Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / keystone-tempest-plugin / 5f44b311308a2c157671b27e8464fded41ebaf3c^! / .
commit5f44b311308a2c157671b27e8464fded41ebaf3c[log] [tgz]
authorDouglas Mendizabal <dmendiza@redhat.com>Wed Feb 11 15:21:16 2026 -0500
committerDouglas Mendizabal <dmendiza@redhat.com>Wed Feb 11 15:51:32 2026 -0500
tree5d2fea9e49190bd44047c6b3ea9c8214d7a04394
parent1f48fefa4d6cbf8a473944fb2d92166cb70bd7fc [diff]
Fix test_identity_list_limits for Domain Admin

The patch that fixes bug#2137711 [1] changed the default policy for
`GET /v3/limits`.  The new policy allows users with the "admin" role on
any scope to get an unfiltered list of limits.

With this policy change, Domain Admins can now see all limits querying
the limits API.  This patch updates the test for this persona for this
API to reflect the policy change.

[1] https://opendev.org/openstack/keystone/commit/8a42793e714efb0b5c1bb07bcb81d2b4ab59b600

Related-Bug: #2137711
Signed-off-by: Douglas Mendizábal <dmendiza@redhat.com>
Change-Id: I81d11b2dbb54b4256886fe5daf6a68650c26d87f

diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
index bb96fa0..51c7a9b 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py

@@ -290,8 +290,8 @@
             self.admin_limits_client.delete_limit,
             limit_id=reg_limit_2)
         resp = self.do_request('list_limits')
-        # should not see limit for other project
-        self.assertNotIn(
+        # admin should see limit for other project
+        self.assertIn(
             reg_limit_1, [rl['id'] for rl in resp['limits']])
         # should see limit for project in own domain
         self.assertIn(
@@ -359,6 +359,28 @@
 
     credentials = ['domain_manager', 'system_admin']
 
+    def test_identity_list_limits(self):
+        # random project
+        reg_limit_1 = self.admin_limits_client.create_limits(
+            payload=self.limits())['limits'][0]['id']
+        self.addCleanup(
+            self.admin_limits_client.delete_limit,
+            limit_id=reg_limit_1)
+        # project in own domain
+        reg_limit_2 = self.admin_limits_client.create_limits(
+            payload=self.limits(project_id=self.own_project)
+        )['limits'][0]['id']
+        self.addCleanup(
+            self.admin_limits_client.delete_limit,
+            limit_id=reg_limit_2)
+        resp = self.do_request('list_limits')
+        # should not see limit for other project
+        self.assertNotIn(
+            reg_limit_1, [rl['id'] for rl in resp['limits']])
+        # should see limit for project in own domain
+        self.assertIn(
+            reg_limit_2, [rl['id'] for rl in resp['limits']])
+
     def test_identity_get_limit(self):
         # random project
         reg_limit_1 = self.admin_limits_client.create_limits(