Merge "Ensure a role is assigned to created users with v3 auth"
diff --git a/tempest/common/isolated_creds.py b/tempest/common/isolated_creds.py
index 2102638..ff4eda9 100644
--- a/tempest/common/isolated_creds.py
+++ b/tempest/common/isolated_creds.py
@@ -51,11 +51,21 @@
def create_project(self, name, description):
pass
- def assign_user_role(self, user, project, role_name):
+ def _check_role_exists(self, role_name):
try:
roles = self._list_roles()
role = next(r for r in roles if r['name'] == role_name)
except StopIteration:
+ return None
+ return role
+
+ def create_user_role(self, role_name):
+ if not self._check_role_exists(role_name):
+ self.identity_client.create_role(role_name)
+
+ def assign_user_role(self, user, project, role_name):
+ role = self._check_role_exists(role_name)
+ if not role:
msg = 'No "%s" role found' % role_name
raise lib_exc.NotFound(msg)
try:
@@ -196,16 +206,27 @@
email = data_utils.rand_name(root) + suffix + "@example.com"
user = self.creds_client.create_user(
username, user_password, project, email)
+ role_assigned = False
if admin:
self.creds_client.assign_user_role(user, project,
CONF.identity.admin_role)
+ role_assigned = True
# Add roles specified in config file
for conf_role in CONF.auth.tempest_roles:
self.creds_client.assign_user_role(user, project, conf_role)
+ role_assigned = True
# Add roles requested by caller
if roles:
for role in roles:
self.creds_client.assign_user_role(user, project, role)
+ role_assigned = True
+ # NOTE(mtreinish) For a user to have access to a project with v3 auth
+ # it must beassigned a role on the project. So we need to ensure that
+ # our newly created user has a role on the newly created project.
+ if self.identity_version == 'v3' and not role_assigned:
+ self.creds_client.create_user_role('Member')
+ self.creds_client.assign_user_role(user, project, 'Member')
+
creds = self.creds_client.get_credentials(user, project, user_password)
return cred_provider.TestResources(creds)