Some tests fail when running keystone v3 with policy.v3cloudsample.json
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tempest | Expired | Undecided | Unassigned | | |
Bug Description
Running tempest full against a Keystone v3 enabled cloud using the stable newton policy.
What I'm seeing is that some tests (like tempest.
1) A new project in the admin domain
2) A new user in the admin domain
3) Grants the admin role on the new project to the new user.
The test then authenticates with the new user's credentials and attempts to list_domains. The policy.json, however, has:
"cloud_admin": "role:admin and (token.
...
"identity:
From tempest I see:
=======
FAIL: tempest.
tags: worker-0
-------
Empty attachments:
stderr
stdout
pythonlogging:'': {{{2017-01-23 15:57:09,806 2014 INFO [tempest.
Traceback (most recent call last):
File "tempest/
project = self.identity_
File "tempest/test.py", line 470, in identity_utils
project_
File "tempest/
roles_client, domains_client, project_
File "tempest/
name=
File "tempest/
resp, body = self.get(url)
File "tempest/
return self.request('GET', url, extra_headers, headers)
File "tempest/
self.
File "tempest/
raise exceptions.
tempest.
Details: {u'message': u'You are not authorized to perform the requested action: identity:
In the keystone log I see:
(keystone.
'access_token_id': None,
'user_id': u'3fd9e70825d64
'roles': [u'Admin'],
'user_domain_id': u'363ab68785c24
'consumer_id': None,
'trustee_id': None,
'is_domain': False,
'trustor_id': None,
'token': <KeystoneToken (audit_
'project_id': u'b48ba24e96d84
'trust_id': None,
'project_
(keystone.
This appears to be project scoped. If I update the policy.json to grant cloud_admin if the project is the admin domain then that seems to fix things. The change I'm trying is:
3c3,4
< "cloud_admin": "role:admin and (token.
---
> "bob": "project_
> "cloud_admin": "role:admin and (token.
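Review bot: the rule added on the first ">" line is named "bob", which tells a later reader of policy.json nothing about what it matches. It is introduced in the same hunk that rewrites cloud_admin, so give it a name that states the condition it checks; that way the grant of cloud admin rights can be audited from the rule names.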
I did notice this comment on Bug #1451987 *2:
If you see following errors for all identity api v3 tests, then please be known that it's not a bug in tempest, rather you need to change keystone v3 policy.json and make it more relaxed so tempest can authorize with users created for each test with separate projects (tenants) because we set tenant_isolation to True in tempest.conf ...
...but I would think that policy.
Fwiw the keystone v3 gate tests use the old policy.json.
Regards
Liam
*1 https:/
*2 https:/
Tempest now supports domain scoped tokens exactly for this.
Have you tried the latest tempest? Are you still experiencing this?