Many default tests appear to request credentials without specifying a role. These tests then fail in an environment where more granular roles have been implemented (for example, with the addition of roles to both keystone and policy.json files that have fewer permissions than _member_) and as a result, the historical notion of "any role on a project is generally equivalent to admin_or_owner" no longer applies.
If credentials are added to accounts.yaml with roles less permissive than _member_, there is a chance that the default tests will use them and fail.
For example,
tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_keypair_create_delete
- will fail if there are credentials in accounts.yaml, whose only defined purpose via the various policy.json files is to start and stop compute instances.
A preferable outcome would be either for a default role to be applied (e.g. _member_) if none were requested from the credential provider by the test itself, or for the individual tests themselves to always request credentials by role.
In the PreProvisionedC
These functions pick up the first user available from a pool of all users in accounts.yaml (excluding users with 'admin' roles).
I propose adding a config option 'identity/
Since installations will use either _member_ or Member, hardcoding this role name like DynamicCredenti