Update Octavia tempest tests for no scoped tokens
There has been a direction change in the "secure-RBAC" goal and scoped
tokens are no longer being implemented[1].
The Octavia tempest tests were updated for the new keystone roles and
scoped tokens at the same time with an (bad) assumption that they would be
turned on at the same time.
This patch updates the Octavia tempest plugin to not assume that scoped
tokens are in use when the RBAC type is set to keystone_default_roles.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
Depends-On: https://review.opendev.org/c/openstack/octavia/+/877433
Change-Id: Ia1c4ca0b675d39bd43640184d6d3deba823fd3f6
diff --git a/octavia_tempest_plugin/config.py b/octavia_tempest_plugin/config.py
index c40293c..9e259d3 100644
--- a/octavia_tempest_plugin/config.py
+++ b/octavia_tempest_plugin/config.py
@@ -244,7 +244,11 @@
help='Does the load-balancer service API policies enforce '
'the new keystone default roles? This configuration '
'value should be same as octavia.conf: '
- '[oslo_policy].enforce_new_defaults option.'),
+ '[oslo_policy].enforce_new_defaults option.',
+ deprecated_for_removal=True,
+ deprecated_reason='Consolidated into the RBAC_test_type '
+ 'setting.',
+ deprecated_since='bobcat'),
]
lb_feature_enabled_group = cfg.OptGroup(name='loadbalancer-feature-enabled',
diff --git a/octavia_tempest_plugin/tests/api/v2/test_amphora.py b/octavia_tempest_plugin/tests/api/v2/test_amphora.py
index 180e4f3..8d591cc 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_amphora.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_amphora.py
@@ -94,7 +94,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -182,7 +182,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -217,7 +217,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
index fa7b6a4..fe80084 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone.py
@@ -109,7 +109,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -232,7 +232,7 @@
'os_admin', 'os_primary', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
@@ -385,7 +385,7 @@
'os_admin', 'os_primary', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
@@ -458,7 +458,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -535,7 +535,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
index d3833f6..6f67d8f 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py
@@ -48,7 +48,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
diff --git a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
index 456a01e..6984420 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_availability_zone_profile.py
@@ -80,7 +80,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -235,7 +235,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -396,7 +396,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -498,7 +498,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -580,7 +580,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor.py b/octavia_tempest_plugin/tests/api/v2/test_flavor.py
index b5b4254..565ff99 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor.py
@@ -92,7 +92,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -198,7 +198,7 @@
'os_admin', 'os_primary', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
@@ -326,7 +326,7 @@
'os_admin', 'os_primary', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
@@ -394,7 +394,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -458,7 +458,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
index 884f656..285df19 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_capabilities.py
@@ -46,7 +46,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
diff --git a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
index 39f3338..48ade67 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py
@@ -64,7 +64,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -184,7 +184,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -313,7 +313,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -391,7 +391,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
@@ -458,7 +458,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
diff --git a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
index a305ead..64368aa 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py
@@ -282,7 +282,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -724,8 +725,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary',
- 'os_roles_lb_member2', 'os_roles_lb_observer',
+ expected_allowed = ['os_primary', 'os_roles_lb_member2',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2']
@@ -739,8 +740,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
@@ -763,7 +764,7 @@
# a superscope of "project_reader". This means it can read
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
@@ -1193,8 +1194,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
@@ -1475,7 +1476,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -1778,7 +1780,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
index e7ed5a6..5a19def 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_l7policy.py
@@ -139,7 +139,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -365,8 +366,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary',
- 'os_roles_lb_member2', 'os_roles_lb_observer',
+ expected_allowed = ['os_primary', 'os_roles_lb_member2',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2']
@@ -380,8 +381,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
@@ -406,7 +407,7 @@
# a superscope of "project_reader". This means it can read
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
@@ -652,8 +653,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
@@ -761,7 +762,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -872,7 +874,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
diff --git a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py
index 5cb85c4..c0eb1d2 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_l7rule.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_l7rule.py
@@ -147,7 +147,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -357,8 +358,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
@@ -380,7 +381,7 @@
# a superscope of "project_reader". This means it can read
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
@@ -566,8 +567,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
@@ -654,7 +655,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -756,7 +758,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
diff --git a/octavia_tempest_plugin/tests/api/v2/test_listener.py b/octavia_tempest_plugin/tests/api/v2/test_listener.py
index 625bcf7..7382bf5 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_listener.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_listener.py
@@ -165,7 +165,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -564,8 +565,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary',
- 'os_roles_lb_member2', 'os_roles_lb_observer',
+ expected_allowed = ['os_primary', 'os_roles_lb_member2',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2']
@@ -579,8 +580,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
@@ -604,7 +605,7 @@
# a superscope of "project_reader". This means it can read
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
@@ -887,8 +888,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
@@ -1036,7 +1037,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -1215,7 +1217,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
diff --git a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
index 7ade642..9035260 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_load_balancer.py
@@ -89,7 +89,7 @@
expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
@@ -193,7 +193,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -242,7 +243,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -418,8 +420,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary',
- 'os_roles_lb_member2', 'os_roles_lb_observer',
+ expected_allowed = ['os_primary', 'os_roles_lb_member2',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2']
@@ -433,8 +435,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
@@ -457,7 +459,7 @@
# a superscope of "project_reader". This means it can read
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
@@ -635,8 +637,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
@@ -739,7 +741,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -831,8 +834,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
@@ -902,8 +905,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
@@ -978,7 +981,7 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin']
if expected_allowed:
diff --git a/octavia_tempest_plugin/tests/api/v2/test_member.py b/octavia_tempest_plugin/tests/api/v2/test_member.py
index fee2893..305aa39 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_member.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_member.py
@@ -902,7 +902,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -1233,8 +1234,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
@@ -1255,7 +1256,7 @@
# a superscope of "project_reader". This means it can read
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
@@ -1798,8 +1799,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
@@ -2255,7 +2256,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -2713,7 +2715,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -2958,7 +2961,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
diff --git a/octavia_tempest_plugin/tests/api/v2/test_pool.py b/octavia_tempest_plugin/tests/api/v2/test_pool.py
index 13a2285..db86ebe 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_pool.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_pool.py
@@ -408,7 +408,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -752,8 +753,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_primary', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary',
- 'os_roles_lb_member2', 'os_roles_lb_observer',
+ expected_allowed = ['os_primary', 'os_roles_lb_member2',
+ 'os_roles_lb_observer',
'os_roles_lb_global_observer']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_roles_lb_observer', 'os_roles_lb_member2']
@@ -767,8 +768,8 @@
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
expected_allowed = ['os_admin', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin', 'os_roles_lb_member',
@@ -791,7 +792,7 @@
# a superscope of "project_reader". This means it can read
# objects in the "admin" credential's project.
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
@@ -1131,8 +1132,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_system_reader', 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_system_reader',
'os_roles_lb_admin',
@@ -1371,7 +1372,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
@@ -1673,7 +1675,8 @@
expected_allowed = ['os_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_system_admin', 'os_roles_lb_member']
+ expected_allowed = ['os_admin', 'os_roles_lb_admin',
+ 'os_roles_lb_member']
if CONF.load_balancer.RBAC_test_type == const.ADVANCED:
expected_allowed = ['os_system_admin', 'os_roles_lb_admin',
'os_roles_lb_member']
diff --git a/octavia_tempest_plugin/tests/api/v2/test_provider.py b/octavia_tempest_plugin/tests/api/v2/test_provider.py
index 9a9dd28..e47ae8e 100644
--- a/octavia_tempest_plugin/tests/api/v2/test_provider.py
+++ b/octavia_tempest_plugin/tests/api/v2/test_provider.py
@@ -49,7 +49,7 @@
'os_admin', 'os_primary', 'os_roles_lb_admin',
'os_roles_lb_member', 'os_roles_lb_member2']
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
- expected_allowed = ['os_admin', 'os_primary', 'os_system_admin',
+ expected_allowed = ['os_admin', 'os_primary', 'os_roles_lb_admin',
'os_system_reader', 'os_roles_lb_observer',
'os_roles_lb_global_observer',
'os_roles_lb_member', 'os_roles_lb_member2']
diff --git a/octavia_tempest_plugin/tests/test_base.py b/octavia_tempest_plugin/tests/test_base.py
index 70d51ba..e1daec1 100644
--- a/octavia_tempest_plugin/tests/test_base.py
+++ b/octavia_tempest_plugin/tests/test_base.py
@@ -56,9 +56,10 @@
'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
['lb_member', CONF.load_balancer.member_role],
['lb_member2', CONF.load_balancer.member_role]]
- elif CONF.load_balancer.enforce_new_defaults:
+ elif CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
credentials = [
- 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
+ 'admin', 'primary',
+ ['lb_admin', CONF.load_balancer.admin_role, 'admin'],
['lb_observer', CONF.load_balancer.observer_role, 'reader'],
['lb_global_observer', CONF.load_balancer.global_observer_role,
'reader'],
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index bd90bea..e217e72 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -506,21 +506,23 @@
- ^octavia_tempest_plugin/tests/(?!api/|\w+\.py).*
- job:
- name: octavia-v2-dsvm-noop-api-scoped-tokens
+ name: octavia-v2-dsvm-noop-api-keystone-default-roles
parent: octavia-v2-dsvm-noop-api
vars:
+ devstack_localrc:
+ OCTAVIA_USE_KEYSTONE_DEFAULT_ROLES: True
devstack_local_conf:
post-config:
$OCTAVIA_CONF:
oslo_policy:
- enforce_scope: True
+ enforce_scope: False
enforce_new_defaults: True
test-config:
"$TEMPEST_CONFIG":
enforce_scope:
- octavia: True
+ octavia: False
load_balancer:
- enforce_new_defaults: True
+ RBAC_test_type: keystone_default_roles
- job:
name: octavia-v2-dsvm-noop-py2-api
diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml
index 116da49..15f8c90 100644
--- a/zuul.d/projects.yaml
+++ b/zuul.d/projects.yaml
@@ -12,7 +12,7 @@
- octavia-v2-dsvm-noop-api-stable-yoga
- octavia-v2-dsvm-noop-api-stable-xena
- octavia-v2-dsvm-noop-api-stable-wallaby
- - octavia-v2-dsvm-noop-api-scoped-tokens
+ - octavia-v2-dsvm-noop-api-keystone-default-roles
- octavia-v2-dsvm-scenario
- octavia-v2-dsvm-scenario-stable-yoga
- octavia-v2-dsvm-scenario-stable-xena
@@ -54,7 +54,7 @@
- octavia-v2-dsvm-noop-api-stable-yoga
- octavia-v2-dsvm-noop-api-stable-xena
- octavia-v2-dsvm-noop-api-stable-wallaby
- - octavia-v2-dsvm-noop-api-scoped-tokens
+ - octavia-v2-dsvm-noop-api-keystone-default-roles
- octavia-v2-dsvm-scenario
- octavia-v2-dsvm-scenario-stable-yoga
- octavia-v2-dsvm-scenario-stable-xena