def test_add_user_to_project_with_project_role(self):
    """
    Check that a project role's API deny rule is enforced for a regular member.

    1. Create a user account.
    2. Add that account's user to the project without an explicit role type
       (the 'Regular' project account role) and bind it to the project role.
       The project role is set up outside this method and is expected to
       deny 'listPublicIpAddresses'.
    3. Call 'listPublicIpAddresses' as that user and confirm the call is
       rejected.
    """
    # NOTE(review): roleid=4 is a hard-coded role id; presumably the built-in
    # User role - confirm against the target deployment.
    new_account = Account.create(
        self.apiclient,
        self.testdata["account"],
        roleid=4
    )
    self.useraccount = new_account
    self.cleanup.append(new_account)

    # Add the account's first user to the project under the project role
    member_name = new_account.user[0].username
    self.project.addUser(
        self.apiclient,
        username=member_name,
        projectroleid=self.projectrole.id
    )

    # The listing result is not inspected; the call only has to succeed.
    Project.listAccounts(self.apiclient, projectid=self.project.id)

    # API client that acts with the new user's own credentials
    self.userapiclient = self.testClient.getUserApiClient(
        UserName=new_account.name,
        DomainName=new_account.domain,
        type=0
    )

    # NOTE(review): any CloudstackAPIException satisfies this check; the
    # error code is not inspected, so a failure unrelated to the project
    # role would also let the test pass.
    try:
        PublicIPAddress.list(self.userapiclient, projectid=self.project.id)
    except CloudstackAPIException:
        pass
    else:
        self.fail(
            "API call succeeded which is denied for the project role")
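def test_add_multiple_admins_in_project(self):
    """
    Check that a project accepts an additional admin and that the 'Admin'
    project account role is not restricted by the project role's API rules.

    1. Create two user accounts.
    2. Add the first account to the project with roletype 'Admin' and the
       second without a role type; both are bound to the same project role.
       The project role is set up outside this method and is expected to
       deny 'listPublicIpAddresses'.
    3. Confirm that the project lists two accounts with the 'Admin' role.
    4. As the admin-role account, call 'listPublicIpAddresses' and suspend
       the project; both calls must succeed.
    5. As the regular-role account, try to suspend the project; the call
       must be rejected.
    """
    # NOTE(review): roleid=4 is a hard-coded role id; presumably the built-in
    # User role - confirm against the target deployment.
    self.useraccount = Account.create(self.apiclient, self.testdata["account"],
                                      roleid=4)
    self.cleanup.append(self.useraccount)

    self.useraccount1 = Account.create(self.apiclient, self.testdata["useracc"],
                                       roleid=4)
    self.cleanup.append(self.useraccount1)

    # First account joins as a project admin, second with the default role type
    self.project.addAccount(self.apiclient, account=self.useraccount.name,
                            projectroleid=self.projectrole.id, roletype='Admin')
    self.project.addAccount(self.apiclient, account=self.useraccount1.name,
                            projectroleid=self.projectrole.id)

    # Only one account was added as 'Admin' above, so a count of 2 presumably
    # includes the project's original admin - TODO confirm against setUp.
    project_accounts = Project.listAccounts(self.apiclient,
                                            projectid=self.project.id,
                                            role='Admin')
    self.assertEqual(len(project_accounts), 2,
                     "account not added with admin Role")

    self.userapiclientAdminRole = self.testClient.getUserApiClient(
        UserName=self.useraccount.name,
        DomainName=self.useraccount.domain,
        type=0)

    self.userapiclientRegularRole = self.testClient.getUserApiClient(
        UserName=self.useraccount1.name,
        DomainName=self.useraccount1.domain,
        type=0)

    # Positive check: the project admin can call an API despite the project role
    try:
        PublicIPAddress.list(self.userapiclientAdminRole,
                             projectid=self.project.id)
    except CloudstackAPIException:
        self.fail(
            "User is an Admin, should be able to execute the command despite Project role"
        )
    else:
        self.debug(
            "User added to the project could execute the listPublicIpAddresses API despite the project "
            "role as it is the Admin")

    # Positive check: the project admin can run a project administrative operation
    try:
        self.project.suspend(self.userapiclientAdminRole, )
    except CloudstackAPIException:
        # A space was missing between the two concatenated literals
        # ("operationsas"); fixed here.
        self.fail(
            "User should be allowed to execute project administrative operations "
            "as it is the Project Admin")
    else:
        self.debug(
            "The user can perform Project administrative operations as it is added as "
            "an Admin to the project")

    # Negative check: the regular-role account must not be able to run a
    # project administrative operation. The previous form caught every
    # Exception and asserted nothing, so a missing authorization check would
    # have gone unnoticed. Only the API rejection is accepted here; any other
    # exception type now surfaces as a test error.
    # NOTE(review): the project was already suspended by the admin client
    # above; confirm the rejection comes from the role check and not from
    # the project's state.
    try:
        self.project.suspend(self.userapiclientRegularRole, )
    except CloudstackAPIException:
        self.debug(
            "Suspend request from the regular-role account was rejected as expected")
    else:
        self.fail(
            "User with the Regular project account role should not be allowed "
            "to execute project administrative operations")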