RBAC Utils Module
Overview
Patrole manipulates the os_primary Tempest credentials, which are the primary set of Tempest credentials. It is necessary to use the same credentials across the entire test setup/test execution/test teardown workflow because otherwise 400-level errors will be thrown by OpenStack services.
This is because many services check the request context's project scope -- and in very rare cases, user scope. However, each set of Tempest credentials (via dynamic credentials) is allocated its own distinct project. For example, the os_admin and os_primary credentials each have a distinct project, meaning that it is not always possible for the os_primary credentials to access resources created by the os_admin credentials.
The only foolproof solution is to manipulate the role for the same set of credentials, rather than using distinct credentials for setup/teardown and test execution, respectively. This is especially true when considering custom policy rule definitions, which can be arbitrarily complex.
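The following toy model is an added illustration of the argument above and is not Patrole or Tempest code. The classes, project IDs, role names and the specific status codes are assumptions chosen to show why setup and test execution must share one set of credentials.

```python
# Toy model (constructed for illustration): not Patrole or Tempest code.
from dataclasses import dataclass, field


@dataclass
class Credentials:
    """Stand-in for one set of Tempest dynamic credentials."""
    name: str
    project_id: str          # each set is allocated its own project
    roles: set = field(default_factory=set)


class ToyService:
    """Mimics a service that checks the request context's project scope."""

    def __init__(self):
        self._owner = {}     # resource id -> owning project_id

    def create(self, creds, resource_id):
        self._owner[resource_id] = creds.project_id
        return 201

    def show(self, creds, resource_id, required_role):
        # Project-scope check comes first: out-of-project resources are hidden.
        if self._owner.get(resource_id) != creds.project_id:
            return 404
        # Then the policy rule under test (simplified here to a single role).
        return 200 if required_role in creds.roles else 403


def distinct_credentials_workflow(required_role="member"):
    """Setup with os_admin, test with os_primary: project scope mismatch."""
    svc = ToyService()
    os_admin = Credentials("os_admin", "project-a", {"admin"})
    os_primary = Credentials("os_primary", "project-b", {required_role})
    svc.create(os_admin, "res-1")
    return svc.show(os_primary, "res-1", required_role)


def same_credentials_workflow(role_under_test, required_role="member"):
    """Setup and test both use os_primary; only its role changes."""
    svc = ToyService()
    os_primary = Credentials("os_primary", "project-b", {"admin"})
    svc.create(os_primary, "res-1")            # setup with the admin role
    os_primary.roles = {role_under_test}       # switch role, same project
    return svc.show(os_primary, "res-1", required_role)
```

With distinct credentials the test fails on project scope before the policy rule is ever evaluated, so the result says nothing about the role under test; with one set of credentials the outcome depends only on the role.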
Implementation
patrole_tempest_plugin.rbac_utils