commit 32f98a43d313bac1b657c2e0525003a8657b36a1
author Matthew Treinish <mtreinish@kortar.org> Tue Jul 14 19:58:46 2015 -0400
committer Matthew Treinish <mtreinish@kortar.org> Wed Jul 15 12:20:16 2015 -0400
tree 4c667f3964d5919f30923bb13cd95343aef535f5
parent 4dba0395e0e242add2a8c333d45c19d11e318fa1

Ensure a role is assigned to created users with v3 auth

This commit adds a default role assign to created users and projects
in the isolated credentials path if no other role will be assigned.
The issue previously was that when running with v3 auth tempest was
not assigning a role on the project for the newly created users. So
unless this was done out of band the created users would not be able
to get a token because they didn't have access to the project. By
always assigning a role to the user on the project this will no
longer be an issue. Additionally, we need to ensure that the default
role membership role we're using, "Member" exists before we try to use
it. If it does not it will be created before using it.

Change-Id: I4081cbd61f078bcc457062e2a55adb7b6f249a59
Closes-Bug: #1474193

tempest/common/isolated_creds.py

diff --git a/tempest/common/isolated_creds.py b/tempest/common/isolated_creds.py
index 2102638..ff4eda9 100644
--- a/tempest/common/isolated_creds.py
+++ b/tempest/common/isolated_creds.py
@@ -51,11 +51,21 @@
     def create_project(self, name, description):
         pass
 
-    def assign_user_role(self, user, project, role_name):
+    def _check_role_exists(self, role_name):
         try:
             roles = self._list_roles()
             role = next(r for r in roles if r['name'] == role_name)
         except StopIteration:
+            return None
+        return role
+
+    def create_user_role(self, role_name):
+        if not self._check_role_exists(role_name):
+            self.identity_client.create_role(role_name)
+
+    def assign_user_role(self, user, project, role_name):
+        role = self._check_role_exists(role_name)
+        if not role:
             msg = 'No "%s" role found' % role_name
             raise lib_exc.NotFound(msg)
         try:
@@ -196,16 +206,27 @@
         email = data_utils.rand_name(root) + suffix + "@example.com"
         user = self.creds_client.create_user(
             username, user_password, project, email)
+        role_assigned = False
         if admin:
             self.creds_client.assign_user_role(user, project,
                                                CONF.identity.admin_role)
+            role_assigned = True
         # Add roles specified in config file
         for conf_role in CONF.auth.tempest_roles:
             self.creds_client.assign_user_role(user, project, conf_role)
+            role_assigned = True
         # Add roles requested by caller
         if roles:
             for role in roles:
                 self.creds_client.assign_user_role(user, project, role)
+                role_assigned = True
+        # NOTE(mtreinish) For a user to have access to a project with v3 auth
+        # it must beassigned a role on the project. So we need to ensure that
+        # our newly created user has a role on the newly created project.
+        if self.identity_version == 'v3' and not role_assigned:
+            self.creds_client.create_user_role('Member')
+            self.creds_client.assign_user_role(user, project, 'Member')
+
         creds = self.creds_client.get_credentials(user, project, user_password)
         return cred_provider.TestResources(creds)