Creation of Member role is no longer required

Bug #1330132 reported by Stephen Gordon
This bug affects 3 people

Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Low | Dolph Mathews |
devstack | Invalid | Undecided | Unassigned |
tempest | Fix Released | High | Martin Kopec |

Bug Description

Since Grizzly the Keystone service's SQL creation/migration scripts automatically create a role named _member_ for use as the default member role. Since Icehouse (backported to Havana) Horizon uses this as the default member role.

Devstack still creates a Member role, as was previously required:

# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(openstack role create \
    Member \
    | grep " id " | get_field 2)

As noted above, Horizon no longer uses such a role in the default configuration and on investigation the Swift dependency appears to be introduced by the way devstack configures Swift.

As such it should now be possible to stop creating this role (with corresponding changes to the Swift setup in devstack) and use _member_ instead, avoiding the creation (and confusion) of having two member roles with different names.

Stephen Gordon (sgordon)
Changed in devstack:
assignee: nobody → Stephen Gordon (sgordon)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (master)

Fix proposed to branch: master
Review: https://review.openstack.org/100101

Changed in devstack:
status: New → In Progress
Stephen Gordon (sgordon) wrote :

Omitted in the description the minor detail that there are a number of tempest tests that appear to rely on Member being present...

Stephen Gordon (sgordon) wrote :

In all cases the tempest failures come back to _assign_member_role failing because the role in tempest/config.py, which is set to Member, is no longer being created by devstack (well, if you also include the patch I'm proposing for devstack). Updating the configuration first will fix this.

Changed in tempest:
assignee: nobody → Stephen Gordon (sgordon)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/100113

Changed in tempest:
status: New → In Progress
Andrey Pavlov (apavlov-e) wrote :

Could you update the description in keystone.conf about this role?

Stephen Gordon (sgordon) wrote :

Did you mean the member_role_name value (which seems to have an up to date comment) or the LDAP strings?

Andrey Pavlov (apavlov-e) wrote :

I mean member_role_name/member_role_id.
It has the comment:

# During a SQL upgrade member_role_name will be used to create
# a new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_

It confuses me a bit.
Such a comment doesn't describe that this is the default role for a user in a tenant.

Dolph Mathews (dolph)
Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
importance: Undecided → Low
status: New → Triaged
tags: added: documentation user-experience
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/110803

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Dolph Mathews (dolph) → Marek Denis (marek-denis)
Changed in keystone:
assignee: Marek Denis (marek-denis) → Dolph Mathews (dolph)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/110803
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d7b52931aeef06eda6ec774f6cc3497836b14899
Submitter: Jenkins
Branch: master

commit d7b52931aeef06eda6ec774f6cc3497836b14899
Author: Dolph Mathews <email address hidden>
Date: Wed Oct 1 21:18:25 2014 +0000

    revise docs on default _member_ role

    Closes-Bug: 1330132
    Change-Id: I3d9647ee6e537b304191dfa5e34e56122c11cd68

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (feature/hierarchical-multitenancy)

Fix proposed to branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/129376

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (feature/hierarchical-multitenancy)

Reviewed: https://review.openstack.org/129376
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6f806bdc9b58206ecccf29f79df1257e737e9f5b
Submitter: Jenkins
Branch: feature/hierarchical-multitenancy

commit fdbad9f530ea4478d96437b021c9b5cc6d338901
Author: Nathan Kinder <email address hidden>
Date: Wed Oct 15 16:21:01 2014 -0700

    Restrict certain APIs to cloud admin in domain-aware policy

    Some of the APIs in the domain-aware policy file are currently
    allowed by any "admin" user, when they should really be locked
    down to the cloud admin. Without this, users who are a project
    admin will be allowed to do things like manage regions, IdPs,
    and other objects that they should not be allowed to touch.

    Change-Id: Ifca8bc2fffd2d8c1bf02373d1fadd459a77f836c
    Closes-bug: #1381809

commit 062786bc53533edf78a24e35688d7183c0b57175
Author: Brad Topol <email address hidden>
Date: Mon Sep 8 11:28:02 2014 -0500

    Clean up federated identity audit code

    Change-Id: I110eb40c83f1de25bff9215b0490269f5941316a

commit 1056f9abfb283abb083538b7588a006c1b242d1b
Author: wanghong <email address hidden>
Date: Thu Oct 9 15:39:27 2014 +0800

    obsolete deployment docs

    Now we use 'database' section instead, but the doc does not synchronize.

    Change-Id: Ie73ec8225ce1290a4b8fdbb5b9db4c566b5ada22
    Closes-Bug: #1377101

commit 1b2fc1e10469bf5ff97b8a825ba404dd8f602320
Author: David Stanek <email address hidden>
Date: Thu Sep 4 17:59:58 2014 +0000

    Fixes a spelling error in hacking tests

    bp more-code-style-automation

    Change-Id: I9159aba128415d6e3a1f9ee9147c7cba19abeffe

commit 2520502724c549fb7ad846203ed60eb86c21aed3
Author: OpenStack Proposal Bot <email address hidden>
Date: Tue Oct 7 19:12:29 2014 +0000

    Updated from global requirements

    Change-Id: If2d591bba119998e41f109f4099ba4147821171e

commit 8af522af96c4bc0f6d0f7de48f6433fd19115d54
Author: Henry Nash <email address hidden>
Date: Tue Oct 7 10:01:47 2014 +0100

    Remove deprecated KVS trust backend.

    The trust backend is one of the KVS backends that was marked as
    deprecated, for removal in Kilo. This patch removes it.

    Partially implements: bp removed-as-of-kilo

    Change-Id: Ib67cd33419d09e219d90ab8c50d375964a12640c

commit a96b20238919037837156e238e708abff415cade
Author: Steve Martinelli <email address hidden>
Date: Fri Sep 26 14:40:22 2014 -0400

    Add v3 openstackclient CLI examples

    Add some notes about authenticating with v3 keystone and
    openstackclient. Also add some examples that don't exist in v2.0,
    like domains and groups.

    Change-Id: I92f9f9ab3ed4657f0771ad284ee6c4c613eca27c

commit 495b44ae0ed3e69e21022ccfc9e2d67ba4d0a97e
Author: Steve Martinelli <email address hidden>
Date: Thu Sep 25 12:08:15 2014 -0400

    Update the CLI examples to also use openstackclient

    In the CLI example section, use openstackclient examples and
    keystoneclient examples.

    Change-Id: Ia13730fbac5900998993c56d9a792b392a1ba3ac

commit 4f9add8029de5f9463b9bd9ca4f933f1be79c021
Author: Steve Martinelli <stevemar@c...


Changed in keystone:
milestone: none → kilo-1
Stephen Gordon (sgordon)
Changed in devstack:
status: In Progress → Confirmed
Changed in tempest:
status: In Progress → Confirmed
Changed in devstack:
assignee: Stephen Gordon (sgordon) → nobody
Changed in tempest:
assignee: Stephen Gordon (sgordon) → nobody
OpenStack Infra (hudson-openstack) wrote : Change abandoned on devstack (master)

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/100101
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tempest (master)

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/100113
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-1 → 2015.1.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (master)

Fix proposed to branch: master
Review: https://review.openstack.org/229799

Changed in devstack:
assignee: nobody → Rob Cresswell (robcresswell)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on devstack (master)

Change abandoned by Rob Cresswell (<email address hidden>) on branch: master
Review: https://review.openstack.org/229799

Changed in devstack:
assignee: Rob Cresswell (robcresswell) → nobody
status: In Progress → Confirmed
Sean Dague (sdague) wrote :

This devstack bug was last updated over 180 days ago. As devstack
is a fast-moving project and we'd like to get the tracker down to
currently actionable bugs, this is getting marked as Invalid. If the
issue still exists, please feel free to reopen it.

Changed in devstack:
status: Confirmed → Invalid
Martin Kopec (mkopec) wrote :

The tempest code still contains "Member" within:

tempest/config.py
tempest/lib/common/dynamic_creds.py
tempest/tests/lib/common/test_dynamic_creds.py
etc/tempest.conf.sample

What is the current role? IIUC Member was replaced by _member_ but based on what I've heard recently, _member_ is deprecated too?

tags: added: low-hanging-fruit
Ghanshyam Mann (ghanshyammann) wrote :

As Kopec mentioned in his comment, the tempest files below are still using the 'Member' role, which can be replaced with the 'member' role.

tempest/config.py
- 'Member' is used as the default value of the operator_role config option; we can change it to 'member'.

tempest/lib/common/dynamic_creds.py
- here it is used to make sure that if no roles are configured then at least one role is assigned to
the user by default, so replacing 'Member' with 'member' is fine here.

tempest/tests/lib/common/test_dynamic_creds.py
- this can be replaced with 'member' when changing dynamic_creds.py

etc/tempest.conf.sample
- this is the same when changing tempest.conf
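
A pre-flight check for the failure discussed in this thread (a configured role name that the identity service does not have), as an added example that is not part of the original bug report or of tempest. The section names in the sample config, the role lists, and the rule that every option ending in "role" or "roles" names a role are assumptions made for illustration; only operator_role and the three role names come from the thread.

```python
import configparser

# Names this thread uses for the plain "member" role over time.
MEMBER_VARIANTS = {"Member", "_member_", "member"}

# Constructed sample config; section names are assumptions for illustration.
SAMPLE_CONF = """
[object-storage]
operator_role = Member
[example]
extra_roles = admin, Member
"""

def configured_roles(conf_text):
    """Yield (section.option, role) for every option named *role or *roles."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in cp.sections():
        for option, value in cp.items(section):
            if option.endswith(("role", "roles")):
                for role in filter(None, (r.strip() for r in value.split(","))):
                    yield f"{section}.{option}", role

def audit(conf_text, keystone_roles):
    """List configured roles that the identity service does not have.

    Names are compared exactly as written (assumption: 'Member' != 'member').
    """
    existing = set(keystone_roles)
    findings = []
    for where, role in configured_roles(conf_text):
        if role in existing:
            continue
        # If a member-style name is missing, point at the variant that exists.
        hint = sorted(existing & MEMBER_VARIANTS) if role in MEMBER_VARIANTS else []
        findings.append((where, role, hint))
    return findings

def duplicate_member_roles(keystone_roles):
    """Return member-style roles that coexist, e.g. both Member and _member_."""
    present = sorted(set(keystone_roles) & MEMBER_VARIANTS)
    return present if len(present) > 1 else []

if __name__ == "__main__":
    # Constructed role list, as if devstack no longer created 'Member'.
    for where, role, hint in audit(SAMPLE_CONF, ["admin", "_member_"]):
        print(f"{where}: role {role!r} not found; existing candidates: {hint}")
```
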

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.opendev.org/731146

Changed in tempest:
assignee: nobody → Martin Kopec (mkopec)
status: Confirmed → In Progress
Martin Kopec (mkopec) wrote :

I changed the importance to High as we have a fix for this waiting for a review.

Changed in tempest:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.opendev.org/731146
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=99d4dae684070125f981d4512807a52dede48382
Submitter: Zuul
Branch: master

commit 99d4dae684070125f981d4512807a52dede48382
Author: Martin Kopec <email address hidden>
Date: Wed May 27 10:33:17 2020 +0000

    Change 'Member' role reference to 'member'

    'Member' role has been deprecated and replaced by 'member'.
    The patch replaces the leftover occurrences of 'Member' by 'member'.

    Change-Id: I857655b8568eb2df1bb9bc263117119388d42f01
    Closes-Bug: #1330132

Changed in tempest:
status: In Progress → Fix Released
Dolph Mathews (dolph) wrote :

Yay!

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tempest 25.0.1

This issue was fixed in the openstack/tempest 25.0.1 release.
