Comment 5 for bug 1473396

I think we all agree that the issue to fix here is the hardcoded adminURL in the _set_identity_clients method in client.py. What we need is to have options to initialize this endpoint_type for non-admin user testing. I also agree with Andrea that different URL is controlled via network configuration / firewall. I have experienced testing on clouds where the endpoint_type needed to be set to internalURL.

What Refstack wants to test are a few basic Keystone functions using "non-amin user credential", such as get token, list user's own tenant(s) .. We expect that a cloud which is built with out-of-the-box default configuration should be able to pass these tests. Typically in these clouds, a non-admin user will have no admin role assigned to it and thus would not be able to access Keystone APIs through adminURL.

With hardcoded adminURL and non-admim user, the test_list_tenants_returns_authorized_tenants in tempest.api.identity.v2.test_tenants
(https://review.openstack.org/#/c/192709/) would fail for "code": 403, "title": "Forbidden" (stack trace: http://paste.openstack.org/show/378458/). This test result was collected on a RDO cloud (built based on installation instruction on https://www.rdoproject.org/Quickstart).

Does it make sense to add a non_admin_identity_client in which the endpoint_type is set to whatever value set in the Tempest configuration file?