Comment 12 for bug 1963685

Corey Bryant (corey.bryant) wrote :

What Bartosz says in comment #11 is correct. tempest.conf needs updating with 'log_user_roles = False' to bypass the 'list_role_assignments' call.

Bas fixed this in https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/867810 (Thanks Bas!)

The tempest tests generate a user and I've found no other octavia tempest config [1] that will give the tempest-generated user the admin privileges required for the keystone policy [2] to allow running list_role_assignments. You can set the admin_role=Admin, and it does take effect; however, you can't set the domain=admin_domain or project=admin.

[1] https://github.com/openstack/octavia-tempest-plugin/blob/master/octavia_tempest_plugin/config.py

[2] /etc/keystone/policy.json (this is bionic-ussuri)
    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:c8fd27a31e23422ab7d3b0a6962f6049 or project_id:4f7d8068c88541c688e2fb849d7cb729)",
(where c8fd27a31e23422ab7d3b0a6962f6049==admin_domain, and 4f7d8068c88541c688e2fb849d7cb729==services)
    "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
    "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",