tempest

project_member and project_reader dynamic credentials are in different projects

Bug #1964509 reported by Michael Johnson
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
tempest
Fix Released
High
Ghanshyam Mann

Bug Description

When using the new "project_member" and "project_reader" dynamic credentials, I found that the two credentials are created in different projects. This makes testing with these roles much harder.

Example:
credentials = ['admin', 'primary', 'system_admin', 'system_reader', 'project_member', 'project_reader']

##### primary project ID: 01e6f78fbc6a44e7b281145ef1e73a60
##### os_project_member project ID: 2f207de1fef54c21bc7a0b1274e67453
##### os_project_reader project ID: 196ae03170c3469bb1809137d8f58de2

Can we setup the member and reader credentials to be part of the same project to allow easier testing of the "read-only" role?

Ghanshyam Mann (ghanshyammann)
Changed in tempest:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Ghanshyam Mann (ghanshyammann)
Revision history for this message
Ghanshyam Mann (ghanshyammann) wrote :

yes, they are supposed to be same project id even previous creds admin and primary should have same project id.

Currently, it was working fine as services policy did not have any project_id in member or admin policy and we have not tested it same/different project id among admin and members.

But with new RBAC where service policies are having the project_id in default rules and we need to test for reader, member permission on particular APIs we should fix this.

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

We're working around the issue by creating a new user dynamically:

https://review.opendev.org/c/openstack/manila-tempest-plugin/+/805938/62/manila_tempest_tests/tests/rbac/base.py#122

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tempest/+/871018

Changed in tempest:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.opendev.org/c/openstack/tempest/+/871018
Committed: https://opendev.org/openstack/tempest/commit/35fc95dbd05b3ed97d01ecf66ce3ca9f5c7d865b
Submitter: "Zuul (22348)"
Branch: master

commit 35fc95dbd05b3ed97d01ecf66ce3ca9f5c7d865b
Author: Ghanshyam Mann <email address hidden>
Date: Wed Jan 18 23:22:29 2023 -0600

    Fix creation of requested creds within the same project

    We have a bug in dynamic creds creation where project creds
    with different roles are created under a new projects. Creds
    of different role of projects must be created within the same
    project.

    Fixing the creation of 'project_admin', 'project_member',
    'project_reader', 'primary' creds in same projects. All the alt
    creds will be created under same projects. but main and alt creds
    will use different project, for example, 'project_alt_member'
    and 'project_member' creds will be created in different project.

    'admin' creds will continue be in new project as many test
    use it as legacy admin.

    Closes-Bug: #1964509
    Change-Id: I9af005e2900195c42ecbbf7434facae2d3952f30

Changed in tempest:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tempest 34.0.0

This issue was fixed in the openstack/tempest 34.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.