I think we all agree that the issue to fix here is the hardcoded adminURL in the _set_identity_clients method in client.py. What we need is to have options to initialize this endpoint_type for non-admin user testing. I also agree with Andrea that different URL is controlled via network configuration / firewall. I have experienced testing on clouds where the endpoint_type needed to be set to internalURL.
What Refstack wants to test are a few basic Keystone functions using "non-amin user credential", such as get token, list user's own tenant(s) .. We expect that a cloud which is built with out-of-the-box default configuration should be able to pass these tests. Typically in these clouds, a non-admin user will have no admin role assigned to it and thus would not be able to access Keystone APIs through adminURL.
I think we all agree that the issue to fix here is the hardcoded adminURL in the _set_identity_ clients method in client.py. What we need is to have options to initialize this endpoint_type for non-admin user testing. I also agree with Andrea that different URL is controlled via network configuration / firewall. I have experienced testing on clouds where the endpoint_type needed to be set to internalURL.
What Refstack wants to test are a few basic Keystone functions using "non-amin user credential", such as get token, list user's own tenant(s) .. We expect that a cloud which is built with out-of-the-box default configuration should be able to pass these tests. Typically in these clouds, a non-admin user will have no admin role assigned to it and thus would not be able to access Keystone APIs through adminURL.
With hardcoded adminURL and non-admim user, the test_list_ tenants_ returns_ authorized_ tenants in tempest. api.identity. v2.test_ tenants /review. openstack. org/#/c/ 192709/) would fail for "code": 403, "title": "Forbidden" (stack trace: http:// paste.openstack .org/show/ 378458/). This test result was collected on a RDO cloud (built based on installation instruction on https:/ /www.rdoproject .org/Quickstart).
(https:/
Does it make sense to add a non_admin_ identity_ client in which the endpoint_type is set to whatever value set in the Tempest configuration file?