Comment 0 for bug 1565584

Many default tests appear to request credentials without specifying a role. These tests then fail in an environment where more granular roles have been implemented (for example, with the addition of roles to both keystone and policy.json files that have fewer permissions than _member_) and as a result, the historical notion of "any role on a project is generally equivalent to admin_or_owner" no longer applies.

If credentials are added to accounts.yaml with roles less permissive than _member_, there is a chance that the default tests will use them and fail. For example,

tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_keypair_create_delete

- will fail if there is are credentials in account in accounts.yaml, whose only defined purpose via the various policy.json files is to start and stop compute instances.

A preferable outcome would be either for a default role to be applied (e.g. _member_) if none were requested from the credential provider by the test itself, or for the individual tests themselves to always request credentials by role.