Current tests do not have good test coverage of existing policies.
Either tests for policies do not exist or if they exist then they
do not cover the actual negative and positive testing.
For Example, if any policy with default rule as admin only then
test should verify:
- policy check pass with context having admin or server owner
- policy check fail with context having non-admin and not server owner
As discussed in policy-defaults-refresh [1], to change the policies
with new default roles and scope_type, we need to have the enough
testing coverage of existing policy behavior.
When we will add the scope_type in policies or new default roles,
then these test coverage will be extended to adopt the new changes
and also make sure we do not break the existing behavior.
This commit covers the testing coverage of existing create_backup policies.
Partial implement blueprint policy-defaults-refresh
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#testing
Change-Id: Iebc79fd72415603112a15a12f06153fb7a4e7fcc
This test is trying to check how an operator is able to adopt things
like project_reader. We need project_member APIs to not be available
to the project_reader.
This basically simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: Ic6e1fb081fe61262f718efc045b3b3f28694e8a7
This adds new defaults roles in os-admin-password API policies.
This policy is default to owner or system admin role.
Partial implement blueprint policy-defaults-refresh
Change-Id: Ieb026dadca2021dcc0451bf2167b15f5380e74ef
PlacementDirect was integrated into a functional test suite when it was
first created as a way to prove that it worked [1] and demonstrate how
to use it.
However, it was a pain then, because the interceptor needs to be created
every time you want to use it; and since extracted placement started
diverging from in-tree placement, other problems started cropping up
(see the associated bug).
So this commit removes the use of PlacementDirect from nova. Details:
- test_report_client now uses PlacementFixture. So all the `with
interceptor` context management is gone. This accounts for the vast
majority of the apparent change, which is just outdenting those
contexts.
- SchedulerReportClientTestBase, which was doing some hocus pocus to
wrap the SchedulerReportClient such that we could do some microversion
checks, is removed. The test suite simply instantiates the
microversion-checking wrapper class directly as the client used by the
test cases.
- We were taking advantage of a PlacementDirect feature allowing us to
default to the latest microversion if not explicitly specified in the
request. Without this, we had to add the `version` kwarg to some of
the calls we were making to SchedulerReportClient primitives
(get/put/post/delete).
- A piece of test_update_from_provider_tree was using a
deliberately-broken interceptor to prove that the code in question
wasn't hitting the API. We replace this with a non-callable mock on
the Adapter's request method.
- test_global_request_id was taking advantage of the interceptor to
validate that the global request ID was making it to the "other side"
of the API boundary. This was fun, but overkill. We now simply assert
that the correct HTTP header is making it into the ksa Adapter's
request method.
- Functional test suite test_resource_tracker.IronicResourceTrackerTest
was inheriting from the SchedulerReportClientTestBase class, but not
using the interceptor anywhere. Can't tell you why that was done. So
now it just uses the plain old test.TestCase like everyone else.
[1] This commit does remove all of nova's testing of PlacementDirect.
However, it is still tested in the placement repository itself:
https://github.com/openstack/placement/blob/69b9659a457b6d715ed47e6bd6d3b923d548c620/placement/tests/functional/test_direct.py
Change-Id: Icb889c09a69e7c5cbf9330e5d9917d6ab3ac3dc5
Related-Bug: #1818560
oslo.db has removed this module in
I63e4baf772be9ddfb787ac3aff01fcaddf7b901c. To the degree that
it is used in this Nova module is for a single check of SQLAlchemy
prior to 0.9.0 which is well below the minimum SQLAlchemy version
of 1.2.19.
Change-Id: I062da797ae4a4961535155a19ad330f5e8e14950
I408baef12358a83921c4693b847a692f6c19e36f bumped the MIN versions of
Libvirt and QEMU past the required versions for native LUKS decryption
support during the Stein cycle.
As a result and building on I5a0de814f2868f1a4980a69b72b45ee829cedb94 we
can now remove various bits of compatibility code introduced to support
the use of native LUKS decryption in environments with mixed versions of
Libvirt and QEMU. This includes code used during N to N+1 upgrades that
is no longer required as both ends of a migration during an upgrade
should now have the required versions of Libvirt and QEMU.
An _is_luks_v1 utility method is retained to ensure the native approach
is only used when using LUKS v1 volumes as native LUKS v2 support is not
currently available within QEMU.
Change-Id: I41b7c1653c6a887ee4b08e588c5d422409aebfba
This test would previously only attempt to invoke a race between
instance.save(expected_task_state=task_states.SPAWNING) and a parallel
attempt to delete an instance when the instance also has a vm_state of
ACTIVE and task_state of None. However vm_state and task_state would
often be different within the test resulting in no attempt to invoke the
test being made.
As instance.save is only called with expected_task_state set to
task_states.SPAWNING by _unshelve_instance and _build_and_run_instance
we should just check for this and avoid any state races within the test.
Additionally when attempting to invoke the race this test would call
_wait_for_server_parameter and provide self.api. This change removes
this argument as since I8c96b337f32148f8f5899c9b87af331b1fa41424 this is
no longer required and will result in a `TypeError:
'TestOpenStackClient' object is not subscriptable` error.
Closes-Bug: #1866072
Change-Id: I36da36cc5b099174eece0dfba29485fc20b2867b
Current tests do not have good test coverage of existing policies.
Either tests for policies do not exist or if they exist then they
do not cover the actual negative and positive testing.
For Example, if any policy with default rule as admin only then
test should verify:
- policy check pass with context having admin role
- policy check fail with context having any other role than admin
As discussed in policy-defaults-refresh [1], to change the policies
with new default roles and scope_type, we need to have the enough
testing coverage of existing policy behavior.
When we will add the scope_type in policies or new default roles,
then these test coverage will be extended to adopt the new changes
and also make sure we do not break the existing behavior.
This commit covers the testing coverage of existing deferred_delete policies.
Partial implement blueprint policy-defaults-refresh
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#testing
Change-Id: Ia84899b47f330ddb5993fc90e81d9817e8b9325a
Current tests do not have good test coverage of existing policies.
Either tests for policies do not exist or if they exist then they
do not cover the actual negative and positive testing.
For Example, if any policy with default rule as admin only then
test should verify:
- policy check pass with context having admin or server owner
- policy check fail with context having non-admin and not server owner
As discussed in policy-defaults-refresh [1], to change the policies
with new default roles and scope_type, we need to have the enough
testing coverage of existing policy behavior.
When we will add the scope_type in policies or new default roles,
then these test coverage will be extended to adopt the new changes
and also make sure we do not break the existing behavior.
This commit covers the testing coverage of existing os-console-auth-tokens
policies.
Partial implement blueprint policy-defaults-refresh
[1] https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#testing
Change-Id: Iface875e2af24fd2dced0daa079bf7595762e999
Currently if target is not passed in context.can(),
it use defauls target which is context.user_id, context.project_id.
These defaults target are not useful as it pass the
context's user_id and project_id only which means we tell
oslo policy to verify the context data with context data.
This commit pass the actual target for os-availability-zone policies
which is empty dict because policy rule is system scoped rather
than project, so the token scope check deals with the required
target checking.
Partial implement blueprint policy-defaults-refresh
Change-Id: I19fa9f2cb762baf5aeb5e9f25465863f9613f6db
This adds new defaults roles in Admin Action API policies.
- All APIs are system admin role
Partial implement blueprint policy-defaults-refresh
Change-Id: I8b211b2345bf43c3605dc6c6d09bc2ce868783de
Currently if target is not passed in context.can(),
it use defauls target which is context.user_id, context.project_id.
These defaults target are not useful as it pass the
context's user_id and project_id only which means we tell
oslo policy to verify the context data with context data.
This commit pass the actual target for os-assisted_volume_snapshots
policies which is empty dict because policy rule is system scoped rather
than project, so the token scope check deals with the required
target checking.
Partial implement blueprint policy-defaults-refresh
Change-Id: I38393f3042adb82fef5e038c99296c27c88ed864
Ghanshyam Mann