AUTO-228 - [Do not merge] Initial changes for rbac product fixes

fetch_resources.sh

@@ -372,6 +372,7 @@ function configure_tempest
 	cd /root
         eval "$(<env.sh)"
         cd -
+        IFS=$' ' read -r -d '' -a wlm_containers < <( docker ps | grep wlm-api | cut -d ' ' -f 1 | tr "\n" "," && printf '\0' )
         wlm_pod=`kubectl -n triliovault get pods | grep triliovault-wlm-api | cut -d ' ' -f 1  | head -1`
         conn_str=`kubectl -n triliovault exec $wlm_pod -- grep sql_connection "/etc/triliovault-wlm/triliovault-wlm.conf" | cut -d '=' -f 2`
         mysql_ip=`kubectl get pods -n openstack -o wide | grep mariadb-server | head -1 | xargs | cut -d ' ' -f 6`
@@ -624,6 +625,9 @@ function configure_tempest
     if [[ ${OPENSTACK_DISTRO,,} == 'mosk'* ]]
     then
         echo 'command_prefix = "'$command_prefix'"' >> $TEMPEST_TVAULTCONF
+        echo 'openstack_distro = "'$OPENSTACK_DISTRO'"' >> $TEMPEST_TVAULTCONF
+        echo 'wlm_pod = "'$wlm_pod'"' >> $TEMPEST_TVAULTCONF
+        echo 'wlm_containers = ["'$wlm_containers'"]' >> $TEMPEST_TVAULTCONF
     fi
     sed -i 's/\r//g' $TEMPEST_TVAULTCONF
     sed -i '/OPENSTACK_DISTRO=/c OPENSTACK_DISTRO='$OPENSTACK_DISTRO'' $TEMPEST_DIR/tools/with_venv.sh

tempest/api/workloadmgr/base.py

@@ -2359,6 +2359,33 @@ def verify_snapshot_unmount(
             # raise Exception("Unmounting of a snapshot failed")
         return is_successful
 
+    def add_changes_policyyaml_file(self, role, rule, policy_filepath, policy_changes_cleanup=True):
+        if role == "newadmin":
+            old_rule = "admin_api"
+            LOG.debug("Add %s role in policy.yaml", role)
+            operations = ["workload:get_storage_usage", "workload:get_nodes"]
+
+        elif role == "backup":
+            old_rule = "admin_or_owner"
+            LOG.debug("Add %s role in policy.yaml", role)
+            operations = ["workload:workload_snapshot", "snapshot:snapshot_delete", "workload:workload_create",
+                          "workload:workload_delete", "snapshot:snapshot_restore", "restore:restore_delete"]
+
+        role_add_command = 'sed -i \'1s/^/{0}:\\n- - role:{1}\\n/\' {2}'.format(
+            rule, role, policy_filepath)
+        #role_add_command = 'sed -i \'1s/^/{0}:\\n- - role:{1}\\n/\' /etc/workloadmgr/policy.yaml'.format(
+        #    rule, role)
+        rule_assign_command = ""
+        for op in operations:
+            rule_assign_command += '; ' + 'sed -i \'/{1}/c {1}: rule:{0}\'\
+            {2}'.format(rule, op, policy_filepath)
+        LOG.debug("role_add_command: %s ;\n rule_assign_command: %s", role_add_command, rule_assign_command)
+        commands = role_add_command + rule_assign_command
+        LOG.debug("Commands to add role: %s", commands)
+        if (tvaultconf.cleanup and policy_changes_cleanup):
+            self.addCleanup(self.revert_changes_policyyaml, old_rule)
+        return commands
+
     '''
     Method to add newadmin role and newadmin_api rule to 
     "workload:get_storage_usage" operation and "workload:get_nodes" 
@@ -2371,34 +2398,36 @@ def verify_snapshot_unmount(
 
     def change_policyyaml_file(self, role, rule, policy_changes_cleanup=True):
         if len(tvaultconf.tvault_ip) == 0:
-            raise Exception("Tvault IPs not available")
-        for ip in tvaultconf.tvault_ip:
-            ssh = self.SshRemoteMachineConnection(ip, tvaultconf.tvault_username,
-                                                  tvaultconf.tvault_password)
-            if role == "newadmin":
-                old_rule = "admin_api"
-                LOG.debug("Add %s role in policy.yaml", role)
-                operations = ["workload:get_storage_usage", "workload:get_nodes"]
-
-            elif role == "backup":
-                old_rule = "admin_or_owner"
-                LOG.debug("Add %s role in policy.yaml", role)
-                operations = ["workload:workload_snapshot", "snapshot:snapshot_delete", "workload:workload_create",
-                              "workload:workload_delete", "snapshot:snapshot_restore", "restore:restore_delete"]
-
-            role_add_command = 'sed -i \'1s/^/{0}:\\n- - role:{1}\\n/\' /etc/workloadmgr/policy.yaml'.format(
-                rule, role)
-            rule_assign_command = ""
-            for op in operations:
-                rule_assign_command += '; ' + 'sed -i \'/{1}/c {1}: rule:{0}\'\
-                /etc/workloadmgr/policy.yaml'.format(rule, op)
-            LOG.debug("role_add_command: %s ;\n rule_assign_command: %s", role_add_command, rule_assign_command)
-            commands = role_add_command + rule_assign_command
-            LOG.debug("Commands to add role: %s", commands)
-            stdin, stdout, stderr = ssh.exec_command(commands)
-            if (tvaultconf.cleanup and policy_changes_cleanup):
-                self.addCleanup(self.revert_changes_policyyaml, old_rule)
-            ssh.close()
+            if (tvaultconf.openstack_distro.lower() == 'mosk'):
+                for wlm_container in tvaultconf.wlm_containers:
+                    #cmd = 'kubectl exec ' + tvaultconf.wlm_pod + ' -n triliovault -it -- bash'
+                    wlm_file = '/etc/triliovault-wlm/policy.yaml'
+                    #ssh = self.SshRemoteMachineConnection(ip, tvaultconf.tvault_username,
+                    #                                      tvaultconf.tvault_password)
+                    commands = self.add_changes_policyyaml_file(role, rule, wlm_file, policy_changes_cleanup=True)
+                    #cmd = 'kubectl exec ' + tvaultconf.wlm_pod + ' -n triliovault -it -- ' + commands
+                    cmd = 'docker exec -itu root' + wlm_container + ' bash -c "' + commands + '"'
+                    LOG.debug("rbac commands: " + cmd)
+                    #stdin, stdout, stderr = ssh.exec_command(cmd)
+                    p = subprocess.Popen(shlex.split(cmd), stdout=subprocess.PIPE,
+                                         stderr=subprocess.PIPE)
+                    stdout, stderr = p.communicate()
+                    LOG.debug(f"stdout: {stdout}; stderr: {stderr}")
+                    #if (tvaultconf.cleanup and policy_changes_cleanup):
+                    #    self.addCleanup(self.revert_changes_policyyaml, old_rule)
+                    #ssh.close()
+            else:
+                raise Exception("Tvault IPs not available")
+        else:
+            for ip in tvaultconf.tvault_ip:
+                policy_filepath = '/etc/workloadmgr/policy.yaml'
+                ssh = self.SshRemoteMachineConnection(ip, tvaultconf.tvault_username,
+                                                      tvaultconf.tvault_password)
+                commands = self.add_changes_policyyaml_file(role, rule, policy_filepath, policy_changes_cleanup=True)
+                stdin, stdout, stderr = ssh.exec_command(commands)
+                if (tvaultconf.cleanup and policy_changes_cleanup):
+                    self.addCleanup(self.revert_changes_policyyaml, old_rule)
+                ssh.close()
 
     '''
     Method to revert changes of role and rule in policy.json file on tvault
@@ -2411,30 +2440,54 @@ def change_policyyaml_file(self, role, rule, policy_changes_cleanup=True):
     policy.yaml file on tvault
     '''
 
+    def revert_changes_policyyaml_file(self, rule, policy_filepath):
+        if rule == "admin_api":
+            role = "newadmin_api"
+            operations = ["workload:get_storage_usage", "workload:get_nodes"]
+
+        elif rule == "admin_or_owner":
+            role = "backup_api"
+            operations = ["workload:workload_snapshot", "snapshot:snapshot_delete", "workload:workload_create",
+                          "workload:workload_delete", "snapshot:snapshot_restore", "restore:restore_delete"]
+
+        role_delete_command = "sed -i '/^{0}/,+1d' {1}".format(role, policy_filepath)
+        rule_reassign_command = ""
+        for op in operations:
+            rule_reassign_command += '; ' + 'sed -i \'/{1}/c {1}: rule:{0}\'\
+            {2}'.format(rule, op, policy_filepath)
+        LOG.debug("role_delete_command: %s ;\n rule_reassign_command: %s", \
+                  role_delete_command, rule_reassign_command)
+        commands = role_delete_command + rule_reassign_command
+        LOG.debug("Commands to revert policy changes: %s", commands)
+        return commands
+
     def revert_changes_policyyaml(self, rule):
         if len(tvaultconf.tvault_ip) == 0:
-            raise Exception("Tvault IPs not available")
+            if (tvaultconf.openstack_distro.lower() == 'mosk'):
+                for wlm_container in tvaultconf.wlm_containers:
+                    # cmd = 'kubectl exec ' + tvaultconf.wlm_pod + ' -n triliovault -it -- bash'
+                    wlm_file = '/etc/triliovault-wlm/policy.yaml'
+                    # ssh = self.SshRemoteMachineConnection(ip, tvaultconf.tvault_username,
+                    #                                      tvaultconf.tvault_password)
+                    commands = self.revert_changes_policyyaml_file(rule, wlm_file)
+                    #cmd = 'kubectl exec ' + wlm_container + ' -n triliovault -it -- ' + commands
+                    cmd = 'docker exec -itu root ' + wlm_container + ' bash -c "' + commands + '"'
+                    LOG.debug("rbac commands: " + cmd)
+                    # stdin, stdout, stderr = ssh.exec_command(cmd)
+                    p = subprocess.Popen(shlex.split(cmd), stdout=subprocess.PIPE,
+                                         stderr=subprocess.PIPE)
+                    stdout, stderr = p.communicate()
+                    LOG.debug(f"stdout: {stdout}; stderr: {stderr}")
+                    #if (tvaultconf.cleanup and policy_changes_cleanup):
+                    #    self.addCleanup(self.revert_changes_policyyaml, old_rule)
+                    # ssh.close()
+            else:
+                raise Exception("Tvault IPs not available")
         for ip in tvaultconf.tvault_ip:
+            policy_filepath = '/etc/workloadmgr/policy.yaml'
             ssh = self.SshRemoteMachineConnection(ip, tvaultconf.tvault_username,
                                                   tvaultconf.tvault_password)
-            if rule == "admin_api":
-                role = "newadmin_api"
-                operations = ["workload:get_storage_usage", "workload:get_nodes"]
-
-            elif rule == "admin_or_owner":
-                role = "backup_api"
-                operations = ["workload:workload_snapshot", "snapshot:snapshot_delete", "workload:workload_create",
-                              "workload:workload_delete", "snapshot:snapshot_restore", "restore:restore_delete"]
-
-            role_delete_command = "sed -i '/^{0}/,+1d' /etc/workloadmgr/policy.yaml".format(role)
-            rule_reassign_command = ""
-            for op in operations:
-                rule_reassign_command += '; ' + 'sed -i \'/{1}/c {1}: rule:{0}\'\
-                /etc/workloadmgr/policy.yaml'.format(rule, op)
-            LOG.debug("role_delete_command: %s ;\n rule_reassign_command: %s", \
-                      role_delete_command, rule_reassign_command)
-            commands = role_delete_command + rule_reassign_command
-            LOG.debug("Commands to revert policy changes: %s", commands)
+            commands = self.revert_changes_policyyaml_file(role, rule, policy_filepath, policy_changes_cleanup=True)
             stdin, stdout, stderr = ssh.exec_command(commands)
             ssh.close()
 

tempest/api/workloadmgr/rbac/test_tvault_rbac_backuprole_touser_policyyaml.py

@@ -145,7 +145,9 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
             # Create workload with CLI by admin role
             workload_create = command_argument_string.workload_create + \
                 " --instance instance-id=" + str(self.instances_id[1])
+            LOG.debug("workload create command: {}".format(workload_create))
             error = cli_parser.cli_error(workload_create)
+            LOG.debug("Error for workload create: {}".format(error))
             if error and (str(error.strip('\n')).find(workload_create_error_str) != -1):
                 LOG.debug(
                     "Command workload_create did not execute correctly by admin role")
@@ -156,8 +158,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Command workload_create did not execute correctly by admin role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command workload_create executed correctly by admin role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Run snapshot_create CLI by admin role
             snapshot_create = command_argument_string.snapshot_create + \
@@ -174,8 +175,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute snapshot_create command by admin role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command snapshot_create executed correctly by admin role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Create one-click restore using CLI command by admin role
             restore_command = command_argument_string.oneclick_restore + \
@@ -191,8 +191,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute restore_create command by admin role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command restore_create executed correctly by admin role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Run restore_delete CLI by admin role
             restore_delete = command_argument_string.restore_delete + \
@@ -208,8 +207,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute restore_delete command by admin role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command restore_delete executed correctly by admin role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Run snapshot_delete CLI by admin role
             snapshot_delete = command_argument_string.snapshot_delete + \
@@ -225,8 +223,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute snapshot_delete command by admin role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command snapshot_delete executed correctly by admin role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Delete workload with CLI by admin role
             workload_delete = command_argument_string.workload_delete + \
@@ -242,8 +239,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute workload_delete command by admin role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command workload_delete executed correctly by admin role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Use nonadmin credentials
             os.environ['OS_USERNAME'] = CONF.identity.nonadmin_user
@@ -263,8 +259,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute workload_create command by default role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command workload_create executed correctly by default role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Run snapshot_create CLI by default role
             snapshot_create = command_argument_string.snapshot_create + \
@@ -280,8 +275,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute snapshot_create command by default role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command snapshot_create executed correctly by default role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Create one-click restore using CLI by default role
             restore_command = command_argument_string.oneclick_restore + \
@@ -297,8 +291,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute restore_create command by default role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command restore_create executed correctly by default role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Run restore_delete CLI by default role
             restore_delete = command_argument_string.restore_delete + \
@@ -314,8 +307,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute restore_delete command by default role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command restore_delete executed correctly by default role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Run snapshot_delete CLI by default role
             snapshot_delete = command_argument_string.snapshot_delete + \
@@ -332,8 +324,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute snapshot_delete command by default role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command snapshot_delete executed correctly by default role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Delete workload with CLI by default role
             workload_delete = command_argument_string.workload_delete + \
@@ -349,8 +340,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Can not execute workload_delete command by default role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command workload_delete executed correctly by default role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
 
             # Use backupuser credentials
             os.environ['OS_USERNAME'] = CONF.identity.backupuser
@@ -364,8 +354,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Execute  restore_delete command by backup role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command  restore_delete did not execute correctly by backup role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
             else:
                 reporting.add_test_step(
                     "Execute restore_delete command by backup role",
@@ -388,8 +377,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Execute snapshot_delete command by backup role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "Command snapshot_delete did not execute correctly by backup role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
             else:
                 reporting.add_test_step(
                     "Execute snapshot_delete command by backup role",
@@ -407,8 +395,7 @@ def test_tvault_rbac_backuprole_touser_policyyaml(self):
                 reporting.add_test_step(
                     "Execute workload_delete command by backup role",
                     tvaultconf.FAIL)
-                raise Exception(
-                    "RBAC policy fails for workload deletion by backup role")
+                reporting.set_test_script_status(tvaultconf.FAIL)
             else:
                 LOG.debug("Workload deleted successfully by backup role")
                 reporting.add_test_step(