def test_add_user_to_project_with_project_role(self):
"""
1. Create a User Account
2. Add user of an account with 'Regular' project account role associate it with a Project role;
The role defines what APIs are allowed/disallowed for the user: here, 'listPublicIpAddresses'
is denied for the user account
3. Execute the 'listPublicIpAddresses' API and verify/confirm that the API isn't allowed to be executed
by the user
"""
self.useraccount = Account.create(self.apiclient,
self.testdata["account"],
roleid=4)
self.cleanup.append(self.useraccount)
# Add account to the project
self.project.addUser(self.apiclient,
username=self.useraccount.user[0].username,
projectroleid=self.projectrole.id)
Project.listAccounts(self.apiclient, projectid=self.project.id)
self.userapiclient = self.testClient.getUserApiClient(
UserName=self.useraccount.name,
DomainName=self.useraccount.domain,
type=0)
try:
PublicIPAddress.list(self.userapiclient, projectid=self.project.id)
self.fail(
"API call succeeded which is denied for the project role")
except CloudstackAPIException:
pass
def test_add_multiple_admins_in_project(self):
"""
1. Create a User Account
2. Add user account with 'Admin' project account role and associate it with a Project role;
The role defines what APIs are allowed/disallowed for the user: here, 'listPublicIpAddresses'
is denied for the user account
3. Execute the 'listPublicIpAddresses' API and verify/confirm that the user/account can execute the
API as it is a project admin
"""
self.useraccount = Account.create(self.apiclient,
self.testdata["account"],
roleid=4)
self.cleanup.append(self.useraccount)
self.useraccount1 = Account.create(self.apiclient,
self.testdata["useracc"],
roleid=4)
self.cleanup.append(self.useraccount1)
self.project.addAccount(self.apiclient,
account=self.useraccount.name,
projectroleid=self.projectrole.id,
roletype='Admin')
self.project.addAccount(self.apiclient,
account=self.useraccount1.name,
projectroleid=self.projectrole.id)
project_accounts = Project.listAccounts(self.apiclient,
projectid=self.project.id,
role='Admin')
self.assertEqual(len(project_accounts), 2,
"account not added with admin Role")
self.userapiclientAdminRole = self.testClient.getUserApiClient(
UserName=self.useraccount.name,
DomainName=self.useraccount.domain,
type=0)
self.userapiclientRegularRole = self.testClient.getUserApiClient(
UserName=self.useraccount1.name,
DomainName=self.useraccount1.domain,
type=0)
try:
PublicIPAddress.list(self.userapiclientAdminRole,
projectid=self.project.id)
self.debug(
"User added to the project could execute the listPublicIpAddresses API despite the project "
"role as it is the Admin")
pass
except CloudstackAPIException:
self.fail(
"User is an Admin, should be able to execute the command despite Project role"
)
try:
self.project.suspend(self.userapiclientAdminRole, )
self.debug(
"The user can perform Project administrative operations as it is added as "
"an Admin to the project")
pass
except CloudstackAPIException:
self.fail(
"User should be allowed to execute project administrative operations"
"as it is the Project Admin")
try:
self.project.suspend(self.userapiclientRegularRole, )
except Exception as e:
pass
