Default tests do not request credentials by role
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tempest |
Expired
|
Undecided
|
Unassigned |
Bug Description
Many default tests appear to request credentials without specifying a role. These tests then fail in an environment where more granular roles have been implemented (for example, with the addition of roles to both keystone and policy.json files that have fewer permissions than _member_) and as a result, the historical notion of "any role on a project is generally equivalent to admin_or_owner" no longer applies.
If credentials are added to accounts.yaml with roles less permissive than _member_, there is a chance that the default tests will use them and fail.
For example,
tempest.
- will fail if there are credentials in accounts.yaml, whose only defined purpose via the various policy.json files is to start and stop compute instances.
A preferable outcome would be either for a default role to be applied (e.g. _member_) if none were requested from the credential provider by the test itself, or for the individual tests themselves to always request credentials by role.
In the PreProvisionedC redentialProvid er the mechanism tests use is 'get_primary_creds' and 'get_alt_creds'.
These functions pick up the first user available from a pool of all users in accounts.yaml (excluding users with 'admin' roles).
I propose adding a config option 'identity/ member_ role' which would allow these functions to instead request a user that has that specific role, rather than the first available with any role.
Since installations will use either _member_ or Member, hardcoding this role name like DynamicCredenti alProvider does will not work against all environments. It may be preferable to remove the hardcoded role name in this class also, so any customised policy.json can be accounted for, but that is out of scope for this bug.