Fixes many failing identity tests for member.
Many identity tests are failing for member role because the
framework doesn't currently take how Keystone does policy
enforcement into consideration. Currently, the framework
sets up one admin credential type which creates a user
with admin credentials. During the entire lifecycle of a Patrole
test run, the user retains its admin credentials -- but the admin
credentials are still assigned to the default domain, rather than
to the Tempest project.
It appears that most services only care about whether a user
has a specific role on a project, rather than a domain. However,
Keystone behaves differently, allowing the test user with domain
admin credentials to perform admin actions that should otherwise
be disallowed. This is problematic, because then over-permission
errors are thrown, as the test user that performs the action
as, say, Member retains the admin role on the default domain.
The solution is to create 2 credential types: admin and primary.
The admin user is responsible for adding/revoking admin role
to/from the primary user, who sets up/cleans up resources with admin
role and performs the API action under test with the rbac role only.
This patch also:
* takes care of removing cls.os = cls.os_adm simultaneously,
  which is extremely deceptive and hard to debug
* removes 2 extension tests from compute admin test files
* refactors identity test files that use deprecated/incorrect
  functionality
Change-Id: I08b02394276b74711900ff4b6ca286da0e76fd97
Closes-Bug: #1671704
12 files changed
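
Added illustration, not part of this commit and not Patrole or Keystone code: a simplified model of the over-permission problem described in the message, where a check that also honours a domain-scoped admin role lets a "Member" test pass an admin-only action. `RoleStore`, the two check functions, and the user and project names are hypothetical and constructed for the example.

```python
# Simplified model (assumption): an assignment is (user, scope_type, scope_id, role).
class RoleStore:
    def __init__(self):
        self.assignments = set()

    def grant(self, user, scope_type, scope_id, role):
        self.assignments.add((user, scope_type, scope_id, role))

    def revoke(self, user, scope_type, scope_id, role):
        self.assignments.discard((user, scope_type, scope_id, role))

    def roles(self, user, scope_type, scope_id):
        return {r for (u, t, s, r) in self.assignments
                if (u, t, s) == (user, scope_type, scope_id)}


def project_only_allows(store, user, project):
    """Admin-only action on a service that checks only the project role."""
    return "admin" in store.roles(user, "project", project)


def identity_allows(store, user, project, domain="default"):
    """Admin-only action on a service that also honours a domain admin role."""
    return (project_only_allows(store, user, project)
            or "admin" in store.roles(user, "domain", domain))


def run_as_member(store, user, project, check):
    """Drop to Member on the project, then attempt the admin-only action."""
    store.revoke(user, "project", project, "admin")
    store.grant(user, "project", project, "Member")
    return check(store, user, project)


def single_credential_setup():
    # Old layout: the test user itself keeps admin on the default domain.
    store = RoleStore()
    store.grant("test_user", "domain", "default", "admin")
    store.grant("test_user", "project", "tempest", "admin")
    return store, "test_user"


def two_credential_setup():
    # New layout: a separate admin user holds the domain role;
    # the primary user only ever holds roles on the project.
    store = RoleStore()
    store.grant("admin_user", "domain", "default", "admin")
    store.grant("primary_user", "project", "tempest", "admin")
    return store, "primary_user"
```

With the single credential the Member run is denied by the project-only check but allowed by the identity-style check, which is the over-permission result; with two credentials both checks deny it.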