There has been a direction change in the "secure-RBAC" goal and scoped
tokens are no longer being implemented[1].
The Octavia tempest tests were updated for the new keystone roles and
scoped tokens at the same time with an (bad) assumption that they would be
turned on at the same time.
This patch updates the Octavia tempest plugin to not assume that scoped
tokens are in use when the RBAC type is set to keystone_default_roles.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
Depends-On: https://review.opendev.org/c/openstack/octavia/+/877433
Change-Id: Ia1c4ca0b675d39bd43640184d6d3deba823fd3f6
All the load balancer service clients are registered via the plugin interface[1],
that way Tempest register and create the lazy initialization of registered clients
so that they can be access from there in consistent way.
But octavia-tempest-client create a separate instance of those and access instead of
accessing the registered service client in Tempest. This commit makes all the service clients
access from Tempest registry and remove the separate objects.
[1] cac3eefc44/octavia_tempest_plugin/plugin.py (L54)
Change-Id: Ie24909b49baf2c6a886e2ff711e641e36ffe6b50
lb_observer and lb_global_observer don't have any meaning when
admin_or_owner policy override in enabled.
This commit disables client creation for those roles and removes their
uses from API tests (the behavior of the owner_or_admin tests are now
similar to their behavior before the introduction of the new RBAC
tests).
Requires the following configuration in tempest.conf:
[load_balancer]
RBAC_test_type = owner_or_admin
member_role = member
admin_role = admin
Change-Id: I2231384933d5974b962a558e8c0b3bffb1140b5a
This patch refactors the RBAC enforcement checks in the API tests.
It also updates those test for keystone scoped tokens and default roles.
Change-Id: I6fad03f5a89c213562918ca258884aac34ba7ce7