diff --git a/octavia_tempest_plugin/config.py b/octavia_tempest_plugin/config.py index c40293cd..9e259d38 100644 --- a/octavia_tempest_plugin/config.py +++ b/octavia_tempest_plugin/config.py @@ -244,7 +244,11 @@ OctaviaGroup = [ help='Does the load-balancer service API policies enforce ' 'the new keystone default roles? This configuration ' 'value should be same as octavia.conf: ' - '[oslo_policy].enforce_new_defaults option.'), + '[oslo_policy].enforce_new_defaults option.', + deprecated_for_removal=True, + deprecated_reason='Consolidated into the RBAC_test_type ' + 'setting.', + deprecated_since='bobcat'), ] lb_feature_enabled_group = cfg.OptGroup(name='loadbalancer-feature-enabled', diff --git a/octavia_tempest_plugin/tests/api/v2/test_amphora.py b/octavia_tempest_plugin/tests/api/v2/test_amphora.py index 180e4f3a..8d591cc3 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_amphora.py +++ b/octavia_tempest_plugin/tests/api/v2/test_amphora.py @@ -94,7 +94,7 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -182,7 +182,7 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -217,7 +217,7 @@ class AmphoraAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py index fa7b6a47..fe800848 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py +++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py @@ -109,7 +109,7 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -232,7 +232,7 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): 'os_admin', 'os_primary', 'os_roles_lb_admin', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] @@ -385,7 +385,7 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): 'os_admin', 'os_primary', 'os_roles_lb_admin', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] @@ -458,7 +458,7 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -535,7 +535,7 @@ class AvailabilityZoneAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py index d3833f69..6f67d8f4 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py +++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py @@ -48,7 +48,7 @@ class AvailabilityZoneCapabilitiesAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py index 456a01ec..6984420c 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py +++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py @@ -80,7 +80,7 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -235,7 +235,7 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -396,7 +396,7 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -498,7 +498,7 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -580,7 +580,7 @@ class AvailabilityZoneProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor.py b/octavia_tempest_plugin/tests/api/v2/test_flavor.py index b5b42540..565ff99a 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_flavor.py +++ b/octavia_tempest_plugin/tests/api/v2/test_flavor.py @@ -92,7 +92,7 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -198,7 +198,7 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): 'os_admin', 'os_primary', 'os_roles_lb_admin', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] @@ -326,7 +326,7 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): 'os_admin', 'os_primary', 'os_roles_lb_admin', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] @@ -394,7 +394,7 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -458,7 +458,7 @@ class FlavorAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py index 884f6562..285df19a 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py +++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py @@ -46,7 +46,7 @@ class FlavorCapabilitiesAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py index 39f33388..48ade676 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py +++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py @@ -64,7 +64,7 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -184,7 +184,7 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -313,7 +313,7 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -391,7 +391,7 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: @@ -458,7 +458,7 @@ class FlavorProfileAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: diff --git a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py index a305ead9..64368aa3 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py +++ b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py @@ -282,7 +282,8 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -724,8 +725,8 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_primary', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', - 'os_roles_lb_member2', 'os_roles_lb_observer', + expected_allowed = ['os_primary', 'os_roles_lb_member2', + 'os_roles_lb_observer', 'os_roles_lb_global_observer'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2'] @@ -739,8 +740,8 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', 'os_roles_lb_member', @@ -763,7 +764,7 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): # a superscope of "project_reader". This means it can read # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] @@ -1193,8 +1194,8 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', @@ -1475,7 +1476,8 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -1778,7 +1780,8 @@ class HealthMonitorAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py index e7ed5a65..5a19def8 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py +++ b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py @@ -139,7 +139,8 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -365,8 +366,8 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_primary', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', - 'os_roles_lb_member2', 'os_roles_lb_observer', + expected_allowed = ['os_primary', 'os_roles_lb_member2', + 'os_roles_lb_observer', 'os_roles_lb_global_observer'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2'] @@ -380,8 +381,8 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', 'os_roles_lb_member', @@ -406,7 +407,7 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): # a superscope of "project_reader". This means it can read # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] @@ -652,8 +653,8 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', @@ -761,7 +762,8 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -872,7 +874,8 @@ class L7PolicyAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py index 5cb85c40..c0eb1d26 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py +++ b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py @@ -147,7 +147,8 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -357,8 +358,8 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', 'os_roles_lb_member', @@ -380,7 +381,7 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): # a superscope of "project_reader". This means it can read # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_system_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', @@ -566,8 +567,8 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', @@ -654,7 +655,8 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -756,7 +758,8 @@ class L7RuleAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] diff --git a/octavia_tempest_plugin/tests/api/v2/test_listener.py b/octavia_tempest_plugin/tests/api/v2/test_listener.py index 625bcf70..7382bf57 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_listener.py +++ b/octavia_tempest_plugin/tests/api/v2/test_listener.py @@ -165,7 +165,8 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -564,8 +565,8 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_primary', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', - 'os_roles_lb_member2', 'os_roles_lb_observer', + expected_allowed = ['os_primary', 'os_roles_lb_member2', + 'os_roles_lb_observer', 'os_roles_lb_global_observer'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2'] @@ -579,8 +580,8 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', 'os_roles_lb_member', @@ -604,7 +605,7 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): # a superscope of "project_reader". This means it can read # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] @@ -887,8 +888,8 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', @@ -1036,7 +1037,8 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -1215,7 +1217,8 @@ class ListenerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] diff --git a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py index 7ade6428..9035260d 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py +++ b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py @@ -89,7 +89,7 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', @@ -193,7 +193,8 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -242,7 +243,8 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -418,8 +420,8 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_primary', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', - 'os_roles_lb_member2', 'os_roles_lb_observer', + expected_allowed = ['os_primary', 'os_roles_lb_member2', + 'os_roles_lb_observer', 'os_roles_lb_global_observer'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2'] @@ -433,8 +435,8 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', 'os_roles_lb_member', @@ -457,7 +459,7 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): # a superscope of "project_reader". This means it can read # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] @@ -635,8 +637,8 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', @@ -739,7 +741,8 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -831,8 +834,8 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', @@ -902,8 +905,8 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', @@ -978,7 +981,7 @@ class LoadBalancerAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] + expected_allowed = ['os_admin', 'os_roles_lb_admin'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin'] if expected_allowed: diff --git a/octavia_tempest_plugin/tests/api/v2/test_member.py b/octavia_tempest_plugin/tests/api/v2/test_member.py index fee2893f..305aa395 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_member.py +++ b/octavia_tempest_plugin/tests/api/v2/test_member.py @@ -902,7 +902,8 @@ class MemberAPITest1(MemberAPITest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -1233,8 +1234,8 @@ class MemberAPITest1(MemberAPITest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', 'os_roles_lb_member', @@ -1255,7 +1256,7 @@ class MemberAPITest1(MemberAPITest): # a superscope of "project_reader". This means it can read # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_system_admin', + expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', @@ -1798,8 +1799,8 @@ class MemberAPITest2(MemberAPITest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', @@ -2255,7 +2256,8 @@ class MemberAPITest2(MemberAPITest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -2713,7 +2715,8 @@ class MemberAPITest2(MemberAPITest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -2958,7 +2961,8 @@ class MemberAPITest2(MemberAPITest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] diff --git a/octavia_tempest_plugin/tests/api/v2/test_pool.py b/octavia_tempest_plugin/tests/api/v2/test_pool.py index 13a22850..db86ebea 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_pool.py +++ b/octavia_tempest_plugin/tests/api/v2/test_pool.py @@ -408,7 +408,8 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -752,8 +753,8 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_primary', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', - 'os_roles_lb_member2', 'os_roles_lb_observer', + expected_allowed = ['os_primary', 'os_roles_lb_member2', + 'os_roles_lb_observer', 'os_roles_lb_global_observer'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2'] @@ -767,8 +768,8 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN: expected_allowed = ['os_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', 'os_roles_lb_member', @@ -791,7 +792,7 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): # a superscope of "project_reader". This means it can read # objects in the "admin" credential's project. if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] @@ -1131,8 +1132,8 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_system_reader', - 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_system_reader', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_system_reader', 'os_roles_lb_admin', @@ -1371,7 +1372,8 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] @@ -1673,7 +1675,8 @@ class PoolAPITest(test_base.LoadBalancerBaseTest): expected_allowed = ['os_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_system_admin', 'os_roles_lb_member'] + expected_allowed = ['os_admin', 'os_roles_lb_admin', + 'os_roles_lb_member'] if CONF.load_balancer.RBAC_test_type == const.ADVANCED: expected_allowed = ['os_system_admin', 'os_roles_lb_admin', 'os_roles_lb_member'] diff --git a/octavia_tempest_plugin/tests/api/v2/test_provider.py b/octavia_tempest_plugin/tests/api/v2/test_provider.py index 9a9dd28d..e47ae8eb 100644 --- a/octavia_tempest_plugin/tests/api/v2/test_provider.py +++ b/octavia_tempest_plugin/tests/api/v2/test_provider.py @@ -49,7 +49,7 @@ class ProviderAPITest(test_base.LoadBalancerBaseTest): 'os_admin', 'os_primary', 'os_roles_lb_admin', 'os_roles_lb_member', 'os_roles_lb_member2'] if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: - expected_allowed = ['os_admin', 'os_primary', 'os_system_admin', + expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin', 'os_system_reader', 'os_roles_lb_observer', 'os_roles_lb_global_observer', 'os_roles_lb_member', 'os_roles_lb_member2'] diff --git a/octavia_tempest_plugin/tests/test_base.py b/octavia_tempest_plugin/tests/test_base.py index 70d51bac..e1daec1b 100644 --- a/octavia_tempest_plugin/tests/test_base.py +++ b/octavia_tempest_plugin/tests/test_base.py @@ -56,9 +56,10 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin, 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role], ['lb_member', CONF.load_balancer.member_role], ['lb_member2', CONF.load_balancer.member_role]] - elif CONF.load_balancer.enforce_new_defaults: + elif CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES: credentials = [ - 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role], + 'admin', 'primary', + ['lb_admin', CONF.load_balancer.admin_role, 'admin'], ['lb_observer', CONF.load_balancer.observer_role, 'reader'], ['lb_global_observer', CONF.load_balancer.global_observer_role, 'reader'], diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index bd90bea8..e217e72f 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -506,21 +506,23 @@ - ^octavia_tempest_plugin/tests/(?!api/|\w+\.py).* - job: - name: octavia-v2-dsvm-noop-api-scoped-tokens + name: octavia-v2-dsvm-noop-api-keystone-default-roles parent: octavia-v2-dsvm-noop-api vars: + devstack_localrc: + OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True devstack_local_conf: post-config: $OCTAVIA_CONF: oslo_policy: - enforce_scope: True + enforce_scope: False enforce_new_defaults: True test-config: "$TEMPEST_CONFIG": enforce_scope: - octavia: True + octavia: False load_balancer: - enforce_new_defaults: True + RBAC_test_type: keystone_default_roles - job: name: octavia-v2-dsvm-noop-py2-api diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml index 116da494..15f8c90b 100644 --- a/zuul.d/projects.yaml +++ b/zuul.d/projects.yaml @@ -12,7 +12,7 @@ - octavia-v2-dsvm-noop-api-stable-yoga - octavia-v2-dsvm-noop-api-stable-xena - octavia-v2-dsvm-noop-api-stable-wallaby - - octavia-v2-dsvm-noop-api-scoped-tokens + - octavia-v2-dsvm-noop-api-keystone-default-roles - octavia-v2-dsvm-scenario - octavia-v2-dsvm-scenario-stable-yoga - octavia-v2-dsvm-scenario-stable-xena @@ -54,7 +54,7 @@ - octavia-v2-dsvm-noop-api-stable-yoga - octavia-v2-dsvm-noop-api-stable-xena - octavia-v2-dsvm-noop-api-stable-wallaby - - octavia-v2-dsvm-noop-api-scoped-tokens + - octavia-v2-dsvm-noop-api-keystone-default-roles - octavia-v2-dsvm-scenario - octavia-v2-dsvm-scenario-stable-yoga - octavia-v2-dsvm-scenario-stable-xena