[Fix gate] Fix failing identity v2 admin tests
This patch fixes the failing identity tests that
belong to the v2 admin API [0].
Due to recent changes to Keystone and DevStack,
the v2 admin API tests fail if run outright.
Tempest now skips the v2 admin tests uness
``CONF.identity_feature_enabled.api_v2_admin`` is true [1];
Patrole should do the same.
This patch makes the following changes:
- Skips identity v2 admin tests unless
``CONF.identity_feature_enabled.api_v2_admin`` is true
- Removes superfluous tempest.conf overrides from
post_test_hook
- Updates ``rbac_utils.switch_role`` to ensure that admin
identity credentials are properly configured and that
the ``roles_v3_client`` is always used
- Refactors test_projects_rbac in v2 identity because
the API belongs to both the admin and non-admin API,
which was causing OverPermission error to be thrown.
[0] https://developer.openstack.org/api-ref/identity/v2-admin/
[1] https://review.openstack.org/#/c/458844/
Change-Id: Ic698d0b2cf669793aaad6aff972ba155ef993e4a
diff --git a/releasenotes/notes/admin-only-identity-v2-admin-6f382e38d7a690a4.yaml b/releasenotes/notes/admin-only-identity-v2-admin-6f382e38d7a690a4.yaml
new file mode 100644
index 0000000..750a9f1
--- /dev/null
+++ b/releasenotes/notes/admin-only-identity-v2-admin-6f382e38d7a690a4.yaml
@@ -0,0 +1,12 @@
+---
+fixes:
+ - |
+ Removed ``rule`` kwarg from ``rbac_rule_validation`` decorator for identity
+ v2 admin tests, because the identity v2 admin API does not do policy
+ enforcement, and instead checks whether the request object has
+ ``context_is_admin``.
+other:
+ - |
+ Updated the class names for identity v2 tests to include the "Admin"
+ substring, to convey the fact that these tests are only intended
+ to test the v2 admin API, not the v2 API.