commit 86b2f6db38a6044df83d6bd09a9cc5a920d13240
author Pavlo Shchelokovskyy <shchelokovskyy@gmail.com> Mon Aug 29 13:45:36 2022 +0300
committer Pavlo Shchelokovskyy <shchelokovskyy@gmail.com> Fri Apr 18 13:32:05 2025 +0000
tree 389fcc3108aa2c90cc223a654a72af8110389051
parent b8645e535d5f312081d3e6c9fb6c71ef8cd06533

Require member role in the static get_primary_creds

otherwise the reader role might be picked up, which is not enough
in some cases even when scope and new policies are not enforced,
like barbican requiring a 'creator' role,
and reader+creator makes no sense.

Change-Id: Icab8c2a84d13ba29e4402442edc29df539c70c9f
Related-Issue: PRODX-26490
(cherry picked from commit 9dff261a9f2d4d0fb9e944398a3687fa0e49bf9d)

tempest/lib/common/preprov_creds.py

diff --git a/tempest/lib/common/preprov_creds.py b/tempest/lib/common/preprov_creds.py
index 3ba7db1..fd4ccf8 100644
--- a/tempest/lib/common/preprov_creds.py
+++ b/tempest/lib/common/preprov_creds.py
@@ -312,7 +312,8 @@
     def get_primary_creds(self):
         if self._creds.get('primary'):
             return self._creds.get('primary')
-        net_creds = self._get_creds()
+        # NOTE(pas-ha) use the same call as get_project_member_creds
+        net_creds = self._get_creds(['member'], scope='project')
         self._creds['primary'] = net_creds
         return net_creds
 

tempest/tests/lib/common/test_preprov_creds.py

diff --git a/tempest/tests/lib/common/test_preprov_creds.py b/tempest/tests/lib/common/test_preprov_creds.py
index 5a36f71..4e39c6b 100644
--- a/tempest/tests/lib/common/test_preprov_creds.py
+++ b/tempest/tests/lib/common/test_preprov_creds.py
@@ -78,12 +78,15 @@
              'password': 'p', 'roles': [admin_role]},
             {'username': 'test_admin3', 'project_name': 'test_tenant13',
              'password': 'p', 'types': ['admin']},
+            {'username': 'test_user14', 'project_name': 'test_tenant14',
+             'password': 'p', 'roles': ['member']},
             {'username': 'test_project_manager1',
              'project_name': 'test_tenant14', 'password': 'p',
              'roles': ['manager']},
             {'username': 'test_project_manager2',
              'tenant_name': 'test_tenant15', 'password': 'p',
-             'roles': ['manager']}]
+             'roles': ['manager']},
+        ]
 
     def setUp(self):
         super(TestPreProvisionedCredentials, self).setUp()
@@ -325,7 +328,7 @@
         calls = get_free_hash_mock.mock.mock_calls
         self.assertEqual(len(calls), 1)
         args = calls[0][1][0]
-        self.assertEqual(len(args), 12)
+        self.assertEqual(len(args), 13)
         for i in admin_hashes:
             self.assertNotIn(i, args)
 
@@ -507,11 +510,15 @@
              'domain_name': 'domain', 'password': 'p', 'roles': [admin_role]},
             {'username': 'test_admin3', 'project_name': 'test_tenant13',
              'domain_name': 'domain', 'password': 'p', 'types': ['admin']},
+            {'username': 'test_user14', 'project_name': 'test_tenant14',
+             'domain_name': 'domain', 'password': 'p',
+             'roles': ['member']},
             {'username': 'test_project_manager1',
              'project_name': 'test_project14', 'domain_name': 'domain',
              'password': 'p', 'roles': ['manager']},
             {'username': 'test_domain_manager1',
-             'domain_name': 'domain', 'password': 'p', 'roles': ['manager']}]
+             'domain_name': 'domain', 'password': 'p', 'roles': ['manager']},
+        ]
 
     def test_get_domain_manager_creds(self):
         test_accounts_class = preprov_creds.PreProvisionedCredentialProvider(