def test(): global vid_uuid, vid_uuid2 iam2_ops.clean_iam2_enviroment() flavor = case_flavor[os.environ.get('CASE_FLAVOR')] password = '******' vid_tst_obj = test_vid.ZstackTestVid() vid_tst_obj2 = None if flavor['target_role'] == 'system_admin': attributes = [{"name": "__SystemAdmin__"}] username = "******" vid_tst_obj = test_vid.ZstackTestVid() test_stub.create_system_admin(username, password, vid_tst_obj) virtual_id_uuid = vid_tst_obj.get_vid().uuid system_admin_session_uuid = acc_ops.login_by_account(username, password) #create systemadmin by systemadmin session vid_tst_obj2 = test_vid.ZstackTestVid() vid_tst_obj2.create("systemsubadmin", password, session_uuid=system_admin_session_uuid, without_default_role="true") vid_uuid2 = vid_tst_obj2.get_vid().uuid iam2_ops.add_attributes_to_iam2_virtual_id(vid_uuid2, attributes, session_uuid=system_admin_session_uuid) role_uuid = iam2_ops.create_role('systemAdminSubRole').uuid statements = [{"effect":"Allow","actions":["org.zstack.header.image.**"]}] iam2_ops.add_policy_statements_to_role(role_uuid, statements) iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], vid_tst_obj2.get_vid().uuid) elif flavor['target_role'] == 'security_admin': attributes = [{"name": "__SecurityAdmin__"}] username = "******" vid_tst_obj.create(username, password, without_default_role="true") vid_uuid = vid_tst_obj.get_vid().uuid iam2_ops.add_attributes_to_iam2_virtual_id(vid_uuid, attributes) elif flavor['target_role'] == 'audit_admin': attributes = [{"name": "__AuditAdmin__"}] username = "******" vid_tst_obj.create(username, password, without_default_role="true") vid_uuid = vid_tst_obj.get_vid().uuid iam2_ops.add_attributes_to_iam2_virtual_id(vid_uuid, attributes) else: test_util.test_fail("not a candidate role") vid_tst_obj.set_vid_attributes(attributes) vid_tst_obj.check() vid_tst_obj.delete() if vid_tst_obj2: iam2_ops.delete_iam2_virtual_id(vid_uuid2) test_util.test_pass('success test 3 admins attributes!')
def test(): iam2_ops.clean_iam2_enviroment() # 1 create project project_name = 'test_project' project_uuid = iam2_ops.create_iam2_project(project_name).uuid # 2 create project operator and virtual id project_operator_name = 'username' project_operator_password = '******' password='******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo',password).uuid # 3 login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid # 4 create virtual id group virtual_id_group_uuid = iam2_ops.create_iam2_virtual_id_group(project_uuid,'test_virtual_id_group',session_uuid=project_login_uuid).uuid # 5 add virtual id into project and group iam2_ops.add_iam2_virtual_ids_to_project([virtual_id_uuid], project_uuid, session_uuid=project_login_uuid) iam2_ops.add_iam2_virtual_ids_to_group([virtual_id_uuid],virtual_id_group_uuid,session_uuid=project_login_uuid) # 6 remove virtual id from project and group iam2_ops.remove_iam2_virtual_ids_from_group([virtual_id_uuid],virtual_id_group_uuid,session_uuid=project_login_uuid) iam2_ops.remove_iam2_virtual_ids_from_project([virtual_id_uuid], project_uuid, session_uuid=project_login_uuid) # 7 create role statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.**"]}] role_uuid = iam2_ops.create_role('role1', statements,session_uuid=project_login_uuid).uuid # 8 add/remove roles to/from virtual id(group) iam2_ops.add_roles_to_iam2_virtual_id_group([role_uuid],virtual_id_group_uuid,session_uuid=project_login_uuid) iam2_ops.remove_roles_from_iam2_virtual_idgroup([role_uuid],virtual_id_group_uuid,session_uuid=project_login_uuid) iam2_ops.add_roles_to_iam2_virtual_id([role_uuid],virtual_id_uuid,session_uuid=project_login_uuid) iam2_ops.remove_roles_from_iam2_virtual_id([role_uuid],virtual_id_uuid,session_uuid=project_login_uuid) # 9 delete iam2_ops.delete_role(role_uuid,session_uuid=project_login_uuid) iam2_ops.delete_iam2_virtual_id_group(virtual_id_group_uuid,session_uuid=project_login_uuid) acc_ops.logout(project_login_uuid) iam2_ops.clean_iam2_enviroment() test_util.test_pass('success test iam2 login by project operator')
def test(): global role_uuid, project_uuid, project_admin_uuid, virtual_id_uuid, virtual_id_group_uuid # 1 create project project_name = 'test_project' project_uuid = iam2_ops.create_iam2_project(project_name).uuid # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', password).uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # 4 login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) # 5 create virtual id group virtual_id_group_uuid = iam2_ops.create_iam2_virtual_id_group(project_uuid, 'test_virtual_id_group',session_uuid=project_login_uuid).uuid # 6 add virtual id into project and group # TODO:add query iam2_ops.add_iam2_virtual_ids_to_project([virtual_id_uuid], project_uuid, session_uuid=project_login_uuid) iam2_ops.add_iam2_virtual_ids_to_group([virtual_id_uuid], virtual_id_group_uuid, session_uuid=project_login_uuid) # 7 create role statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.**"]}] role_uuid = iam2_ops.create_role('test_role', statements,session_uuid=project_login_uuid).uuid # 8 add/remove roles to/from virtual id (group) iam2_ops.add_roles_to_iam2_virtual_id_group([role_uuid], virtual_id_group_uuid, session_uuid=project_login_uuid) iam2_ops.remove_roles_from_iam2_virtual_idgroup([role_uuid], virtual_id_group_uuid, session_uuid=project_login_uuid) iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], virtual_id_uuid, session_uuid=project_login_uuid) iam2_ops.remove_roles_from_iam2_virtual_id([role_uuid], virtual_id_uuid, session_uuid=project_login_uuid) # 9 create/delete project operator attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(virtual_id_uuid,attributes,session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('virtualIDUuid', '=', virtual_id_uuid) cond_02 = res_ops.gen_query_conditions('name', '=', "__ProjectOperator__", cond) attribute_uuid = res_ops.query_resource_fields(res_ops.IAM2_VIRTUAL_ID_ATTRIBUTE, cond_02)[0].uuid iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid,[attribute_uuid],session_uuid=project_login_uuid) # 10 remove virtual ids from group and project iam2_ops.remove_iam2_virtual_ids_from_group([virtual_id_uuid], virtual_id_group_uuid, session_uuid=project_login_uuid) iam2_ops.remove_iam2_virtual_ids_from_project([virtual_id_uuid], project_uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) iam2_ops.delete_role(role_uuid) iam2_ops.clean_iam2_enviroment() test_util.test_pass('success test iam2 login in by project admin!')
def test(): global role_uuid, project_uuid, project_02_uuid, project_template_01_uuid, project_template_02_uuid, \ company_uuid_01, company_uuid_02, department_01_uuid, department_02_uuid, virtual_id_group_uuid, \ virtual_id_uuid iam2_ops.clean_iam2_enviroment() # 1 create role and add/remove policy statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid action = "org.zstack.header.image.**" statements = [{"effect": "Allow", "actions": [action]}] iam2_ops.add_policy_statements_to_role(role_uuid, statements) statement_uuid = iam2_ops.get_policy_statement_uuid_of_role( role_uuid, action) # statement_uuid= res_ops.get_resource(res_ops.ROLE, uuid=role_uuid)[0].statements[0].uuid iam2_ops.remove_policy_statements_from_role(role_uuid, [statement_uuid]) # 2 create project and add/remove attributes to/from it project_name = 'test_project' project_uuid = iam2_ops.create_iam2_project(project_name).uuid zone_inv = res_ops.query_resource(res_ops.ZONE) if len(zone_inv) >= 2: attributes = [{ "name": "__ProjectRelatedZone__", "value": zone_inv[0].uuid }] iam2_ops.add_attributes_to_iam2_project(project_uuid, attributes) username = '******' password = \ 'b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86' virtual_id_uuid = iam2_ops.create_iam2_virtual_id(username, password).uuid iam2_ops.add_iam2_virtual_ids_to_project([virtual_id_uuid], project_uuid) session_uuid = iam2_ops.login_iam2_virtual_id(username, password) session_uuid = iam2_ops.login_iam2_project(project_name, session_uuid).uuid cond = res_ops.gen_query_conditions('zoneUuid', '=', zone_inv[1].uuid) host_inv = res_ops.query_resource(res_ops.HOST, cond, session_uuid=session_uuid) if host_inv: test_util.test_fail("test Project Related Zone fail") attribute_uuid = iam2_ops.get_attribute_uuid_of_project( project_uuid, "__ProjectRelatedZone__") iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) iam2_ops.remove_attributes_from_iam2_project(project_uuid, [attribute_uuid]) # 3 create project template from project project_template_01_uuid = iam2_ops.create_iam2_project_template_from_project( 'project_template', project_uuid, 'this is a template ' 'description').uuid project_template_inv = res_ops.get_resource(res_ops.IAM2_PROJECT_TEMPLATE, uuid=project_template_01_uuid) if not project_template_inv: test_util.test_fail("create template from project fail") # 4 create project template and then create project from template project_template_02_uuid = iam2_ops.create_iam2_project_template( 'project_template_02').uuid project_02_uuid = iam2_ops.create_iam2_project_from_template( 'project_02', project_template_02_uuid).uuid project_inv = res_ops.get_resource(res_ops.IAM2_PROJECT, uuid=project_02_uuid) if not project_inv: test_util.test_fail("create project from template fail") # 5 create Company and Department (organization) company_uuid_01 = iam2_ops.create_iam2_organization( 'test_company_01', 'Company').uuid company_uuid_02 = iam2_ops.create_iam2_organization( 'test_company_02', 'Company').uuid department_01_uuid = iam2_ops.create_iam2_organization( 'test_department_01', 'Department', parent_uuid=company_uuid_01).uuid department_02_uuid = iam2_ops.create_iam2_organization( 'test_department_02', 'Department').uuid # 6 organization change parent iam2_ops.change_iam2_organization_parent(company_uuid_02, [department_02_uuid]) iam2_ops.change_iam2_organization_parent(company_uuid_02, [department_01_uuid]) department_inv = res_ops.get_resource(res_ops.IAM2_ORGANIZATION, uuid=department_01_uuid)[0] if department_inv.parentUuid != company_uuid_02: test_util.test_fail('change organization parent fail') department_inv = res_ops.get_resource(res_ops.IAM2_ORGANIZATION, uuid=department_02_uuid)[0] if department_inv.parentUuid != company_uuid_02: test_util.test_fail('change organization parent fail') # 7 create virtual id group and add/remove role and attributes to/from it virtual_id_group_uuid = iam2_ops.create_iam2_virtual_id_group( project_uuid, 'test_virtual_id_group').uuid iam2_ops.add_roles_to_iam2_virtual_id_group([role_uuid], virtual_id_group_uuid) iam2_ops.remove_roles_from_iam2_virtual_idgroup([role_uuid], virtual_id_group_uuid) # TODO:there is nothing to do with the below api in the first version of iam2 # iam2_ops.add_attributes_to_iam2_virtual_id_group() # iam2_ops.remove_attributes_from_iam2_virtual_id_group() # 8 create virtual id and add/remove role or attributes to/from it password = '******' virtual_id_uuid = iam2_ops.create_iam2_virtual_id('username', password).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], virtual_id_uuid) iam2_ops.remove_roles_from_iam2_virtual_id([role_uuid], virtual_id_uuid) cond = res_ops.gen_query_conditions('virtualIDUuid', '=', virtual_id_uuid) attributes = [{"name": "__PlatformAdmin__"}] iam2_ops.add_attributes_to_iam2_virtual_id(virtual_id_uuid, attributes) cond_01 = res_ops.gen_query_conditions('name', '=', "__PlatformAdmin__", cond) attribute_uuid = res_ops.query_resource_fields( res_ops.IAM2_VIRTUAL_ID_ATTRIBUTE, cond_01)[0].uuid iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, [attribute_uuid]) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(virtual_id_uuid, attributes) cond_02 = res_ops.gen_query_conditions('name', '=', "__ProjectAdmin__", cond) attribute_uuid = res_ops.query_resource_fields( res_ops.IAM2_VIRTUAL_ID_ATTRIBUTE, cond_02)[0].uuid iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, [attribute_uuid]) # admin can't create Project operator # attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] # iam2_ops.add_attributes_to_iam2_virtual_id(virtual_id_uuid, attributes) # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) # 9 add virtual id to organization and set it as OrganizationSupervisor iam2_ops.add_iam2_virtual_ids_to_organization([virtual_id_uuid], department_01_uuid) attributes = [{ "name": "__OrganizationSupervisor__", "value": virtual_id_uuid }] iam2_ops.add_attributes_to_iam2_organization(department_01_uuid, attributes) cond_03 = res_ops.gen_query_conditions('name', '=', "__OrganizationSupervisor__") cond_03 = res_ops.gen_query_conditions('value', '=', virtual_id_uuid, cond_03) attribute_uuid = res_ops.query_resource( res_ops.IAM2_ORGANIZATION_ATTRIBUTE, cond_03)[0].uuid iam2_ops.remove_attributes_from_iam2_organization(department_01_uuid, [attribute_uuid]) iam2_ops.remove_iam2_virtual_ids_from_organization([virtual_id_uuid], department_01_uuid) # 10 add virtual id to group and project iam2_ops.add_iam2_virtual_ids_to_project([virtual_id_uuid], project_uuid) iam2_ops.add_iam2_virtual_ids_to_group([virtual_id_uuid], virtual_id_group_uuid) iam2_ops.remove_iam2_virtual_ids_from_group([virtual_id_uuid], virtual_id_group_uuid) iam2_ops.remove_iam2_virtual_ids_from_project([virtual_id_uuid], project_uuid) # 11 change state disable = 'disable' enable = 'enable' Disabled = 'Disabled' iam2_ops.change_iam2_organization_state(company_uuid_01, disable) res_inv = res_ops.get_resource(res_ops.IAM2_ORGANIZATION, uuid=company_uuid_01)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 organization state fail") iam2_ops.change_iam2_organization_state(company_uuid_01, enable) iam2_ops.change_iam2_organization_state(department_01_uuid, disable) iam2_ops.change_iam2_organization_state(department_01_uuid, enable) iam2_ops.change_iam2_project_state(project_uuid, disable) res_inv = res_ops.get_resource(res_ops.IAM2_PROJECT, uuid=project_uuid)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 project state fail") iam2_ops.change_iam2_project_state(project_uuid, enable) iam2_ops.change_iam2_virtual_id_state(virtual_id_uuid, disable) res_inv = res_ops.get_resource(res_ops.IAM2_VIRTUAL_ID, uuid=virtual_id_uuid)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 virtual id state fail") iam2_ops.change_iam2_virtual_id_state(virtual_id_uuid, enable) iam2_ops.change_iam2_virtual_id_group_state(virtual_id_group_uuid, disable) res_inv = res_ops.get_resource(res_ops.IAM2_VIRTUAL_ID_GROUP, uuid=virtual_id_group_uuid)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 virtual id group state fail") iam2_ops.change_iam2_virtual_id_group_state(virtual_id_group_uuid, enable) iam2_ops.change_role_state(role_uuid, disable) res_inv = res_ops.get_resource(res_ops.ROLE, uuid=role_uuid)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 role state fail") iam2_ops.change_role_state(role_uuid, enable) # 12 update virtual_id_new_name = 'virtual_id_new_name' virtual_id_new_des = 'virtual_id_new_des' virtual_id_new_password = '******' iam2_ops.update_iam2_virtual_id(virtual_id_uuid, virtual_id_new_name, virtual_id_new_des, virtual_id_new_password) virtual_id_inv = res_ops.get_resource(res_ops.IAM2_VIRTUAL_ID, uuid=virtual_id_uuid)[0] if virtual_id_inv.name != virtual_id_new_name: test_util.test_fail("update iam2 virtual id name fail") try: iam2_ops.login_iam2_virtual_id('username', password) except: test_util.test_logger("the old username and password can't login") try: virtual_id_session_uuid = iam2_ops.login_iam2_virtual_id( virtual_id_new_name, virtual_id_new_password) acc_ops.logout(virtual_id_session_uuid) except: test_util.test_fail("update iam2 virtual id name or password fail.") virtual_id_group_new_name = 'virtual_id_group_new_name' virtual_id_group_new_des = 'virtual_id_group_new_des' iam2_ops.update_iam2_virtual_id_group(virtual_id_group_uuid, virtual_id_group_new_name, virtual_id_group_new_des) virtual_id_group_inv = res_ops.get_resource(res_ops.IAM2_VIRTUAL_ID_GROUP, uuid=virtual_id_group_uuid)[0] if virtual_id_group_inv.name != virtual_id_group_new_name: test_util.test_fail("update iam2 virtual id group name fail") project_new_name = 'project_new_name' project_new_dsc = 'project_new_dsc' iam2_ops.update_iam2_project(project_uuid, project_new_name, project_new_dsc) project_inv = res_ops.get_resource(res_ops.IAM2_PROJECT, uuid=project_uuid)[0] if project_inv.name != project_new_name or project_inv.description != project_new_dsc: test_util.test_fail("update project information fail") company_new_name = 'company_new_name' company_new_dsc = 'company_new_dsc' iam2_ops.update_iam2_organization(company_uuid_02, company_new_name, company_new_dsc) organization_inv = res_ops.get_resource(res_ops.IAM2_ORGANIZATION, uuid=company_uuid_02)[0] if organization_inv.name != company_new_name or organization_inv.description != company_new_dsc: test_util.test_fail("update organization name fail") # 13 delete iam2_ops.delete_iam2_organization(company_uuid_01) iam2_ops.delete_iam2_organization(company_uuid_02) iam2_ops.delete_iam2_organization(department_01_uuid) iam2_ops.delete_iam2_organization(department_02_uuid) iam2_ops.delete_iam2_virtual_id_group(virtual_id_group_uuid) iam2_ops.delete_iam2_project(project_uuid) iam2_ops.delete_iam2_project(project_02_uuid) iam2_ops.expunge_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_02_uuid) iam2_ops.delete_iam2_project_template(project_template_01_uuid) iam2_ops.delete_iam2_project_template(project_template_02_uuid) iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) iam2_ops.delete_role(role_uuid) iam2_ops.clean_iam2_enviroment() test_util.test_pass('success test iam2 login in by admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.**"]}, {"effect": "Allow", "actions": ["org.zstack.scheduler.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) vm_creation_option = test_util.VmOption() l3_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3VlanNetwork3')).uuid acc_ops.share_resources([project_linked_account_uuid], [l3_net_uuid]) vm_creation_option.set_l3_uuids([l3_net_uuid]) image_uuid = test_lib.lib_get_image_by_name("centos").uuid vm_creation_option.set_image_uuid(image_uuid) acc_ops.share_resources([project_linked_account_uuid], [image_uuid]) instance_offering_uuid = test_lib.lib_get_instance_offering_by_name(os.environ.get('instanceOfferingName_s')).uuid vm_creation_option.set_instance_offering_uuid(instance_offering_uuid) acc_ops.share_resources([project_linked_account_uuid], [instance_offering_uuid]) vm_creation_option.set_name('vm_for_project_management') vm_creation_option.set_session_uuid(project_login_uuid) vm = test_stub.create_vm(image_uuid = image_uuid, session_uuid=project_login_uuid) # scheduler ops: start_date = int(time.time()) schd_job1 = schd_ops.create_scheduler_job('simple_start_vm_scheduler', 'simple_start_vm_scheduler', vm.get_vm().uuid, 'startVm', None, session_uuid=project_login_uuid) schd_trigger1 = schd_ops.create_scheduler_trigger('simple_start_vm_scheduler', start_date+5, None, 15, 'simple', session_uuid=project_login_uuid) schd_ops.add_scheduler_job_to_trigger(schd_trigger1.uuid, schd_job1.uuid, session_uuid=project_login_uuid) schd_ops.change_scheduler_state(schd_job1.uuid, 'disable', session_uuid=project_login_uuid) schd_ops.change_scheduler_state(schd_job1.uuid, 'enable', session_uuid=project_login_uuid) schd_ops.remove_scheduler_job_from_trigger(schd_trigger1.uuid, schd_job1.uuid, session_uuid=project_login_uuid) schd_ops.del_scheduler_job(schd_job1.uuid, session_uuid=project_login_uuid) schd_ops.del_scheduler_trigger(schd_trigger1.uuid, session_uuid=project_login_uuid) schd_ops.get_current_time() vm_ops.destroy_vm(vm.get_vm().uuid, session_uuid=project_login_uuid) vm_ops.expunge_vm(vm.get_vm().uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global role_uuid, project_uuid, project_02_uuid, project_template_01_uuid, project_template_02_uuid, \ company_uuid_01, company_uuid_02, department_01_uuid, department_02_uuid, virtual_id_group_uuid, \ virtual_id_uuid, platform_admin_uuid iam2_ops.clean_iam2_enviroment() # 1 create platformAdmin username = '******' password = \ 'b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86' platform_admin_uuid = iam2_ops.create_iam2_virtual_id(username, password).uuid attributes = [{"name": "__PlatformAdmin__"}] iam2_ops.add_attributes_to_iam2_virtual_id(platform_admin_uuid, attributes) platform_admin_session_uuid = iam2_ops.login_iam2_virtual_id(username, password) # 2 create role statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.**"]}] role_uuid = iam2_ops.create_role('test_role', statements, platform_admin_session_uuid).uuid action = "org.zstack.header.image.**" statements = [{"effect": "Allow", "actions": [action]}] iam2_ops.add_policy_statements_to_role(role_uuid, statements, platform_admin_session_uuid) statement_uuid = iam2_ops.get_policy_statement_uuid_of_role(role_uuid, action) # statement_uuid= res_ops.get_resource(res_ops.ROLE, uuid=role_uuid)[0].statements[0].uuid iam2_ops.remove_policy_statements_from_role(role_uuid, [statement_uuid], platform_admin_session_uuid) # 3 create project and and add/remove role and attributes to/from it project_name = 'test_project' project_uuid = iam2_ops.create_iam2_project(project_name, session_uuid=platform_admin_session_uuid).uuid zone_inv=res_ops.query_resource(res_ops.ZONE) if len(zone_inv)>=2: attributes = [{"name":"__ProjectRelatedZone__", "value":zone_inv[0].uuid}] iam2_ops.add_attributes_to_iam2_project(project_uuid,attributes,session_uuid=platform_admin_session_uuid) username='******' password = \ 'b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86' virtual_id_uuid=iam2_ops.create_iam2_virtual_id(username,password,session_uuid=platform_admin_session_uuid).uuid iam2_ops.add_iam2_virtual_ids_to_project([virtual_id_uuid],project_uuid,session_uuid=platform_admin_session_uuid) session_uuid=iam2_ops.login_iam2_virtual_id(username,password) session_uuid=iam2_ops.login_iam2_project(project_name,session_uuid).uuid cond=res_ops.gen_query_conditions('zoneUuid','=',zone_inv[1].uuid) host_inv=res_ops.query_resource(res_ops.HOST,cond,session_uuid=session_uuid) if host_inv: test_util.test_fail("test Project Related Zone fail") attribute_uuid=iam2_ops.get_attribute_uuid_of_project(project_uuid,"__ProjectRelatedZone__") iam2_ops.delete_iam2_virtual_id(virtual_id_uuid,session_uuid=platform_admin_session_uuid) iam2_ops.remove_attributes_from_iam2_project(project_uuid,[attribute_uuid],session_uuid=platform_admin_session_uuid) # iam2_ops.add_attributes_to_iam2_project(project_uuid,attributes='') # iam2_ops.remove_attributes_from_iam2_project(project_uuid,attributes='') # 4 create project template from project project_template_01_uuid = iam2_ops.create_iam2_project_template_from_project('project_template', project_uuid, 'this is a template description', platform_admin_session_uuid).uuid project_template_inv = res_ops.get_resource(res_ops.IAM2_PROJECT_TEMPLATE, uuid=project_template_01_uuid, session_uuid=platform_admin_session_uuid)[0] if not project_template_inv: test_util.test_fail("create template from project fail") # 5 create project template and then create project from template project_template_02_uuid = iam2_ops.create_iam2_project_template('project_template_02', session_uuid=platform_admin_session_uuid).uuid project_02_uuid = iam2_ops.create_iam2_project_from_template('project_02', project_template_02_uuid, session_uuid=platform_admin_session_uuid).uuid project_inv = res_ops.get_resource(res_ops.IAM2_PROJECT, uuid=project_02_uuid, session_uuid=platform_admin_session_uuid) if not project_inv: test_util.test_fail("create project from template fail") # 6 create Company and Department company_uuid_01 = iam2_ops.create_iam2_organization('test_company_01', 'Company', session_uuid=platform_admin_session_uuid).uuid company_uuid_02 = iam2_ops.create_iam2_organization('test_company_02', 'Company', session_uuid=platform_admin_session_uuid).uuid department_01_uuid = iam2_ops.create_iam2_organization('test_department_01', 'Department', parent_uuid=company_uuid_01, session_uuid=platform_admin_session_uuid).uuid department_02_uuid = iam2_ops.create_iam2_organization('test_department_02', 'Department', session_uuid=platform_admin_session_uuid).uuid # 7 organization change parent iam2_ops.change_iam2_organization_parent(company_uuid_02, [department_02_uuid], session_uuid=platform_admin_session_uuid) iam2_ops.change_iam2_organization_parent(company_uuid_02, [department_01_uuid], session_uuid=platform_admin_session_uuid) department_inv = res_ops.get_resource(res_ops.IAM2_ORGANIZATION, uuid=department_01_uuid, session_uuid=platform_admin_session_uuid)[0] if department_inv.parentUuid != company_uuid_02: test_util.test_fail('change organization parent fail') department_inv = res_ops.get_resource(res_ops.IAM2_ORGANIZATION, uuid=department_02_uuid, session_uuid=platform_admin_session_uuid)[0] if department_inv.parentUuid != company_uuid_02: test_util.test_fail('change organization parent fail') # 8 create virtual id group and add/remove role and attributes to/from it virtual_id_group_uuid = iam2_ops.create_iam2_virtual_id_group(project_uuid, 'test_virtual_id_group', session_uuid=platform_admin_session_uuid).uuid iam2_ops.add_roles_to_iam2_virtual_id_group([role_uuid], virtual_id_group_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.remove_roles_from_iam2_virtual_idgroup([role_uuid], virtual_id_group_uuid, session_uuid=platform_admin_session_uuid) # TODO:there is nothing to do with the below api in the first version of iam2 # iam2_ops.add_attributes_to_iam2_virtual_id_group() # iam2_ops.remove_attributes_from_iam2_virtual_id_group() # 9 create virtual id and add/remove role or attributes to/from it virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', password, session_uuid=platform_admin_session_uuid).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], virtual_id_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.remove_roles_from_iam2_virtual_id([role_uuid], virtual_id_uuid, session_uuid=platform_admin_session_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(virtual_id_uuid, attributes, session_uuid=platform_admin_session_uuid) cond = res_ops.gen_query_conditions('virtualIDUuid', '=', virtual_id_uuid) cond_02 = res_ops.gen_query_conditions('name', '=', "__ProjectAdmin__", cond) attribute_uuid = res_ops.query_resource_fields(res_ops.IAM2_VIRTUAL_ID_ATTRIBUTE, cond_02)[0].uuid iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, [attribute_uuid], session_uuid=platform_admin_session_uuid) # attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] # iam2_ops.add_attributes_to_iam2_virtual_id(virtual_id_uuid, attributes, session_uuid=platform_admin_session_uuid) # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes, # session_uuid=platform_admin_session_uuid) iam2_ops.add_iam2_virtual_ids_to_organization([virtual_id_uuid], department_01_uuid, session_uuid=platform_admin_session_uuid) attributes = [{"name": "__OrganizationSupervisor__", "value": virtual_id_uuid}] iam2_ops.add_attributes_to_iam2_organization(department_01_uuid, attributes, session_uuid=platform_admin_session_uuid) cond_03 = res_ops.gen_query_conditions('name', '=', "__OrganizationSupervisor__") cond_03 = res_ops.gen_query_conditions('value', '=', virtual_id_uuid, cond_03) attribute_uuid = \ res_ops.query_resource(res_ops.IAM2_ORGANIZATION_ATTRIBUTE, cond_03, session_uuid=platform_admin_session_uuid)[ 0].uuid iam2_ops.remove_attributes_from_iam2_organization(department_01_uuid, [attribute_uuid], session_uuid=platform_admin_session_uuid) iam2_ops.remove_iam2_virtual_ids_from_organization([virtual_id_uuid], department_01_uuid, session_uuid=platform_admin_session_uuid) # 10 add virtual id to group and project iam2_ops.add_iam2_virtual_ids_to_project([virtual_id_uuid], project_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.add_iam2_virtual_ids_to_group([virtual_id_uuid], virtual_id_group_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.remove_iam2_virtual_ids_from_group([virtual_id_uuid], virtual_id_group_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.remove_iam2_virtual_ids_from_project([virtual_id_uuid], project_uuid, session_uuid=platform_admin_session_uuid) # 11 change state disable = 'disable' enable = 'enable' Disabled = 'Disabled' iam2_ops.change_iam2_organization_state(company_uuid_01, disable, session_uuid=platform_admin_session_uuid) res_inv = res_ops.get_resource(res_ops.IAM2_ORGANIZATION, uuid=company_uuid_01, session_uuid=platform_admin_session_uuid)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 organization state fail") iam2_ops.change_iam2_organization_state(company_uuid_01, enable, session_uuid=platform_admin_session_uuid) iam2_ops.change_iam2_organization_state(department_01_uuid, disable, session_uuid=platform_admin_session_uuid) iam2_ops.change_iam2_organization_state(department_01_uuid, enable, session_uuid=platform_admin_session_uuid) iam2_ops.change_iam2_project_state(project_uuid, disable, session_uuid=platform_admin_session_uuid) res_inv = res_ops.get_resource(res_ops.IAM2_PROJECT, uuid=project_uuid, session_uuid=platform_admin_session_uuid)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 project state fail") iam2_ops.change_iam2_project_state(project_uuid, enable, session_uuid=platform_admin_session_uuid) iam2_ops.change_iam2_virtual_id_state(virtual_id_uuid, disable, session_uuid=platform_admin_session_uuid) res_inv = res_ops.get_resource(res_ops.IAM2_VIRTUAL_ID, uuid=virtual_id_uuid, session_uuid=platform_admin_session_uuid)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 virtual id state fail") iam2_ops.change_iam2_virtual_id_state(virtual_id_uuid, enable, session_uuid=platform_admin_session_uuid) iam2_ops.change_iam2_virtual_id_group_state(virtual_id_group_uuid, disable, session_uuid=platform_admin_session_uuid) res_inv = res_ops.get_resource(res_ops.IAM2_VIRTUAL_ID_GROUP, uuid=virtual_id_group_uuid, session_uuid=platform_admin_session_uuid)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 virtual id group state fail") iam2_ops.change_iam2_virtual_id_group_state(virtual_id_group_uuid, enable, session_uuid=platform_admin_session_uuid) iam2_ops.change_role_state(role_uuid, disable, session_uuid=platform_admin_session_uuid) res_inv = res_ops.get_resource(res_ops.ROLE, uuid=role_uuid, session_uuid=platform_admin_session_uuid)[0] if res_inv.state != Disabled: test_util.test_fail("test change iam2 role state fail") iam2_ops.change_role_state(role_uuid, enable, session_uuid=platform_admin_session_uuid) # 12 update virtual_id_new_name = 'virtual_id_new_name' virtual_id_new_des = 'virtual_id_new_des' virtual_id_new_password = '******' iam2_ops.update_iam2_virtual_id(virtual_id_uuid, virtual_id_new_name, virtual_id_new_des, virtual_id_new_password, session_uuid=platform_admin_session_uuid) virtual_id_inv = res_ops.get_resource(res_ops.IAM2_VIRTUAL_ID, uuid=virtual_id_uuid, session_uuid=platform_admin_session_uuid)[0] if virtual_id_inv.name != virtual_id_new_name: test_util.test_fail("update iam2 virtual id name fail") try: virtual_id_session_uuid = iam2_ops.login_iam2_virtual_id(virtual_id_new_name, virtual_id_new_password) except: test_util.test_fail("update iam2 virtual id name or password fail.") virtual_id_group_new_name = 'virtual_id_group_new_name' virtual_id_group_new_des = 'virtual_id_group_new_des' iam2_ops.update_iam2_virtual_id_group(virtual_id_group_uuid, virtual_id_group_new_name, virtual_id_group_new_des, session_uuid=platform_admin_session_uuid) virtual_id_group_inv = res_ops.get_resource(res_ops.IAM2_VIRTUAL_ID_GROUP, uuid=virtual_id_group_uuid, session_uuid=platform_admin_session_uuid)[0] if virtual_id_group_inv.name != virtual_id_group_new_name: test_util.test_fail("update iam2 virtual id group name fail") project_new_name = 'project_new_name' project_new_dsc = 'project_new_dsc' iam2_ops.update_iam2_project(project_uuid, project_new_name, project_new_dsc, session_uuid=platform_admin_session_uuid) project_inv = \ res_ops.get_resource(res_ops.IAM2_PROJECT, uuid=project_uuid, session_uuid=platform_admin_session_uuid)[0] if project_inv.name != project_new_name or project_inv.description != project_new_dsc: test_util.test_fail("update project information fail") company_new_name = 'company_new_name' company_new_dsc = 'company_new_dsc' iam2_ops.update_iam2_organization(company_uuid_02, company_new_name, company_new_dsc, session_uuid=platform_admin_session_uuid) organization_inv = res_ops.get_resource(res_ops.IAM2_ORGANIZATION, uuid=company_uuid_02, session_uuid=platform_admin_session_uuid)[0] if organization_inv.name != company_new_name or organization_inv.description != company_new_dsc: test_util.test_fail("update organization name fail") # 13 delete iam2_ops.delete_iam2_organization(company_uuid_01, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_organization(company_uuid_02, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_organization(department_01_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_organization(department_02_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_virtual_id_group(virtual_id_group_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_project(project_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_project(project_02_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.expunge_iam2_project(project_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.expunge_iam2_project(project_02_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_project_template(project_template_01_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_project_template(project_template_02_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_virtual_id(virtual_id_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.delete_role(role_uuid, session_uuid=platform_admin_session_uuid) iam2_ops.delete_iam2_virtual_id(platform_admin_uuid) iam2_ops.clean_iam2_enviroment() test_util.test_pass('success test iam2 login in by admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project if flavor['target_role'] != 'system_admin': project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid elif flavor['target_role'] == 'system_admin': username = "******" password = '******' vid_tst_obj = test_vid.ZstackTestVid() test_stub.create_system_admin(username, password, vid_tst_obj) virtual_id_uuid = vid_tst_obj.get_vid().uuid project_login_uuid = acc_ops.login_by_account(username, password) # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.**"]}, {"effect": "Allow", "actions": ["org.zstack.scheduler.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) vm_creation_option = test_util.VmOption() l3_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3VlanNetwork3')).uuid if flavor['target_role'] != 'system_admin': acc_ops.share_resources([project_linked_account_uuid], [l3_net_uuid]) vm_creation_option.set_l3_uuids([l3_net_uuid]) image_uuid = test_lib.lib_get_image_by_name("centos").uuid vm_creation_option.set_image_uuid(image_uuid) if flavor['target_role'] != 'system_admin': acc_ops.share_resources([project_linked_account_uuid], [image_uuid]) instance_offering_uuid = test_lib.lib_get_instance_offering_by_name(os.environ.get('instanceOfferingName_s')).uuid vm_creation_option.set_instance_offering_uuid(instance_offering_uuid) if flavor['target_role'] != 'system_admin': acc_ops.share_resources([project_linked_account_uuid], [instance_offering_uuid]) vm_creation_option.set_name('vm_for_project_management') vm_creation_option.set_session_uuid(project_login_uuid) vm = test_stub.create_vm(image_uuid = image_uuid, session_uuid=project_login_uuid) # scheduler ops: start_date = int(time.time()) schd_job1 = schd_ops.create_scheduler_job('simple_start_vm_scheduler', 'simple_start_vm_scheduler', vm.get_vm().uuid, 'startVm', None, session_uuid=project_login_uuid) schd_trigger1 = schd_ops.create_scheduler_trigger('simple_start_vm_scheduler', start_date+5, None, 15, 'simple', session_uuid=project_login_uuid) schd_ops.add_scheduler_job_to_trigger(schd_trigger1.uuid, schd_job1.uuid, session_uuid=project_login_uuid) schd_ops.change_scheduler_state(schd_job1.uuid, 'disable', session_uuid=project_login_uuid) schd_ops.change_scheduler_state(schd_job1.uuid, 'enable', session_uuid=project_login_uuid) schd_ops.remove_scheduler_job_from_trigger(schd_trigger1.uuid, schd_job1.uuid, session_uuid=project_login_uuid) schd_ops.del_scheduler_job(schd_job1.uuid, session_uuid=project_login_uuid) schd_ops.del_scheduler_trigger(schd_trigger1.uuid, session_uuid=project_login_uuid) schd_ops.get_current_time() vm_ops.destroy_vm(vm.get_vm().uuid, session_uuid=project_login_uuid) vm_ops.expunge_vm(vm.get_vm().uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) if flavor['target_role'] != 'system_admin': iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project if flavor['target_role'] != 'system_admin': project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid elif flavor['target_role'] == 'system_admin': username = "******" password = '******' vid_tst_obj = test_vid.ZstackTestVid() test_stub.create_system_admin(username, password, vid_tst_obj) virtual_id_uuid = vid_tst_obj.get_vid().uuid project_login_uuid = acc_ops.login_by_account(username, password) # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.header.image.**"]}, {"effect": "Allow", "actions": ["org.zstack.header.storage.backup.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) bs = res_ops.query_resource(res_ops.BACKUP_STORAGE)[0] image_option = test_util.ImageOption() image_option.set_name('fake_image') image_option.set_description('fake image') image_option.set_format('raw') image_option.set_mediaType('RootVolumeTemplate') image_option.set_backup_storage_uuid_list([bs.uuid]) image_option.url = "http://fake/fake.raw" image_option.set_session_uuid(project_login_uuid) image_uuid = img_ops.add_image(image_option).uuid img_ops.sync_image_size(image_uuid, session_uuid=project_login_uuid) img_ops.change_image_state(image_uuid, 'disable', session_uuid=project_login_uuid) img_ops.change_image_state(image_uuid, 'enable', session_uuid=project_login_uuid) if bs.type == inventory.IMAGE_STORE_BACKUP_STORAGE_TYPE: img_ops.export_image_from_backup_storage(image_uuid, bs.uuid, session_uuid=project_login_uuid) img_ops.delete_exported_image_from_backup_storage(image_uuid, bs.uuid, session_uuid=project_login_uuid) img_ops.set_image_qga_enable(image_uuid, session_uuid=project_login_uuid) img_ops.set_image_qga_disable(image_uuid, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('name', '=', "fake_image") image = res_ops.query_resource(res_ops.IMAGE, cond, session_uuid=project_login_uuid) if image == None: test_util.test_fail('fail to query image just added') img_ops.delete_image(image_uuid, session_uuid=project_login_uuid) img_ops.expunge_image(image_uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) if flavor['target_role'] != 'system_admin': iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) vm_creation_option = test_util.VmOption() l3_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3VlanNetwork3')).uuid acc_ops.share_resources([project_linked_account_uuid], [l3_net_uuid]) vm_creation_option.set_l3_uuids([l3_net_uuid]) image_uuid = test_lib.lib_get_image_by_name("centos").uuid vm_creation_option.set_image_uuid(image_uuid) acc_ops.share_resources([project_linked_account_uuid], [image_uuid]) instance_offering_uuid = test_lib.lib_get_instance_offering_by_name(os.environ.get('instanceOfferingName_s')).uuid vm_creation_option.set_instance_offering_uuid(instance_offering_uuid) acc_ops.share_resources([project_linked_account_uuid], [instance_offering_uuid]) vm_creation_option.set_name('vm_for_project_management') vm_creation_option.set_session_uuid(project_login_uuid) vm = test_stub.create_vm(image_uuid = image_uuid, session_uuid=project_login_uuid) vm_uuid = vm.get_vm().uuid # VM related ops: Create, Delete, Expunge, Start, Stop, Suspend, Resume, Migrate vm_ops.stop_vm(vm_uuid, session_uuid=project_login_uuid) vm_ops.start_vm(vm_uuid, session_uuid=project_login_uuid) candidate_hosts = vm_ops.get_vm_migration_candidate_hosts(vm_uuid) if candidate_hosts != None and test_lib.lib_check_vm_live_migration_cap(vm.get_vm()): vm_ops.migrate_vm(vm_uuid, candidate_hosts.inventories[0].uuid, session_uuid=project_login_uuid) vm_ops.stop_vm(vm_uuid, force='cold', session_uuid=project_login_uuid) vm_ops.start_vm(vm_uuid, session_uuid=project_login_uuid) vm_ops.suspend_vm(vm_uuid, session_uuid=project_login_uuid) vm_ops.resume_vm(vm_uuid, session_uuid=project_login_uuid) vm_ops.destroy_vm(vm_uuid, session_uuid=project_login_uuid) vm_ops.expunge_vm(vm_uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global role_uuid, project_uuid, project_admin_uuid, virtual_id_uuid, virtual_id_group_uuid # 1 create project project_name = 'test_project' project_uuid = iam2_ops.create_iam2_project(project_name).uuid # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id( project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', password).uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid], project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # 4 login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id( project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project( project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) # 5 create virtual id group virtual_id_group_uuid = iam2_ops.create_iam2_virtual_id_group( project_uuid, 'test_virtual_id_group', session_uuid=project_login_uuid).uuid # 6 add virtual id into project and group # TODO:add query iam2_ops.add_iam2_virtual_ids_to_project([virtual_id_uuid], project_uuid, session_uuid=project_login_uuid) iam2_ops.add_iam2_virtual_ids_to_group([virtual_id_uuid], virtual_id_group_uuid, session_uuid=project_login_uuid) # 7 create role statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.**"]}] role_uuid = iam2_ops.create_role('test_role', statements, session_uuid=project_login_uuid).uuid # 8 add/remove roles to/from virtual id (group) iam2_ops.add_roles_to_iam2_virtual_id_group( [role_uuid], virtual_id_group_uuid, session_uuid=project_login_uuid) iam2_ops.remove_roles_from_iam2_virtual_idgroup( [role_uuid], virtual_id_group_uuid, session_uuid=project_login_uuid) iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], virtual_id_uuid, session_uuid=project_login_uuid) iam2_ops.remove_roles_from_iam2_virtual_id([role_uuid], virtual_id_uuid, session_uuid=project_login_uuid) # 9 create/delete project operator attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(virtual_id_uuid, attributes, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('virtualIDUuid', '=', virtual_id_uuid) cond_02 = res_ops.gen_query_conditions('name', '=', "__ProjectOperator__", cond) attribute_uuid = res_ops.query_resource_fields( res_ops.IAM2_VIRTUAL_ID_ATTRIBUTE, cond_02)[0].uuid iam2_ops.remove_attributes_from_iam2_virtual_id( virtual_id_uuid, [attribute_uuid], session_uuid=project_login_uuid) # 10 remove virtual ids from group and project iam2_ops.remove_iam2_virtual_ids_from_group( [virtual_id_uuid], virtual_id_group_uuid, session_uuid=project_login_uuid) iam2_ops.remove_iam2_virtual_ids_from_project( [virtual_id_uuid], project_uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) iam2_ops.delete_role(role_uuid) iam2_ops.clean_iam2_enviroment() test_util.test_pass('success test iam2 login in by project admin!')
def test(): global vid_uuid iam2_ops.clean_iam2_enviroment() statements = [] flavor = case_flavor[os.environ.get('CASE_FLAVOR')] vid_test_obj = test_vid.ZstackTestVid() if flavor['target_admin'] == 'noDeleteAdmin': username = '******' password = '******' vid_test_obj.create(username, password, without_default_role="true") vid_uuid = vid_test_obj.get_vid().uuid #platform_admin_uuid = iam2_ops.create_iam2_virtual_id(username, password).uuid attributes = [{"name": "__PlatformAdmin__"}, {"name":"__PlatformAdminRelatedZone__", "value": "ALL_ZONES"}] iam2_ops.add_attributes_to_iam2_virtual_id(vid_uuid, attributes) #platform_admin_session_uuid = iam2_ops.login_iam2_virtual_id(username, password) role_uuid = iam2_ops.create_role('noDeleteRole').uuid statements = [{"effect": "Deny", "actions": ["org.zstack.v2v.APIDeleteV2VConversionHostMsg", "org.zstack.scheduler.APIRemoveSchedulerJobFromSchedulerTriggerMsg", "org.zstack.header.hybrid.account.APIDeleteHybridKeySecretMsg", "org.zstack.iam2.api.APIRemoveIAM2VirtualIDsFromOrganizationMsg", "org.zstack.header.longjob.APIDeleteLongJobMsg", "org.zstack.header.cloudformation.APIDeleteResourceStackMsg", "org.zstack.monitoring.APIDetachMonitorTriggerActionFromTriggerMsg", "org.zstack.iam2.api.APIDeleteIAM2ProjectTemplateMsg", "org.zstack.header.cloudformation.APIDeleteStackTemplateMsg", "org.zstack.header.aliyun.storage.disk.APIDeleteAliyunDiskFromLocalMsg", "org.zstack.header.identity.APILogOutMsg", "org.zstack.autoscaling.group.APIDeleteAutoScalingGroupMsg", "org.zstack.header.aliyun.network.vpc.APIDeleteEcsVSwitchRemoteMsg", "org.zstack.network.securitygroup.APIDeleteSecurityGroupMsg", "org.zstack.iam2.api.APIRemoveAttributesFromIAM2VirtualIDGroupMsg", "org.zstack.header.hybrid.network.vpn.APIDeleteVpcVpnGatewayLocalMsg", "org.zstack.header.storage.primary.APIDetachPrimaryStorageFromClusterMsg", "org.zstack.header.hybrid.backup.APIDeleteBackupFileInPublicMsg", "org.zstack.header.storage.database.backup.APIDeleteExportedDatabaseBackupFromBackupStorageMsg", "org.zstack.iam2.api.APIRemoveRolesFromIAM2VirtualIDGroupMsg", "org.zstack.header.aliyun.network.group.APIDeleteEcsSecurityGroupRuleRemoteMsg", "org.zstack.header.vm.APIDeleteVmNicMsg", "org.zstack.header.affinitygroup.APIDeleteAffinityGroupMsg", "org.zstack.header.zone.APIDeleteZoneMsg", "org.zstack.sns.APIDeleteSNSApplicationPlatformMsg", "org.zstack.header.aliyun.storage.snapshot.APIDeleteAliyunSnapshotFromRemoteMsg", "org.zstack.vrouterRoute.APIDeleteVRouterRouteTableMsg", "org.zstack.pciDevice.APIDeletePciDeviceMsg", "org.zstack.header.network.l3.APIRemoveDnsFromL3NetworkMsg", "org.zstack.storage.ceph.backup.APIRemoveMonFromCephBackupStorageMsg", "org.zstack.header.image.APIExpungeImageMsg", "org.zstack.header.network.l3.APIDeleteL3NetworkMsg", "org.zstack.header.aliyun.network.connection.APIDeleteAliyunRouterInterfaceLocalMsg", "org.zstack.network.service.lb.APIRemoveCertificateFromLoadBalancerListenerMsg", "org.zstack.nas.APIDeleteNasMountTargetMsg", "org.zstack.nas.APIDeleteNasFileSystemMsg", "org.zstack.header.storage.primary.APIDeletePrimaryStorageMsg", "org.zstack.zwatch.alarm.APIRemoveLabelFromEventSubscriptionMsg", "org.zstack.ticket.iam2.api.APIDeleteIAM2TicketFlowMsg", "org.zstack.header.identity.APIDeletePolicyMsg", "org.zstack.network.service.portforwarding.APIDetachPortForwardingRuleMsg", "org.zstack.header.host.APIDeleteHostMsg", "org.zstack.header.affinitygroup.APIRemoveVmFromAffinityGroupMsg", "org.zstack.header.baremetal.preconfiguration.APIDeletePreconfigurationTemplateMsg", "org.zstack.iam2.api.APIRemoveAttributesFromIAM2VirtualIDMsg", "org.zstack.sns.APIDeleteSNSApplicationEndpointMsg", "org.zstack.header.aliyun.network.connection.APIDeleteVirtualBorderRouterLocalMsg", "org.zstack.monitoring.media.APIDeleteMediaMsg", "org.zstack.aliyun.pangu.APIDeleteAliyunPanguPartitionMsg", "org.zstack.header.aliyun.ecs.APIDeleteEcsInstanceMsg", "org.zstack.scheduler.APIDeleteSchedulerTriggerMsg", "org.zstack.scheduler.APIRemoveSchedulerJobsFromSchedulerJobGroupMsg", "org.zstack.zwatch.alarm.APIUnsubscribeEventMsg", "org.zstack.header.identity.role.api.APIDetachRoleFromAccountMsg", "org.zstack.zwatch.alarm.APIRemoveActionFromAlarmMsg", "org.zstack.ldap.APIDeleteLdapBindingMsg", "org.zstack.header.daho.process.APIDeleteDahoDataCenterConnectionMsg", "org.zstack.monitoring.APIDeleteAlertMsg", "org.zstack.header.configuration.APIDeleteInstanceOfferingMsg", "org.zstack.storage.ceph.primary.APIRemoveMonFromCephPrimaryStorageMsg", "org.zstack.ipsec.APIRemoveRemoteCidrsFromIPsecConnectionMsg", "org.zstack.header.network.l3.APIRemoveHostRouteFromL3NetworkMsg", "org.zstack.header.image.APIDeleteImageMsg", "org.zstack.header.hybrid.network.eip.APIDeleteHybridEipRemoteMsg", "org.zstack.header.vm.APIDeleteVmSshKeyMsg", "org.zstack.header.identity.APIDetachPolicyFromUserMsg", "org.zstack.iam2.api.APIRemoveAttributesFromIAM2ProjectMsg", "org.zstack.iam2.api.APIRemoveAttributesFromIAM2OrganizationMsg", "org.zstack.header.network.l2.APIDetachL2NetworkFromClusterMsg", "org.zstack.header.aliyun.oss.APIDeleteOssBucketFileRemoteMsg", "org.zstack.iam2.api.APIRemoveIAM2VirtualIDsFromGroupMsg", "org.zstack.header.aliyun.storage.snapshot.APIDeleteAliyunSnapshotFromLocalMsg", "org.zstack.header.aliyun.ecs.APIDeleteAllEcsInstancesFromDataCenterMsg", "org.zstack.header.aliyun.network.connection.APIDeleteAliyunRouterInterfaceRemoteMsg", "org.zstack.sns.platform.dingtalk.APIRemoveSNSDingTalkAtPersonMsg", "org.zstack.autoscaling.template.APIDetachAutoScalingTemplateFromGroupMsg", "org.zstack.aliyun.nas.message.APIDeleteAliyunNasAccessGroupMsg", "org.zstack.header.storage.snapshot.APIDeleteVolumeSnapshotMsg", "org.zstack.header.volume.APIDetachDataVolumeFromVmMsg", "org.zstack.ipsec.APIDeleteIPsecConnectionMsg", "org.zstack.header.aliyun.oss.APIDeleteOssBucketRemoteMsg", "org.zstack.header.network.l2.APIDeleteL2NetworkMsg", "org.zstack.iam2.api.APIDeleteIAM2VirtualIDMsg", "org.zstack.header.baremetal.instance.APIDestroyBaremetalInstanceMsg", "org.zstack.header.vm.cdrom.APIDeleteVmCdRomMsg", "org.zstack.header.aliyun.network.vrouter.APIDeleteVirtualRouterLocalMsg", "org.zstack.header.hybrid.network.vpn.APIDeleteVpcIkeConfigLocalMsg", "org.zstack.header.aliyun.oss.APIDeleteOssBucketNameLocalMsg", "org.zstack.header.vm.APIDeleteVmConsolePasswordMsg", "org.zstack.header.storage.backup.APIDeleteBackupStorageMsg", "org.zstack.iam2.api.APIExpungeIAM2ProjectMsg", "org.zstack.vrouterRoute.APIDetachVRouterRouteTableFromVRouterMsg", "org.zstack.ticket.api.APIDeleteTicketMsg", "org.zstack.iam2.api.APIDeleteIAM2ProjectMsg", "org.zstack.header.aliyun.network.vpc.APIDeleteEcsVSwitchInLocalMsg", "org.zstack.zwatch.alarm.sns.APIDeleteSNSTextTemplateMsg", "org.zstack.iam2.api.APIDeleteIAM2OrganizationMsg", "org.zstack.header.tag.APIDeleteTagMsg", "org.zstack.header.aliyun.network.group.APIDeleteEcsSecurityGroupInLocalMsg", "org.zstack.network.securitygroup.APIDeleteSecurityGroupRuleMsg", "org.zstack.storage.fusionstor.primary.APIRemoveMonFromFusionstorPrimaryStorageMsg", "org.zstack.header.daho.process.APIDeleteDahoCloudConnectionMsg", "org.zstack.header.identity.APIDeleteUserMsg", "org.zstack.zwatch.alarm.APIRemoveActionFromEventSubscriptionMsg", "org.zstack.ticket.api.APIDeleteTicketFlowCollectionMsg", "org.zstack.network.service.lb.APIDeleteLoadBalancerListenerMsg", "org.zstack.storage.fusionstor.backup.APIRemoveMonFromFusionstorBackupStorageMsg", "org.zstack.header.identity.APIDetachPoliciesFromUserMsg", "org.zstack.tag2.APIDetachTagFromResourcesMsg", "org.zstack.header.identity.role.api.APIDetachPolicyFromRoleMsg", "org.zstack.storage.ceph.primary.APIDeleteCephPrimaryStoragePoolMsg", "org.zstack.header.aliyun.image.APIDeleteEcsImageLocalMsg", "org.zstack.header.network.service.APIDetachNetworkServiceFromL3NetworkMsg", "org.zstack.zwatch.alarm.APIRemoveLabelFromAlarmMsg", "org.zstack.header.vm.APIDeleteVmBootModeMsg", "org.zstack.billing.APIDeleteResourcePriceMsg", "org.zstack.header.hybrid.network.vpn.APIDeleteVpcVpnConnectionLocalMsg", "org.zstack.header.aliyun.storage.disk.APIDeleteAliyunDiskFromRemoteMsg", "org.zstack.header.identity.APIDetachPolicyFromUserGroupMsg", "org.zstack.header.identityzone.APIDeleteIdentityZoneInLocalMsg", "org.zstack.header.vm.APIDeleteVmHostnameMsg", "org.zstack.core.config.resourceconfig.APIDeleteResourceConfigMsg", "org.zstack.header.aliyun.storage.snapshot.APIGCAliyunSnapshotRemoteMsg", "org.zstack.zwatch.api.APIDeleteMetricDataMsg", "org.zstack.header.baremetal.pxeserver.APIDetachBaremetalPxeServerFromClusterMsg", "org.zstack.header.hybrid.network.vpn.APIDeleteVpcUserVpnGatewayRemoteMsg", "org.zstack.header.identity.APIDeleteUserGroupMsg", "org.zstack.header.vm.APIDetachIsoFromVmInstanceMsg", "org.zstack.header.vm.APIDestroyVmInstanceMsg", "org.zstack.network.securitygroup.APIDetachSecurityGroupFromL3NetworkMsg", "org.zstack.autoscaling.group.rule.trigger.APIDeleteAutoScalingRuleTriggerMsg", "org.zstack.scheduler.APIDeleteSchedulerJobGroupMsg", "org.zstack.header.cluster.APIDeleteClusterMsg", "org.zstack.zwatch.alarm.APIDeleteAlarmMsg", "org.zstack.header.network.l3.APIDeleteIpRangeMsg", "org.zstack.header.core.webhooks.APIDeleteWebhookMsg", "org.zstack.network.service.lb.APIDeleteLoadBalancerMsg", "org.zstack.autoscaling.group.rule.APIDeleteAutoScalingRuleMsg", "org.zstack.header.storage.snapshot.APIBatchDeleteVolumeSnapshotMsg", "org.zstack.header.vm.APIDeleteNicQosMsg", "org.zstack.header.hybrid.network.vpn.APIDeleteVpcVpnConnectionRemoteMsg", "org.zstack.header.vipQos.APIDeleteVipQosMsg", "org.zstack.monitoring.actions.APIDeleteMonitorTriggerActionMsg", "org.zstack.header.baremetal.chassis.APIDeleteBaremetalChassisMsg", "org.zstack.header.volume.APIExpungeDataVolumeMsg", "org.zstack.header.identity.role.api.APIRemovePolicyStatementsFromRoleMsg", "org.zstack.header.aliyun.network.connection.APIDeleteConnectionBetweenL3NetWorkAndAliyunVSwitchMsg", "org.zstack.header.vm.APIExpungeVmInstanceMsg", "org.zstack.vpc.APIRemoveDnsFromVpcRouterMsg", "org.zstack.header.configuration.APIDeleteDiskOfferingMsg", "org.zstack.header.protocol.APIRemoveVRouterNetworksFromOspfAreaMsg", "org.zstack.scheduler.APIDeleteSchedulerJobMsg", "org.zstack.network.service.lb.APIDeleteCertificateMsg", "org.zstack.header.hybrid.network.eip.APIDeleteHybridEipFromLocalMsg", "org.zstack.header.hybrid.network.vpn.APIDeleteVpcIpSecConfigLocalMsg", "org.zstack.header.identity.role.api.APIDeleteRoleMsg", "org.zstack.scheduler.APIRemoveSchedulerJobGroupFromSchedulerTriggerMsg", "org.zstack.accessKey.APIDeleteAccessKeyMsg", "org.zstack.header.protocol.APIDeleteVRouterOspfAreaMsg", "org.zstack.header.volume.APIDeleteVolumeQosMsg", "org.zstack.pciDevice.APIDeletePciDeviceOfferingMsg", "org.zstack.header.storage.volume.backup.APIDeleteVmBackupMsg", "org.zstack.iam2.api.APIDeleteIAM2VirtualIDGroupMsg", "org.zstack.ldap.APIDeleteLdapServerMsg", "org.zstack.header.storage.database.backup.APIDeleteDatabaseBackupMsg", "org.zstack.network.service.portforwarding.APIDeletePortForwardingRuleMsg", "org.zstack.header.aliyun.ecs.APIDeleteEcsInstanceLocalMsg", "org.zstack.sns.APIUnsubscribeSNSTopicMsg", "org.zstack.vrouterRoute.APIDeleteVRouterRouteEntryMsg", "org.zstack.network.service.vip.APIDeleteVipMsg", "org.zstack.header.storage.backup.APIDeleteExportedImageFromBackupStorageMsg", "org.zstack.core.gc.APIDeleteGCJobMsg", "org.zstack.network.service.eip.APIDeleteEipMsg", "org.zstack.header.daho.process.APIDeleteDahoVllMsg", "org.zstack.header.aliyun.network.vrouter.APIDeleteAliyunRouteEntryRemoteMsg", "org.zstack.header.aliyun.network.connection.APIDeleteConnectionAccessPointLocalMsg", "org.zstack.network.service.lb.APIRemoveVmNicFromLoadBalancerMsg", "org.zstack.sns.APIDeleteSNSTopicMsg", "org.zstack.ipsec.APIDetachL3NetworksFromIPsecConnectionMsg", "org.zstack.iam2.api.APIRemoveRolesFromIAM2VirtualIDMsg", "org.zstack.iam2.api.APIRemoveIAM2VirtualIDsFromProjectMsg", "org.zstack.header.vm.APIDeleteVmStaticIpMsg", "org.zstack.header.storage.backup.APIDetachBackupStorageFromZoneMsg", "org.zstack.header.aliyun.account.APIDeleteAliyunKeySecretMsg", "org.zstack.storage.device.iscsi.APIDeleteIscsiServerMsg", "org.zstack.autoscaling.template.APIDeleteAutoScalingTemplateMsg", "org.zstack.header.storage.volume.backup.APIDeleteVolumeBackupMsg", "org.zstack.header.baremetal.pxeserver.APIDeleteBaremetalPxeServerMsg", "org.zstack.aliyun.nas.message.APIDeleteAliyunNasAccessGroupRuleMsg", "org.zstack.header.volume.APIDeleteDataVolumeMsg", "org.zstack.header.aliyun.network.group.APIDeleteEcsSecurityGroupRemoteMsg", "org.zstack.network.securitygroup.APIDeleteVmNicFromSecurityGroupMsg", "org.zstack.network.l2.vxlan.vxlanNetworkPool.APIDeleteVniRangeMsg", "org.zstack.header.aliyun.image.APIDeleteEcsImageRemoteMsg", "org.zstack.storage.device.iscsi.APIDetachIscsiServerFromClusterMsg", "org.zstack.autoscaling.group.instance.APIDeleteAutoScalingGroupInstanceMsg", "org.zstack.header.identity.APIDeleteAccountMsg", "org.zstack.header.storageDevice.APIDetachScsiLunFromVmInstanceMsg", "org.zstack.vmware.APIDeleteVCenterMsg", "org.zstack.license.APIDeleteLicenseMsg", "org.zstack.header.hybrid.network.vpn.APIDeleteVpcUserVpnGatewayLocalMsg", "org.zstack.header.vm.APIDetachL3NetworkFromVmMsg", "org.zstack.header.identity.APIRemoveUserFromGroupMsg", "org.zstack.header.aliyun.network.vpc.APIDeleteEcsVpcRemoteMsg", "org.zstack.header.datacenter.APIDeleteDataCenterInLocalMsg", "org.zstack.header.aliyun.network.vpc.APIDeleteEcsVpcInLocalMsg", "org.zstack.network.service.eip.APIDetachEipMsg", "org.zstack.monitoring.APIDeleteMonitorTriggerMsg"]}] policy_uuid = iam2_ops.create_policy('noDeletePolicy', statements).uuid iam2_ops.attach_policy_to_role(policy_uuid, role_uuid) iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], vid_test_obj.get_vid().uuid) vid_test_obj.set_customized("noDeleteAdminPermission") vid_test_obj.set_vid_statements(statements) vid_test_obj.check() iam2_ops.update_role(role_uuid, []) iam2_ops.add_policy_statements_to_role(role_uuid, statements) vid_test_obj.set_customized("noDeleteAdminPermission") vid_test_obj.set_vid_statements(statements) vid_test_obj.check() #if flavor['target_admin'] == 'readOnlyAdmin': # username = '******' # password = '******' # vid_uuid = iam2_ops.create_iam2_virtual_id(username, password).uuid # attributes = [{"name": "__AuditAdmin__"}] # iam2_ops.add_attributes_to_iam2_virtual_id(vid_uuid, attributes) # read_only_admin_session_uuid = iam2_ops.login_iam2_virtual_id(username, password) # vid_test_obj.set_vid_statements(statements) # vid_test_obj.check() vid_test_obj.delete() test_util.test_pass('success test iam2 policy!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id( project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id( 'usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid], project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id( project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project( project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id( project_operator_name, project_operator_password, attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id( 'usernamethree', 'password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid], project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id( project_operator_name, project_operator_password) project_login_uuid = iam2_ops.login_iam2_project( project_name, session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id( plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid], project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id( plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project( project_name, plain_user_session_uuid).uuid # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{ "effect": "Allow", "actions": ["org.zstack.header.vm.**"] }] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) vm_creation_option = test_util.VmOption() pub_l3_uuid = test_lib.lib_get_l3_by_name( os.environ.get('l3PublicNetworkName')).uuid l3_net_uuid = test_lib.lib_get_l3_by_name( os.environ.get('l3VlanNetworkName3')).uuid acc_ops.share_resources([project_linked_account_uuid], [l3_net_uuid]) vm_creation_option.set_l3_uuids([l3_net_uuid]) image_uuid = test_lib.lib_get_image_by_name( os.environ.get('imageName_net')).uuid vm_creation_option.set_image_uuid(image_uuid) acc_ops.share_resources([project_linked_account_uuid], [image_uuid]) instance_offering_uuid = test_lib.lib_get_instance_offering_by_name( os.environ.get('instanceOfferingName_s')).uuid vm_creation_option.set_instance_offering_uuid(instance_offering_uuid) acc_ops.share_resources([project_linked_account_uuid], [instance_offering_uuid]) vm_creation_option.set_name('vm_for_project_management') vm_creation_option.set_session_uuid(project_login_uuid) vm = test_stub.create_vm(image_uuid=image_uuid, session_uuid=project_login_uuid) vm_uuid = vm.get_vm().uuid vip_option = test_util.VipOption() vip_option.set_name("vip for pm") vip_option.set_session_uuid(project_login_uuid) vip_option.set_l3_uuid(pub_l3_uuid) vm_nic = vm.vm.vmNics[0] vm_nic_uuid = vm_nic.uuid vip = net_ops.create_vip(vip_option) eip_option = test_util.EipOption() eip_option.set_name('eip for pm') eip_option.set_session_uuid(project_login_uuid) eip_option.set_vip_uuid(vip.uuid) eip_option.set_vm_nic_uuid(vm_nic_uuid) eip = net_ops.create_eip(eip_option) net_ops.detach_eip(eip.uuid, session_uuid=project_login_uuid) net_ops.attach_eip(eip.uuid, vm_nic_uuid, session_uuid=project_login_uuid) net_ops.detach_eip(eip.uuid, session_uuid=project_login_uuid) net_ops.delete_eip(eip.uuid) net_ops.delete_vip(vip.uuid) vm_ops.destroy_vm(vm_uuid, session_uuid=project_login_uuid) vm_ops.expunge_vm(vm_uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.header.volume.**"]}, {"effect": "Allow", "actions": ["org.zstack.header.vm.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) # Volume related ops: Create, Delete, Expunge, Attach, Dettach, Enable, Disable disk_offering_uuid = res_ops.query_resource(res_ops.DISK_OFFERING)[0].uuid acc_ops.share_resources([project_linked_account_uuid], [disk_offering_uuid]) volume_option = test_util.VolumeOption() volume_option.set_disk_offering_uuid(disk_offering_uuid) volume_option.set_name('data_volume_project_management') volume_option.set_session_uuid(project_login_uuid) data_volume = vol_ops.create_volume_from_offering(volume_option) vol_ops.stop_volume(data_volume.uuid, session_uuid=project_login_uuid) vol_ops.start_volume(data_volume.uuid, session_uuid=project_login_uuid) vm_creation_option = test_util.VmOption() l3_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3VlanNetwork3')).uuid acc_ops.share_resources([project_linked_account_uuid], [l3_net_uuid]) vm_creation_option.set_l3_uuids([l3_net_uuid]) image_uuid = test_lib.lib_get_image_by_name("centos").uuid vm_creation_option.set_image_uuid(image_uuid) acc_ops.share_resources([project_linked_account_uuid], [image_uuid]) instance_offering_uuid = test_lib.lib_get_instance_offering_by_name(os.environ.get('instanceOfferingName_s')).uuid vm_creation_option.set_instance_offering_uuid(instance_offering_uuid) acc_ops.share_resources([project_linked_account_uuid], [instance_offering_uuid]) vm_creation_option.set_name('vm_for_project_management') vm_creation_option.set_session_uuid(project_login_uuid) vm = test_stub.create_vm(image_uuid = image_uuid, session_uuid=project_login_uuid) vm_uuid = vm.get_vm().uuid vol_ops.attach_volume(data_volume.uuid, vm_uuid, session_uuid=project_login_uuid) vol_ops.detach_volume(data_volume.uuid, vm_uuid, session_uuid=project_login_uuid) vol_ops.delete_volume(data_volume.uuid, session_uuid=project_login_uuid) vol_ops.expunge_volume(data_volume.uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project if flavor['target_role'] != 'system_admin': project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid elif flavor['target_role'] == 'system_admin': username = "******" password = '******' vid_tst_obj = test_vid.ZstackTestVid() test_stub.create_system_admin(username, password, vid_tst_obj) virtual_id_uuid = vid_tst_obj.get_vid().uuid project_login_uuid = acc_ops.login_by_account(username, password) # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.sns.**"]}, {"effect": "Allow", "actions": ["org.zstack.zwatch.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) # create platform smtp_server = os.environ.get('smtpServer') smtp_port = os.environ.get('smtpPort') email_platform_name = 'Alarm_email' email_username = os.environ.get('mailUsername') email_password = os.environ.get('mailPassword') email_platform = zwt_ops.create_sns_email_platform(smtp_server, smtp_port, email_platform_name, email_username, email_password, session_uuid=project_login_uuid) email_platform_uuid = email_platform.uuid cond=res_ops.gen_query_conditions('uuid','=',email_platform_uuid) inv = res_ops.query_resource(res_ops.SNS_EMAIL_PLATFORM,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('create sns email platform failed') try: zwt_ops.validate_sns_email_platform(email_platform_uuid) except: test_util.test_fail('Validate SNS Email Platform Failed, Email Plarform: %s' % email_platform_uuid) # create endpoint email_receiver = os.environ.get('mailUsername') email_endpoint_name = os.environ.get('mailPassword') email_endpoint_uuid = zwt_ops.create_sns_email_endpoint(email_receiver, email_endpoint_name, email_platform_uuid, session_uuid=project_login_uuid).uuid cond=res_ops.gen_query_conditions('uuid','=',email_endpoint_uuid) inv=res_ops.query_resource(res_ops.SNS_EMAIL_ENDPOINT,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('create sns email endpoint failed') http_endpoint_name='http' url = 'http://localhost:8080/webhook-url' http_username='******' http_password='******' http_endpoint=zwt_ops.create_sns_http_endpoint(url,http_endpoint_name,http_username,http_password, session_uuid=project_login_uuid) http_endpoint_uuid=http_endpoint.uuid cond=res_ops.gen_query_conditions('uuid','=',http_endpoint_uuid) inv=res_ops.query_resource(res_ops.SNS_HTTP_ENDPOINT,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('create sns http endpoint failed') # create sns topic and query system-in topic sns_topic_uuid = zwt_ops.create_sns_topic('sns_topic_01', session_uuid=project_login_uuid).uuid zwt_ops.subscribe_sns_topic(sns_topic_uuid, email_endpoint_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('endpoints.uuid','=',email_endpoint_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('create and subscribe snstopic failed') cond = res_ops.gen_query_conditions('name', '=', 'system-alarm') system_alarm_topic = res_ops.query_resource(res_ops.SNS_TOPIC, cond)[0] system_alarm_topic_uuid=system_alarm_topic.uuid if flavor['target_role'] != 'system_admin': acc_ops.share_resources([project_linked_account_uuid], [system_alarm_topic_uuid]) cond = res_ops.gen_query_conditions('name', '=', 'system-alarm') system_alarm_topic = res_ops.query_resource(res_ops.SNS_TOPIC, cond)[0] system_alarm_topic_uuid=system_alarm_topic.uuid zwt_ops.subscribe_sns_topic(system_alarm_topic_uuid, email_endpoint_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('endpoints.uuid','=',email_endpoint_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('subscribe system-alarm topic failed') cond = res_ops.gen_query_conditions('name','=','api') api_topic= res_ops.query_resource(res_ops.SNS_TOPIC,cond)[0] api_topic_uuid=api_topic.uuid if flavor['target_role'] != 'system_admin': acc_ops.share_resources([project_linked_account_uuid], [api_topic_uuid]) cond = res_ops.gen_query_conditions('name','=','api') api_topic= res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid)[0] api_topic_uuid=api_topic.uuid zwt_ops.subscribe_sns_topic(api_topic_uuid,http_endpoint_uuid, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('endpointUuid','=',http_endpoint_uuid) cond = res_ops.gen_query_conditions('topicUuid','=',api_topic_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC_SUBSCRIBER,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('subscribe api topic failed') # subscribe event namespace = 'ZStack/VM' actions = [{"actionUuid": sns_topic_uuid, "actionType": "sns"}] labels = [{"key": "NewState", "op": "Equal", "value": "Disconnected"}] event_name = 'VMStateChangedOnHost' event_sub_uuid = zwt_ops.subscribe_event(namespace, event_name, actions, labels, session_uuid=project_login_uuid).uuid cond = res_ops.gen_query_conditions('uuid', '=', event_sub_uuid) event_subscription = res_ops.query_resource(res_ops.EVENT_SUBSCRIPTION, cond, session_uuid=project_login_uuid) if not event_subscription: test_util.test_fail('Subscribe event failed') #update endpoint new_name='endpointNewName' new_description='endpoint new description' zwt_ops.update_sns_application_endpoint(email_endpoint_uuid,new_name,new_description, session_uuid=project_login_uuid) cond= res_ops.gen_query_conditions('uuid','=',email_endpoint_uuid) inv =res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT,cond, session_uuid=project_login_uuid)[0] if inv.name!=new_name or inv.description!=new_description: test_util.test_fail('test update email endpoint failed') zwt_ops.update_sns_application_endpoint(http_endpoint_uuid,new_name,new_description, session_uuid=project_login_uuid) cond= res_ops.gen_query_conditions('uuid','=',http_endpoint_uuid) inv =res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT,cond, session_uuid=project_login_uuid)[0] if inv.name!=new_name or inv.description!=new_description: test_util.test_fail('test update http endpoint failed') new_name_platform='platformNewName' new_description_platform='platformNewName' zwt_ops.update_sns_application_platform(email_platform_uuid,new_name_platform,new_description_platform, session_uuid=project_login_uuid) cond= res_ops.gen_query_conditions('uuid','=',email_platform_uuid) inv =res_ops.query_resource(res_ops.SNS_APPLICATION_PLATFORM,cond, session_uuid=project_login_uuid)[0] if inv.name!=new_name_platform or inv.description!=new_description_platform: test_util.test_fail('test update email platform failed') #change state state_event = 'disable' state_result = 'Disabled' zwt_ops.change_sns_topic_state(system_alarm_topic_uuid,state_event, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',system_alarm_topic_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid)[0] if inv.state!=state_result: test_util.test_fail('change system alarm topic state failed') zwt_ops.change_sns_topic_state(api_topic_uuid, state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', api_topic_uuid) inv = res_ops.query_resource(res_ops.SNS_TOPIC, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change api topic state failed') zwt_ops.change_sns_application_endpoint_state(email_endpoint_uuid,state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', email_endpoint_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change email endpoint state failed') zwt_ops.change_sns_application_endpoint_state(http_endpoint_uuid,state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', http_endpoint_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change http endpoint state failed') zwt_ops.change_sns_application_platform_state(email_platform_uuid,state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', email_platform_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_PLATFORM, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change email platform state failed') # test recover and delete state_event='enable' state_result='Enabled' zwt_ops.change_sns_topic_state(system_alarm_topic_uuid,state_event, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',system_alarm_topic_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid)[0] if inv.state!=state_result: test_util.test_fail('change system alarm topic state failed') zwt_ops.change_sns_topic_state(api_topic_uuid, state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', api_topic_uuid) inv = res_ops.query_resource(res_ops.SNS_TOPIC, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change api topic state failed') zwt_ops.unsubscribe_event(event_sub_uuid, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', event_sub_uuid) event_subscription = res_ops.query_resource(res_ops.EVENT_SUBSCRIPTION, cond, session_uuid=project_login_uuid) if event_subscription: test_util.test_fail('unsubscribe event failed') zwt_ops.unsubscribe_sns_topic(sns_topic_uuid, email_endpoint_uuid) cond =res_ops.gen_query_conditions('endpointUuid','=',email_endpoint_uuid) cond=res_ops.gen_query_conditions('topicUuid','=',sns_topic_uuid,cond) inv = res_ops.query_resource(res_ops.SNS_TOPIC_SUBSCRIBER,cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('unsubscribe sns topic failed') zwt_ops.unsubscribe_sns_topic(system_alarm_topic_uuid, email_endpoint_uuid, session_uuid=project_login_uuid) cond =res_ops.gen_query_conditions('endpointUuid','=',email_endpoint_uuid) cond=res_ops.gen_query_conditions('topicUuid','=',system_alarm_topic_uuid,cond) inv = res_ops.query_resource(res_ops.SNS_TOPIC_SUBSCRIBER,cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('unsubscribe system alarm topic failed') zwt_ops.unsubscribe_sns_topic(api_topic_uuid, http_endpoint_uuid, session_uuid=project_login_uuid) cond =res_ops.gen_query_conditions('endpointUuid','=',http_endpoint_uuid) cond=res_ops.gen_query_conditions('topicUuid','=',api_topic_uuid,cond) inv = res_ops.query_resource(res_ops.SNS_TOPIC_SUBSCRIBER,cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('unsubscribe api topic failed') zwt_ops.delete_sns_topic(sns_topic_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',sns_topic_uuid) inv = res_ops.query_resource(res_ops.SNS_TOPIC, cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('delete sns topic failed') zwt_ops.delete_sns_application_endpoint(http_endpoint_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',http_endpoint_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT, cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('delete http endpoint failed') zwt_ops.delete_sns_application_endpoint(email_endpoint_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',email_endpoint_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT, cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('delete email endpoint failed') zwt_ops.delete_sns_application_platform(email_platform_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',email_platform_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_PLATFORM, cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('delete email platform failed') # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) if flavor['target_role'] != 'system_admin': iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project if flavor['target_role'] != 'system_admin': project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid elif flavor['target_role'] == 'system_admin': username = "******" password = '******' vid_tst_obj = test_vid.ZstackTestVid() test_stub.create_system_admin(username, password, vid_tst_obj) virtual_id_uuid = vid_tst_obj.get_vid().uuid project_login_uuid = acc_ops.login_by_account(username, password) # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.network.service.lb.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) # certificate cert = net_ops.create_certificate('certificate_for_pm', 'fake certificate', session_uuid=project_login_uuid) net_ops.delete_certificate(cert.uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) if flavor['target_role'] != 'system_admin': iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id( project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id( 'usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid], project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id( project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project( project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id( project_operator_name, project_operator_password, attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id( 'usernamethree', 'password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid], project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id( project_operator_name, project_operator_password) project_login_uuid = iam2_ops.login_iam2_project( project_name, session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id( plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid], project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id( plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project( project_name, plain_user_session_uuid).uuid # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{ "effect": "Allow", "actions": ["org.zstack.header.image.**"] }, { "effect": "Allow", "actions": ["org.zstack.header.storage.backup.**"] }] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) bs = res_ops.query_resource(res_ops.BACKUP_STORAGE)[0] image_option = test_util.ImageOption() image_option.set_name('fake_image') image_option.set_description('fake image') image_option.set_format('raw') image_option.set_mediaType('RootVolumeTemplate') image_option.set_backup_storage_uuid_list([bs.uuid]) image_option.url = "http://fake/fake.raw" image_option.set_session_uuid(project_login_uuid) image_uuid = img_ops.add_image(image_option).uuid img_ops.sync_image_size(image_uuid, session_uuid=project_login_uuid) img_ops.change_image_state(image_uuid, 'disable', session_uuid=project_login_uuid) img_ops.change_image_state(image_uuid, 'enable', session_uuid=project_login_uuid) if bs.type == inventory.IMAGE_STORE_BACKUP_STORAGE_TYPE: img_ops.export_image_from_backup_storage( image_uuid, bs.uuid, session_uuid=project_login_uuid) img_ops.delete_exported_image_from_backup_storage( image_uuid, bs.uuid, session_uuid=project_login_uuid) img_ops.set_image_qga_enable(image_uuid, session_uuid=project_login_uuid) img_ops.set_image_qga_disable(image_uuid, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('name', '=', "fake_image") image = res_ops.query_resource(res_ops.IMAGE, cond, session_uuid=project_login_uuid) if image == None: test_util.test_fail('fail to query image just added') img_ops.delete_image(image_uuid, session_uuid=project_login_uuid) img_ops.expunge_image(image_uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, virtual_id_uuid statements = [] flavor = case_flavor[os.environ.get('CASE_FLAVOR')] zone_uuid = res_ops.query_resource(res_ops.ZONE)[0].uuid project_name = 'test_project_01' attributes = [{"name": "__ProjectRelatedZone__", "value": zone_uuid}] project_obj = iam2_ops.create_iam2_project(project_name, attributes=attributes) project_uuid = project_obj.uuid project_linked_account_uuid = project_obj.linkedAccountUuid password = '******' '''name = 'username' name1 = 'username1' name2 = 'username2' password = '******' vid = test_vid.ZstackTestVid() vid.create(name, password) attributes = [{"name": "__PlatformAdmin__"}] iam2_ops.add_attributes_to_iam2_virtual_id(vid.get_vid().uuid, attributes) vid.set_vid_attributes(attributes) vid.check() attributes = [{"name": "__ProjectAdmin__", "value": project_linked_account_uuid}] vid1 = test_vid.ZstackTestVid() vid1.create(name1, password) iam2_ops.add_iam2_virtual_ids_to_project([vid1.get_vid().uuid], project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(vid1.get_vid().uuid, attributes) vid1.set_vid_attributes(attributes) vid1.check() vid2 = test_vid.ZstackTestVid() vid2.create(name2, password) iam2_ops.add_iam2_virtual_ids_to_project([vid2.get_vid().uuid], project_uuid) attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(vid2.get_vid().uuid, attributes) vid2.set_vid_attributes(attributes) vid2.check() ''' policy_check_vid = test_vid.ZstackTestVid() policy_check_vid.create('policy_check', password) iam2_ops.add_iam2_virtual_ids_to_project([policy_check_vid.get_vid().uuid], project_uuid) virtual_id_uuid = policy_check_vid.get_vid().uuid if flavor['target_role'] == 'vm': statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.**", "org.zstack.ha.**"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: vm") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'vm_ops_without_creation': statements = [{"effect": "Allow", "actions": ["org.zstack.header.vm.APIGetVmQgaMsg", "org.zstack.header.vm.APIChangeVmImageMsg", "org.zstack.header.vm.APISetVmSshKeyMsg", "org.zstack.header.vm.APIStopVmInstanceMsg", "org.zstack.header.vm.APISetVmStaticIpMsg", "org.zstack.header.vm.APIRecoverVmInstanceMsg", "org.zstack.header.vm.APIQueryVmNicMsg", "org.zstack.header.vm.APIStartVmInstanceMsg", "org.zstack.header.vm.APIDestroyVmInstanceMsg", "org.zstack.header.vm.APIGetVmConsolePasswordMsg", "org.zstack.header.vm.APIDeleteVmStaticIpMsg", "org.zstack.header.vm.APISetNicQosMsg", "org.zstack.header.vm.APIRebootVmInstanceMsg", "org.zstack.header.vm.APIGetNicQosMsg", "org.zstack.header.vm.APIGetVmBootOrderMsg", "org.zstack.header.vm.APIChangeVmPasswordMsg", "org.zstack.header.vm.APIGetCandidatePrimaryStoragesForCreatingVmMsg", "org.zstack.header.vm.APISetVmRDPMsg", "org.zstack.header.vm.APIMigrateVmMsg", "org.zstack.header.vm.APIGetVmMigrationCandidateHostsMsg", "org.zstack.header.vm.APIAttachL3NetworkToVmMsg", "org.zstack.header.vm.APIExpungeVmInstanceMsg", "org.zstack.header.vm.APIGetCandidateVmForAttachingIsoMsg", "org.zstack.header.vm.APIAttachIsoToVmInstanceMsg", "org.zstack.header.vm.APIGetVmAttachableL3NetworkMsg", "org.zstack.header.vm.APIGetVmHostnameMsg", "org.zstack.header.vm.APIDeleteVmSshKeyMsg", "org.zstack.header.vm.APIGetVmMonitorNumberMsg", "org.zstack.header.vm.APISetVmQgaMsg", "org.zstack.header.vm.APIDetachL3NetworkFromVmMsg", "org.zstack.header.vm.APISetVmConsolePasswordMsg", "org.zstack.header.vm.APIGetCandidateZonesClustersHostsForCreatingVmMsg", "org.zstack.header.vm.APIGetVmAttachableDataVolumeMsg", "org.zstack.header.vm.APIGetInterdependentL3NetworksImagesMsg", "org.zstack.header.vm.APIGetCandidateIsoForAttachingVmMsg", "org.zstack.header.vm.APIDeleteNicQosMsg", "org.zstack.header.vm.APISetVmUsbRedirectMsg", "org.zstack.header.vm.APISetVmBootOrderMsg", "org.zstack.header.vm.APIGetImageCandidatesForVmToChangeMsg", "org.zstack.header.vm.APIGetVmConsoleAddressMsg", "org.zstack.header.vm.APIChangeInstanceOfferingMsg", "org.zstack.header.vm.APIDeleteVmHostnameMsg", "org.zstack.header.vm.APIGetVmUsbRedirectMsg", "org.zstack.header.vm.APIQueryVmInstanceMsg", "org.zstack.header.vm.APISetVmMonitorNumberMsg", "org.zstack.header.vm.APIReimageVmInstanceMsg", "org.zstack.header.vm.APIResumeVmInstanceMsg", "org.zstack.header.vm.APIUpdateVmNicMacMsg", "org.zstack.header.vm.APIGetVmCapabilitiesMsg", "org.zstack.header.vm.APIUpdateVmInstanceMsg", "org.zstack.header.vm.APIGetVmSshKeyMsg", "org.zstack.header.vm.APICloneVmInstanceMsg", "org.zstack.header.vm.APIDeleteVmConsolePasswordMsg", "org.zstack.header.vm.APISetVmHostnameMsg", "org.zstack.header.vm.APIGetVmStartingCandidateClustersHostsMsg", "org.zstack.header.vm.APIDetachIsoFromVmInstanceMsg", "org.zstack.header.vm.APIGetVmRDPMsg", "org.zstack.header.vm.APIPauseVmInstanceMsg"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: vm-operation-without-create-permission") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'image': statements = [{"effect": "Allow", "actions": ["org.zstack.header.image.**", "org.zstack.storage.backup.imagestore.APIGetImagesFromImageStoreBackupStorageMsg"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: image") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'snapshot': statements = [{"effect": "Allow", "actions": ["org.zstack.header.storage.snapshot.**", "org.zstack.header.volume.APICreateVolumeSnapshotMsg"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: snapshot") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'volume': statements = [{"effect": "Allow", "actions": ["org.zstack.header.volume.APICreateDataVolumeFromVolumeTemplateMsg", "org.zstack.header.volume.APIGetVolumeQosMsg", "org.zstack.header.volume.APISyncVolumeSizeMsg", "org.zstack.header.volume.APICreateDataVolumeFromVolumeSnapshotMsg", "org.zstack.header.volume.APIResizeDataVolumeMsg", "org.zstack.header.volume.APIRecoverDataVolumeMsg", "org.zstack.header.volume.APIExpungeDataVolumeMsg", "org.zstack.mevoco.APIQueryShareableVolumeVmInstanceRefMsg", "org.zstack.header.volume.APICreateDataVolumeMsg", "org.zstack.header.volume.APIGetVolumeCapabilitiesMsg", "org.zstack.header.volume.APIDetachDataVolumeFromVmMsg", "org.zstack.header.volume.APIDeleteVolumeQosMsg", "org.zstack.header.volume.APIGetVolumeFormatMsg", "org.zstack.header.volume.APIGetDataVolumeAttachableVmMsg", "org.zstack.header.volume.APIAttachDataVolumeToVmMsg", "org.zstack.header.volume.APIResizeRootVolumeMsg", "org.zstack.header.volume.APISetVolumeQosMsg", "org.zstack.header.volume.APIDeleteDataVolumeMsg", "org.zstack.header.volume.APIUpdateVolumeMsg", "org.zstack.header.volume.APIChangeVolumeStateMsg", "org.zstack.header.volume.APIQueryVolumeMsg"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: volume") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'affinity_group': statements = [{"effect": "Allow", "actions": ["org.zstack.header.affinitygroup.**"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: affinity-group") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'networks': statements = [{"effect": "Allow", "actions": ["org.zstack.header.network.l3.**", "org.zstack.network.service.flat.**", "org.zstack.header.network.l2.APIUpdateL2NetworkMsg", "org.zstack.header.network.service.APIQueryNetworkServiceProviderMsg", "org.zstack.header.network.service.APIAttachNetworkServiceToL3NetworkMsg", "org.zstack.network.l2.vxlan.vxlanNetworkPool.APIQueryVniRangeMsg", "org.zstack.network.l2.vxlan.vxlanNetwork.APIQueryL2VxlanNetworkMsg", "org.zstack.network.l2.vxlan.vxlanNetwork.APICreateL2VxlanNetworkMsg", "org.zstack.network.l2.vxlan.vxlanNetworkPool.APIQueryL2VxlanNetworkPoolMsg"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: networks") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'eip': statements = [{"effect": "Allow", "actions": ["org.zstack.network.service.vip.**", "org.zstack.network.service.eip.**", "org.zstack.header.vipQos.**"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: eip") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'sg': statements = [{"effect": "Allow", "actions": ["org.zstack.network.securitygroup.**"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: security-group") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'lb': statements = [{"effect": "Allow", "actions": ["org.zstack.network.service.lb.**", "org.zstack.network.service.vip.**", "org.zstack.header.vipQos.**"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: load-balancer") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'pf': statements = [{"effect": "Allow", "actions": ["org.zstack.network.service.portforwarding.**", "org.zstack.network.service.vip.**", "org.zstack.header.vipQos.**"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: port-forwarding") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'scheduler': statements = [{"effect": "Allow", "actions": ["org.zstack.scheduler.**"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: scheduler") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'pci': statements = [{"effect": "Allow", "actions": ["org.zstack.pciDevice.APIAttachPciDeviceToVmMsg", "org.zstack.pciDevice.APIUpdateHostIommuStateMsg", "org.zstack.pciDevice.APIGetPciDeviceCandidatesForNewCreateVmMsg", "org.zstack.pciDevice.APIDetachPciDeviceFromVmMsg", "org.zstack.pciDevice.APIQueryPciDeviceMsg", "org.zstack.pciDevice.APIGetPciDeviceCandidatesForAttachingVmMsg"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: pci-device") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'zwatch': statements = [{"effect": "Allow", "actions": ["org.zstack.zwatch.**", "org.zstack.sns.**"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: zwatch") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) if flavor['target_role'] == 'sns': statements = [{"effect": "Allow", "actions": ["org.zstack.sns.**"]}] cond = res_ops.gen_query_conditions('name', '=', "predefined: sns") cond = res_ops.gen_query_conditions('type', '=', "predefined", cond) #role_uuid = iam2_ops.create_role('test_role', statements).uuid role_uuid = res_ops.query_resource(res_ops.ROLE, cond)[0].uuid #iam2_ops.add_policy_statements_to_role(role_uuid, statements) #statement_uuid = iam2_ops.get_policy_statement_uuid_of_role(role_uuid, action) #iam2_ops.remove_policy_statements_from_role(role_uuid, [statement_uuid]) iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], policy_check_vid.get_vid().uuid) policy_check_vid.set_vid_statements(statements) policy_check_vid.check() #iam2_ops.remove_roles_from_iam2_virtual_id([role_uuid], policy_check_vid.get_vid().uuid) #policy_check_vid.set_vid_statements([]) #policy_check_vid.check() iam2_ops.delete_iam2_project(project_uuid) #vid.delete() #vid1.delete() #vid2.delete() policy_check_vid.delete() test_util.test_pass('success test iam2 policy!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id( project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id( 'usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid], project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id( project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project( project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id( project_operator_name, project_operator_password, attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id( 'usernamethree', 'password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid], project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id( project_operator_name, project_operator_password) project_login_uuid = iam2_ops.login_iam2_project( project_name, session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id( plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid], project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id( plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project( project_name, plain_user_session_uuid).uuid # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{ "effect": "Allow", "actions": ["org.zstack.network.service.lb.**"] }] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) # certificate cert = net_ops.create_certificate('certificate_for_pm', 'fake certificate', session_uuid=project_login_uuid) net_ops.delete_certificate(cert.uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid zone_uuid = res_ops.get_resource(res_ops.ZONE)[0].uuid try: l2 = net_ops.create_l2_novlan('l2_for_pm', 'eth0', zone_uuid, session_uuid=project_login_uuid) test_util.test_fail("Expect exception: project admin not allowed to create Novlan L2 except vxlan") except: pass try: l2 = net_ops.create_l2_vlan('l2_for_pm', 'eth0', zone_uuid, 1234, session_uuid=project_login_uuid) test_util.test_fail("Expect exception: project admin not allowed to create vlan L2 except vxlan") except: pass if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.network.l2.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) vxlan_pool = res_ops.get_resource(res_ops.L2_VXLAN_NETWORK_POOL) if vxlan_pool == None or len(vxlan_pool) == 0: test_util.test_skip('Vxlan is required for testing') vxlan_pool_uuid = vxlan_pool[0].uuid acc_ops.share_resources([project_linked_account_uuid], [vxlan_pool_uuid]) vxlan_pool_uuid = res_ops.get_resource(res_ops.L2_VXLAN_NETWORK_POOL, session_uuid=project_login_uuid)[0].uuid vxlan_l2_uuid = vxlan_ops.create_l2_vxlan_network('vxlan_for_pm', vxlan_pool_uuid, zone_uuid, session_uuid=project_login_uuid).uuid net_ops.delete_l2(vxlan_l2_uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid # Image related ops: Add, Delete, Expunge, sync image size, Update QGA, delete, expunge if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.sns.**"]}, {"effect": "Allow", "actions": ["org.zstack.zwatch.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) # create platform smtp_server = os.environ.get('smtpServer') smtp_port = os.environ.get('smtpPort') email_platform_name = 'Alarm_email' email_username = os.environ.get('mailUsername') email_password = os.environ.get('mailPassword') email_platform = zwt_ops.create_sns_email_platform(smtp_server, smtp_port, email_platform_name, email_username, email_password, session_uuid=project_login_uuid) email_platform_uuid = email_platform.uuid cond=res_ops.gen_query_conditions('uuid','=',email_platform_uuid) inv = res_ops.query_resource(res_ops.SNS_EMAIL_PLATFORM,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('create sns email platform failed') try: zwt_ops.validate_sns_email_platform(email_platform_uuid) except: test_util.test_fail('Validate SNS Email Platform Failed, Email Plarform: %s' % email_platform_uuid) # create endpoint email_receiver = os.environ.get('mailUsername') email_endpoint_name = os.environ.get('mailPassword') email_endpoint_uuid = zwt_ops.create_sns_email_endpoint(email_receiver, email_endpoint_name, email_platform_uuid, session_uuid=project_login_uuid).uuid cond=res_ops.gen_query_conditions('uuid','=',email_endpoint_uuid) inv=res_ops.query_resource(res_ops.SNS_EMAIL_ENDPOINT,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('create sns email endpoint failed') http_endpoint_name='http' url = 'http://localhost:8080/webhook-url' http_username='******' http_password='******' http_endpoint=zwt_ops.create_sns_http_endpoint(url,http_endpoint_name,http_username,http_password, session_uuid=project_login_uuid) http_endpoint_uuid=http_endpoint.uuid cond=res_ops.gen_query_conditions('uuid','=',http_endpoint_uuid) inv=res_ops.query_resource(res_ops.SNS_HTTP_ENDPOINT,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('create sns http endpoint failed') # create sns topic and query system-in topic sns_topic_uuid = zwt_ops.create_sns_topic('sns_topic_01', session_uuid=project_login_uuid).uuid zwt_ops.subscribe_sns_topic(sns_topic_uuid, email_endpoint_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('endpoints.uuid','=',email_endpoint_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('create and subscribe snstopic failed') cond = res_ops.gen_query_conditions('name', '=', 'system-alarm') system_alarm_topic = res_ops.query_resource(res_ops.SNS_TOPIC, cond)[0] system_alarm_topic_uuid=system_alarm_topic.uuid acc_ops.share_resources([project_linked_account_uuid], [system_alarm_topic_uuid]) cond = res_ops.gen_query_conditions('name', '=', 'system-alarm') system_alarm_topic = res_ops.query_resource(res_ops.SNS_TOPIC, cond)[0] system_alarm_topic_uuid=system_alarm_topic.uuid zwt_ops.subscribe_sns_topic(system_alarm_topic_uuid, email_endpoint_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('endpoints.uuid','=',email_endpoint_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('subscribe system-alarm topic failed') cond = res_ops.gen_query_conditions('name','=','api') api_topic= res_ops.query_resource(res_ops.SNS_TOPIC,cond)[0] api_topic_uuid=api_topic.uuid acc_ops.share_resources([project_linked_account_uuid], [api_topic_uuid]) cond = res_ops.gen_query_conditions('name','=','api') api_topic= res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid)[0] api_topic_uuid=api_topic.uuid zwt_ops.subscribe_sns_topic(api_topic_uuid,http_endpoint_uuid, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('endpointUuid','=',http_endpoint_uuid) cond = res_ops.gen_query_conditions('topicUuid','=',api_topic_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC_SUBSCRIBER,cond, session_uuid=project_login_uuid) if not inv: test_util.test_fail('subscribe api topic failed') # subscribe event namespace = 'ZStack/VM' actions = [{"actionUuid": sns_topic_uuid, "actionType": "sns"}] labels = [{"key": "NewState", "op": "Equal", "value": "Disconnected"}] event_name = 'VMStateChangedOnHost' event_sub_uuid = zwt_ops.subscribe_event(namespace, event_name, actions, labels, session_uuid=project_login_uuid).uuid cond = res_ops.gen_query_conditions('uuid', '=', event_sub_uuid) event_subscription = res_ops.query_resource(res_ops.EVENT_SUBSCRIPTION, cond, session_uuid=project_login_uuid) if not event_subscription: test_util.test_fail('Subscribe event failed') #update endpoint new_name='endpointNewName' new_description='endpoint new description' zwt_ops.update_sns_application_endpoint(email_endpoint_uuid,new_name,new_description, session_uuid=project_login_uuid) cond= res_ops.gen_query_conditions('uuid','=',email_endpoint_uuid) inv =res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT,cond, session_uuid=project_login_uuid)[0] if inv.name!=new_name or inv.description!=new_description: test_util.test_fail('test update email endpoint failed') zwt_ops.update_sns_application_endpoint(http_endpoint_uuid,new_name,new_description, session_uuid=project_login_uuid) cond= res_ops.gen_query_conditions('uuid','=',http_endpoint_uuid) inv =res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT,cond, session_uuid=project_login_uuid)[0] if inv.name!=new_name or inv.description!=new_description: test_util.test_fail('test update http endpoint failed') new_name_platform='platformNewName' new_description_platform='platformNewName' zwt_ops.update_sns_application_platform(email_platform_uuid,new_name_platform,new_description_platform, session_uuid=project_login_uuid) cond= res_ops.gen_query_conditions('uuid','=',email_platform_uuid) inv =res_ops.query_resource(res_ops.SNS_APPLICATION_PLATFORM,cond, session_uuid=project_login_uuid)[0] if inv.name!=new_name_platform or inv.description!=new_description_platform: test_util.test_fail('test update email platform failed') #change state state_event = 'disable' state_result = 'Disabled' zwt_ops.change_sns_topic_state(system_alarm_topic_uuid,state_event, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',system_alarm_topic_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid)[0] if inv.state!=state_result: test_util.test_fail('change system alarm topic state failed') zwt_ops.change_sns_topic_state(api_topic_uuid, state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', api_topic_uuid) inv = res_ops.query_resource(res_ops.SNS_TOPIC, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change api topic state failed') zwt_ops.change_sns_application_endpoint_state(email_endpoint_uuid,state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', email_endpoint_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change email endpoint state failed') zwt_ops.change_sns_application_endpoint_state(http_endpoint_uuid,state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', http_endpoint_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change http endpoint state failed') zwt_ops.change_sns_application_platform_state(email_platform_uuid,state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', email_platform_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_PLATFORM, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change email platform state failed') # test recover and delete state_event='enable' state_result='Enabled' zwt_ops.change_sns_topic_state(system_alarm_topic_uuid,state_event, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',system_alarm_topic_uuid) inv=res_ops.query_resource(res_ops.SNS_TOPIC,cond, session_uuid=project_login_uuid)[0] if inv.state!=state_result: test_util.test_fail('change system alarm topic state failed') zwt_ops.change_sns_topic_state(api_topic_uuid, state_event, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', api_topic_uuid) inv = res_ops.query_resource(res_ops.SNS_TOPIC, cond, session_uuid=project_login_uuid)[0] if inv.state != state_result: test_util.test_fail('change api topic state failed') zwt_ops.unsubscribe_event(event_sub_uuid, session_uuid=project_login_uuid) cond = res_ops.gen_query_conditions('uuid', '=', event_sub_uuid) event_subscription = res_ops.query_resource(res_ops.EVENT_SUBSCRIPTION, cond, session_uuid=project_login_uuid) if event_subscription: test_util.test_fail('unsubscribe event failed') zwt_ops.unsubscribe_sns_topic(sns_topic_uuid, email_endpoint_uuid) cond =res_ops.gen_query_conditions('endpointUuid','=',email_endpoint_uuid) cond=res_ops.gen_query_conditions('topicUuid','=',sns_topic_uuid,cond) inv = res_ops.query_resource(res_ops.SNS_TOPIC_SUBSCRIBER,cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('unsubscribe sns topic failed') zwt_ops.unsubscribe_sns_topic(system_alarm_topic_uuid, email_endpoint_uuid, session_uuid=project_login_uuid) cond =res_ops.gen_query_conditions('endpointUuid','=',email_endpoint_uuid) cond=res_ops.gen_query_conditions('topicUuid','=',system_alarm_topic_uuid,cond) inv = res_ops.query_resource(res_ops.SNS_TOPIC_SUBSCRIBER,cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('unsubscribe system alarm topic failed') zwt_ops.unsubscribe_sns_topic(api_topic_uuid, http_endpoint_uuid, session_uuid=project_login_uuid) cond =res_ops.gen_query_conditions('endpointUuid','=',http_endpoint_uuid) cond=res_ops.gen_query_conditions('topicUuid','=',api_topic_uuid,cond) inv = res_ops.query_resource(res_ops.SNS_TOPIC_SUBSCRIBER,cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('unsubscribe api topic failed') zwt_ops.delete_sns_topic(sns_topic_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',sns_topic_uuid) inv = res_ops.query_resource(res_ops.SNS_TOPIC, cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('delete sns topic failed') zwt_ops.delete_sns_application_endpoint(http_endpoint_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',http_endpoint_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT, cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('delete http endpoint failed') zwt_ops.delete_sns_application_endpoint(email_endpoint_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',email_endpoint_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_ENDPOINT, cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('delete email endpoint failed') zwt_ops.delete_sns_application_platform(email_platform_uuid, session_uuid=project_login_uuid) cond=res_ops.gen_query_conditions('uuid','=',email_platform_uuid) inv = res_ops.query_resource(res_ops.SNS_APPLICATION_PLATFORM, cond, session_uuid=project_login_uuid) if inv: test_util.test_fail('delete email platform failed') # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global project_uuid, project_admin_uuid, virtual_id_uuid, project_operator_uuid, plain_user_uuid flavor = case_flavor[os.environ.get('CASE_FLAVOR')] # 1 create project if flavor['target_role'] != 'system_admin': project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid project_linked_account_uuid = project.linkedAccountUuid if flavor['target_role'] == 'project_admin': # 2 create virtual id project_admin_name = 'username' project_admin_password = '******' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, project_admin_password).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernametwo', 'password').uuid # 3 create project admin iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid],project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) # login in project by project admin project_admin_session_uuid = iam2_ops.login_iam2_virtual_id(project_admin_name, project_admin_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=project_admin_session_uuid).uuid # iam2_ops.remove_attributes_from_iam2_virtual_id(virtual_id_uuid, attributes) elif flavor['target_role'] == 'project_operator': project_operator_name = 'username2' project_operator_password = '******' attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] project_operator_uuid = iam2_ops.create_iam2_virtual_id(project_operator_name,project_operator_password,attributes=attributes).uuid virtual_id_uuid = iam2_ops.create_iam2_virtual_id('usernamethree','password').uuid # login in project by project operator iam2_ops.add_iam2_virtual_ids_to_project([project_operator_uuid],project_uuid) project_operator_session_uuid = iam2_ops.login_iam2_virtual_id(project_operator_name,project_operator_password) project_login_uuid = iam2_ops.login_iam2_project(project_name,session_uuid=project_operator_session_uuid).uuid elif flavor['target_role'] == 'project_member': plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password, project_uuid=project_uuid).uuid # 3 add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) # 4 login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) # 4 login in project #project_inv=iam2_ops.get_iam2_projects_of_virtual_id(plain_user_session_uuid) project_login_uuid = iam2_ops.login_iam2_project(project_name, plain_user_session_uuid).uuid elif flavor['target_role'] == 'system_admin': username = "******" password = '******' vid_tst_obj = test_vid.ZstackTestVid() test_stub.create_system_admin(username, password, vid_tst_obj) virtual_id_uuid = vid_tst_obj.get_vid().uuid project_login_uuid = acc_ops.login_by_account(username, password) zone_uuid = res_ops.get_resource(res_ops.ZONE)[0].uuid try: l2 = net_ops.create_l2_novlan('l2_for_pm', 'eth0', zone_uuid, session_uuid=project_login_uuid) test_util.test_fail("Expect exception: project admin not allowed to create Novlan L2 except vxlan") except: pass try: l2 = net_ops.create_l2_vlan('l2_for_pm', 'eth0', zone_uuid, 1234, session_uuid=project_login_uuid) test_util.test_fail("Expect exception: project admin not allowed to create vlan L2 except vxlan") except: pass if flavor['target_role'] == 'project_member': statements = [{"effect": "Allow", "actions": ["org.zstack.network.l2.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) vxlan_pool = res_ops.get_resource(res_ops.L2_VXLAN_NETWORK_POOL) if vxlan_pool == None or len(vxlan_pool) == 0: test_util.test_skip('Vxlan is required for testing') vxlan_pool_uuid = vxlan_pool[0].uuid if flavor['target_role'] != 'system_admin': acc_ops.share_resources([project_linked_account_uuid], [vxlan_pool_uuid]) vxlan_pool_uuid = res_ops.get_resource(res_ops.L2_VXLAN_NETWORK_POOL, session_uuid=project_login_uuid)[0].uuid vxlan_l2_uuid = vxlan_ops.create_l2_vxlan_network('vxlan_for_pm', vxlan_pool_uuid, zone_uuid, session_uuid=project_login_uuid).uuid net_ops.delete_l2(vxlan_l2_uuid, session_uuid=project_login_uuid) # 11 delete acc_ops.logout(project_login_uuid) if virtual_id_uuid != None: iam2_ops.delete_iam2_virtual_id(virtual_id_uuid) if project_admin_uuid != None: iam2_ops.delete_iam2_virtual_id(project_admin_uuid) if project_operator_uuid != None: iam2_ops.delete_iam2_virtual_id(project_operator_uuid) if plain_user_uuid != None: iam2_ops.delete_iam2_virtual_id(plain_user_uuid) if flavor['target_role'] != 'system_admin': iam2_ops.delete_iam2_project(project_uuid) iam2_ops.expunge_iam2_project(project_uuid) test_util.test_pass('success test iam2 login in by project admin!')
def test(): global new_zone_uuid iam2_ops.clean_iam2_enviroment() # 1 create new zone new_zone_uuid = test_stub.create_zone().uuid # 2 create platform admin related new zone platform_admin_name = 'platformadmin' password = \ 'b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86' platform_admin_uuid = iam2_ops.create_iam2_virtual_id(platform_admin_name, password).uuid attributes = [{"name": "__PlatformAdmin__"}, {"name": "__PlatformAdminRelatedZone__", "value": new_zone_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(platform_admin_uuid, attributes) # 3 create project project_name = 'test_project' project = iam2_ops.create_iam2_project(project_name) project_uuid = project.uuid linked_account_uuid = project.linkedAccountUuid attributes = [{"name": "__ProjectRelatedZone__", "value": new_zone_uuid}] iam2_ops.add_attributes_to_iam2_project(project_uuid, attributes) # 4 create projectAdmin and virtual id into project project_admin_name = 'projectadmin' project_admin_uuid = iam2_ops.create_iam2_virtual_id(project_admin_name, password).uuid iam2_ops.add_iam2_virtual_ids_to_project([project_admin_uuid], project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(project_admin_uuid, attributes) username = '******' virtual_id_uuid = iam2_ops.create_iam2_virtual_id(username, password).uuid iam2_ops.add_iam2_virtual_ids_to_project([virtual_id_uuid], project_uuid) action = "org.zstack.ticket.**" statements = [{"effect": "Allow", "actions": [action]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid iam2_ops.add_policy_statements_to_role(role_uuid, statements) statement_uuid = iam2_ops.get_policy_statement_uuid_of_role(role_uuid, action) iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], virtual_id_uuid) virtual_id_session = iam2_ops.login_iam2_virtual_id(username, password) virtual_id_session = iam2_ops.login_iam2_project(project_name, virtual_id_session).uuid # 5 create ticket ticket = test_stub.create_vm_ticket(virtual_id_uuid, project_uuid, virtual_id_session) ticket_02 = test_stub.create_vm_ticket(virtual_id_uuid, project_uuid, virtual_id_session, name='new ticket', request_name='ticket-vm-2') acc_ops.logout(virtual_id_session) ticket_ops.change_ticket_status(ticket.uuid, 'reject') # 6 delete Zone zone_ops.delete_zone(new_zone_uuid) # 7 cascade test # test for platformAdmin cond = res_ops.gen_query_conditions('virtualIDUuid', '=', platform_admin_uuid) cond_02 = res_ops.gen_query_conditions('name', '=', "__PlatformAdminRelatedZone__", cond) attributes = res_ops.query_resource(res_ops.IAM2_VIRTUAL_ID_ATTRIBUTE, cond_02) if attributes: test_util.test_fail('the attributes:uuid[%s] name[%s] is still exist after delete the new zone[%s]' % ( attributes[0].uuid, attributes[0].name, new_zone_uuid)) # test for project cond = res_ops.gen_query_conditions('uuid', '=', project_uuid) project_inv = res_ops.query_resource(res_ops.IAM2_PROJECT, cond) if project_inv: test_util.test_fail( 'the project[%s] is still exist after delete the new zone[%s]' % (project_inv[0].uuid, new_zone_uuid)) cond = res_ops.gen_query_conditions('virtualIDUuid', '=', project_admin_uuid) cond_02 = res_ops.gen_query_conditions('name', '=', "__ProjectAdmin__", cond) attributes = res_ops.query_resource(res_ops.IAM2_VIRTUAL_ID_ATTRIBUTE, cond_02) if attributes: test_util.test_fail('the attributes:uuid[%s] name[%s] is still exist after delete the new zone[%s]' % ( attributes[0].uuid, attributes[0].name, new_zone_uuid)) platform_admin_session = iam2_ops.login_iam2_virtual_id(platform_admin_name, password) project_admin_session = iam2_ops.login_iam2_virtual_id(project_admin_name, password) virtual_id_session = iam2_ops.login_iam2_virtual_id(username, password) try: iam2_ops.login_iam2_project(project_name, project_admin_session) test_util.test_fail("can't login deleted project ,fail!") except: test_util.test_logger("can't login deleted project ,success!") try: iam2_ops.login_iam2_project(project_name, virtual_id_session) test_util.test_fail("can't login deleted project ,fail!") except: test_util.test_logger("can't login deleted project ,success!") # test for ticket cond = res_ops.gen_query_conditions('uuid', '=', ticket.uuid) ticket_inv = res_ops.query_resource(res_ops.TICKET, cond) if ticket_inv: test_util.test_fail( "Ticket [%s] is still exist after delete the zone[%s]" % (ticket_inv[0].uuid, new_zone_uuid)) cond = res_ops.gen_query_conditions('uuid', '=', ticket_02.uuid) ticket_02_inv = res_ops.query_resource(res_ops.TICKET, cond) if ticket_02_inv: test_util.test_fail( "Ticket [%s] is still exist after delete the zone[%s]" % (ticket_02_inv[0].uuid, new_zone_uuid)) iam2_ops.clean_iam2_enviroment() test_util.test_pass("success test project retired")
def test(): global project_uuid, virtual_id_uuid statements = [] flavor = case_flavor[os.environ.get('CASE_FLAVOR')] zone_uuid = res_ops.query_resource(res_ops.ZONE)[0].uuid project_name = 'test_project_01' attributes = [{"name": "__ProjectRelatedZone__", "value": zone_uuid}] project_obj = iam2_ops.create_iam2_project(project_name, attributes=attributes) project_uuid = project_obj.uuid project_linked_account_uuid = project_obj.linkedAccountUuid password = '******' '''name = 'username' name1 = 'username1' name2 = 'username2' password = '******' vid = test_vid.ZstackTestVid() vid.create(name, password) attributes = [{"name": "__PlatformAdmin__"}] iam2_ops.add_attributes_to_iam2_virtual_id(vid.get_vid().uuid, attributes) vid.set_vid_attributes(attributes) vid.check() attributes = [{"name": "__ProjectAdmin__", "value": project_linked_account_uuid}] vid1 = test_vid.ZstackTestVid() vid1.create(name1, password) iam2_ops.add_iam2_virtual_ids_to_project([vid1.get_vid().uuid], project_uuid) attributes = [{"name": "__ProjectAdmin__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(vid1.get_vid().uuid, attributes) vid1.set_vid_attributes(attributes) vid1.check() vid2 = test_vid.ZstackTestVid() vid2.create(name2, password) iam2_ops.add_iam2_virtual_ids_to_project([vid2.get_vid().uuid], project_uuid) attributes = [{"name": "__ProjectOperator__", "value": project_uuid}] iam2_ops.add_attributes_to_iam2_virtual_id(vid2.get_vid().uuid, attributes) vid2.set_vid_attributes(attributes) vid2.check() ''' policy_check_vid = test_vid.ZstackTestVid() policy_check_vid.create('policy_check', password) iam2_ops.add_iam2_virtual_ids_to_project([policy_check_vid.get_vid().uuid], project_uuid) virtual_id_uuid = policy_check_vid.get_vid().uuid if flavor['target_role'] == 'vm': statements = [{ "effect": "Allow", "actions": ["org.zstack.header.vm.**", "org.zstack.ha.**"] }] if flavor['target_role'] == 'vm_ops_without_creation': statements = [{ "effect": "Allow", "actions": [ "org.zstack.header.vm.APIGetVmQgaMsg", "org.zstack.header.vm.APIChangeVmImageMsg", "org.zstack.header.vm.APISetVmSshKeyMsg", "org.zstack.header.vm.APIStopVmInstanceMsg", "org.zstack.header.vm.APISetVmStaticIpMsg", "org.zstack.header.vm.APIRecoverVmInstanceMsg", "org.zstack.header.vm.APIQueryVmNicMsg", "org.zstack.header.vm.APIStartVmInstanceMsg", "org.zstack.header.vm.APIDestroyVmInstanceMsg", "org.zstack.header.vm.APIGetVmConsolePasswordMsg", "org.zstack.header.vm.APIDeleteVmStaticIpMsg", "org.zstack.header.vm.APISetNicQosMsg", "org.zstack.header.vm.APIRebootVmInstanceMsg", "org.zstack.header.vm.APIGetNicQosMsg", "org.zstack.header.vm.APIGetVmBootOrderMsg", "org.zstack.header.vm.APIChangeVmPasswordMsg", "org.zstack.header.vm.APIGetCandidatePrimaryStoragesForCreatingVmMsg", "org.zstack.header.vm.APISetVmRDPMsg", "org.zstack.header.vm.APIMigrateVmMsg", "org.zstack.header.vm.APIGetVmMigrationCandidateHostsMsg", "org.zstack.header.vm.APIAttachL3NetworkToVmMsg", "org.zstack.header.vm.APIExpungeVmInstanceMsg", "org.zstack.header.vm.APIGetCandidateVmForAttachingIsoMsg", "org.zstack.header.vm.APIAttachIsoToVmInstanceMsg", "org.zstack.header.vm.APIGetVmAttachableL3NetworkMsg", "org.zstack.header.vm.APIGetVmHostnameMsg", "org.zstack.header.vm.APIDeleteVmSshKeyMsg", "org.zstack.header.vm.APIGetVmMonitorNumberMsg", "org.zstack.header.vm.APISetVmQgaMsg", "org.zstack.header.vm.APIDetachL3NetworkFromVmMsg", "org.zstack.header.vm.APISetVmConsolePasswordMsg", "org.zstack.header.vm.APIGetCandidateZonesClustersHostsForCreatingVmMsg", "org.zstack.header.vm.APIGetVmAttachableDataVolumeMsg", "org.zstack.header.vm.APIGetInterdependentL3NetworksImagesMsg", "org.zstack.header.vm.APIGetCandidateIsoForAttachingVmMsg", "org.zstack.header.vm.APIDeleteNicQosMsg", "org.zstack.header.vm.APISetVmUsbRedirectMsg", "org.zstack.header.vm.APISetVmBootOrderMsg", "org.zstack.header.vm.APIGetImageCandidatesForVmToChangeMsg", "org.zstack.header.vm.APIGetVmConsoleAddressMsg", "org.zstack.header.vm.APIChangeInstanceOfferingMsg", "org.zstack.header.vm.APIDeleteVmHostnameMsg", "org.zstack.header.vm.APIGetVmUsbRedirectMsg", "org.zstack.header.vm.APIQueryVmInstanceMsg", "org.zstack.header.vm.APISetVmMonitorNumberMsg", "org.zstack.header.vm.APIReimageVmInstanceMsg", "org.zstack.header.vm.APIResumeVmInstanceMsg", "org.zstack.header.vm.APIUpdateVmNicMacMsg", "org.zstack.header.vm.APIGetVmCapabilitiesMsg", "org.zstack.header.vm.APIUpdateVmInstanceMsg", "org.zstack.header.vm.APIGetVmSshKeyMsg", "org.zstack.header.vm.APICloneVmInstanceMsg", "org.zstack.header.vm.APIDeleteVmConsolePasswordMsg", "org.zstack.header.vm.APISetVmHostnameMsg", "org.zstack.header.vm.APIGetVmStartingCandidateClustersHostsMsg", "org.zstack.header.vm.APIDetachIsoFromVmInstanceMsg", "org.zstack.header.vm.APIGetVmRDPMsg", "org.zstack.header.vm.APIPauseVmInstanceMsg" ] }] if flavor['target_role'] == 'image': statements = [{ "effect": "Allow", "actions": [ "org.zstack.header.image.**", "org.zstack.storage.backup.imagestore.APIGetImagesFromImageStoreBackupStorageMsg" ] }] if flavor['target_role'] == 'snapshot': statements = [{ "effect": "Allow", "actions": [ "org.zstack.header.storage.snapshot.**", "org.zstack.header.volume.APICreateVolumeSnapshotMsg" ] }] if flavor['target_role'] == 'volume': statements = [{ "effect": "Allow", "actions": [ "org.zstack.header.volume.APICreateDataVolumeFromVolumeTemplateMsg", "org.zstack.header.volume.APIGetVolumeQosMsg", "org.zstack.header.volume.APISyncVolumeSizeMsg", "org.zstack.header.volume.APICreateDataVolumeFromVolumeSnapshotMsg", "org.zstack.header.volume.APIResizeDataVolumeMsg", "org.zstack.header.volume.APIRecoverDataVolumeMsg", "org.zstack.header.volume.APIExpungeDataVolumeMsg", "org.zstack.mevoco.APIQueryShareableVolumeVmInstanceRefMsg", "org.zstack.header.volume.APICreateDataVolumeMsg", "org.zstack.header.volume.APIGetVolumeCapabilitiesMsg", "org.zstack.header.volume.APIDetachDataVolumeFromVmMsg", "org.zstack.header.volume.APIDeleteVolumeQosMsg", "org.zstack.header.volume.APIGetVolumeFormatMsg", "org.zstack.header.volume.APIGetDataVolumeAttachableVmMsg", "org.zstack.header.volume.APIAttachDataVolumeToVmMsg", "org.zstack.header.volume.APIResizeRootVolumeMsg", "org.zstack.header.volume.APISetVolumeQosMsg", "org.zstack.header.volume.APIDeleteDataVolumeMsg", "org.zstack.header.volume.APIUpdateVolumeMsg", "org.zstack.header.volume.APIChangeVolumeStateMsg", "org.zstack.header.volume.APIQueryVolumeMsg" ] }] if flavor['target_role'] == 'affinity_group': statements = [{ "effect": "Allow", "actions": ["org.zstack.header.affinitygroup.**"] }] if flavor['target_role'] == 'networks': statements = [{ "effect": "Allow", "actions": [ "org.zstack.header.network.l3.**", "org.zstack.network.service.flat.**", "org.zstack.header.network.l2.APIUpdateL2NetworkMsg", "org.zstack.header.network.service.APIQueryNetworkServiceProviderMsg", "org.zstack.header.network.service.APIAttachNetworkServiceToL3NetworkMsg", "org.zstack.network.l2.vxlan.vxlanNetworkPool.APIQueryVniRangeMsg", "org.zstack.network.l2.vxlan.vxlanNetwork.APIQueryL2VxlanNetworkMsg", "org.zstack.network.l2.vxlan.vxlanNetwork.APICreateL2VxlanNetworkMsg", "org.zstack.network.l2.vxlan.vxlanNetworkPool.APIQueryL2VxlanNetworkPoolMsg" ] }] if flavor['target_role'] == 'eip': statements = [{ "effect": "Allow", "actions": [ "org.zstack.network.service.vip.**", "org.zstack.network.service.eip.**", "org.zstack.header.vipQos.**" ] }] if flavor['target_role'] == 'sg': statements = [{ "effect": "Allow", "actions": ["org.zstack.network.securitygroup.**"] }] if flavor['target_role'] == 'lb': statements = [{ "effect": "Allow", "actions": [ "org.zstack.network.service.lb.**", "org.zstack.network.service.vip.**", "org.zstack.header.vipQos.**" ] }] if flavor['target_role'] == 'pf': statements = [{ "effect": "Allow", "actions": [ "org.zstack.network.service.portforwarding.**", "org.zstack.network.service.vip.**", "org.zstack.header.vipQos.**" ] }] if flavor['target_role'] == 'scheduler': statements = [{ "effect": "Allow", "actions": ["org.zstack.scheduler.**"] }] if flavor['target_role'] == 'pci': statements = [{ "effect": "Allow", "actions": [ "org.zstack.pciDevice.APIAttachPciDeviceToVmMsg", "org.zstack.pciDevice.APIUpdateHostIommuStateMsg", "org.zstack.pciDevice.APIGetPciDeviceCandidatesForNewCreateVmMsg", "org.zstack.pciDevice.APIDetachPciDeviceFromVmMsg", "org.zstack.pciDevice.APIQueryPciDeviceMsg", "org.zstack.pciDevice.APIGetPciDeviceCandidatesForAttachingVmMsg" ] }] if flavor['target_role'] == 'zwatch': statements = [{ "effect": "Allow", "actions": ["org.zstack.zwatch.**", "org.zstack.sns.**"] }] if flavor['target_role'] == 'sns': statements = [{"effect": "Allow", "actions": ["org.zstack.sns.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid #iam2_ops.add_policy_statements_to_role(role_uuid, statements) #statement_uuid = iam2_ops.get_policy_statement_uuid_of_role(role_uuid, action) #iam2_ops.remove_policy_statements_from_role(role_uuid, [statement_uuid]) iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], policy_check_vid.get_vid().uuid) policy_check_vid.set_vid_statements(statements) policy_check_vid.check() #iam2_ops.remove_roles_from_iam2_virtual_id([role_uuid], policy_check_vid.get_vid().uuid) #policy_check_vid.set_vid_statements([]) #policy_check_vid.check() iam2_ops.delete_iam2_project(project_uuid) #vid.delete() #vid1.delete() #vid2.delete() policy_check_vid.delete() test_util.test_pass('success test iam2 policy!')
def test(): iam2_ops.clean_iam2_enviroment() global project_uuid,project_admin_uuid,virtual_id_uuid # create project project_name = 'test_project' project_uuid = iam2_ops.create_iam2_project(project_name).uuid # create plain user plain_user_name = 'username' plain_user_password = '******' plain_user_uuid = iam2_ops.create_iam2_virtual_id(plain_user_name, plain_user_password,project_uuid=project_uuid).uuid #add role statements = [{"effect": "Allow", "actions": ["org.zstack.ticket.**"]}] role_uuid = iam2_ops.create_role('test_role', statements).uuid action = "org.zstack.ticket.**" statements = [{"effect": "Allow", "actions": [action]}] iam2_ops.add_policy_statements_to_role(role_uuid, statements) statement_uuid = iam2_ops.get_policy_statement_uuid_of_role(role_uuid, action) iam2_ops.add_roles_to_iam2_virtual_id([role_uuid], plain_user_uuid) #add virtual id to project iam2_ops.add_iam2_virtual_ids_to_project([plain_user_uuid],project_uuid) #login in project by plain user plain_user_session_uuid = iam2_ops.login_iam2_virtual_id(plain_user_name, plain_user_password) project_login_uuid = iam2_ops.login_iam2_project(project_name, session_uuid=plain_user_session_uuid).uuid #get iam2 virtual id api permission and project iam2_ops.get_iam2_virtual_id_permission(session_uuid=project_login_uuid) #create ticket ticket_name = 'ticket_1' session_uuid = project_login_uuid api_name='org.zstack.header.vm.APICreateVmInstanceMsg' request_name='create-vm-ticket' executeTimes=1 account_system_type='iam2' conditions = res_ops.gen_query_conditions('type', '=', 'UserVm') instance_offering_uuid =res_ops.query_resource(res_ops.INSTANCE_OFFERING, conditions)[0].uuid image_name = os.environ.get('imageName_s') image_uuid=test_lib.lib_get_image_by_name(image_name).uuid l3_name = os.environ.get('l3VlanNetworkName1') l3_network_uuids=test_lib.lib_get_l3_by_name(l3_name).uuid api_body={"name":"vm","instanceOfferingUuid":instance_offering_uuid,"imageUuid":image_uuid,"l3NetworkUuids":[l3_network_uuids]} ticket= ticket_ops.create_ticket(ticket_name,request_name,api_body,api_name,executeTimes,account_system_type,plain_user_uuid,project_uuid,session_uuid) if ticket == None: test_util.test_fail('fail to create ticket by plain user!') #query ticket cond= res_ops.gen_query_conditions('uuid','=', ticket.uuid) ticket_list = res_ops.query_resource(res_ops.TICKET,cond,session_uuid) if ticket_list!= None: test_util.test_logger('success query ticket by plain user!') #examination the ticket by user try: ticket_ops.change_ticket_status(ticket.uuid,'reject',session_uuid) test_util.test_fail("can't examination ticket by user ") except: test_util.test_logger('examination ticket fail by user ') #examination the ticket by admin ticket_ops.change_ticket_status(ticket.uuid,'reject') #update ticket request_name_2='create-vm-ticket-2' ticket_ops.update_ticket_request(ticket.uuid,request_name_2,api_body,api_name,executeTimes,session_uuid) #query ticket cond= res_ops.gen_query_conditions('uuid','=', ticket.uuid) ticket_list = res_ops.query_resource(res_ops.TICKET,cond,session_uuid)[0] request=ticket_list.request[0] requestName=request.requestName if requestName !='create-vm-ticket-2': test_util.test_fail('fail to update ticket by plain user!') #create ticket_2 ticket_name = 'ticket_2' session_uuid = project_login_uuid api_name='org.zstack.header.vm.APICreateVmInstanceMsg' request_name='create-vm-ticket' executeTimes=1 account_system_type='iam2' conditions = res_ops.gen_query_conditions('type', '=', 'UserVm') instance_offering_uuid =res_ops.query_resource(res_ops.INSTANCE_OFFERING, conditions)[0].uuid image_name = os.environ.get('imageName_s') image_uuid=test_lib.lib_get_image_by_name(image_name).uuid l3_name = os.environ.get('l3VlanNetworkName1') l3_network_uuids=test_lib.lib_get_l3_by_name(l3_name).uuid api_body={"name":"vm","instanceOfferingUuid":instance_offering_uuid,"imageUuid":image_uuid,"l3NetworkUuids":[l3_network_uuids]} ticket_2= ticket_ops.create_ticket(ticket_name,request_name,api_body,api_name,executeTimes,account_system_type,plain_user_uuid,project_uuid,session_uuid) #Withdraw the ticket ticket_ops.change_ticket_status(ticket_2.uuid,'cancel',session_uuid) cond= res_ops.gen_query_conditions('uuid','=', ticket_2.uuid) statusEvent = res_ops.query_resource(res_ops.TICKET,cond,session_uuid)[0].status if statusEvent !='Cancelled' : test_util.test_fail('fail to Withdraw ticket by plain user!') #create ticket_3 ticket_name = 'ticket_3' session_uuid = project_login_uuid api_name='org.zstack.header.vm.APICreateVmInstanceMsg' request_name='create-vm-ticket' executeTimes=1 account_system_type='iam2' conditions = res_ops.gen_query_conditions('type', '=', 'UserVm') instance_offering_uuid =res_ops.query_resource(res_ops.INSTANCE_OFFERING, conditions)[0].uuid image_name = os.environ.get('imageName_s') image_uuid=test_lib.lib_get_image_by_name(image_name).uuid l3_name = os.environ.get('l3VlanNetworkName1') l3_network_uuids=test_lib.lib_get_l3_by_name(l3_name).uuid api_body={"name":"vm","instanceOfferingUuid":instance_offering_uuid,"imageUuid":image_uuid,"l3NetworkUuids":[l3_network_uuids]} ticket_3= ticket_ops.create_ticket(ticket_name,request_name,api_body,api_name,executeTimes,account_system_type,plain_user_uuid,project_uuid,session_uuid) #delete ticket ticket_ops.delete_ticket(ticket_3.uuid) cond= res_ops.gen_query_conditions('uuid','=', ticket_3.uuid) ticket_list_2 = res_ops.query_resource(res_ops.TICKET,cond) if not ticket_list_2: test_util.test_pass('success test iam2 ticket by plain user') else: test_util.test_fail("test fail ")