The tempest tests generate a user, and I've found no other octavia tempest config [1] that will give the tempest-generated user the admin privileges required for the keystone policy [2] to allow running list_role_assignments. You can set admin_role=Admin, and it does take effect; however, you can't set domain=admin_domain or project=admin.
[2] /etc/keystone/policy.json (this is bionic-ussuri)
"admin_required": "role:Admin",
"cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:c8fd27a31e23422ab7d3b0a6962f6049 or project_id:4f7d8068c88541c688e2fb849d7cb729)",
(where c8fd27a31e23422ab7d3b0a6962f6049==admin_domain, and 4f7d8068c88541c688e2fb849d7cb729==services)
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
What Bartosz says in comment #11 is correct. tempest.conf needs updating with 'log_user_roles = False' to bypass the 'list_role_assignments' call.
Bas fixed this in https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/867810 (Thanks Bas!)
[1] https://github.com/openstack/octavia-tempest-plugin/blob/master/octavia_tempest_plugin/config.py
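The policy rules quoted in this comment can be evaluated by hand to see why the Admin role alone is not enough. The following is an added example, not part of the original comment and not keystone or oslo.policy code: a simplified evaluator for these rule strings. The credential dicts and the empty request target (an unfiltered list call) are constructed assumptions, and admin_on_domain_filter, which the excerpt references but does not show, is treated as undefined.

```python
import re

# Rules copied from the policy.json excerpt on this page. admin_on_domain_filter
# is referenced there but not shown, so it is left undefined and never matches.
POLICY = {
    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and (is_admin_project:True or "
                   "domain_id:c8fd27a31e23422ab7d3b0a6962f6049 or "
                   "project_id:4f7d8068c88541c688e2fb849d7cb729)",
    "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
    "identity:list_role_assignments":
        "rule:cloud_admin or rule:admin_on_domain_filter or "
        "rule:admin_on_project_filter",
}
TOKEN = re.compile(r"(?:[^\s()%]|%\([^)]*\)s)+|\(|\)")

def _atom(check, creds, target):
    kind, _, match = check.partition(":")
    if kind == "rule":                      # reference to another named rule
        return match in POLICY and allowed(match, creds, target)
    if kind == "role":                      # role names compare case-insensitively
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:                                    # generic check: creds[kind] == value
        return str(creds[kind]) == match % target
    except KeyError:                        # missing credential or target key
        return False

def _parse(tokens, creds, target, ops=("or", "and")):
    """Recursive descent: 'or' binds loosest, then 'and', then atoms/parens."""
    if not ops:
        tok = tokens.pop(0)
        if tok != "(":
            return _atom(tok, creds, target)
        value = _parse(tokens, creds, target)
        tokens.pop(0)                       # consume ")"
        return value
    value = _parse(tokens, creds, target, ops[1:])
    while tokens and tokens[0] == ops[0]:
        tokens.pop(0)
        rhs = _parse(tokens, creds, target, ops[1:])  # always parse both sides
        value = (value or rhs) if ops[0] == "or" else (value and rhs)
    return value

def allowed(rule, creds, target):
    return _parse(TOKEN.findall(POLICY[rule]), creds, target)
# Constructed credentials: Admin role alone vs. Admin role in the admin domain.
TEMPEST_USER = {"roles": ["Admin"], "is_admin_project": False,
                "domain_id": "default", "project_id": "tempest-dynamic-project"}
CLOUD_ADMIN = dict(TEMPEST_USER, domain_id="c8fd27a31e23422ab7d3b0a6962f6049")
```

With these inputs, allowed("identity:list_role_assignments", TEMPEST_USER, {}) is denied even though admin_required passes, while the same call with CLOUD_ADMIN is permitted through the cloud_admin rule.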