Allow tempest tests to run with system scope
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tempest |
Confirmed
|
Medium
|
Ghanshyam Mann |
Bug Description
Currently, most tempest tests are written assuming self.os_admin is a project-admin, which works will for old policies.
Now that keystone supports default roles and system-scope, the default policies are changing across all OpenStack services to be more secure. A huge part of this change is testing and it would be great to re-use the testing that already exists in tempest.
During the Xena PTG we discussed ways to re-use the existing tempest tests we have to implementing this functionality. One proposal was to implement a test decorator that would evaluate if system-scope was used in the deployment via configuration and then alias the self.os_
This functionality will be disabled by default to be backwards compatible, but enabling it would allow us to use all the existing tempest tests to test secure RBAC.
Confirming and assigning to Ghanshyam per the discussion in https:/ /etherpad. opendev. org/p/policy- popup-xena- ptg