Default tests do not request credentials by role

Bug #1565584 reported by Michael Richardson on 2016-04-04
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tempest
Undecided
Dale Smith

Bug Description

Many default tests appear to request credentials without specifying a role. These tests then fail in an environment where more granular roles have been implemented (for example, with the addition of roles to both keystone and policy.json files that have fewer permissions than _member_) and as a result, the historical notion of "any role on a project is generally equivalent to admin_or_owner" no longer applies.

If credentials are added to accounts.yaml with roles less permissive than _member_, there is a chance that the default tests will use them and fail.

For example,

tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_keypair_create_delete

- will fail if there are credentials in accounts.yaml, whose only defined purpose via the various policy.json files is to start and stop compute instances.

A preferable outcome would be either for a default role to be applied (e.g. _member_) if none were requested from the credential provider by the test itself, or for the individual tests themselves to always request credentials by role.

description: updated
description: updated
description: updated
Dale Smith (dalees) wrote :

In the PreProvisionedCredentialProvider the mechanism tests use is 'get_primary_creds' and 'get_alt_creds'.

These functions pick up the first user available from a pool of all users in accounts.yaml (excluding users with 'admin' roles).

I propose adding a config option 'identity/member_role' which would allow these functions to instead request a user that has that specific role, rather than the first available with any role.

Since installations will use either _member_ or Member, hardcoding this role name like DynamicCredentialProvider does will not work against all environments. It may be preferable to remove the hardcoded role name in this class also, so any customised policy.json can be accounted for, but that is out of scope for this bug.

Fix proposed to branch: master
Review: https://review.openstack.org/302332

Changed in tempest:
assignee: nobody → Dale Smith (dalees)
status: New → In Progress
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers