When I deployed devstack with enforce_new_defaults=True and enforce_scope=True in Neutron's config (see https://review.opendev.org/c/openstack/devstack/+/797450), tempest verify-config failed with an error like:
/opt/stack/tempest/.tox/venv/lib/python3.8/site-packages/unittest2/compatibility.py:143: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working
class ChainMap(collections.MutableMapping):
/opt/stack/tempest/tempest/lib/services/image/v1/__init__.py:24: DeprecationWarning: The tempest.lib.services.image.v1 module (Image v1 APIs service clients) is deprecated in favor of tempest.lib.services.image.v2 (Image v2 APIs service clients) and will be removed once Tempest stop supporting stable Ussuri.
warnings.warn(
/opt/stack/tempest/tempest/lib/services/volume/v2/__init__.py:50: DeprecationWarning: The tempest.lib.services.volume.v2 module (volume v2 APIs service clients) is deprecated in favor of tempest.lib.services.volume.v3 (volume v3 APIs service clients) and will be removed once Tempest stop supporting stable wallaby.
warnings.warn(
/opt/stack/tempest/tempest/lib/services/clients.py:210: DeprecationWarning: Class 'tempest.lib.services.volume.v2.extensions_client.ExtensionsClient' has moved to 'tempest.lib.services.volume.v3.extensions_client.ExtensionsClient' in version 'Rocky' and will be removed in a future version
_client = klass(auth_provider=auth_provider, **kwargs)
Config option api_v2 in group image-feature-enabled should be changed to: False
Traceback (most recent call last):
  File "/opt/stack/tempest/tempest/cmd/verify_tempest_config.py", line 476, in take_action
    main(parsed_args)
  File "/opt/stack/tempest/tempest/cmd/verify_tempest_config.py", line 463, in main
    icreds.clear_creds()
  File "/opt/stack/tempest/tempest/lib/common/dynamic_creds.py", line 571, in clear_creds
    self._cleanup_default_secgroup(creds.tenant_id)
  File "/opt/stack/tempest/tempest/lib/common/dynamic_creds.py", line 513, in _cleanup_default_secgroup
    resp_body = nsg_client.list_security_groups(tenant_id=tenant,
  File "/opt/stack/tempest/tempest/lib/services/network/security_groups_client.py", line 69, in list_security_groups
    return self.list_resources(uri, **filters)
  File "/opt/stack/tempest/tempest/lib/services/network/base.py", line 35, in list_resources
    resp, body = self.get(req_uri)
  File "/opt/stack/tempest/tempest/lib/common/rest_client.py", line 314, in get
    return self.request('GET', url, extra_headers, headers)
  File "/opt/stack/tempest/tempest/lib/common/rest_client.py", line 703, in request
    self._error_checker(resp, resp_body)
  File "/opt/stack/tempest/tempest/lib/common/rest_client.py", line 879, in _error_checker
    raise exceptions.ServerFault(resp_body, resp=resp,
tempest.lib.exceptions.ServerFault: Got server fault
Details: Request Failed: internal server error while processing your request.
Finally I narrowed it down to an issue in Neutron, and the root cause of it was that the context which made the request looked like:
context.__dict__
{'_domain_id': None,
'_enginefacade_context': <oslo_db.sqlalchemy.enginefacade._TransactionContextTLocal object at 0x7fa97351b0c0>,
'_project_domain_id': 'default',
'_project_id': '395997047fad44708e1ac790c536a5d2',
'_session': <sqlalchemy.orm.session.Session object at 0x7fa973367b80>,
'_txn_constraint': None,
'_user_domain_id': 'default',
'_user_id': 'ab8853dda2f3410096358f926fb005f6',
'auth_token': 'gAAAAABg0wKPEPqNk_vc2OID3ruhm3YmfGAZIE-2EIwI3MQjWL9fe1H8utR5uo2cwWeSwCDKlWsl3ZW2m1DViByDdhTRj80nw0gYDSFci_Hrv7Iex1Mj7d
3dJLVBV7L3VHp3XrnuqxGP720iTz6hJvyyltWZkAXeukp-HDyWi8YI5Ub916ttjlA',
'domain_name': None,
'global_request_id': None,
'is_admin': True,
'is_admin_project': True,
'is_advsvc': False,
'project_domain_name': 'Default',
'project_name': 'admin',
'read_only': False,
'request_id': 'req-ad457a45-1bbf-47a6-a7e2-af3af6ccd1c4',
'resource_uuid': None,
'roles': ['admin', 'member', 'reader'],
'service_project_domain_id': None,
'service_project_domain_name': None,
'service_project_id': None,
'service_project_name': None,
'service_roles': [],
'service_token': None,
'service_user_domain_id': None,
'service_user_domain_name': None,
'service_user_id': None,
'service_user_name': None,
'show_deleted': False,
'system_scope': None,
'timestamp': datetime.datetime(2021, 6, 23, 9, 44, 47, 387523),
'user_domain_name': 'Default',
'user_name': 'admin'}
(Pdb++)
So, as you can see, it was a project_admin user, not system_admin as it should be. And due to that it couldn't get the SG created for a different project, as only the system_admin role can do that with the new defaults.
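The scope check behind this failure, as an added example that is not part of the original report and is not Neutron or oslo.policy code: a simplified model that classifies a request context like the one dumped above and shows why a project-scoped admin is refused another project's resources once scope is enforced. The `can_manage_project` rule and the `OTHER_PROJECT` id are assumptions made for the illustration.

```python
# Added illustration only: a simplified model of scope-aware authorization,
# not the policy engine used by Neutron.

def normalize(ctx_dict):
    """Accept a pasted context.__dict__ dump: strip the leading '_' from keys."""
    return {k.lstrip("_"): v for k, v in ctx_dict.items()}

def token_scope(ctx_dict):
    """Scope precedence: system, then domain, then project."""
    ctx = normalize(ctx_dict)
    if ctx.get("system_scope"):
        return "system"
    if ctx.get("domain_id"):
        return "domain"
    if ctx.get("project_id"):
        return "project"
    return None

def persona(ctx_dict):
    """Name the caller as <scope>_<highest role>, e.g. 'project_admin'."""
    roles = normalize(ctx_dict).get("roles") or []
    top = next((r for r in ("admin", "member", "reader") if r in roles), "none")
    return f"{token_scope(ctx_dict)}_{top}"

def can_manage_project(ctx_dict, target_project_id, enforce_scope=True):
    """Hypothetical admin-only rule on resources owned by target_project_id."""
    ctx = normalize(ctx_dict)
    if "admin" not in (ctx.get("roles") or []):
        return False
    if not enforce_scope:
        return True  # legacy defaults: the admin role is effectively global
    scope = token_scope(ctx)
    if scope == "system":
        return True  # system admin may act across projects
    # a project-scoped admin is confined to the project in the token
    return scope == "project" and ctx.get("project_id") == target_project_id

# Fields taken from the context dump in the report.
REPORTED_CTX = {
    "_domain_id": None,
    "_project_id": "395997047fad44708e1ac790c536a5d2",
    "roles": ["admin", "member", "reader"],
    "system_scope": None,
}
SYSTEM_CTX = {"system_scope": "all", "roles": ["admin"]}  # constructed sample
OTHER_PROJECT = "project-created-by-dynamic-creds"  # constructed placeholder

if __name__ == "__main__":
    print(persona(REPORTED_CTX), can_manage_project(REPORTED_CTX, OTHER_PROJECT))
```
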
Yeah, verify-config and other scripts in Tempest are not yet moved to the new policy support. We are working on those bits, which need more work on the devstack and then the tempest side. A few of the examples are https://review.opendev.org/q/topic:%2522secure-rbac%2522+(status:open+OR+status:merged)+project:openstack/devstack+owner:gmann%2540ghanshyammann.com