinder-tempest-plugin-cbak-ceph + nodeset: openstack-single-node-focal + override-checkout: stable/wallaby + +- job: + name: cinder-tempest-plugin-cbak-ceph-victoria + parent: cinder-tempest-plugin-cbak-ceph + nodeset: openstack-single-node-focal + override-checkout: stable/victoria + +- job: + name: cinder-tempest-plugin-cbak-ceph-ussuri + parent: cinder-tempest-plugin-cbak-ceph + nodeset: openstack-single-node-bionic + override-checkout: stable/ussuri + +- job: + name: cinder-tempest-plugin-cbak-ceph-train + parent: cinder-tempest-plugin-cbak-ceph + nodeset: openstack-single-node-bionic + override-checkout: stable/train + # variant for pre-Ussuri branches (no volume revert for Ceph), # should this job be used on those branches - job: name: cinder-tempest-plugin-cbak-ceph branches: ^(?=stable/(ocata|pike|queens|rocky|stein|train)).*$ vars: - tempest_black_regex: '' devstack_local_conf: test-config: $TEMPEST_CONFIG: @@ -106,9 +184,9 @@ CINDER_ISCSI_HELPER: lioadm - job: - name: cinder-tempest-plugin-lvm-lio-barbican-centos-8 + name: cinder-tempest-plugin-lvm-lio-barbican-centos-8-stream parent: cinder-tempest-plugin-lvm-lio-barbican - nodeset: devstack-single-node-centos-8 + nodeset: devstack-single-node-centos-8-stream description: | This jobs configures Cinder with LVM, LIO, barbican and runs tempest tests and cinderlib tests on CentOS 8. @@ -119,7 +197,25 @@ This jobs configures Cinder with LVM, tgt, barbican and runs tempest tests and cinderlib tests. parent: cinder-tempest-plugin-lvm-barbican-base - + vars: + devstack_localrc: + CINDER_ISCSI_HELPER: tgtadm + +- job: + name: cinder-tempest-plugin-cbak-s3 + parent: cinder-tempest-plugin-basic + description: | + Integration tests that runs with the s3 backup driver with + Swift S3 API. + vars: + devstack_localrc: + CINDER_BACKUP_DRIVER: 's3_swift' + devstack_services: + c-bak: true + s3api: true + # Workaround: TLS proxy seems to cause S3 signature mismatch. + tls-proxy: false + tempest_test_regex: '(test_volume_backup|test_volumes_backup|test_snapshot_backup)' - job: name: cinder-tempest-plugin-basic parent: devstack-tempest @@ -141,6 +237,12 @@ - ^releasenotes/.*$ - job: + name: cinder-tempest-plugin-basic-wallaby + parent: cinder-tempest-plugin-basic + nodeset: openstack-single-node-focal + override-checkout: stable/wallaby + +- job: name: cinder-tempest-plugin-basic-victoria parent: cinder-tempest-plugin-basic nodeset: openstack-single-node-focal diff --git a/README.rst b/README.rst index 79151cd..0254938 100644 --- a/README.rst +++ b/README.rst @@ -24,7 +24,6 @@ :: [[local|localrc]] - VIRT_DRIVER=libvirt ADMIN_PASSWORD=secret SERVICE_TOKEN=$ADMIN_PASSWORD MYSQL_PASSWORD=$ADMIN_PASSWORD @@ -35,8 +34,8 @@ SYSLOG=False LOG_COLOR=False RECLONE=yes - ENABLED_SERVICES=c-api,c-sch,c-vol,cinder,dstat,g-api,g-reg,key,mysql, - n-api,n-cond,n-cpu,n-crt,n-net,n-sch,rabbit,tempest + ENABLED_SERVICES=c-api,c-bak,c-sch,c-vol,cinder,dstat,g-api,g-reg,key + ENABLED_SERVICES+=,mysql,n-api,n-cond,n-cpu,n-crt,n-sch,rabbit,tempest CINDER_ENABLED_BACKENDS=lvmdriver-1 CINDER_DEFAULT_VOLUME_TYPE=lvmdriver-1 CINDER_VOLUME_CLEAR=none diff --git a/cinder_tempest_plugin/rbac/__init__.py b/cinder_tempest_plugin/rbac/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/cinder_tempest_plugin/rbac/v3/__init__.py b/cinder_tempest_plugin/rbac/v3/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/cinder_tempest_plugin/rbac/v3/base.py b/cinder_tempest_plugin/rbac/v3/base.py new file mode 100644 index 0000000..d1a11e5 --- /dev/null +++ b/cinder_tempest_plugin/rbac/v3/base.py @@ -0,0 +1,42 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from tempest import config + +CONF = config.CONF + + +class VolumeV3RbacBaseTests(object): + + identity_version = 'v3' + + @classmethod + def skip_checks(cls): + super(VolumeV3RbacBaseTests, cls).skip_checks() + if not CONF.enforce_scope.cinder: + raise cls.skipException( + "Tempest is not configured to enforce_scope for cinder, " + "skipping RBAC tests. To enable these tests set " + "`tempest.conf [enforce_scope] cinder=True`." + ) + + def do_request(self, method, expected_status=200, client=None, **payload): + if not client: + client = self.client + if isinstance(expected_status, type(Exception)): + self.assertRaises(expected_status, + getattr(client, method), + **payload) + else: + response = getattr(client, method)(**payload) + self.assertEqual(response.response.status, expected_status) + return response diff --git a/cinder_tempest_plugin/rbac/v3/test_capabilities.py b/cinder_tempest_plugin/rbac/v3/test_capabilities.py new file mode 100644 index 0000000..1fa542d --- /dev/null +++ b/cinder_tempest_plugin/rbac/v3/test_capabilities.py @@ -0,0 +1,80 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import abc + +from tempest.lib import exceptions + +from cinder_tempest_plugin.api.volume import base +from cinder_tempest_plugin.rbac.v3 import base as rbac_base + + +class VolumeV3RbacCapabilityTests(rbac_base.VolumeV3RbacBaseTests, + metaclass=abc.ABCMeta): + + @classmethod + def setup_clients(cls): + super().setup_clients() + cls.persona = getattr(cls, 'os_%s' % cls.credentials[0]) + cls.client = cls.persona.volume_capabilities_client_latest + # NOTE(lbragstad): This admin_client will be more useful later when + # cinder supports system-scope and we need it for administrative + # operations. For now, keep os_project_admin as the admin client until + # we have system-scope. + admin_client = cls.os_project_admin + cls.admin_capabilities_client = ( + admin_client.volume_capabilities_client_latest) + cls.admin_stats_client = ( + admin_client.volume_scheduler_stats_client_latest) + + @classmethod + def setup_credentials(cls): + super().setup_credentials() + cls.os_primary = getattr(cls, 'os_%s' % cls.credentials[0]) + + @abc.abstractmethod + def test_get_capabilities(self): + """Test volume_extension:capabilities policy. + + This test must check: + * whether the persona can fetch capabilities for a host. + + """ + pass + + +class ProjectAdminTests(VolumeV3RbacCapabilityTests, base.BaseVolumeTest): + + credentials = ['project_admin', 'system_admin'] + + def test_get_capabilities(self): + pools = self.admin_stats_client.list_pools()['pools'] + host_name = pools[0]['name'] + self.do_request('show_backend_capabilities', expected_status=200, + host=host_name) + + +class ProjectMemberTests(ProjectAdminTests, base.BaseVolumeTest): + + credentials = ['project_member', 'project_admin', 'system_admin'] + + def test_get_capabilities(self): + pools = self.admin_stats_client.list_pools()['pools'] + host_name = pools[0]['name'] + self.do_request('show_backend_capabilities', + expected_status=exceptions.Forbidden, + host=host_name) + + +class ProjectReaderTests(ProjectMemberTests, base.BaseVolumeTest): + + credentials = ['project_reader', 'project_admin', 'system_admin'] diff --git a/tox.ini b/tox.ini index e1eb31f..c9c91ad 100644 --- a/tox.ini +++ b/tox.ini @@ -1,5 +1,5 @@ [tox] -minversion = 3.1.0 +minversion = 3.18.0 envlist = pep8 skipsdist = True # this allows tox to infer the base python from the environment name