All dynamic credentials are forced into "member" role now causing negative test failures

Bug #1915740 reported by Michael Johnson
This bug affects 1 person
Affects    Status         Importance   Assigned to       Milestone
devstack   Fix Released   Undecided    Ghanshyam Mann
tempest    Invalid        Undecided    Unassigned

Bug Description

This patch:

https://review.opendev.org/c/openstack/tempest/+/686306

Added a line to the _create_creds method:

https://review.opendev.org/c/openstack/tempest/+/686306/17/tempest/lib/common/dynamic_creds.py#238

roles_to_assign.extend(self.extra_roles)

Where self.extra_roles resolves to CONF.auth.tempest_roles which has "member" in the default list.

This breaks negative RBAC tests that create a tempest credential that has no roles defined to test that the API will not accept requests from users without the proper roles.

When a test suite creates a credential with defined roles, the "member" role should not be automatically added to the role list.

This is also in conflict with the comment in the code that implies if roles are provided, the "member" role will not be assigned:
https://github.com/openstack/tempest/blob/master/tempest/lib/common/dynamic_creds.py#L172
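
The effect described in the report, as an added example that is not Tempest or devstack code: a toy model of the role merge and of a negative RBAC test that expects a rejection. The function names, the policy and the sample role lists are hypothetical and constructed for illustration.

```python
"""Toy model of the role merge in this report (constructed; not Tempest code)."""


def effective_roles(requested, extra_roles):
    """Mirror `roles_to_assign.extend(self.extra_roles)`: the configured
    extras are appended to whatever roles the test asked for."""
    roles = list(requested)
    roles.extend(extra_roles)
    return sorted(set(roles))


def api_allows(user_roles, required_any):
    """Hypothetical policy check: allow if the user holds any required role."""
    return bool(set(user_roles) & set(required_any))


def leaked_roles(requested, extra_roles, required_any):
    """Roles the test did not request but that would satisfy the policy.
    A non-empty result means a negative RBAC test cannot see a rejection."""
    granted = set(effective_roles(requested, extra_roles))
    return sorted((granted - set(requested)) & set(required_any))


def run_negative_test(requested, extra_roles, required_any):
    """Negative test: passes only when the API rejects the credential."""
    roles = effective_roles(requested, extra_roles)
    return "FAIL" if api_allows(roles, required_any) else "PASS"


# Constructed sample policy and configurations (assumptions, not real values).
POLICY = ["member", "admin"]   # roles accepted by the hypothetical API
WITH_MEMBER = ["member"]       # tempest_roles containing "member"
WITHOUT_MEMBER = []            # tempest_roles left empty

if __name__ == "__main__":
    for label, extra in (("member in tempest_roles", WITH_MEMBER),
                         ("empty tempest_roles", WITHOUT_MEMBER)):
        print(label,
              effective_roles([], extra),
              run_negative_test([], extra, POLICY),
              leaked_roles([], extra, POLICY))
```

A check like `leaked_roles` can run before a negative RBAC suite to flag configured extra roles that would let a supposedly unprivileged credential through.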

Ghanshyam Mann (ghanshyammann) wrote :

There is no change in behavior from https://review.opendev.org/c/openstack/tempest/+/686306 ; the 'member' role was previously also assigned to each user on setups using the devstack installation.

It's devstack that sets the 'member' role in CONF.auth.tempest_roles

- https://opendev.org/openstack/devstack/src/commit/556f84aea90c572873fc9834292635b41e590224/lib/tempest#L628

and Tempest adds this role to each user irrespective of whether the test asks for other roles or not.
- https://opendev.org/openstack/tempest/src/commit/9b6f441fdc2a970410ea631dc1318896349e010f/tempest/common/credentials_factory.py#L82

Also, to test the new RBAC defaults like the 'reader' role, devstack should not set the 'member' role as default in CONF.auth.tempest_roles.

Adding devstack to this bug report.

Changed in devstack:
assignee: nobody → Ghanshyam Mann (ghanshyammann)
status: New → Triaged
Ghanshyam Mann (ghanshyammann) wrote :

Marking Tempest invalid as Tempest correctly sets the roles as per configuration.

Changed in tempest:
status: New → Invalid
Changed in devstack:
status: Triaged → In Progress
Luigi Toscano (ltoscano) wrote :

The change has broken users, at least cinder-backup, which uses swift, and tempest tests for volume backup can't access swift anymore.

Now we have a problem: each job can override tempest_roles. But if that's done through zuul configuration, which means local.conf, those values override any existing value. This breaks for example the barbican tempest plugin which takes care of adding an item to the list, and users can't rely on this anymore.

Martin Kopec (mkopec) wrote :
Changed in devstack:
status: In Progress → Fix Released