Fix owner_or_admin API tests
lb_observer and lb_global_observer don't have any meaning when
admin_or_owner policy override in enabled.
This commit disables client creation for those roles and removes their
uses from API tests (the behavior of the owner_or_admin tests are now
similar to their behavior before the introduction of the new RBAC
tests).
Requires the following configuration in tempest.conf:
[load_balancer]
RBAC_test_type = owner_or_admin
member_role = member
admin_role = admin
Change-Id: I2231384933d5974b962a558e8c0b3bffb1140b5a
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
index 8ea6808..e18a194 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
@@ -230,7 +230,6 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = [
'os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
@@ -384,7 +383,6 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = [
'os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor.py b/octavia_tempest_plugin/tests/api/v2/test_flavor.py
index c30f830..89b36cc 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor.py
@@ -196,7 +196,6 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = [
'os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
@@ -324,8 +323,7 @@
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = [
- 'os_admin', 'os_primary', 'os_roles_lb_observer',
- 'os_roles_lb_global_observer', 'os_roles_lb_admin',
+ 'os_admin', 'os_primary', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
diff --git a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
index 0b4036d..a2eec1c 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
@@ -722,8 +722,7 @@
# Test that a different users cannot see the lb_member healthmonitors
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_primary', 'os_roles_lb_member2',
- 'os_roles_lb_observer']
+ expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary',
'os_roles_lb_member2', 'os_roles_lb_observer',
@@ -758,9 +757,7 @@
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2',
- 'os_roles_lb_observer',
- 'os_roles_lb_global_observer']
+ 'os_roles_lb_member', 'os_roles_lb_member2']
# Note: os_admin is here because it evaluaties to "project_admin"
# in oslo_policy and since keystone considers "project_admin"
# a superscope of "project_reader". This means it can read
diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
index 6e1406b..05ef55d 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
@@ -363,8 +363,7 @@
# Test that a different users cannot see the lb_member l7policies
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_primary', 'os_roles_lb_member2',
- 'os_roles_lb_observer']
+ expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary',
'os_roles_lb_member2', 'os_roles_lb_observer',
@@ -401,9 +400,7 @@
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2',
- 'os_roles_lb_observer',
- 'os_roles_lb_global_observer']
+ 'os_roles_lb_member', 'os_roles_lb_member2']
# Note: os_admin is here because it evaluaties to "project_admin"
# in oslo_policy and since keystone considers "project_admin"
# a superscope of "project_reader". This means it can read
diff --git a/octavia_tempest_plugin/tests/api/v2/test_listener.py b/octavia_tempest_plugin/tests/api/v2/test_listener.py
index a482dc0..bb78aad 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_listener.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_listener.py
@@ -536,8 +536,7 @@
# Test that a different users cannot see the lb_member listeners.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_primary', 'os_roles_lb_member2',
- 'os_roles_lb_observer']
+ expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary',
'os_roles_lb_member2', 'os_roles_lb_observer',
@@ -573,9 +572,7 @@
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2',
- 'os_roles_lb_observer',
- 'os_roles_lb_global_observer']
+ 'os_roles_lb_member', 'os_roles_lb_member2']
# Note: os_admin is here because it evaluaties to "project_admin"
# in oslo_policy and since keystone considers "project_admin"
# a superscope of "project_reader". This means it can read
diff --git a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
index ba1187c..86de17e 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
@@ -416,8 +416,7 @@
# Test that a different users cannot see the lb_member load balancers.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_primary', 'os_roles_lb_member2',
- 'os_roles_lb_observer']
+ expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary',
'os_roles_lb_member2', 'os_roles_lb_observer',
@@ -452,9 +451,7 @@
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2',
- 'os_roles_lb_observer',
- 'os_roles_lb_global_observer']
+ 'os_roles_lb_member', 'os_roles_lb_member2']
# Note: os_admin is here because it evaluaties to "project_admin"
# in oslo_policy and since keystone considers "project_admin"
# a superscope of "project_reader". This means it can read
diff --git a/octavia_tempest_plugin/tests/api/v2/test_pool.py b/octavia_tempest_plugin/tests/api/v2/test_pool.py
index 61a17cb..565812e 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_pool.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_pool.py
@@ -753,8 +753,7 @@
# Test that a different users cannot see the lb_member pools.
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
- expected_allowed = ['os_primary', 'os_roles_lb_member2',
- 'os_roles_lb_observer']
+ expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary',
'os_roles_lb_member2', 'os_roles_lb_observer',
@@ -789,9 +788,7 @@
expected_allowed = []
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_member', 'os_roles_lb_member2',
- 'os_roles_lb_observer',
- 'os_roles_lb_global_observer']
+ 'os_roles_lb_member', 'os_roles_lb_member2']
# Note: os_admin is here because it evaluaties to "project_admin"
# in oslo_policy and since keystone considers "project_admin"
# a superscope of "project_reader". This means it can read
diff --git a/octavia_tempest_plugin/tests/api/v2/test_provider.py b/octavia_tempest_plugin/tests/api/v2/test_provider.py
index f85d598..ae4a08a 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_provider.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_provider.py
@@ -47,7 +47,6 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = [
'os_admin', 'os_primary', 'os_roles_lb_admin',
- 'os_roles_lb_observer', 'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
diff --git a/octavia_tempest_plugin/tests/test_base.py b/octavia_tempest_plugin/tests/test_base.py
index e182d58..b9438e4 100644
--- a/octavia_tempest_plugin/tests/test_base.py
+++ b/octavia_tempest_plugin/tests/test_base.py
@@ -50,7 +50,12 @@
RBAC_tests.RBACTestsMixin, test.BaseTestCase):
"""Base class for load balancer tests."""
- if CONF.load_balancer.enforce_new_defaults:
+ if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
+ credentials = [
+ 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
+ ['lb_member', CONF.load_balancer.member_role],
+ ['lb_member2', CONF.load_balancer.member_role]]
+ elif CONF.load_balancer.enforce_new_defaults:
credentials = [
'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
['lb_observer', CONF.load_balancer.observer_role, 'reader'],