project_member and project_reader dynamic credentials are in different projects
Bug #1964509 reported by
Michael Johnson
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tempest |
Fix Released
|
High
|
Ghanshyam Mann |
Bug Description
When using the new "project_member" and "project_reader" dynamic credentials, I found that the two credentials are created in different projects. This makes testing with these roles much harder.
Example:
credentials = ['admin', 'primary', 'system_admin', 'system_reader', 'project_member', 'project_reader']
##### primary project ID: 01e6f78fbc6a44e
##### os_project_member project ID: 2f207de1fef54c2
##### os_project_reader project ID: 196ae03170c3469
Can we setup the member and reader credentials to be part of the same project to allow easier testing of the "read-only" role?
Changed in tempest: | |
status: | New → Confirmed |
importance: | Undecided → High |
assignee: | nobody → Ghanshyam Mann (ghanshyammann) |
To post a comment you must log in.
yes, they are supposed to be same project id even previous creds admin and primary should have same project id.
Currently, it was working fine as services policy did not have any project_id in member or admin policy and we have not tested it same/different project id among admin and members.
But with new RBAC where service policies are having the project_id in default rules and we need to test for reader, member permission on particular APIs we should fix this.