All dynamic credentials are forced into "member" role now causing negative test failures
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
devstack |
Fix Released
|
Undecided
|
Ghanshyam Mann | ||
tempest |
Invalid
|
Undecided
|
Unassigned |
Bug Description
This patch:
https:/
Added a line to the _create_creds method:
https:/
roles_to_
Where self.extra_roles resolves to CONF.auth.
This breaks negative RBAC tests that create a tempest credential that has no roles defined to test that the API will not accept requests from users without the proper roles.
When a test suite creates a credential with defined roles, the "member" role should not be automatically added to the role list.
This is also in conflict to the comment in the code that implies if roles are provided, the "member" role will not be assigned:
https:/
There is no change in behavior by https:/ /review. opendev. org/c/openstack /tempest/ +/686306 , 'member' role was assigned to each user previously also on setup use the devstack installation.
its devstack set the 'member' role in CONF.auth. tempest_ roles
- https:/ /opendev. org/openstack/ devstack/ src/commit/ 556f84aea90c572 873fc9834292635 b41e590224/ lib/tempest# L628
and Tempest add this role to each user irrespective of test ask for other roles or not. /opendev. org/openstack/ tempest/ src/commit/ 9b6f441fdc2a970 410ea631dc13188 96349e010f/ tempest/ common/ credentials_ factory. py#L82
- https:/
Also to tests the new RBAC default like 'reader' role devstack should not set the 'member' role as default in CONF.auth. tempest_ roles.
adding devstack in this bug report.