Gate fix: Rename Member (legacy) to member role Due to a recent change [0], Member role is no longer being found, as it has been renamed to member. This is causing all the member-based gates to fail. Because "Member" is legacy [1], this patchset uses "member" instead of "Member" during the devstack Patrole plugin for master. For n-1 and n-2 releases "Member" is still used. This patchset also specifies which role was not found in the system while trying to resolve roles CONF.identity.admin_role and CONF.patrole.rbac_test_role in order to make debugging easier. [0] https://review.openstack.org/#/c/572243/ [1] http://git.openstack.org/cgit/openstack-dev/devstack/tree/lib/keystone#n355 Change-Id: I7b59bab164041b26ed8a1a798546e493f22f6edd

commit: 2fc2929882c211682219c5ab71f06e5954fc7b53 [log] [tgz]
author: Felipe Monteiro <felipe.monteiro@att.com> Fri Jun 15 18:26:27 2018 -0400
committer: Felipe Monteiro <felipe.monteiro@att.com> Sat Jun 16 16:20:16 2018 -0400
tree: cbd212581aefb64e4f4b99a8769c03a784f6d29c
parent: ffc1ad8556b3aee842db5345ee4080d8cae7c303 [diff] [blame]
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 2ef88ca..6c40aa1 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py

@@ -147,18 +147,25 @@
             test_obj.os_primary.auth_provider.set_auth()
 
     def _get_roles_by_name(self):
-        available_roles = self.admin_roles_client.list_roles()
-        admin_role_id = rbac_role_id = None
+        available_roles = self.admin_roles_client.list_roles()['roles']
+        role_map = {r['name']: r['id'] for r in available_roles}
+        LOG.debug('Available roles: %s', list(role_map.keys()))
 
-        for role in available_roles['roles']:
-            if role['name'] == CONF.patrole.rbac_test_role:
-                rbac_role_id = role['id']
-            if role['name'] == CONF.identity.admin_role:
-                admin_role_id = role['id']
+        admin_role_id = role_map.get(CONF.identity.admin_role)
+        rbac_role_id = role_map.get(CONF.patrole.rbac_test_role)
 
         if not all([admin_role_id, rbac_role_id]):
-            msg = ("Roles defined by `[patrole] rbac_test_role` and "
-                   "`[identity] admin_role` must be defined in the system.")
+            missing_roles = []
+            msg = ("Could not find `[patrole] rbac_test_role` or "
+                   "`[identity] admin_role`, both of which are required for "
+                   "RBAC testing.")
+            if not admin_role_id:
+                missing_roles.append(CONF.identity.admin_role)
+            if not rbac_role_id:
+                missing_roles.append(CONF.patrole.rbac_test_role)
+            msg += " Following roles were not found: %s." % (
+                ", ".join(missing_roles))
+            msg += " Available roles: %s." % ", ".join(list(role_map.keys()))
             raise rbac_exceptions.RbacResourceSetupFailed(msg)
 
         self.admin_role_id = admin_role_id
@@ -226,4 +233,6 @@
 
     :returns: True if ``rbac_test_role`` is the admin role.
     """
+    # TODO(felipemonteiro): Make this more robust via a context is admin
+    # lookup.
     return CONF.patrole.rbac_test_role == CONF.identity.admin_role
commit	2fc2929882c211682219c5ab71f06e5954fc7b53	[log] [tgz]
author	Felipe Monteiro <felipe.monteiro@att.com>	Fri Jun 15 18:26:27 2018 -0400
committer	Felipe Monteiro <felipe.monteiro@att.com>	Sat Jun 16 16:20:16 2018 -0400
tree	cbd212581aefb64e4f4b99a8769c03a784f6d29c
parent	ffc1ad8556b3aee842db5345ee4080d8cae7c303 [diff] [blame]