Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / tempest / 7ab45a9be8ee6fd4c8ded8d76e3237c14fa8727a^! / .
commit7ab45a9be8ee6fd4c8ded8d76e3237c14fa8727a[log] [tgz]
authorGhanshyam Mann <gmann@ghanshyammann.com>Mon Nov 21 19:14:05 2022 -0600
committerGhanshyam Mann <gmann@ghanshyammann.com>Mon Nov 21 19:14:05 2022 -0600
treef6c1bbd2e8868a43ad9158ee146b8e4cc47aebe4
parent982e5d2b95e448568484eb4b81bc85caf0fc95ab [diff]
Add new tempest job enable the rbac scope checks and new defaults

We have many services (Nova, Neutron, Glance etc) implemented the
new RBAC (project scope and project personas). For these services,
all tests should pass as projects personas (project reader) does
not impact existing testing/usage.

keystone has system scope adopted in their policy for now which
we need to make it work for project scope also and until then
we will see test failing.

This commit adds a new tempest full job which enable the scope
and new defaults of RBAC for applicable services.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/865040

Change-Id: Ib8f2f0e25205edba332fb9bd2a73012016d45061

diff --git a/zuul.d/integrated-gate.yaml b/zuul.d/integrated-gate.yaml
index 121e04d..7d0246b 100644
--- a/zuul.d/integrated-gate.yaml
+++ b/zuul.d/integrated-gate.yaml

@@ -344,6 +344,30 @@
         # ENABLE_FILE_INJECTION: true
         DATABASE_TYPE: postgresql
 
+- job:
+    name: tempest-full-enforce-scope-new-defaults
+    parent: tempest-full-py3
+    description: |
+      This job runs the Tempest tests with scope and new defaults enabled.
+    # TODO: remove this once https://review.opendev.org/c/openstack/neutron-lib/+/864213
+    # fix is released in neutron-lib
+    required-projects:
+      - openstack/neutron-lib
+      - openstack/neutron
+    vars:
+      devstack_localrc:
+        # Enabeling the scope and new defaults for services.
+        # NOTE: (gmann) We need to keep keystone scope check disable as
+        # services (except ironic) does not support the system scope and
+        # they need keystone to continue working with project scope. Until
+        # Keystone policies are changed to work for both system as well as
+        # for project scoped, we need to keep scope check disable for
+        # keystone.
+        NOVA_ENFORCE_SCOPE: true
+        CINDER_ENFORCE_SCOPE: true
+        GLANCE_ENFORCE_SCOPE: true
+        NEUTRON_ENFORCE_SCOPE: true
+
 - project-template:
     name: integrated-gate-networking
     description: |

diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 6412e78..46c0d8d 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml

@@ -103,6 +103,8 @@
             irrelevant-files: *tempest-irrelevant-files
         - nova-live-migration:
             irrelevant-files: *tempest-irrelevant-files
+        - tempest-full-enforce-scope-new-defaults:
+            irrelevant-files: *tempest-irrelevant-files
         - devstack-plugin-ceph-tempest-py3:
             # TODO(kopecmartin): make it voting once the below bug is fixed
             # https://bugs.launchpad.net/devstack-plugin-ceph/+bug/1975648
@@ -150,6 +152,8 @@
             irrelevant-files: *tempest-irrelevant-files-3
         - tempest-multinode-full-py3:
             irrelevant-files: *tempest-irrelevant-files
+        - tempest-full-enforce-scope-new-defaults:
+            irrelevant-files: *tempest-irrelevant-files
         #- devstack-plugin-ceph-tempest-py3:
         #    irrelevant-files: *tempest-irrelevant-files
         #- tempest-full-centos-9-stream: