When you secure your API through the policy.json files, some tempest test cases will start failing with 403. We would like to propose the ability to set the roles according to the primary and alt default creds in the test case class credential array. This will allow you to specify higher privileges on primary and lower on alt when using both the dynamic_creds and preprov_creds. The default setting would function as it does today.
The high level design would be:
1) add the following config.py settings
tempest_primary_cred_role # Roles to be applied to dynamic_creds or searched in accounts.yaml.
tempest_alt_cred_role # Roles to be applied to dynamic_creds or searched in accounts.yaml.
2) update DynamicCredentialProvider.get_credentials to assign roles in list according to primary and alt.
3) update PreProvisionedCredentialProvider.get_primary_creds and PreProvisionedCredentialProvider.get_alt_creds to look for the role in accounts.yaml that tempest_primary_cred_role or tempest_alt_cred_role provides.
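To make step 3 concrete, here is an added illustrative model of how a pre-provisioned credential provider could hand out a primary and an alt account with different required roles. This is example code written for this thread, not Tempest's own PreProvisionedCredentialProvider; the option names tempest_primary_cred_role and tempest_alt_cred_role are the proposal's, not existing Tempest options, and the accounts list is a constructed sample in the shape of an accounts.yaml file (Tempest itself would load the YAML and lock accounts on disk so parallel workers do not share them; a process-local lock stands in for that here).

```python
"""Illustrative per-credential role selection over an accounts.yaml pool.

Added example, not Tempest code. The primary_role / alt_role parameters
stand in for the proposed tempest_primary_cred_role / tempest_alt_cred_role
config options (hypothetical). With both left unset the behaviour is the
current one: primary and alt are simply two distinct non-admin accounts.
"""
import threading

# Constructed sample in the shape of tempest's accounts.yaml entries.
ACCOUNTS = [
    {"username": "user1", "project_name": "proj1", "password": "x",
     "roles": ["member", "creator"]},
    {"username": "user2", "project_name": "proj2", "password": "x",
     "roles": ["member"]},
    {"username": "user3", "project_name": "proj3", "password": "x",
     "roles": ["member", "creator"]},
    {"username": "admin", "project_name": "admin", "password": "x",
     "roles": ["admin"]},
]


class PreProvisionedRoleProvider:
    """Hands out accounts from a fixed pool, optionally filtered by role."""

    def __init__(self, accounts, primary_role=None, alt_role=None):
        self._accounts = accounts
        self._primary_role = primary_role
        self._alt_role = alt_role
        self._in_use = set()          # (username, project_name) already handed out
        self._lock = threading.Lock()  # stand-in for tempest's on-disk account lock
        self._creds = {}               # cached primary / alt creds, like the real provider

    def _acquire(self, role):
        """Return the first free account that satisfies `role`.

        role=None keeps today's semantics: any free non-admin account.
        Otherwise the account's roles list must contain the required role.
        """
        with self._lock:
            for acct in self._accounts:
                key = (acct["username"], acct["project_name"])
                if key in self._in_use:
                    continue
                if role is None:
                    if "admin" in acct["roles"]:
                        continue
                elif role not in acct["roles"]:
                    continue
                self._in_use.add(key)
                return acct
        raise RuntimeError("no free account in accounts.yaml with role %r" % (role,))

    def _get(self, name, role):
        # Repeated calls return the same creds for the life of the test class.
        if name not in self._creds:
            self._creds[name] = self._acquire(role)
        return self._creds[name]

    def get_primary_creds(self):
        return self._get("primary", self._primary_role)

    def get_alt_creds(self):
        return self._get("alt", self._alt_role)

    def clear_creds(self):
        """Release every account this provider holds back into the pool."""
        with self._lock:
            for acct in self._creds.values():
                self._in_use.discard((acct["username"], acct["project_name"]))
            self._creds.clear()


if __name__ == "__main__":
    default = PreProvisionedRoleProvider(ACCOUNTS)
    print("default:", default.get_primary_creds()["username"],
          default.get_alt_creds()["username"])
    split = PreProvisionedRoleProvider(ACCOUNTS, primary_role="creator",
                                       alt_role="member")
    print("creator/member:", split.get_primary_creds()["username"],
          split.get_alt_creds()["username"])
```

The point the model makes visible is that a role-filtered alt account is only found if the pool actually contains a free account carrying that role; a misconfigured tempest_alt_cred_role would surface as a provisioning error at class setup rather than as a 403 inside a test.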
So I'm not sure I understand what the issue is here. We've taken a pretty hard stance in the past about adding a generic policy framework to tempest. Making things too adaptable actually makes it too easy to shoot yourself in the foot when verifying that your deployment works. (For example, we've had examples of people making policy too restrictive or loose, which breaks some basic interop assumptions.) Which is why we only have 2 classes of user (normal and admin) and a very basic RBAC model. This is why the patrole project https://github.com/openstack/patrole exists to provide deep functional RBAC validation.
I can believe we missed a valid case for cloud validation in tempest. But, right now there is a config option: CONF.auth.tempest_roles which does what you're talking about already. For dynamic creds it assigns that role to all created users. Is the ask here just to add a new config value for setting different roles on the primary and alt users? I'd be kind of reluctant to do that because the theory behind primary and alt is that they're the same class of user.