Commit Graph

3 Commits

Author SHA1 Message Date
Colleen Murphy 5e35efd55f Split protection unit tests into its own job
There are so many protection tests now, and for the moment they are so
inefficient, that running them all as part of our main unit test suite
for py27, py36, py37, and cover jobs yields a high rate of timeouts
which reduces our own development velocity and negatively impacts every
project that co-gates with keystone. This change splits the protection
tests into their own level of tests outside of the configured stestr
test_path and adds a separate tox environment and zuul job to run just
the protection tests on their own. Parallelizing these tests should help
alleviate the timeout issue while we work on making these tests more
efficient.

Change-Id: Ibb12053bd6864a153f7e3998dbd008b6eec4295b
2019-09-16 10:56:42 -07:00
Lance Bragstad 72bedeba7f Make system members the same as system readers for credentials
It was decided some time ago that allowing system-members the ability
to do certain things that system-readers can't do, but not as much as
system-admins, isn't really all that helpful.

Unfortunately, the credential API was one of the first APIs we
migrated to formally adopting scope types and default roles. The
credential update policy was still allowing system-members to access
it, despite us deciding against it.

This commit updates the policy to be consistent with the patterns we
use for default roles across the rest of keystone's API.

Change-Id: If11ded59cb191a4d8bf531689b8827c3bfbb39fa
2019-03-05 21:25:16 +00:00
Lance Bragstad 239bed09a9 Implement scope_type checking for credentials
This change adds test cases for the default roles keystone
supports at install time. It also modifies the policies for the
credentials API to be more self-service by properly checking
for various scopes.

Closes-Bug: 1788415
Partial-Bug: 968696

Change-Id: Ifedb7798c96930b6cc0f91159a14a21ac4b02f9f
2018-10-29 15:01:29 +00:00