Switch the order of the tests

zaza/openstack/charm_tests/policyd/tests.py

@@ -155,11 +155,12 @@ def test_disable_service(self):
         self._set_policy_with(
             {'rule.yaml': "{'identity:list_services': '!'}"})
 
-        # verify (with the config off) that we can actually access
-        # these points
+        # verify that the policy.d override does disable the endpoint
         with self.config_change(
-                {'preferred-api-version': self.default_api_version},
-                {'preferred-api-version': '3'},
+                {'preferred-api-version': self.default_api_version,
+                 'use-policyd-override': 'False'},
+                {'preferred-api-version': '3',
+                 'use-policyd-override': 'True'},
                 application_name="keystone"):
             zaza_model.block_until_all_units_idle()
             for ip in self.keystone_ips:
@@ -185,21 +186,19 @@ def test_disable_service(self):
                         openstack_utils.get_keystone_session_client(
                             keystone_session))
                     keystone_client.services.list()
-                    logging.info("keystone IP:{} without policyd override "
-                                 "services list working"
-                                 .format(ip))
-                except keystoneauth1.exceptions.http.Forbidden:
                     raise zaza_exceptions.PolicydError(
-                        'Retrieve services list as demo user with project '
-                        'scoped token passed and should have passed. IP = {}'
+                        'Retrieve service list as admin with project scoped '
+                        'token passed and should have failed. IP = {}'
                         .format(ip))
+                except keystoneauth1.exceptions.http.Forbidden:
+                    logging.info("keystone IP:{} policyd override working"
+                                 .format(ip))
 
-        # now verify that the policy.d override does disable the endpoint
+        # now verify (with the config off) that we can actually access
+        # these points
         with self.config_change(
-                {'preferred-api-version': self.default_api_version,
-                 'use-policyd-override': 'False'},
-                {'preferred-api-version': '3',
-                 'use-policyd-override': 'True'},
+                {'preferred-api-version': self.default_api_version},
+                {'preferred-api-version': '3'},
                 application_name="keystone"):
             zaza_model.block_until_all_units_idle()
             for ip in self.keystone_ips:
@@ -225,13 +224,14 @@ def test_disable_service(self):
                         openstack_utils.get_keystone_session_client(
                             keystone_session))
                     keystone_client.services.list()
+                    logging.info("keystone IP:{} without policyd override "
+                                 "services list working"
+                                 .format(ip))
+                except keystoneauth1.exceptions.http.Forbidden:
                     raise zaza_exceptions.PolicydError(
-                        'Retrieve service list as admin with project scoped '
-                        'token passed and should have failed. IP = {}'
+                        'Retrieve services list as demo user with project '
+                        'scoped token passed and should have passed. IP = {}'
                         .format(ip))
-                except keystoneauth1.exceptions.http.Forbidden:
-                    logging.info("keystone IP:{} policyd override working"
-                                 .format(ip))
 
         logging.info('OK')