Allow tempest tests to run with system scope
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tempest |
Confirmed
|
Medium
|
Ghanshyam Mann | ||
Bug Description
Currently, most tempest tests are written assuming self.os_admin is a project-admin, which works will for old policies.
Now that keystone supports default roles and system-scope, the default policies are changing across all OpenStack services to be more secure. A huge part of this change is testing and it would be great to re-use the testing that already exists in tempest.
During the Xena PTG we discussed ways to re-use the existing tempest tests we have to implementing this functionality. One proposal was to implement a test decorator that would evaluate if system-scope was used in the deployment via configuration and then alias the self.os_
This functionality will be disabled by default to be backwards compatible, but enabling it would allow us to use all the existing tempest tests to test secure RBAC.
| Martin Kopec (mkopec) wrote | #1 |
| Changed in tempest: | |
| assignee: | nobody → Ghanshyam Mann (ghanshyammann) |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
Confirming and assigning to Ghanshyam per the discussion in https:/