Remove admin_domain_scope tempest setting

Keystone is currently working through a bunch of changes to add proper
system, domain, and project scope support for its API. This includes
implementing ``admin``, ``member``, and ``reader`` roles for system,
domain, and project assignments. More informaiton on those specific
changes can be found here:

  https://review.openstack.org/#/q/(status:open+OR+status:closed)+project:openstack/keystone+branch:master+topic:implement-default-roles

One thing that was uncovered in implementing that support for the
project API was that setting tempest
``CONF.identity.admin_domain_scope = True`` meant domain admins of one
domain would be able to list projects in other domains, highlighted in
the following patch:

  https://review.openstack.org/#/c/624218/2

This commit doesn't set this option and assumes the proper
domain-scoping behavior being built into keystone natively.

Change-Id: I12a57cc43de0b17eababa19b7b94de5277689f82
Related-Bug: 1750660
This commit is contained in:
Lance Bragstad 2018-12-12 19:41:36 +00:00
parent 72f632222f
commit 30d48ff887
1 changed files with 0 additions and 2 deletions

View File

@ -276,8 +276,6 @@ function configure_tempest {
iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
# Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation
iniset $TEMPEST_CONFIG identity admin_domain_scope True
if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then
iniset $TEMPEST_CONFIG auth admin_username $admin_username
iniset $TEMPEST_CONFIG auth admin_password "$password"