A user with reader role can create and delete group snapshot.
These requests should be forbidden for reader.
From the tempest logs:
***** create group snapshot:
2023-10-01 15:03:14,134 92819 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_create_group_snapshot): 202 POST https://10.209.35.34/volume/v3/6205b6edf2c5400484a510cf0c559100/group_snapshots 0.378s
2023-10-01 15:03:14,135 92819 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.19', 'X-Auth-Token': '<omitted>'}
Body: {"group_snapshot": {"group_id": "cf2b5558-dde1-4727-9aad-cc622092d395", "name": "tempest-ProjectReaderTests-Group_Snapshot-1594032646"}}
Response - Headers: {'date': 'Sun, 01 Oct 2023 15:03:13 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-4e4393c2-13b5-425f-bdce-a8bde471e532', 'content-length': '187', 'openstack-api-version': 'volume 3.19', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-4e4393c2-13b5-425f-bdce-a8bde471e532', 'connection': 'close', 'status': '202', 'content-location': 'https://10.209.35.34/volume/v3/6205b6edf2c5400484a510cf0c559100/group_snapshots'}
Body: b'{"group_snapshot": {"id": "82d784bf-8a69-4d94-88b8-b7c5f8c6dd51", "name": "tempest-ProjectReaderTests-Group_Snapshot-1594032646", "group_type_id": "a76bef25-0603-4046-b772-1750f72a0bba"}}'
}}}
***** delete group snapshot:
2023-10-01 15:03:21,069 92819 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_delete_group_snapshot): 202 DELETE https://10.209.35.34/volume/v3/6205b6edf2c5400484a510cf0c559100/group_snapshots/5d3af872-86bd-4d52-8cdc-dd78a5ce6f6b 0.140s
2023-10-01 15:03:21,069 92819 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.19', 'X-Auth-Token': '<omitted>'}
Body: None
Response - Headers: {'date': 'Sun, 01 Oct 2023 15:03:20 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-length': '0', 'content-type': 'text/html; charset=UTF-8', 'openstack-api-version': 'volume 3.19', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-4d065c67-4223-4783-99fd-6ad9a4e6396d', 'connection': 'close', 'status': '202', 'content-location': 'https://10.209.35.34/volume/v3/6205b6edf2c5400484a510cf0c559100/group_snapshots/5d3af872-86bd-4d52-8cdc-dd78a5ce6f6b'}
Body: b''
}}}
Additional info:
Failing job:
https://zuul.opendev.org/t/openstack/build/11df3f9f84384514b91678ba58972000
From cinder.conf:
[oslo_policy]
enforce_new_defaults = True