Merge "Update auth section of the configuration guide"
diff --git a/etc/tempest.conf.sample b/etc/tempest.conf.sample
index d81d3bb..a2db4f4 100644
--- a/etc/tempest.conf.sample
+++ b/etc/tempest.conf.sample
@@ -156,6 +156,7 @@
 
 # The endpoint type to use for the baremetal provisioning service
 # (string value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 # Timeout for Ironic node to completely provision (integer value)
@@ -341,6 +342,7 @@
 #region =
 
 # The endpoint type to use for the compute service. (string value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 # Path to a private key file for SSH access to remote hosts (string
@@ -467,6 +469,7 @@
 
 # The endpoint type to use for the data processing service. (string
 # value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 
@@ -550,6 +553,7 @@
 #region = RegionOne
 
 # The endpoint type to use for the identity service. (string value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 # Username to use for Nova API requests. (string value)
@@ -631,6 +635,7 @@
 #region =
 
 # The endpoint type to use for the image service. (string value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 # http accessible image (string value)
@@ -739,6 +744,7 @@
 #region =
 
 # The endpoint type to use for the network service. (string value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 # The cidr block to allocate tenant ipv4 subnets from (string value)
@@ -781,6 +787,7 @@
 
 # vnic_type to use when Launching instances with pre-configured ports.
 # Supported ports are: ['normal','direct','macvtap'] (string value)
+# Allowed values: <None>, normal, direct, macvtap
 #port_vnic_type = <None>
 
 
@@ -819,6 +826,7 @@
 
 # The endpoint type to use for the object-store service. (string
 # value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 # Number of seconds to time on waiting for a container to container
@@ -884,6 +892,7 @@
 
 # The endpoint type to use for the orchestration service. (string
 # value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 # Time in seconds between build status checks. (integer value)
@@ -950,6 +959,7 @@
 # DHCP client used by images to renew DCHP lease. If left empty,
 # update operation will be skipped. Supported clients: "udhcpc",
 # "dhclient" (string value)
+# Allowed values: udhcpc, dhclient
 #dhcp_client = udhcpc
 
 
@@ -1049,6 +1059,7 @@
 #catalog_type = metering
 
 # The endpoint type to use for the telemetry service. (string value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 # This variable is used as flag to enable notification tests (boolean
@@ -1078,6 +1089,7 @@
 #region =
 
 # The endpoint type to use for the volume service. (string value)
+# Allowed values: public, admin, internal, publicURL, adminURL, internalURL
 #endpoint_type = publicURL
 
 # Name of the backend1 (must be declared in cinder.conf) (string
diff --git a/tempest/api/compute/admin/test_agents.py b/tempest/api/compute/admin/test_agents.py
index 2bd15ac..fce6550 100644
--- a/tempest/api/compute/admin/test_agents.py
+++ b/tempest/api/compute/admin/test_agents.py
@@ -28,8 +28,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(AgentsAdminTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(AgentsAdminTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.agents_client
 
     def setUp(self):
diff --git a/tempest/api/compute/admin/test_aggregates.py b/tempest/api/compute/admin/test_aggregates.py
index e3b0151..32521e4 100644
--- a/tempest/api/compute/admin/test_aggregates.py
+++ b/tempest/api/compute/admin/test_aggregates.py
@@ -30,9 +30,13 @@
     _host_key = 'OS-EXT-SRV-ATTR:host'
 
     @classmethod
+    def setup_clients(cls):
+        super(AggregatesAdminTestJSON, cls).setup_clients()
+        cls.client = cls.os_adm.aggregates_client
+
+    @classmethod
     def resource_setup(cls):
         super(AggregatesAdminTestJSON, cls).resource_setup()
-        cls.client = cls.os_adm.aggregates_client
         cls.aggregate_name_prefix = 'test_aggregate_'
         cls.az_name_prefix = 'test_az_'
 
diff --git a/tempest/api/compute/admin/test_aggregates_negative.py b/tempest/api/compute/admin/test_aggregates_negative.py
index 02e2b0b..24236f4 100644
--- a/tempest/api/compute/admin/test_aggregates_negative.py
+++ b/tempest/api/compute/admin/test_aggregates_negative.py
@@ -28,10 +28,14 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(AggregatesAdminNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(AggregatesAdminNegativeTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.aggregates_client
         cls.user_client = cls.aggregates_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(AggregatesAdminNegativeTestJSON, cls).resource_setup()
         cls.aggregate_name_prefix = 'test_aggregate_'
         cls.az_name_prefix = 'test_az_'
 
@@ -45,7 +49,7 @@
     def test_aggregate_create_as_user(self):
         # Regular user is not allowed to create an aggregate.
         aggregate_name = data_utils.rand_name(self.aggregate_name_prefix)
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.user_client.create_aggregate,
                           name=aggregate_name)
 
@@ -86,7 +90,7 @@
         aggregate = self.client.create_aggregate(name=aggregate_name)
         self.addCleanup(self.client.delete_aggregate, aggregate['id'])
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.user_client.delete_aggregate,
                           aggregate['id'])
 
@@ -94,7 +98,7 @@
     @test.idempotent_id('b7d475a6-5dcd-4ff4-b70a-cd9de66a6672')
     def test_aggregate_list_as_user(self):
         # Regular user is not allowed to list aggregates.
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.user_client.list_aggregates)
 
     @test.attr(type=['negative', 'gate'])
@@ -105,7 +109,7 @@
         aggregate = self.client.create_aggregate(name=aggregate_name)
         self.addCleanup(self.client.delete_aggregate, aggregate['id'])
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.user_client.get_aggregate,
                           aggregate['id'])
 
@@ -149,7 +153,7 @@
         aggregate = self.client.create_aggregate(name=aggregate_name)
         self.addCleanup(self.client.delete_aggregate, aggregate['id'])
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.user_client.add_host,
                           aggregate['id'], self.host)
 
@@ -178,7 +182,7 @@
         self.client.add_host(aggregate['id'], self.host)
         self.addCleanup(self.client.remove_host, aggregate['id'], self.host)
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.user_client.remove_host,
                           aggregate['id'], self.host)
 
diff --git a/tempest/api/compute/admin/test_availability_zone.py b/tempest/api/compute/admin/test_availability_zone.py
index 9d24b00..eadc15a 100644
--- a/tempest/api/compute/admin/test_availability_zone.py
+++ b/tempest/api/compute/admin/test_availability_zone.py
@@ -24,8 +24,8 @@
     _api_version = 2
 
     @classmethod
-    def resource_setup(cls):
-        super(AZAdminV2TestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(AZAdminV2TestJSON, cls).setup_clients()
         cls.client = cls.availability_zone_admin_client
 
     @test.attr(type='gate')
diff --git a/tempest/api/compute/admin/test_availability_zone_negative.py b/tempest/api/compute/admin/test_availability_zone_negative.py
index caecddc..d6e577e 100644
--- a/tempest/api/compute/admin/test_availability_zone_negative.py
+++ b/tempest/api/compute/admin/test_availability_zone_negative.py
@@ -25,8 +25,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(AZAdminNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(AZAdminNegativeTestJSON, cls).setup_clients()
         cls.non_adm_client = cls.availability_zone_client
 
     @test.attr(type=['negative', 'gate'])
@@ -35,5 +35,5 @@
         # List of availability zones and available services with
         # non-administrator user
         self.assertRaises(
-            lib_exc.Unauthorized,
+            lib_exc.Forbidden,
             self.non_adm_client.get_availability_zone_list_detail)
diff --git a/tempest/api/compute/admin/test_fixed_ips.py b/tempest/api/compute/admin/test_fixed_ips.py
index 820b9b0..acfd659 100644
--- a/tempest/api/compute/admin/test_fixed_ips.py
+++ b/tempest/api/compute/admin/test_fixed_ips.py
@@ -23,12 +23,20 @@
 class FixedIPsTestJson(base.BaseV2ComputeAdminTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(FixedIPsTestJson, cls).resource_setup()
+    def skip_checks(cls):
+        super(FixedIPsTestJson, cls).skip_checks()
         if CONF.service_available.neutron:
             msg = ("%s skipped as neutron is available" % cls.__name__)
             raise cls.skipException(msg)
+
+    @classmethod
+    def setup_clients(cls):
+        super(FixedIPsTestJson, cls).setup_clients()
         cls.client = cls.os_adm.fixed_ips_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(FixedIPsTestJson, cls).resource_setup()
         server = cls.create_test_server(wait_until='ACTIVE')
         server = cls.servers_client.get_server(server['id'])
         for ip_set in server['addresses']:
diff --git a/tempest/api/compute/admin/test_fixed_ips_negative.py b/tempest/api/compute/admin/test_fixed_ips_negative.py
index df3c390..052ed71 100644
--- a/tempest/api/compute/admin/test_fixed_ips_negative.py
+++ b/tempest/api/compute/admin/test_fixed_ips_negative.py
@@ -24,13 +24,21 @@
 class FixedIPsNegativeTestJson(base.BaseV2ComputeAdminTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(FixedIPsNegativeTestJson, cls).resource_setup()
+    def skip_checks(cls):
+        super(FixedIPsNegativeTestJson, cls).skip_checks()
         if CONF.service_available.neutron:
             msg = ("%s skipped as neutron is available" % cls.__name__)
             raise cls.skipException(msg)
+
+    @classmethod
+    def setup_clients(cls):
+        super(FixedIPsNegativeTestJson, cls).setup_clients()
         cls.client = cls.os_adm.fixed_ips_client
         cls.non_admin_client = cls.fixed_ips_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(FixedIPsNegativeTestJson, cls).resource_setup()
         server = cls.create_test_server(wait_until='ACTIVE')
         server = cls.servers_client.get_server(server['id'])
         for ip_set in server['addresses']:
@@ -45,7 +53,7 @@
     @test.idempotent_id('9f17f47d-daad-4adc-986e-12370c93e407')
     @test.services('network')
     def test_list_fixed_ip_details_with_non_admin_user(self):
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.get_fixed_ip_details, self.ip)
 
     @test.attr(type=['negative', 'gate'])
@@ -53,7 +61,7 @@
     @test.services('network')
     def test_set_reserve_with_non_admin_user(self):
         body = {"reserve": "None"}
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.reserve_fixed_ip,
                           self.ip, body)
 
@@ -62,7 +70,7 @@
     @test.services('network')
     def test_set_unreserve_with_non_admin_user(self):
         body = {"unreserve": "None"}
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.reserve_fixed_ip,
                           self.ip, body)
 
diff --git a/tempest/api/compute/admin/test_flavors.py b/tempest/api/compute/admin/test_flavors.py
index cd3a4f1..72f73a3 100644
--- a/tempest/api/compute/admin/test_flavors.py
+++ b/tempest/api/compute/admin/test_flavors.py
@@ -28,14 +28,22 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(FlavorsAdminTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(FlavorsAdminTestJSON, cls).skip_checks()
         if not test.is_extension_enabled('OS-FLV-EXT-DATA', 'compute'):
             msg = "OS-FLV-EXT-DATA extension not enabled."
             raise cls.skipException(msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(FlavorsAdminTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.flavors_client
         cls.user_client = cls.os.flavors_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(FlavorsAdminTestJSON, cls).resource_setup()
+
         cls.flavor_name_prefix = 'test_flavor_'
         cls.ram = 512
         cls.vcpus = 1
diff --git a/tempest/api/compute/admin/test_flavors_access.py b/tempest/api/compute/admin/test_flavors_access.py
index aaa96ac..4558db2 100644
--- a/tempest/api/compute/admin/test_flavors_access.py
+++ b/tempest/api/compute/admin/test_flavors_access.py
@@ -26,14 +26,21 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(FlavorsAccessTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(FlavorsAccessTestJSON, cls).skip_checks()
         if not test.is_extension_enabled('OS-FLV-EXT-DATA', 'compute'):
             msg = "OS-FLV-EXT-DATA extension not enabled."
             raise cls.skipException(msg)
 
-        # Compute admin flavor client
+    @classmethod
+    def setup_clients(cls):
+        super(FlavorsAccessTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.flavors_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(FlavorsAccessTestJSON, cls).resource_setup()
+
         # Non admin tenant ID
         cls.tenant_id = cls.flavors_client.tenant_id
         # Compute admin tenant ID
diff --git a/tempest/api/compute/admin/test_flavors_access_negative.py b/tempest/api/compute/admin/test_flavors_access_negative.py
index af53985..f38e3c7 100644
--- a/tempest/api/compute/admin/test_flavors_access_negative.py
+++ b/tempest/api/compute/admin/test_flavors_access_negative.py
@@ -29,13 +29,21 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(FlavorsAccessNegativeTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(FlavorsAccessNegativeTestJSON, cls).skip_checks()
         if not test.is_extension_enabled('OS-FLV-EXT-DATA', 'compute'):
             msg = "OS-FLV-EXT-DATA extension not enabled."
             raise cls.skipException(msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(FlavorsAccessNegativeTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.flavors_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(FlavorsAccessNegativeTestJSON, cls).resource_setup()
+
         cls.tenant_id = cls.flavors_client.tenant_id
         cls.flavor_name_prefix = 'test_flavor_access_'
         cls.ram = 512
@@ -70,7 +78,7 @@
                                                new_flavor_id,
                                                is_public='False')
         self.addCleanup(self.client.delete_flavor, new_flavor['id'])
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.flavors_client.add_flavor_access,
                           new_flavor['id'],
                           self.tenant_id)
@@ -91,7 +99,7 @@
         self.client.add_flavor_access(new_flavor['id'], self.tenant_id)
         self.addCleanup(self.client.remove_flavor_access,
                         new_flavor['id'], self.tenant_id)
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.flavors_client.remove_flavor_access,
                           new_flavor['id'],
                           self.tenant_id)
diff --git a/tempest/api/compute/admin/test_flavors_extra_specs.py b/tempest/api/compute/admin/test_flavors_extra_specs.py
index 5847a64..2bf793c 100644
--- a/tempest/api/compute/admin/test_flavors_extra_specs.py
+++ b/tempest/api/compute/admin/test_flavors_extra_specs.py
@@ -27,13 +27,20 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(FlavorsExtraSpecsTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(FlavorsExtraSpecsTestJSON, cls).skip_checks()
         if not test.is_extension_enabled('OS-FLV-EXT-DATA', 'compute'):
             msg = "OS-FLV-EXT-DATA extension not enabled."
             raise cls.skipException(msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(FlavorsExtraSpecsTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.flavors_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(FlavorsExtraSpecsTestJSON, cls).resource_setup()
         flavor_name = data_utils.rand_name('test_flavor')
         ram = 512
         vcpus = 1
diff --git a/tempest/api/compute/admin/test_flavors_extra_specs_negative.py b/tempest/api/compute/admin/test_flavors_extra_specs_negative.py
index 979fdd3..7998c3d 100644
--- a/tempest/api/compute/admin/test_flavors_extra_specs_negative.py
+++ b/tempest/api/compute/admin/test_flavors_extra_specs_negative.py
@@ -29,13 +29,21 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(FlavorsExtraSpecsNegativeTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(FlavorsExtraSpecsNegativeTestJSON, cls).skip_checks()
         if not test.is_extension_enabled('OS-FLV-EXT-DATA', 'compute'):
             msg = "OS-FLV-EXT-DATA extension not enabled."
             raise cls.skipException(msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(FlavorsExtraSpecsNegativeTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.flavors_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(FlavorsExtraSpecsNegativeTestJSON, cls).resource_setup()
+
         flavor_name = data_utils.rand_name('test_flavor')
         ram = 512
         vcpus = 1
@@ -63,7 +71,7 @@
     def test_flavor_non_admin_set_keys(self):
         # Test to SET flavor extra spec as a user without admin privileges.
         specs = {"key1": "value1", "key2": "value2"}
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.flavors_client.set_flavor_extra_spec,
                           self.flavor['id'],
                           specs)
@@ -76,7 +84,7 @@
         body = self.client.set_flavor_extra_spec(
             self.flavor['id'], specs)
         self.assertEqual(body['key1'], 'value1')
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.flavors_client.
                           update_flavor_extra_spec,
                           self.flavor['id'],
@@ -89,7 +97,7 @@
         specs = {"key1": "value1", "key2": "value2"}
         self.client.set_flavor_extra_spec(self.flavor['id'], specs)
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.flavors_client.unset_flavor_extra_spec,
                           self.flavor['id'],
                           'key1')
diff --git a/tempest/api/compute/admin/test_flavors_negative.py b/tempest/api/compute/admin/test_flavors_negative.py
index 042c270..9fc60ea 100644
--- a/tempest/api/compute/admin/test_flavors_negative.py
+++ b/tempest/api/compute/admin/test_flavors_negative.py
@@ -36,14 +36,21 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(FlavorsAdminNegativeTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(FlavorsAdminNegativeTestJSON, cls).skip_checks()
         if not test.is_extension_enabled('OS-FLV-EXT-DATA', 'compute'):
             msg = "OS-FLV-EXT-DATA extension not enabled."
             raise cls.skipException(msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(FlavorsAdminNegativeTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.flavors_client
         cls.user_client = cls.os.flavors_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(FlavorsAdminNegativeTestJSON, cls).resource_setup()
         cls.flavor_name_prefix = 'test_flavor_'
         cls.ram = 512
         cls.vcpus = 1
@@ -91,7 +98,7 @@
         flavor_name = data_utils.rand_name(self.flavor_name_prefix)
         new_flavor_id = str(uuid.uuid4())
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.user_client.create_flavor,
                           flavor_name, self.ram, self.vcpus, self.disk,
                           new_flavor_id, ephemeral=self.ephemeral,
@@ -101,7 +108,7 @@
     @test.idempotent_id('a9a6dc02-8c14-4e05-a1ca-3468d4214882')
     def test_delete_flavor_as_user(self):
         # only admin user can delete a flavor
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.user_client.delete_flavor,
                           self.flavor_ref_alt)
 
diff --git a/tempest/api/compute/admin/test_floating_ips_bulk.py b/tempest/api/compute/admin/test_floating_ips_bulk.py
index 7ca081a..3c5f507 100644
--- a/tempest/api/compute/admin/test_floating_ips_bulk.py
+++ b/tempest/api/compute/admin/test_floating_ips_bulk.py
@@ -31,9 +31,13 @@
     """
 
     @classmethod
+    def setup_clients(cls):
+        super(FloatingIPsBulkAdminTestJSON, cls).setup_clients()
+        cls.client = cls.os_adm.floating_ips_client
+
+    @classmethod
     def resource_setup(cls):
         super(FloatingIPsBulkAdminTestJSON, cls).resource_setup()
-        cls.client = cls.os_adm.floating_ips_client
         cls.ip_range = CONF.compute.floating_ip_range
         cls.verify_unallocated_floating_ip_range(cls.ip_range)
 
diff --git a/tempest/api/compute/admin/test_hosts.py b/tempest/api/compute/admin/test_hosts.py
index bef5d1f..e525358 100644
--- a/tempest/api/compute/admin/test_hosts.py
+++ b/tempest/api/compute/admin/test_hosts.py
@@ -24,8 +24,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(HostsAdminTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(HostsAdminTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.hosts_client
 
     @test.attr(type='gate')
diff --git a/tempest/api/compute/admin/test_hosts_negative.py b/tempest/api/compute/admin/test_hosts_negative.py
index 3c070ce..ea553fd 100644
--- a/tempest/api/compute/admin/test_hosts_negative.py
+++ b/tempest/api/compute/admin/test_hosts_negative.py
@@ -26,8 +26,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(HostsAdminNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(HostsAdminNegativeTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.hosts_client
         cls.non_admin_client = cls.os.hosts_client
 
@@ -40,7 +40,7 @@
     @test.attr(type=['negative', 'gate'])
     @test.idempotent_id('dd032027-0210-4d9c-860e-69b1b8deed5f')
     def test_list_hosts_with_non_admin_user(self):
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.list_hosts)
 
     @test.attr(type=['negative', 'gate'])
@@ -55,7 +55,7 @@
     def test_show_host_detail_with_non_admin_user(self):
         hostname = self._get_host_name()
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.show_host_detail,
                           hostname)
 
@@ -64,7 +64,7 @@
     def test_update_host_with_non_admin_user(self):
         hostname = self._get_host_name()
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.update_host,
                           hostname,
                           status='enable',
@@ -142,7 +142,7 @@
     def test_startup_host_with_non_admin_user(self):
         hostname = self._get_host_name()
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.startup_host,
                           hostname)
 
@@ -160,7 +160,7 @@
     def test_shutdown_host_with_non_admin_user(self):
         hostname = self._get_host_name()
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.shutdown_host,
                           hostname)
 
@@ -178,6 +178,6 @@
     def test_reboot_host_with_non_admin_user(self):
         hostname = self._get_host_name()
 
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.reboot_host,
                           hostname)
diff --git a/tempest/api/compute/admin/test_hypervisor.py b/tempest/api/compute/admin/test_hypervisor.py
index c65bded..5e83e95 100644
--- a/tempest/api/compute/admin/test_hypervisor.py
+++ b/tempest/api/compute/admin/test_hypervisor.py
@@ -24,8 +24,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(HypervisorAdminTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(HypervisorAdminTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.hypervisor_client
 
     def _list_hypervisors(self):
diff --git a/tempest/api/compute/admin/test_hypervisor_negative.py b/tempest/api/compute/admin/test_hypervisor_negative.py
index 556424a..bbb9112 100644
--- a/tempest/api/compute/admin/test_hypervisor_negative.py
+++ b/tempest/api/compute/admin/test_hypervisor_negative.py
@@ -28,8 +28,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(HypervisorAdminNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(HypervisorAdminNegativeTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.hypervisor_client
         cls.non_adm_client = cls.hypervisor_client
 
@@ -55,7 +55,7 @@
         self.assertTrue(len(hypers) > 0)
 
         self.assertRaises(
-            lib_exc.Unauthorized,
+            lib_exc.Forbidden,
             self.non_adm_client.get_hypervisor_show_details,
             hypers[0]['id'])
 
@@ -66,7 +66,7 @@
         self.assertTrue(len(hypers) > 0)
 
         self.assertRaises(
-            lib_exc.Unauthorized,
+            lib_exc.Forbidden,
             self.non_adm_client.get_hypervisor_servers,
             hypers[0]['id'])
 
@@ -84,7 +84,7 @@
     @test.idempotent_id('e2b061bb-13f9-40d8-9d6e-d5bf17595849')
     def test_get_hypervisor_stats_with_non_admin_user(self):
         self.assertRaises(
-            lib_exc.Unauthorized,
+            lib_exc.Forbidden,
             self.non_adm_client.get_hypervisor_stats)
 
     @test.attr(type=['negative', 'gate'])
@@ -104,7 +104,7 @@
         self.assertTrue(len(hypers) > 0)
 
         self.assertRaises(
-            lib_exc.Unauthorized,
+            lib_exc.Forbidden,
             self.non_adm_client.get_hypervisor_uptime,
             hypers[0]['id'])
 
@@ -113,7 +113,7 @@
     def test_get_hypervisor_list_with_non_admin_user(self):
         # List of hypervisor and available services with non admin user
         self.assertRaises(
-            lib_exc.Unauthorized,
+            lib_exc.Forbidden,
             self.non_adm_client.get_hypervisor_list)
 
     @test.attr(type=['negative', 'gate'])
@@ -121,7 +121,7 @@
     def test_get_hypervisor_list_details_with_non_admin_user(self):
         # List of hypervisor details and available services with non admin user
         self.assertRaises(
-            lib_exc.Unauthorized,
+            lib_exc.Forbidden,
             self.non_adm_client.get_hypervisor_list_details)
 
     @test.attr(type=['negative', 'gate'])
@@ -141,6 +141,6 @@
         self.assertTrue(len(hypers) > 0)
 
         self.assertRaises(
-            lib_exc.Unauthorized,
+            lib_exc.Forbidden,
             self.non_adm_client.search_hypervisor,
             hypers[0]['hypervisor_hostname'])
diff --git a/tempest/api/compute/admin/test_instance_usage_audit_log.py b/tempest/api/compute/admin/test_instance_usage_audit_log.py
index 1a86b2d..6565810 100644
--- a/tempest/api/compute/admin/test_instance_usage_audit_log.py
+++ b/tempest/api/compute/admin/test_instance_usage_audit_log.py
@@ -23,8 +23,8 @@
 class InstanceUsageAuditLogTestJSON(base.BaseV2ComputeAdminTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(InstanceUsageAuditLogTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(InstanceUsageAuditLogTestJSON, cls).setup_clients()
         cls.adm_client = cls.os_adm.instance_usages_audit_log_client
 
     @test.attr(type='gate')
diff --git a/tempest/api/compute/admin/test_instance_usage_audit_log_negative.py b/tempest/api/compute/admin/test_instance_usage_audit_log_negative.py
index 6b5a82f..e9f3371 100644
--- a/tempest/api/compute/admin/test_instance_usage_audit_log_negative.py
+++ b/tempest/api/compute/admin/test_instance_usage_audit_log_negative.py
@@ -25,19 +25,19 @@
 class InstanceUsageAuditLogNegativeTestJSON(base.BaseV2ComputeAdminTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(InstanceUsageAuditLogNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(InstanceUsageAuditLogNegativeTestJSON, cls).setup_clients()
         cls.adm_client = cls.os_adm.instance_usages_audit_log_client
 
     @test.attr(type=['negative', 'gate'])
     @test.idempotent_id('a9d33178-d2c9-4131-ad3b-f4ca8d0308a2')
     def test_instance_usage_audit_logs_with_nonadmin_user(self):
         # the instance_usage_audit_logs API just can be accessed by admin user
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.instance_usages_audit_log_client.
                           list_instance_usage_audit_logs)
         now = datetime.datetime.now()
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.instance_usages_audit_log_client.
                           get_instance_usage_audit_log,
                           urllib.quote(now.strftime("%Y-%m-%d %H:%M:%S")))
diff --git a/tempest/api/compute/admin/test_migrations.py b/tempest/api/compute/admin/test_migrations.py
index 67e4fe3..3c31e77 100644
--- a/tempest/api/compute/admin/test_migrations.py
+++ b/tempest/api/compute/admin/test_migrations.py
@@ -24,8 +24,8 @@
 class MigrationsAdminTest(base.BaseV2ComputeAdminTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(MigrationsAdminTest, cls).resource_setup()
+    def setup_clients(cls):
+        super(MigrationsAdminTest, cls).setup_clients()
         cls.client = cls.os_adm.migrations_client
 
     @test.attr(type='gate')
diff --git a/tempest/api/compute/admin/test_networks.py b/tempest/api/compute/admin/test_networks.py
index fa72c01..c20d483 100644
--- a/tempest/api/compute/admin/test_networks.py
+++ b/tempest/api/compute/admin/test_networks.py
@@ -30,8 +30,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(NetworksTest, cls).resource_setup()
+    def setup_clients(cls):
+        super(NetworksTest, cls).setup_clients()
         cls.client = cls.os_adm.networks_client
 
     @test.idempotent_id('d206d211-8912-486f-86e2-a9d090d1f416')
diff --git a/tempest/api/compute/admin/test_quotas.py b/tempest/api/compute/admin/test_quotas.py
index 35e682e..6b6db47 100644
--- a/tempest/api/compute/admin/test_quotas.py
+++ b/tempest/api/compute/admin/test_quotas.py
@@ -34,9 +34,13 @@
         super(QuotasAdminTestJSON, self).setUp()
 
     @classmethod
+    def setup_clients(cls):
+        super(QuotasAdminTestJSON, cls).setup_clients()
+        cls.adm_client = cls.os_adm.quotas_client
+
+    @classmethod
     def resource_setup(cls):
         super(QuotasAdminTestJSON, cls).resource_setup()
-        cls.adm_client = cls.os_adm.quotas_client
 
         # NOTE(afazekas): these test cases should always create and use a new
         # tenant most of them should be skipped if we can't do that
diff --git a/tempest/api/compute/admin/test_quotas_negative.py b/tempest/api/compute/admin/test_quotas_negative.py
index 73428df..9b87bfc 100644
--- a/tempest/api/compute/admin/test_quotas_negative.py
+++ b/tempest/api/compute/admin/test_quotas_negative.py
@@ -27,12 +27,15 @@
     force_tenant_isolation = True
 
     @classmethod
-    def resource_setup(cls):
-        super(QuotasAdminNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(QuotasAdminNegativeTestJSON, cls).setup_clients()
         cls.client = cls.os.quotas_client
         cls.adm_client = cls.os_adm.quotas_client
         cls.sg_client = cls.security_groups_client
 
+    @classmethod
+    def resource_setup(cls):
+        super(QuotasAdminNegativeTestJSON, cls).resource_setup()
         # NOTE(afazekas): these test cases should always create and use a new
         # tenant most of them should be skipped if we can't do that
         cls.demo_tenant_id = cls.client.tenant_id
@@ -40,7 +43,7 @@
     @test.attr(type=['negative', 'gate'])
     @test.idempotent_id('733abfe8-166e-47bb-8363-23dbd7ff3476')
     def test_update_quota_normal_user(self):
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.client.update_quota_set,
                           self.demo_tenant_id,
                           ram=0)
@@ -61,7 +64,7 @@
 
         self.addCleanup(self.adm_client.update_quota_set, self.demo_tenant_id,
                         cores=default_vcpu_quota)
-        self.assertRaises((lib_exc.Unauthorized, lib_exc.OverLimit),
+        self.assertRaises((lib_exc.Forbidden, lib_exc.OverLimit),
                           self.create_test_server)
 
     @test.attr(type=['negative', 'gate'])
@@ -78,7 +81,7 @@
 
         self.addCleanup(self.adm_client.update_quota_set, self.demo_tenant_id,
                         ram=default_mem_quota)
-        self.assertRaises((lib_exc.Unauthorized, lib_exc.OverLimit),
+        self.assertRaises((lib_exc.Forbidden, lib_exc.OverLimit),
                           self.create_test_server)
 
     @test.attr(type=['negative', 'gate'])
@@ -94,7 +97,7 @@
                                          instances=instances_quota)
         self.addCleanup(self.adm_client.update_quota_set, self.demo_tenant_id,
                         instances=default_instances_quota)
-        self.assertRaises((lib_exc.Unauthorized, lib_exc.OverLimit),
+        self.assertRaises((lib_exc.Forbidden, lib_exc.OverLimit),
                           self.create_test_server)
 
     @decorators.skip_because(bug="1186354",
@@ -121,7 +124,7 @@
         # Check we cannot create anymore
         # A 403 Forbidden or 413 Overlimit (old behaviour) exception
         # will be raised when out of quota
-        self.assertRaises((lib_exc.Unauthorized, lib_exc.OverLimit),
+        self.assertRaises((lib_exc.Forbidden, lib_exc.OverLimit),
                           self.sg_client.create_security_group,
                           "sg-overlimit", "sg-desc")
 
@@ -161,6 +164,6 @@
         # Check we cannot create SG rule anymore
         # A 403 Forbidden or 413 Overlimit (old behaviour) exception
         # will be raised when out of quota
-        self.assertRaises((lib_exc.OverLimit, lib_exc.Unauthorized),
+        self.assertRaises((lib_exc.OverLimit, lib_exc.Forbidden),
                           self.sg_client.create_security_group_rule,
                           secgroup_id, ip_protocol, 1025, 1025)
diff --git a/tempest/api/compute/admin/test_security_groups.py b/tempest/api/compute/admin/test_security_groups.py
index 19f5b8c..58b5669 100644
--- a/tempest/api/compute/admin/test_security_groups.py
+++ b/tempest/api/compute/admin/test_security_groups.py
@@ -26,8 +26,8 @@
 class SecurityGroupsTestAdminJSON(base.BaseV2ComputeAdminTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(SecurityGroupsTestAdminJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(SecurityGroupsTestAdminJSON, cls).setup_clients()
         cls.adm_client = cls.os_adm.security_groups_client
         cls.client = cls.security_groups_client
 
diff --git a/tempest/api/compute/admin/test_servers.py b/tempest/api/compute/admin/test_servers.py
index adeb64b..e2e1665 100644
--- a/tempest/api/compute/admin/test_servers.py
+++ b/tempest/api/compute/admin/test_servers.py
@@ -28,12 +28,16 @@
     _host_key = 'OS-EXT-SRV-ATTR:host'
 
     @classmethod
-    def resource_setup(cls):
-        super(ServersAdminTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(ServersAdminTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.servers_client
         cls.non_admin_client = cls.servers_client
         cls.flavors_client = cls.os_adm.flavors_client
 
+    @classmethod
+    def resource_setup(cls):
+        super(ServersAdminTestJSON, cls).resource_setup()
+
         cls.s1_name = data_utils.rand_name('server')
         server = cls.create_test_server(name=cls.s1_name,
                                         wait_until='ACTIVE')
diff --git a/tempest/api/compute/admin/test_servers_negative.py b/tempest/api/compute/admin/test_servers_negative.py
index cafbf81..a9cb2ee 100644
--- a/tempest/api/compute/admin/test_servers_negative.py
+++ b/tempest/api/compute/admin/test_servers_negative.py
@@ -33,11 +33,15 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(ServersAdminNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(ServersAdminNegativeTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.servers_client
         cls.non_adm_client = cls.servers_client
         cls.flavors_client = cls.os_adm.flavors_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(ServersAdminNegativeTestJSON, cls).resource_setup()
         cls.tenant_id = cls.client.tenant_id
 
         cls.s1_name = data_utils.rand_name('server')
@@ -72,7 +76,7 @@
                                                        ram, vcpus, disk,
                                                        flavor_id)
         self.addCleanup(self.flavors_client.delete_flavor, flavor_id)
-        self.assertRaises((lib_exc.Unauthorized, lib_exc.OverLimit),
+        self.assertRaises((lib_exc.Forbidden, lib_exc.OverLimit),
                           self.client.resize,
                           self.servers[0]['id'],
                           flavor_ref['id'])
@@ -94,7 +98,7 @@
                                                        ram, vcpus, disk,
                                                        flavor_id)
         self.addCleanup(self.flavors_client.delete_flavor, flavor_id)
-        self.assertRaises((lib_exc.Unauthorized, lib_exc.OverLimit),
+        self.assertRaises((lib_exc.Forbidden, lib_exc.OverLimit),
                           self.client.resize,
                           self.servers[0]['id'],
                           flavor_ref['id'])
@@ -123,7 +127,7 @@
     @test.idempotent_id('e84e2234-60d2-42fa-8b30-e2d3049724ac')
     def test_get_server_diagnostics_by_non_admin(self):
         # Non-admin user can not view server diagnostics according to policy
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_adm_client.get_server_diagnostics,
                           self.s1_id)
 
diff --git a/tempest/api/compute/admin/test_services.py b/tempest/api/compute/admin/test_services.py
index a6f79aa..932a74e 100644
--- a/tempest/api/compute/admin/test_services.py
+++ b/tempest/api/compute/admin/test_services.py
@@ -25,8 +25,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(ServicesAdminTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(ServicesAdminTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.services_client
 
     @test.attr(type='gate')
diff --git a/tempest/api/compute/admin/test_services_negative.py b/tempest/api/compute/admin/test_services_negative.py
index b8974ca..2d4ec51 100644
--- a/tempest/api/compute/admin/test_services_negative.py
+++ b/tempest/api/compute/admin/test_services_negative.py
@@ -25,15 +25,15 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(ServicesAdminNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(ServicesAdminNegativeTestJSON, cls).setup_clients()
         cls.client = cls.os_adm.services_client
         cls.non_admin_client = cls.services_client
 
     @test.attr(type=['negative', 'gate'])
     @test.idempotent_id('1126d1f8-266e-485f-a687-adc547492646')
     def test_list_services_with_non_admin_user(self):
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.list_services)
 
     @test.attr(type=['negative', 'gate'])
diff --git a/tempest/api/compute/admin/test_simple_tenant_usage.py b/tempest/api/compute/admin/test_simple_tenant_usage.py
index be62b1d..cf7b672 100644
--- a/tempest/api/compute/admin/test_simple_tenant_usage.py
+++ b/tempest/api/compute/admin/test_simple_tenant_usage.py
@@ -23,10 +23,14 @@
 class TenantUsagesTestJSON(base.BaseV2ComputeAdminTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(TenantUsagesTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(TenantUsagesTestJSON, cls).setup_clients()
         cls.adm_client = cls.os_adm.tenant_usages_client
         cls.client = cls.os.tenant_usages_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(TenantUsagesTestJSON, cls).resource_setup()
         cls.tenant_id = cls.client.tenant_id
 
         # Create a server in the demo tenant
diff --git a/tempest/api/compute/admin/test_simple_tenant_usage_negative.py b/tempest/api/compute/admin/test_simple_tenant_usage_negative.py
index 8801e85..a83d727 100644
--- a/tempest/api/compute/admin/test_simple_tenant_usage_negative.py
+++ b/tempest/api/compute/admin/test_simple_tenant_usage_negative.py
@@ -23,11 +23,14 @@
 class TenantUsagesNegativeTestJSON(base.BaseV2ComputeAdminTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(TenantUsagesNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(TenantUsagesNegativeTestJSON, cls).setup_clients()
         cls.adm_client = cls.os_adm.tenant_usages_client
         cls.client = cls.os.tenant_usages_client
-        cls.identity_client = cls._get_identity_admin_client()
+
+    @classmethod
+    def resource_setup(cls):
+        super(TenantUsagesNegativeTestJSON, cls).resource_setup()
         now = datetime.datetime.now()
         cls.start = cls._parse_strtime(now - datetime.timedelta(days=1))
         cls.end = cls._parse_strtime(now + datetime.timedelta(days=1))
@@ -64,5 +67,5 @@
         params = {'start': self.start,
                   'end': self.end,
                   'detailed': int(bool(True))}
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.client.list_tenant_usages, params)
diff --git a/tempest/api/compute/flavors/test_flavors.py b/tempest/api/compute/flavors/test_flavors.py
index b9056c7..8a66282 100644
--- a/tempest/api/compute/flavors/test_flavors.py
+++ b/tempest/api/compute/flavors/test_flavors.py
@@ -24,8 +24,8 @@
     _min_ram = 'minRam'
 
     @classmethod
-    def resource_setup(cls):
-        super(FlavorsV2TestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(FlavorsV2TestJSON, cls).setup_clients()
         cls.client = cls.flavors_client
 
     @test.attr(type='smoke')
diff --git a/tempest/api/compute/images/test_image_metadata.py b/tempest/api/compute/images/test_image_metadata.py
index 8193a55..6844038 100644
--- a/tempest/api/compute/images/test_image_metadata.py
+++ b/tempest/api/compute/images/test_image_metadata.py
@@ -26,14 +26,21 @@
 class ImagesMetadataTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ImagesMetadataTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(ImagesMetadataTestJSON, cls).skip_checks()
         if not CONF.service_available.glance:
             skip_msg = ("%s skipped as glance is not available" % cls.__name__)
             raise cls.skipException(skip_msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(ImagesMetadataTestJSON, cls).setup_clients()
         cls.glance_client = cls.os.image_client
         cls.client = cls.images_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(ImagesMetadataTestJSON, cls).resource_setup()
         cls.image_id = None
 
         name = data_utils.rand_name('image')
diff --git a/tempest/api/compute/images/test_image_metadata_negative.py b/tempest/api/compute/images/test_image_metadata_negative.py
index d181ed9..9f1c21a 100644
--- a/tempest/api/compute/images/test_image_metadata_negative.py
+++ b/tempest/api/compute/images/test_image_metadata_negative.py
@@ -23,8 +23,8 @@
 class ImagesMetadataTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ImagesMetadataTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(ImagesMetadataTestJSON, cls).setup_clients()
         cls.client = cls.images_client
 
     @test.attr(type=['negative', 'gate'])
diff --git a/tempest/api/compute/images/test_images.py b/tempest/api/compute/images/test_images.py
index 396d629..c29c40d 100644
--- a/tempest/api/compute/images/test_images.py
+++ b/tempest/api/compute/images/test_images.py
@@ -23,17 +23,19 @@
 class ImagesTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ImagesTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(ImagesTestJSON, cls).skip_checks()
         if not CONF.service_available.glance:
             skip_msg = ("%s skipped as glance is not available" % cls.__name__)
             raise cls.skipException(skip_msg)
-
         if not CONF.compute_feature_enabled.snapshot:
             skip_msg = ("%s skipped as instance snapshotting is not supported"
                         % cls.__name__)
             raise cls.skipException(skip_msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(ImagesTestJSON, cls).setup_clients()
         cls.client = cls.images_client
         cls.servers_client = cls.servers_client
 
diff --git a/tempest/api/compute/images/test_images_negative.py b/tempest/api/compute/images/test_images_negative.py
index ee52f37..85243f5 100644
--- a/tempest/api/compute/images/test_images_negative.py
+++ b/tempest/api/compute/images/test_images_negative.py
@@ -25,17 +25,19 @@
 class ImagesNegativeTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ImagesNegativeTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(ImagesNegativeTestJSON, cls).skip_checks()
         if not CONF.service_available.glance:
             skip_msg = ("%s skipped as glance is not available" % cls.__name__)
             raise cls.skipException(skip_msg)
-
         if not CONF.compute_feature_enabled.snapshot:
             skip_msg = ("%s skipped as instance snapshotting is not supported"
                         % cls.__name__)
             raise cls.skipException(skip_msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(ImagesNegativeTestJSON, cls).setup_clients()
         cls.client = cls.images_client
         cls.servers_client = cls.servers_client
 
diff --git a/tempest/api/compute/images/test_images_oneserver.py b/tempest/api/compute/images/test_images_oneserver.py
index abdeb18..337d5d1 100644
--- a/tempest/api/compute/images/test_images_oneserver.py
+++ b/tempest/api/compute/images/test_images_oneserver.py
@@ -47,9 +47,8 @@
             self.__class__.server_id = self.rebuild_server(self.server_id)
 
     @classmethod
-    def resource_setup(cls):
-        super(ImagesOneServerTestJSON, cls).resource_setup()
-        cls.client = cls.images_client
+    def skip_checks(cls):
+        super(ImagesOneServerTestJSON, cls).skip_checks()
         if not CONF.service_available.glance:
             skip_msg = ("%s skipped as glance is not available" % cls.__name__)
             raise cls.skipException(skip_msg)
@@ -59,6 +58,14 @@
                         % cls.__name__)
             raise cls.skipException(skip_msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(ImagesOneServerTestJSON, cls).setup_clients()
+        cls.client = cls.images_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(ImagesOneServerTestJSON, cls).resource_setup()
         server = cls.create_test_server(wait_until='ACTIVE')
         cls.server_id = server['id']
 
diff --git a/tempest/api/compute/images/test_images_oneserver_negative.py b/tempest/api/compute/images/test_images_oneserver_negative.py
index f6a4aec..a50a09d 100644
--- a/tempest/api/compute/images/test_images_oneserver_negative.py
+++ b/tempest/api/compute/images/test_images_oneserver_negative.py
@@ -56,9 +56,8 @@
         self.__class__.server_id = self.rebuild_server(self.server_id)
 
     @classmethod
-    def resource_setup(cls):
-        super(ImagesOneServerNegativeTestJSON, cls).resource_setup()
-        cls.client = cls.images_client
+    def skip_checks(cls):
+        super(ImagesOneServerNegativeTestJSON, cls).skip_checks()
         if not CONF.service_available.glance:
             skip_msg = ("%s skipped as glance is not available" % cls.__name__)
             raise cls.skipException(skip_msg)
@@ -68,6 +67,14 @@
                         % cls.__name__)
             raise cls.skipException(skip_msg)
 
+    @classmethod
+    def setup_clients(cls):
+        super(ImagesOneServerNegativeTestJSON, cls).setup_clients()
+        cls.client = cls.images_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(ImagesOneServerNegativeTestJSON, cls).resource_setup()
         server = cls.create_test_server(wait_until='ACTIVE')
         cls.server_id = server['id']
 
diff --git a/tempest/api/compute/images/test_list_image_filters.py b/tempest/api/compute/images/test_list_image_filters.py
index 6176d85..36b9a46 100644
--- a/tempest/api/compute/images/test_list_image_filters.py
+++ b/tempest/api/compute/images/test_list_image_filters.py
@@ -32,14 +32,22 @@
 class ListImageFiltersTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ListImageFiltersTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(ListImageFiltersTestJSON, cls).skip_checks()
         if not CONF.service_available.glance:
             skip_msg = ("%s skipped as glance is not available" % cls.__name__)
             raise cls.skipException(skip_msg)
+
+    @classmethod
+    def setup_clients(cls):
+        super(ListImageFiltersTestJSON, cls).setup_clients()
         cls.client = cls.images_client
         cls.glance_client = cls.os.image_client
 
+    @classmethod
+    def resource_setup(cls):
+        super(ListImageFiltersTestJSON, cls).resource_setup()
+
         def _create_image():
             name = data_utils.rand_name('image')
             body = cls.glance_client.create_image(name=name,
diff --git a/tempest/api/compute/images/test_list_image_filters_negative.py b/tempest/api/compute/images/test_list_image_filters_negative.py
index e5418ad..d660e2b 100644
--- a/tempest/api/compute/images/test_list_image_filters_negative.py
+++ b/tempest/api/compute/images/test_list_image_filters_negative.py
@@ -25,11 +25,15 @@
 class ListImageFiltersNegativeTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ListImageFiltersNegativeTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(ListImageFiltersNegativeTestJSON, cls).skip_checks()
         if not CONF.service_available.glance:
             skip_msg = ("%s skipped as glance is not available" % cls.__name__)
             raise cls.skipException(skip_msg)
+
+    @classmethod
+    def setup_clients(cls):
+        super(ListImageFiltersNegativeTestJSON, cls).setup_clients()
         cls.client = cls.images_client
 
     @test.attr(type=['negative', 'gate'])
diff --git a/tempest/api/compute/images/test_list_images.py b/tempest/api/compute/images/test_list_images.py
index 36451ec..7a7a363 100644
--- a/tempest/api/compute/images/test_list_images.py
+++ b/tempest/api/compute/images/test_list_images.py
@@ -23,11 +23,15 @@
 class ListImagesTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ListImagesTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(ListImagesTestJSON, cls).skip_checks()
         if not CONF.service_available.glance:
             skip_msg = ("%s skipped as glance is not available" % cls.__name__)
             raise cls.skipException(skip_msg)
+
+    @classmethod
+    def setup_clients(cls):
+        super(ListImagesTestJSON, cls).setup_clients()
         cls.client = cls.images_client
 
     @test.attr(type='smoke')
diff --git a/tempest/api/compute/keypairs/test_keypairs.py b/tempest/api/compute/keypairs/test_keypairs.py
index 972f0de..d7c6f0b 100644
--- a/tempest/api/compute/keypairs/test_keypairs.py
+++ b/tempest/api/compute/keypairs/test_keypairs.py
@@ -23,8 +23,8 @@
     _api_version = 2
 
     @classmethod
-    def resource_setup(cls):
-        super(KeyPairsV2TestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(KeyPairsV2TestJSON, cls).setup_clients()
         cls.client = cls.keypairs_client
 
     def _delete_keypair(self, keypair_name):
diff --git a/tempest/api/compute/keypairs/test_keypairs_negative.py b/tempest/api/compute/keypairs/test_keypairs_negative.py
index e63f3c7..71e2bd7 100644
--- a/tempest/api/compute/keypairs/test_keypairs_negative.py
+++ b/tempest/api/compute/keypairs/test_keypairs_negative.py
@@ -24,8 +24,8 @@
 class KeyPairsNegativeTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(KeyPairsNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(KeyPairsNegativeTestJSON, cls).setup_clients()
         cls.client = cls.keypairs_client
 
     def _create_keypair(self, keypair_name, pub_key=None):
diff --git a/tempest/api/compute/limits/test_absolute_limits_negative.py b/tempest/api/compute/limits/test_absolute_limits_negative.py
index 507f24e..843dc1a 100644
--- a/tempest/api/compute/limits/test_absolute_limits_negative.py
+++ b/tempest/api/compute/limits/test_absolute_limits_negative.py
@@ -53,5 +53,5 @@
 
         # A 403 Forbidden or 413 Overlimit (old behaviour) exception
         # will be raised when out of quota
-        self.assertRaises((lib_exc.Unauthorized, lib_exc.OverLimit),
+        self.assertRaises((lib_exc.Forbidden, lib_exc.OverLimit),
                           self.create_test_server, meta=meta_data)
diff --git a/tempest/api/compute/servers/test_availability_zone.py b/tempest/api/compute/servers/test_availability_zone.py
index 5962042..f3650ac 100644
--- a/tempest/api/compute/servers/test_availability_zone.py
+++ b/tempest/api/compute/servers/test_availability_zone.py
@@ -24,8 +24,8 @@
     _api_version = 2
 
     @classmethod
-    def resource_setup(cls):
-        super(AZV2TestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(AZV2TestJSON, cls).setup_clients()
         cls.client = cls.availability_zone_client
 
     @test.attr(type='gate')
diff --git a/tempest/api/compute/servers/test_create_server.py b/tempest/api/compute/servers/test_create_server.py
index 14eb536..03008f3 100644
--- a/tempest/api/compute/servers/test_create_server.py
+++ b/tempest/api/compute/servers/test_create_server.py
@@ -31,8 +31,18 @@
     disk_config = 'AUTO'
 
     @classmethod
-    def resource_setup(cls):
+    def setup_credentials(cls):
         cls.prepare_instance_network()
+        super(ServersTestJSON, cls).setup_credentials()
+
+    @classmethod
+    def setup_clients(cls):
+        super(ServersTestJSON, cls).setup_clients()
+        cls.client = cls.servers_client
+        cls.network_client = cls.os.network_client
+
+    @classmethod
+    def resource_setup(cls):
         super(ServersTestJSON, cls).resource_setup()
         cls.meta = {'hello': 'world'}
         cls.accessIPv4 = '1.1.1.1'
@@ -41,8 +51,6 @@
         file_contents = 'This is a test file.'
         personality = [{'path': '/test.txt',
                        'contents': base64.b64encode(file_contents)}]
-        cls.client = cls.servers_client
-        cls.network_client = cls.os.network_client
         disk_config = cls.disk_config
         cls.server_initial = cls.create_test_server(name=cls.name,
                                                     meta=cls.meta,
@@ -194,9 +202,9 @@
     disk_config = 'AUTO'
 
     @classmethod
-    def resource_setup(cls):
+    def setup_clients(cls):
         cls.prepare_instance_network()
-        super(ServersWithSpecificFlavorTestJSON, cls).resource_setup()
+        super(ServersWithSpecificFlavorTestJSON, cls).setup_clients()
         cls.flavor_client = cls.os_adm.flavors_client
         cls.client = cls.servers_client
 
@@ -277,8 +285,8 @@
     disk_config = 'MANUAL'
 
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(ServersTestManualDisk, cls).skip_checks()
         if not CONF.compute_feature_enabled.disk_config:
             msg = "DiskConfig extension not enabled."
             raise cls.skipException(msg)
-        super(ServersTestManualDisk, cls).resource_setup()
diff --git a/tempest/api/compute/servers/test_delete_server.py b/tempest/api/compute/servers/test_delete_server.py
index 6155958..7160265 100644
--- a/tempest/api/compute/servers/test_delete_server.py
+++ b/tempest/api/compute/servers/test_delete_server.py
@@ -28,8 +28,8 @@
     # for preventing "Quota exceeded for instances"
 
     @classmethod
-    def resource_setup(cls):
-        super(DeleteServersTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(DeleteServersTestJSON, cls).setup_clients()
         cls.client = cls.servers_client
 
     @test.attr(type='gate')
@@ -141,8 +141,8 @@
     # for preventing "Quota exceeded for instances".
 
     @classmethod
-    def resource_setup(cls):
-        super(DeleteServersAdminTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(DeleteServersAdminTestJSON, cls).setup_clients()
         cls.non_admin_client = cls.servers_client
         cls.admin_client = cls.os_adm.servers_client
 
diff --git a/tempest/api/compute/servers/test_disk_config.py b/tempest/api/compute/servers/test_disk_config.py
index a15a9b7..c4cb2bd 100644
--- a/tempest/api/compute/servers/test_disk_config.py
+++ b/tempest/api/compute/servers/test_disk_config.py
@@ -25,12 +25,20 @@
 class ServerDiskConfigTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(ServerDiskConfigTestJSON, cls).skip_checks()
         if not CONF.compute_feature_enabled.disk_config:
             msg = "DiskConfig extension not enabled."
             raise cls.skipException(msg)
-        super(ServerDiskConfigTestJSON, cls).resource_setup()
+
+    @classmethod
+    def setup_clients(cls):
+        super(ServerDiskConfigTestJSON, cls).setup_clients()
         cls.client = cls.os.servers_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(ServerDiskConfigTestJSON, cls).resource_setup()
         server = cls.create_test_server(wait_until='ACTIVE')
         cls.server_id = server['id']
 
diff --git a/tempest/api/compute/servers/test_instance_actions.py b/tempest/api/compute/servers/test_instance_actions.py
index b00221c..c804170 100644
--- a/tempest/api/compute/servers/test_instance_actions.py
+++ b/tempest/api/compute/servers/test_instance_actions.py
@@ -20,9 +20,13 @@
 class InstanceActionsTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
+    def setup_clients(cls):
+        super(InstanceActionsTestJSON, cls).setup_clients()
+        cls.client = cls.servers_client
+
+    @classmethod
     def resource_setup(cls):
         super(InstanceActionsTestJSON, cls).resource_setup()
-        cls.client = cls.servers_client
         server = cls.create_test_server(wait_until='ACTIVE')
         cls.request_id = server.response['x-compute-request-id']
         cls.server_id = server['id']
diff --git a/tempest/api/compute/servers/test_instance_actions_negative.py b/tempest/api/compute/servers/test_instance_actions_negative.py
index a0064b2..2eb46f5 100644
--- a/tempest/api/compute/servers/test_instance_actions_negative.py
+++ b/tempest/api/compute/servers/test_instance_actions_negative.py
@@ -23,9 +23,13 @@
 class InstanceActionsNegativeTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
+    def setup_clients(cls):
+        super(InstanceActionsNegativeTestJSON, cls).setup_clients()
+        cls.client = cls.servers_client
+
+    @classmethod
     def resource_setup(cls):
         super(InstanceActionsNegativeTestJSON, cls).resource_setup()
-        cls.client = cls.servers_client
         server = cls.create_test_server(wait_until='ACTIVE')
         cls.server_id = server['id']
 
diff --git a/tempest/api/compute/servers/test_list_servers_negative.py b/tempest/api/compute/servers/test_list_servers_negative.py
index 7837ac1..1c466c5 100644
--- a/tempest/api/compute/servers/test_list_servers_negative.py
+++ b/tempest/api/compute/servers/test_list_servers_negative.py
@@ -24,9 +24,13 @@
     force_tenant_isolation = True
 
     @classmethod
+    def setup_clients(cls):
+        super(ListServersNegativeTestJSON, cls).setup_clients()
+        cls.client = cls.servers_client
+
+    @classmethod
     def resource_setup(cls):
         super(ListServersNegativeTestJSON, cls).resource_setup()
-        cls.client = cls.servers_client
 
         # The following servers are created for use
         # by the test methods in this class. These
diff --git a/tempest/api/compute/servers/test_server_actions.py b/tempest/api/compute/servers/test_server_actions.py
index ce3772f..2f657c9 100644
--- a/tempest/api/compute/servers/test_server_actions.py
+++ b/tempest/api/compute/servers/test_server_actions.py
@@ -53,10 +53,14 @@
         super(ServerActionsTestJSON, self).tearDown()
 
     @classmethod
+    def setup_clients(cls):
+        super(ServerActionsTestJSON, cls).setup_clients()
+        cls.client = cls.servers_client
+
+    @classmethod
     def resource_setup(cls):
         cls.prepare_instance_network()
         super(ServerActionsTestJSON, cls).resource_setup()
-        cls.client = cls.servers_client
         cls.server_id = cls.rebuild_server(None)
 
     @test.idempotent_id('6158df09-4b82-4ab3-af6d-29cf36af858d')
diff --git a/tempest/api/compute/servers/test_server_group.py b/tempest/api/compute/servers/test_server_group.py
index ac04feb..d1c6256 100644
--- a/tempest/api/compute/servers/test_server_group.py
+++ b/tempest/api/compute/servers/test_server_group.py
@@ -28,12 +28,20 @@
     It also adds the tests for list and get details of server-groups
     """
     @classmethod
-    def resource_setup(cls):
-        super(ServerGroupTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(ServerGroupTestJSON, cls).skip_checks()
         if not test.is_extension_enabled('os-server-groups', 'compute'):
             msg = "os-server-groups extension is not enabled."
             raise cls.skipException(msg)
+
+    @classmethod
+    def setup_clients(cls):
+        super(ServerGroupTestJSON, cls).setup_clients()
         cls.client = cls.servers_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(ServerGroupTestJSON, cls).resource_setup()
         server_group_name = data_utils.rand_name('server-group')
         cls.policy = ['affinity']
 
diff --git a/tempest/api/compute/servers/test_server_metadata.py b/tempest/api/compute/servers/test_server_metadata.py
index 4a14228..3bdd380 100644
--- a/tempest/api/compute/servers/test_server_metadata.py
+++ b/tempest/api/compute/servers/test_server_metadata.py
@@ -20,10 +20,14 @@
 class ServerMetadataTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ServerMetadataTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(ServerMetadataTestJSON, cls).setup_clients()
         cls.client = cls.servers_client
         cls.quotas = cls.quotas_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(ServerMetadataTestJSON, cls).resource_setup()
         server = cls.create_test_server(meta={}, wait_until='ACTIVE')
         cls.server_id = server['id']
 
diff --git a/tempest/api/compute/servers/test_server_metadata_negative.py b/tempest/api/compute/servers/test_server_metadata_negative.py
index 0eb3800..833832e 100644
--- a/tempest/api/compute/servers/test_server_metadata_negative.py
+++ b/tempest/api/compute/servers/test_server_metadata_negative.py
@@ -23,10 +23,14 @@
 class ServerMetadataNegativeTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ServerMetadataNegativeTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(ServerMetadataNegativeTestJSON, cls).setup_clients()
         cls.client = cls.servers_client
         cls.quotas = cls.quotas_client
+
+    @classmethod
+    def resource_setup(cls):
+        super(ServerMetadataNegativeTestJSON, cls).resource_setup()
         cls.tenant_id = cls.client.tenant_id
         server = cls.create_test_server(meta={}, wait_until='ACTIVE')
 
@@ -141,14 +145,14 @@
         req_metadata = {}
         for num in range(1, quota_metadata + 2):
             req_metadata['key' + str(num)] = 'val' + str(num)
-        self.assertRaises((lib_exc.OverLimit, lib_exc.Unauthorized),
+        self.assertRaises((lib_exc.OverLimit, lib_exc.Forbidden),
                           self.client.set_server_metadata,
                           self.server_id, req_metadata)
 
         # A 403 Forbidden or 413 Overlimit (old behaviour) exception
         # will be raised while exceeding metadata items limit for
         # tenant.
-        self.assertRaises((lib_exc.Unauthorized, lib_exc.OverLimit),
+        self.assertRaises((lib_exc.Forbidden, lib_exc.OverLimit),
                           self.client.update_server_metadata,
                           self.server_id, req_metadata)
 
diff --git a/tempest/api/compute/servers/test_server_password.py b/tempest/api/compute/servers/test_server_password.py
index 57fa408..a82fddf 100644
--- a/tempest/api/compute/servers/test_server_password.py
+++ b/tempest/api/compute/servers/test_server_password.py
@@ -21,9 +21,13 @@
 class ServerPasswordTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
+    def setup_clients(cls):
+        super(ServerPasswordTestJSON, cls).setup_clients()
+        cls.client = cls.servers_client
+
+    @classmethod
     def resource_setup(cls):
         super(ServerPasswordTestJSON, cls).resource_setup()
-        cls.client = cls.servers_client
         cls.server = cls.create_test_server(wait_until="ACTIVE")
 
     @test.attr(type='gate')
diff --git a/tempest/api/compute/servers/test_server_personality.py b/tempest/api/compute/servers/test_server_personality.py
index 4a28dfb..dbfee8f 100644
--- a/tempest/api/compute/servers/test_server_personality.py
+++ b/tempest/api/compute/servers/test_server_personality.py
@@ -23,8 +23,8 @@
 class ServerPersonalityTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ServerPersonalityTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(ServerPersonalityTestJSON, cls).setup_clients()
         cls.client = cls.servers_client
         cls.user_client = cls.limits_client
 
@@ -45,7 +45,7 @@
                                 'contents': base64.b64encode(file_contents)})
         # A 403 Forbidden or 413 Overlimit (old behaviour) exception
         # will be raised when out of quota
-        self.assertRaises((lib_exc.Unauthorized, lib_exc.OverLimit),
+        self.assertRaises((lib_exc.Forbidden, lib_exc.OverLimit),
                           self.create_test_server, personality=personality)
 
     @test.attr(type='gate')
diff --git a/tempest/api/compute/servers/test_servers.py b/tempest/api/compute/servers/test_servers.py
index 624d9c2..8668d1a 100644
--- a/tempest/api/compute/servers/test_servers.py
+++ b/tempest/api/compute/servers/test_servers.py
@@ -21,8 +21,8 @@
 class ServersTestJSON(base.BaseV2ComputeTest):
 
     @classmethod
-    def resource_setup(cls):
-        super(ServersTestJSON, cls).resource_setup()
+    def setup_clients(cls):
+        super(ServersTestJSON, cls).setup_clients()
         cls.client = cls.servers_client
 
     def tearDown(self):
diff --git a/tempest/api/compute/servers/test_servers_negative.py b/tempest/api/compute/servers/test_servers_negative.py
index dd82893..e696c6b 100644
--- a/tempest/api/compute/servers/test_servers_negative.py
+++ b/tempest/api/compute/servers/test_servers_negative.py
@@ -41,11 +41,19 @@
         super(ServersNegativeTestJSON, self).tearDown()
 
     @classmethod
+    def setup_credentials(cls):
+        super(ServersNegativeTestJSON, cls).setup_credentials()
+        cls.alt_os = clients.Manager(cls.isolated_creds.get_alt_creds())
+
+    @classmethod
+    def setup_clients(cls):
+        super(ServersNegativeTestJSON, cls).setup_clients()
+        cls.client = cls.servers_client
+        cls.alt_client = cls.alt_os.servers_client
+
+    @classmethod
     def resource_setup(cls):
         super(ServersNegativeTestJSON, cls).resource_setup()
-        cls.client = cls.servers_client
-        cls.alt_os = clients.Manager(cls.isolated_creds.get_alt_creds())
-        cls.alt_client = cls.alt_os.servers_client
         server = cls.create_test_server(wait_until='ACTIVE')
         cls.server_id = server['id']
 
diff --git a/tempest/api/compute/test_live_block_migration.py b/tempest/api/compute/test_live_block_migration.py
index d2221e1..c3f91ee 100644
--- a/tempest/api/compute/test_live_block_migration.py
+++ b/tempest/api/compute/test_live_block_migration.py
@@ -27,12 +27,15 @@
     _host_key = 'OS-EXT-SRV-ATTR:host'
 
     @classmethod
-    def resource_setup(cls):
-        super(LiveBlockMigrationTestJSON, cls).resource_setup()
-
+    def setup_clients(cls):
+        super(LiveBlockMigrationTestJSON, cls).setup_clients()
         cls.admin_hosts_client = cls.os_adm.hosts_client
         cls.admin_servers_client = cls.os_adm.servers_client
 
+    @classmethod
+    def resource_setup(cls):
+        super(LiveBlockMigrationTestJSON, cls).resource_setup()
+
         cls.created_server_ids = []
 
     def _get_compute_hostnames(self):
diff --git a/tempest/api/compute/test_live_block_migration_negative.py b/tempest/api/compute/test_live_block_migration_negative.py
index bed53d6..1a4e0c6 100644
--- a/tempest/api/compute/test_live_block_migration_negative.py
+++ b/tempest/api/compute/test_live_block_migration_negative.py
@@ -27,10 +27,14 @@
     _host_key = 'OS-EXT-SRV-ATTR:host'
 
     @classmethod
-    def resource_setup(cls):
-        super(LiveBlockMigrationNegativeTestJSON, cls).resource_setup()
+    def skip_checks(cls):
+        super(LiveBlockMigrationNegativeTestJSON, cls).skip_checks()
         if not CONF.compute_feature_enabled.live_migration:
             raise cls.skipException("Live migration is not enabled")
+
+    @classmethod
+    def setup_clients(cls):
+        super(LiveBlockMigrationNegativeTestJSON, cls).setup_clients()
         cls.admin_hosts_client = cls.os_adm.hosts_client
         cls.admin_servers_client = cls.os_adm.servers_client
 
diff --git a/tempest/api/compute/test_networks.py b/tempest/api/compute/test_networks.py
index c30beb7..2279723 100644
--- a/tempest/api/compute/test_networks.py
+++ b/tempest/api/compute/test_networks.py
@@ -21,10 +21,14 @@
 
 class NetworksTestJSON(base.BaseV2ComputeTest):
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(NetworksTestJSON, cls).skip_checks()
         if CONF.service_available.neutron:
             raise cls.skipException('nova-network is not available.')
-        super(NetworksTestJSON, cls).resource_setup()
+
+    @classmethod
+    def setup_clients(cls):
+        super(NetworksTestJSON, cls).setup_clients()
         cls.client = cls.os.networks_client
 
     @test.attr(type='gate')
diff --git a/tempest/api/compute/test_quotas.py b/tempest/api/compute/test_quotas.py
index 1df67d9..86bf5fa 100644
--- a/tempest/api/compute/test_quotas.py
+++ b/tempest/api/compute/test_quotas.py
@@ -26,9 +26,13 @@
         super(QuotasTestJSON, self).setUp()
 
     @classmethod
+    def setup_clients(cls):
+        super(QuotasTestJSON, cls).setup_clients()
+        cls.client = cls.quotas_client
+
+    @classmethod
     def resource_setup(cls):
         super(QuotasTestJSON, cls).resource_setup()
-        cls.client = cls.quotas_client
         cls.tenant_id = cls.client.tenant_id
         cls.user_id = cls.client.user_id
         cls.default_quota_set = set(('injected_file_content_bytes',
diff --git a/tempest/api/identity/admin/v2/test_roles_negative.py b/tempest/api/identity/admin/v2/test_roles_negative.py
index be9fb52..0885eab 100644
--- a/tempest/api/identity/admin/v2/test_roles_negative.py
+++ b/tempest/api/identity/admin/v2/test_roles_negative.py
@@ -35,7 +35,7 @@
     @test.idempotent_id('d5d5f1df-f8ca-4de0-b2ef-259c1cc67025')
     def test_list_roles_by_unauthorized_user(self):
         # Non-administrator user should not be able to list roles
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.list_roles)
 
     @test.attr(type=['negative', 'gate'])
@@ -58,7 +58,7 @@
     def test_create_role_by_unauthorized_user(self):
         # Non-administrator user should not be able to create role
         role_name = data_utils.rand_name(name='role-')
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.create_role, role_name)
 
     @test.attr(type=['negative', 'gate'])
@@ -91,7 +91,7 @@
         body = self.client.create_role(role_name)
         self.data.roles.append(body)
         role_id = body.get('id')
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.delete_role, role_id)
 
     @test.attr(type=['negative', 'gate'])
@@ -123,7 +123,7 @@
         # Non-administrator user should not be authorized to
         # assign a role to user
         (user, tenant, role) = self._get_role_params()
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.assign_user_role,
                           tenant['id'], user['id'], role['id'])
 
@@ -175,7 +175,7 @@
         self.client.assign_user_role(tenant['id'],
                                      user['id'],
                                      role['id'])
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.remove_user_role,
                           tenant['id'], user['id'], role['id'])
 
@@ -225,7 +225,7 @@
         # a user's roles
         (user, tenant, role) = self._get_role_params()
         self.client.assign_user_role(tenant['id'], user['id'], role['id'])
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.list_user_roles, tenant['id'],
                           user['id'])
 
diff --git a/tempest/api/identity/admin/v2/test_tenant_negative.py b/tempest/api/identity/admin/v2/test_tenant_negative.py
index 8346a3d..952b625 100644
--- a/tempest/api/identity/admin/v2/test_tenant_negative.py
+++ b/tempest/api/identity/admin/v2/test_tenant_negative.py
@@ -27,7 +27,7 @@
     @test.idempotent_id('ca9bb202-63dd-4240-8a07-8ef9c19c04bb')
     def test_list_tenants_by_unauthorized_user(self):
         # Non-administrator user should not be able to list tenants
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.list_tenants)
 
     @test.attr(type=['negative', 'gate'])
@@ -46,7 +46,7 @@
         tenant_name = data_utils.rand_name(name='tenant-')
         tenant = self.client.create_tenant(tenant_name)
         self.data.tenants.append(tenant)
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.delete_tenant, tenant['id'])
 
     @test.attr(type=['negative', 'gate'])
@@ -89,7 +89,7 @@
     def test_create_tenant_by_unauthorized_user(self):
         # Non-administrator user should not be authorized to create a tenant
         tenant_name = data_utils.rand_name(name='tenant-')
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.create_tenant, tenant_name)
 
     @test.attr(type=['negative', 'gate'])
@@ -132,7 +132,7 @@
         tenant_name = data_utils.rand_name(name='tenant-')
         tenant = self.client.create_tenant(tenant_name)
         self.data.tenants.append(tenant)
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.update_tenant, tenant['id'])
 
     @test.attr(type=['negative', 'gate'])
diff --git a/tempest/api/identity/admin/v2/test_users_negative.py b/tempest/api/identity/admin/v2/test_users_negative.py
index f40621b..0336ef1 100644
--- a/tempest/api/identity/admin/v2/test_users_negative.py
+++ b/tempest/api/identity/admin/v2/test_users_negative.py
@@ -35,7 +35,7 @@
     def test_create_user_by_unauthorized_user(self):
         # Non-administrator should not be authorized to create a user
         self.data.setup_test_tenant()
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.create_user, self.alt_user,
                           self.alt_password, self.data.tenant['id'],
                           self.alt_email)
@@ -131,7 +131,7 @@
     def test_update_user_by_unauthorized_user(self):
         # Non-administrator should not be authorized to update user
         self.data.setup_test_tenant()
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.update_user, self.alt_user)
 
     @test.attr(type=['negative', 'gate'])
@@ -139,7 +139,7 @@
     def test_delete_users_by_unauthorized_user(self):
         # Non-administrator user should not be authorized to delete a user
         self.data.setup_test_user()
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.delete_user,
                           self.data.user['id'])
 
@@ -220,7 +220,7 @@
     def test_get_users_by_unauthorized_user(self):
         # Non-administrator user should not be authorized to get user list
         self.data.setup_test_user()
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.get_users)
 
     @test.attr(type=['negative', 'gate'])
diff --git a/tempest/api/identity/admin/v3/test_projects_negative.py b/tempest/api/identity/admin/v3/test_projects_negative.py
index bc92900..897eecc 100644
--- a/tempest/api/identity/admin/v3/test_projects_negative.py
+++ b/tempest/api/identity/admin/v3/test_projects_negative.py
@@ -26,7 +26,7 @@
     @test.idempotent_id('24c49279-45dd-4155-887a-cb738c2385aa')
     def test_list_projects_by_unauthorized_user(self):
         # Non-admin user should not be able to list projects
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.non_admin_client.list_projects)
 
     @test.attr(type=['negative', 'gate'])
@@ -46,7 +46,7 @@
         # Non-admin user should not be authorized to create a project
         project_name = data_utils.rand_name('project-')
         self.assertRaises(
-            lib_exc.Unauthorized, self.non_admin_client.create_project,
+            lib_exc.Forbidden, self.non_admin_client.create_project,
             project_name)
 
     @test.attr(type=['negative', 'gate'])
@@ -72,7 +72,7 @@
         project = self.client.create_project(project_name)
         self.data.projects.append(project)
         self.assertRaises(
-            lib_exc.Unauthorized, self.non_admin_client.delete_project,
+            lib_exc.Forbidden, self.non_admin_client.delete_project,
             project['id'])
 
     @test.attr(type=['negative', 'gate'])
diff --git a/tempest/api/image/v2/test_images_member_negative.py b/tempest/api/image/v2/test_images_member_negative.py
index a0c59ff..c07db0e 100644
--- a/tempest/api/image/v2/test_images_member_negative.py
+++ b/tempest/api/image/v2/test_images_member_negative.py
@@ -37,7 +37,7 @@
                                                self.alt_tenant_id)
         self.assertEqual(member['status'], 'pending')
         self.assertNotIn(image_id, self._list_image_ids_as_alt())
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.os_img_client.update_member_status,
                           image_id, self.alt_tenant_id, 'accepted')
         self.assertNotIn(image_id, self._list_image_ids_as_alt())
diff --git a/tempest/api/object_storage/base.py b/tempest/api/object_storage/base.py
index 6a025d9..f75f4c8 100644
--- a/tempest/api/object_storage/base.py
+++ b/tempest/api/object_storage/base.py
@@ -15,7 +15,6 @@
 
 from tempest_lib import exceptions as lib_exc
 
-from tempest.api.identity import base
 from tempest import clients
 from tempest.common import credentials
 from tempest.common import custom_matchers
@@ -38,29 +37,25 @@
     def setup_credentials(cls):
         cls.set_network_resources()
         super(BaseObjectTest, cls).setup_credentials()
-
         cls.isolated_creds = credentials.get_isolated_credentials(
             cls.__name__, network_resources=cls.network_resources)
-        # Get isolated creds for normal user
-        cls.os = clients.Manager(cls.isolated_creds.get_primary_creds())
-        # Get isolated creds for admin user
-        cls.os_admin = clients.Manager(cls.isolated_creds.get_admin_creds())
-        cls.data = SwiftDataGenerator(cls.os_admin.identity_client)
-        # Get isolated creds for alt user
-        cls.os_alt = clients.Manager(cls.isolated_creds.get_alt_creds())
+        operator_role = CONF.object_storage.operator_role
+        if not cls.isolated_creds.is_role_available(operator_role):
+            skip_msg = ("%s skipped because the configured credential provider"
+                        " is not able to provide credentials with the %s role "
+                        "assigned." % (cls.__name__, operator_role))
+            raise cls.skipException(skip_msg)
+        else:
+            # Get isolated creds for normal user
+            cls.os = clients.Manager(cls.isolated_creds.get_creds_by_roles(
+                [operator_role]))
 
     @classmethod
     def setup_clients(cls):
         super(BaseObjectTest, cls).setup_clients()
-
         cls.object_client = cls.os.object_client
         cls.container_client = cls.os.container_client
         cls.account_client = cls.os.account_client
-        cls.token_client = cls.os_admin.token_client
-        cls.identity_admin_client = cls.os_admin.identity_client
-        cls.object_client_alt = cls.os_alt.object_client
-        cls.container_client_alt = cls.os_alt.container_client
-        cls.identity_client_alt = cls.os_alt.identity_client
 
     @classmethod
     def resource_setup(cls):
@@ -70,12 +65,9 @@
         cls.object_client.auth_provider.clear_auth()
         cls.container_client.auth_provider.clear_auth()
         cls.account_client.auth_provider.clear_auth()
-        cls.object_client_alt.auth_provider.clear_auth()
-        cls.container_client_alt.auth_provider.clear_auth()
 
     @classmethod
     def resource_cleanup(cls):
-        cls.data.teardown_all()
         cls.isolated_creds.clear_isolated_creds()
         super(BaseObjectTest, cls).resource_cleanup()
 
@@ -119,28 +111,3 @@
         self.assertThat(resp, custom_matchers.ExistsAllResponseHeaders(
                         target, method))
         self.assertThat(resp, custom_matchers.AreAllWellFormatted())
-
-
-class SwiftDataGenerator(base.DataGenerator):
-
-    def setup_test_user(self, reseller=False):
-        super(SwiftDataGenerator, self).setup_test_user()
-        if reseller:
-            role_name = CONF.object_storage.reseller_admin_role
-        else:
-            role_name = CONF.object_storage.operator_role
-        role_id = self._get_role_id(role_name)
-        self._assign_role(role_id)
-
-    def _get_role_id(self, role_name):
-        try:
-            roles = self.client.list_roles()
-            return next(r['id'] for r in roles if r['name'] == role_name)
-        except StopIteration:
-            msg = "Role name '%s' is not found" % role_name
-            raise lib_exc.NotFound(msg)
-
-    def _assign_role(self, role_id):
-        self.client.assign_user_role(self.tenant['id'],
-                                     self.user['id'],
-                                     role_id)
diff --git a/tempest/api/object_storage/test_account_quotas.py b/tempest/api/object_storage/test_account_quotas.py
index 9b379f4..74bc519 100644
--- a/tempest/api/object_storage/test_account_quotas.py
+++ b/tempest/api/object_storage/test_account_quotas.py
@@ -26,8 +26,16 @@
     @classmethod
     def setup_credentials(cls):
         super(AccountQuotasTest, cls).setup_credentials()
-        cls.data.setup_test_user(reseller=True)
-        cls.os_reselleradmin = clients.Manager(cls.data.test_credentials)
+        reseller_admin_role = CONF.object_storage.reseller_admin_role
+        if not cls.isolated_creds.is_role_available(reseller_admin_role):
+            skip_msg = ("%s skipped because the configured credential provider"
+                        " is not able to provide credentials with the %s role "
+                        "assigned." % (cls.__name__, reseller_admin_role))
+            raise cls.skipException(skip_msg)
+        else:
+            cls.os_reselleradmin = clients.Manager(
+                cls.isolated_creds.get_creds_by_roles(
+                    roles=[reseller_admin_role]))
 
     @classmethod
     def resource_setup(cls):
diff --git a/tempest/api/object_storage/test_account_quotas_negative.py b/tempest/api/object_storage/test_account_quotas_negative.py
index 7d4008c..cfcdae4 100644
--- a/tempest/api/object_storage/test_account_quotas_negative.py
+++ b/tempest/api/object_storage/test_account_quotas_negative.py
@@ -29,8 +29,16 @@
     @classmethod
     def setup_credentials(cls):
         super(AccountQuotasNegativeTest, cls).setup_credentials()
-        cls.data.setup_test_user(reseller=True)
-        cls.os_reselleradmin = clients.Manager(cls.data.test_credentials)
+        reseller_admin_role = CONF.object_storage.reseller_admin_role
+        if not cls.isolated_creds.is_role_available(reseller_admin_role):
+            skip_msg = ("%s skipped because the configured credential provider"
+                        " is not able to provide credentials with the %s role "
+                        "assigned." % (cls.__name__, reseller_admin_role))
+            raise cls.skipException(skip_msg)
+        else:
+            cls.os_reselleradmin = clients.Manager(
+                cls.isolated_creds.get_creds_by_roles(
+                    roles=[reseller_admin_role]))
 
     @classmethod
     def resource_setup(cls):
@@ -86,12 +94,12 @@
         """
 
         # Not able to remove quota
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.account_client.create_account_metadata,
                           {"Quota-Bytes": ""})
 
         # Not able to modify quota
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.account_client.create_account_metadata,
                           {"Quota-Bytes": "100"})
 
diff --git a/tempest/api/object_storage/test_account_services.py b/tempest/api/object_storage/test_account_services.py
index 63d0425..14ccc12 100644
--- a/tempest/api/object_storage/test_account_services.py
+++ b/tempest/api/object_storage/test_account_services.py
@@ -32,6 +32,13 @@
     containers = []
 
     @classmethod
+    def setup_credentials(cls):
+        super(AccountTest, cls).setup_credentials()
+        cls.os_operator = clients.Manager(
+            cls.isolated_creds.get_creds_by_roles(
+                roles=[CONF.object_storage.operator_role], force_new=True))
+
+    @classmethod
     def resource_setup(cls):
         super(AccountTest, cls).resource_setup()
         for i in moves.xrange(ord('a'), ord('f') + 1):
@@ -63,12 +70,9 @@
 
         # To test listing no containers, create new user other than
         # the base user of this instance.
-        self.data.setup_test_user()
-
-        os_test_user = clients.Manager(self.data.test_credentials)
 
         resp, container_list = \
-            os_test_user.account_client.list_account_containers()
+            self.os_operator.account_client.list_account_containers()
 
         # When sending a request to an account which has not received a PUT
         # container request, the response does not contain 'accept-ranges'
diff --git a/tempest/api/object_storage/test_account_services_negative.py b/tempest/api/object_storage/test_account_services_negative.py
index f329675..4a482da 100644
--- a/tempest/api/object_storage/test_account_services_negative.py
+++ b/tempest/api/object_storage/test_account_services_negative.py
@@ -16,20 +16,27 @@
 
 from tempest.api.object_storage import base
 from tempest import clients
+from tempest import config
 from tempest import test
 
+CONF = config.CONF
+
 
 class AccountNegativeTest(base.BaseObjectTest):
 
+    @classmethod
+    def setup_credentials(cls):
+        super(AccountNegativeTest, cls).setup_credentials()
+        cls.os_operator = clients.Manager(
+            cls.isolated_creds.get_creds_by_roles(
+                roles=[CONF.object_storage.operator_role], force_new=True))
+
     @test.attr(type=['negative', 'gate'])
     @test.idempotent_id('070e6aca-6152-4867-868d-1118d68fb38c')
     def test_list_containers_with_non_authorized_user(self):
         # list containers using non-authorized user
 
-        # create user
-        self.data.setup_test_user()
-        test_os = clients.Manager(self.data.test_credentials)
-        test_auth_provider = test_os.auth_provider
+        test_auth_provider = self.os_operator.auth_provider
         # Get auth for the test user
         test_auth_provider.auth_data
 
@@ -44,6 +51,6 @@
 
         params = {'format': 'json'}
         # list containers with non-authorized user token
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.account_client.list_account_containers,
                           params=params)
diff --git a/tempest/api/object_storage/test_container_acl.py b/tempest/api/object_storage/test_container_acl.py
index 6368bec..2c00022 100644
--- a/tempest/api/object_storage/test_container_acl.py
+++ b/tempest/api/object_storage/test_container_acl.py
@@ -16,21 +16,25 @@
 from tempest.api.object_storage import base
 from tempest import clients
 from tempest.common.utils import data_utils
+from tempest import config
 from tempest import test
 
+CONF = config.CONF
+
 
 class ObjectTestACLs(base.BaseObjectTest):
 
     @classmethod
     def setup_credentials(cls):
         super(ObjectTestACLs, cls).setup_credentials()
-        cls.data.setup_test_user()
-        cls.test_os = clients.Manager(cls.data.test_credentials)
+        cls.os_operator = clients.Manager(
+            cls.isolated_creds.get_creds_by_roles(
+                roles=[CONF.object_storage.operator_role], force_new=True))
 
     @classmethod
     def resource_setup(cls):
         super(ObjectTestACLs, cls).resource_setup()
-        cls.test_auth_data = cls.test_os.auth_provider.auth_data
+        cls.test_auth_data = cls.os_operator.auth_provider.auth_data
 
     def setUp(self):
         super(ObjectTestACLs, self).setUp()
@@ -46,8 +50,9 @@
     def test_read_object_with_rights(self):
         # attempt to read object using authorized user
         # update X-Container-Read metadata ACL
-        cont_headers = {'X-Container-Read':
-                        self.data.test_tenant + ':' + self.data.test_user}
+        tenant_name = self.os_operator.credentials.tenant_name
+        username = self.os_operator.credentials.username
+        cont_headers = {'X-Container-Read': tenant_name + ':' + username}
         resp_meta, body = self.container_client.update_container_metadata(
             self.container_name, metadata=cont_headers,
             metadata_prefix='')
@@ -71,8 +76,9 @@
     def test_write_object_with_rights(self):
         # attempt to write object using authorized user
         # update X-Container-Write metadata ACL
-        cont_headers = {'X-Container-Write':
-                        self.data.test_tenant + ':' + self.data.test_user}
+        tenant_name = self.os_operator.credentials.tenant_name
+        username = self.os_operator.credentials.username
+        cont_headers = {'X-Container-Write': tenant_name + ':' + username}
         resp_meta, body = self.container_client.update_container_metadata(
             self.container_name, metadata=cont_headers,
             metadata_prefix='')
diff --git a/tempest/api/object_storage/test_container_acl_negative.py b/tempest/api/object_storage/test_container_acl_negative.py
index 5892340..18939f0 100644
--- a/tempest/api/object_storage/test_container_acl_negative.py
+++ b/tempest/api/object_storage/test_container_acl_negative.py
@@ -17,21 +17,25 @@
 from tempest.api.object_storage import base
 from tempest import clients
 from tempest.common.utils import data_utils
+from tempest import config
 from tempest import test
 
+CONF = config.CONF
+
 
 class ObjectACLsNegativeTest(base.BaseObjectTest):
 
     @classmethod
     def setup_credentials(cls):
         super(ObjectACLsNegativeTest, cls).setup_credentials()
-        cls.data.setup_test_user()
-        cls.test_os = clients.Manager(cls.data.test_credentials)
+        cls.os_operator = clients.Manager(
+            cls.isolated_creds.get_creds_by_roles(
+                roles=[CONF.object_storage.operator_role], force_new=True))
 
     @classmethod
     def resource_setup(cls):
         super(ObjectACLsNegativeTest, cls).resource_setup()
-        cls.test_auth_data = cls.test_os.auth_provider.auth_data
+        cls.test_auth_data = cls.os_operator.auth_provider.auth_data
 
     def setUp(self):
         super(ObjectACLsNegativeTest, self).setUp()
@@ -84,7 +88,7 @@
             request_part='headers',
             auth_data=self.test_auth_data
         )
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.object_client.create_object,
                           self.container_name, object_name, 'data', headers={})
 
@@ -102,7 +106,7 @@
             request_part='headers',
             auth_data=self.test_auth_data
         )
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.object_client.get_object,
                           self.container_name, object_name)
 
@@ -120,7 +124,7 @@
             request_part='headers',
             auth_data=self.test_auth_data
         )
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.object_client.delete_object,
                           self.container_name, object_name)
 
@@ -144,7 +148,7 @@
             request_part='headers',
             auth_data=self.test_auth_data
         )
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.object_client.get_object,
                           self.container_name, object_name)
 
@@ -164,7 +168,7 @@
             auth_data=self.test_auth_data
         )
         object_name = data_utils.rand_name(name='Object')
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.object_client.create_object,
                           self.container_name,
                           object_name, 'data', headers={})
@@ -174,8 +178,10 @@
     def test_write_object_without_write_rights(self):
         # attempt to write object using non-authorized user
         # update X-Container-Read and X-Container-Write metadata ACL
+        tenant_name = self.os_operator.credentials.tenant_name
+        username = self.os_operator.credentials.username
         cont_headers = {'X-Container-Read':
-                        self.data.test_tenant + ':' + self.data.test_user,
+                        tenant_name + ':' + username,
                         'X-Container-Write': ''}
         resp_meta, body = self.container_client.update_container_metadata(
             self.container_name, metadata=cont_headers,
@@ -187,7 +193,7 @@
             auth_data=self.test_auth_data
         )
         object_name = data_utils.rand_name(name='Object')
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.object_client.create_object,
                           self.container_name,
                           object_name, 'data', headers={})
@@ -197,8 +203,10 @@
     def test_delete_object_without_write_rights(self):
         # attempt to delete object using non-authorized user
         # update X-Container-Read and X-Container-Write metadata ACL
+        tenant_name = self.os_operator.credentials.tenant_name
+        username = self.os_operator.credentials.username
         cont_headers = {'X-Container-Read':
-                        self.data.test_tenant + ':' + self.data.test_user,
+                        tenant_name + ':' + username,
                         'X-Container-Write': ''}
         resp_meta, body = self.container_client.update_container_metadata(
             self.container_name, metadata=cont_headers,
@@ -214,7 +222,7 @@
             request_part='headers',
             auth_data=self.test_auth_data
         )
-        self.assertRaises(lib_exc.Unauthorized,
+        self.assertRaises(lib_exc.Forbidden,
                           self.object_client.delete_object,
                           self.container_name,
                           object_name)
diff --git a/tempest/api/object_storage/test_container_sync.py b/tempest/api/object_storage/test_container_sync.py
index 71f1275..ae42da6 100644
--- a/tempest/api/object_storage/test_container_sync.py
+++ b/tempest/api/object_storage/test_container_sync.py
@@ -19,6 +19,7 @@
 import urlparse
 
 from tempest.api.object_storage import base
+from tempest import clients
 from tempest.common.utils import data_utils
 from tempest import config
 from tempest import test
@@ -36,6 +37,18 @@
     clients = {}
 
     @classmethod
+    def setup_credentials(cls):
+        super(ContainerSyncTest, cls).setup_credentials()
+        cls.os_alt = clients.Manager(cls.isolated_creds.get_creds_by_roles(
+            [CONF.object_storage.operator_role], force_new=True))
+
+    @classmethod
+    def setup_clients(cls):
+        super(ContainerSyncTest, cls).setup_clients()
+        cls.object_client_alt = cls.os_alt.object_client
+        cls.container_client_alt = cls.os_alt.container_client
+
+    @classmethod
     def resource_setup(cls):
         super(ContainerSyncTest, cls).resource_setup()
         cls.containers = []
diff --git a/tempest/api/object_storage/test_object_services.py b/tempest/api/object_storage/test_object_services.py
index a4d0377..f9220cf 100644
--- a/tempest/api/object_storage/test_object_services.py
+++ b/tempest/api/object_storage/test_object_services.py
@@ -23,12 +23,17 @@
 import six
 
 from tempest.api.object_storage import base
+from tempest import clients
 from tempest.common import custom_matchers
 from tempest.common.utils import data_utils
+from tempest import config
 from tempest import test
 
+CONF = config.CONF
+
 
 class ObjectTest(base.BaseObjectTest):
+
     @classmethod
     def resource_setup(cls):
         super(ObjectTest, cls).resource_setup()
@@ -1016,6 +1021,19 @@
 
 
 class PublicObjectTest(base.BaseObjectTest):
+
+    @classmethod
+    def setup_credentials(cls):
+        super(PublicObjectTest, cls).setup_credentials()
+        cls.os_alt = clients.Manager(
+            cls.isolated_creds.get_creds_by_roles(
+                roles=[CONF.object_storage.operator_role], force_new=True))
+
+    @classmethod
+    def setup_clients(cls):
+        super(PublicObjectTest, cls).setup_clients()
+        cls.identity_client_alt = cls.os_alt.identity_client
+
     def setUp(self):
         super(PublicObjectTest, self).setUp()
         self.container_name = data_utils.rand_name(name='TestContainer')
diff --git a/tempest/api/orchestration/stacks/test_neutron_resources.py b/tempest/api/orchestration/stacks/test_neutron_resources.py
index 253d197..bed3f1b 100644
--- a/tempest/api/orchestration/stacks/test_neutron_resources.py
+++ b/tempest/api/orchestration/stacks/test_neutron_resources.py
@@ -96,7 +96,7 @@
         for resource in resources:
             cls.test_resources[resource['logical_resource_id']] = resource
 
-    @test.attr(type='slow')
+    @test.attr(type='gate')
     @test.idempotent_id('f9e2664c-bc44-4eef-98b6-495e4f9d74b3')
     def test_created_resources(self):
         """Verifies created neutron resources."""
@@ -115,7 +115,7 @@
             self.assertEqual(resource_type, resource['resource_type'])
             self.assertEqual('CREATE_COMPLETE', resource['resource_status'])
 
-    @test.attr(type='slow')
+    @test.attr(type='gate')
     @test.idempotent_id('c572b915-edb1-4e90-b196-c7199a6848c0')
     @test.services('network')
     def test_created_network(self):
@@ -128,7 +128,7 @@
         self.assertEqual(self.neutron_basic_template['resources'][
             'Network']['properties']['name'], network['name'])
 
-    @test.attr(type='slow')
+    @test.attr(type='gate')
     @test.idempotent_id('e8f84b96-f9d7-4684-ad5f-340203e9f2c2')
     @test.services('network')
     def test_created_subnet(self):
@@ -147,7 +147,7 @@
             'Subnet']['properties']['ip_version'], subnet['ip_version'])
         self.assertEqual(str(self.subnet_cidr), subnet['cidr'])
 
-    @test.attr(type='slow')
+    @test.attr(type='gate')
     @test.idempotent_id('96af4c7f-5069-44bc-bdcf-c0390f8a67d1')
     @test.services('network')
     def test_created_router(self):
@@ -161,7 +161,7 @@
                          router['external_gateway_info']['network_id'])
         self.assertEqual(True, router['admin_state_up'])
 
-    @test.attr(type='slow')
+    @test.attr(type='gate')
     @test.idempotent_id('89f605bd-153e-43ee-a0ed-9919b63423c5')
     @test.services('network')
     def test_created_router_interface(self):
@@ -185,7 +185,7 @@
         self.assertEqual(str(self.subnet_cidr.iter_hosts().next()),
                          router_interface_ip)
 
-    @test.attr(type='slow')
+    @test.attr(type='gate')
     @test.idempotent_id('75d85316-4ac2-4c0e-a1a9-edd2148fc10e')
     @test.services('compute', 'network')
     def test_created_server(self):
diff --git a/tempest/api_schema/response/compute/v2/servers.py b/tempest/api_schema/response/compute/v2/servers.py
index 0132350..83dbb4f 100644
--- a/tempest/api_schema/response/compute/v2/servers.py
+++ b/tempest/api_schema/response/compute/v2/servers.py
@@ -93,6 +93,15 @@
     # these attributes. So they are not 'required'.
     'hostId'
 )
+# NOTE(gmann): Update OS-EXT-IPS:type and OS-EXT-IPS-MAC:mac_addr
+# attributes in server address. Those are API extension,
+# and some environments return a response without
+# these attributes. So they are not 'required'.
+get_server['response_body']['properties']['server']['properties'][
+    'addresses']['patternProperties']['^[a-zA-Z0-9-_.]+$']['items'][
+    'properties'].update({
+        'OS-EXT-IPS:type': {'type': 'string'},
+        'OS-EXT-IPS-MAC:mac_addr': parameter_types.mac_address})
 
 list_virtual_interfaces = {
     'status_code': [200],
@@ -293,11 +302,21 @@
         'accessIPv4': parameter_types.access_ip_v4,
         'accessIPv6': parameter_types.access_ip_v6
     })
-# NOTE(GMann): OS-DCF:diskConfig, security_groups and accessIPv4/v6 are API
-# extensions, and some environments return a response
+# NOTE(GMann): OS-DCF:diskConfig, security_groups and accessIPv4/v6
+# are API extensions, and some environments return a response
 # without these attributes. So they are not 'required'.
 list_servers_detail['response_body']['properties']['servers']['items'][
     'required'].append('hostId')
+# NOTE(gmann): Update OS-EXT-IPS:type and OS-EXT-IPS-MAC:mac_addr
+# attributes in server address. Those are API extension,
+# and some environments return a response without
+# these attributes. So they are not 'required'.
+list_servers_detail['response_body']['properties']['servers']['items'][
+    'properties']['addresses']['patternProperties']['^[a-zA-Z0-9-_.]+$'][
+    'items']['properties'].update({
+        'OS-EXT-IPS:type': {'type': 'string'},
+        'OS-EXT-IPS-MAC:mac_addr': parameter_types.mac_address})
+
 
 rebuild_server = copy.deepcopy(update_server)
 rebuild_server['status_code'] = [202]
diff --git a/tempest/cli/simple_read_only/identity/__init__.py b/tempest/cli/simple_read_only/identity/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/tempest/cli/simple_read_only/identity/__init__.py
+++ /dev/null
diff --git a/tempest/cli/simple_read_only/identity/test_keystone.py b/tempest/cli/simple_read_only/identity/test_keystone.py
deleted file mode 100644
index 10a26d5..0000000
--- a/tempest/cli/simple_read_only/identity/test_keystone.py
+++ /dev/null
@@ -1,155 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-# All Rights Reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-import re
-
-from tempest_lib import exceptions
-
-from tempest import cli
-from tempest import config
-from tempest.openstack.common import log as logging
-from tempest import test
-
-CONF = config.CONF
-
-
-LOG = logging.getLogger(__name__)
-
-
-class SimpleReadOnlyKeystoneClientTest(cli.ClientTestBase):
-    """Basic, read-only tests for Keystone CLI client.
-
-    Checks return values and output of read-only commands.
-    These tests do not presume any content, nor do they create
-    their own. They only verify the structure of output if present.
-    """
-
-    def keystone(self, *args, **kwargs):
-        return self.clients.keystone(*args, **kwargs)
-
-    @test.idempotent_id('19c3ae95-3c19-4bba-8ba3-48ad19939b71')
-    def test_admin_fake_action(self):
-        self.assertRaises(exceptions.CommandFailed,
-                          self.keystone,
-                          'this-does-not-exist')
-
-    @test.idempotent_id('a1100917-c7c5-4887-a4da-f7d7f13194f5')
-    def test_admin_catalog_list(self):
-        out = self.keystone('catalog')
-        catalog = self.parser.details_multiple(out, with_label=True)
-        for svc in catalog:
-            if svc.get('__label'):
-                self.assertTrue(svc['__label'].startswith('Service:'),
-                                msg=('Invalid beginning of service block: '
-                                     '%s' % svc['__label']))
-            # check that region and publicURL exists. One might also
-            # check for adminURL and internalURL. id seems to be optional
-            # and is missing in the catalog backend
-            self.assertIn('publicURL', svc.keys())
-            self.assertIn('region', svc.keys())
-
-    @test.idempotent_id('35c73506-eab6-4abc-956e-42da90aba8ec')
-    def test_admin_endpoint_list(self):
-        out = self.keystone('endpoint-list')
-        endpoints = self.parser.listing(out)
-        self.assertTableStruct(endpoints, [
-            'id', 'region', 'publicurl', 'internalurl',
-            'adminurl', 'service_id'])
-
-    @test.idempotent_id('f17cb155-bd16-4f32-9956-1b073752fc07')
-    def test_admin_endpoint_service_match(self):
-        endpoints = self.parser.listing(self.keystone('endpoint-list'))
-        services = self.parser.listing(self.keystone('service-list'))
-        svc_by_id = {}
-        for svc in services:
-            svc_by_id[svc['id']] = svc
-        for endpoint in endpoints:
-            self.assertIn(endpoint['service_id'], svc_by_id)
-
-    @test.idempotent_id('be7176f2-9c34-4d84-bb7d-b4bc85d06a33')
-    def test_admin_role_list(self):
-        roles = self.parser.listing(self.keystone('role-list'))
-        self.assertTableStruct(roles, ['id', 'name'])
-
-    @test.idempotent_id('96a4de8d-aa9e-4ca5-89f0-985809eccd66')
-    def test_admin_service_list(self):
-        services = self.parser.listing(self.keystone('service-list'))
-        self.assertTableStruct(services, ['id', 'name', 'type', 'description'])
-
-    @test.idempotent_id('edb45480-0f7b-49eb-8f95-7562cbba96da')
-    def test_admin_tenant_list(self):
-        tenants = self.parser.listing(self.keystone('tenant-list'))
-        self.assertTableStruct(tenants, ['id', 'name', 'enabled'])
-
-    @test.idempotent_id('25a2753d-6bd1-40c0-addc-32864b00cb2d')
-    def test_admin_user_list(self):
-        users = self.parser.listing(self.keystone('user-list'))
-        self.assertTableStruct(users, [
-            'id', 'name', 'enabled', 'email'])
-
-    @test.idempotent_id('f92bf8d4-b27b-47c9-8450-e27c57758de9')
-    def test_admin_user_role_list(self):
-        user_roles = self.parser.listing(self.keystone('user-role-list'))
-        self.assertTableStruct(user_roles, [
-            'id', 'name', 'user_id', 'tenant_id'])
-
-    @test.idempotent_id('14a2687b-3ce1-404c-9f78-a0e28e2f8f7b')
-    def test_admin_discover(self):
-        discovered = self.keystone('discover')
-        self.assertIn('Keystone found at http', discovered)
-        self.assertIn('supports version', discovered)
-
-    @test.idempotent_id('9a567c8c-3787-4e5f-9c30-bed55f2b75c0')
-    def test_admin_help(self):
-        help_text = self.keystone('help')
-        lines = help_text.split('\n')
-        self.assertFirstLineStartsWith(lines, 'usage: keystone')
-
-        commands = []
-        cmds_start = lines.index('Positional arguments:')
-        cmds_end = lines.index('Optional arguments:')
-        command_pattern = re.compile('^ {4}([a-z0-9\-\_]+)')
-        for line in lines[cmds_start:cmds_end]:
-            match = command_pattern.match(line)
-            if match:
-                commands.append(match.group(1))
-        commands = set(commands)
-        wanted_commands = set(('catalog', 'endpoint-list', 'help',
-                               'token-get', 'discover', 'bootstrap'))
-        self.assertFalse(wanted_commands - commands)
-
-    @test.idempotent_id('a7b9e1fe-db31-4846-82c5-52a7aa9863c3')
-    def test_admin_bashcompletion(self):
-        self.keystone('bash-completion')
-
-    @test.idempotent_id('5328c681-df8b-4874-a65c-8fa278f0af8f')
-    def test_admin_ec2_credentials_list(self):
-        creds = self.keystone('ec2-credentials-list')
-        creds = self.parser.listing(creds)
-        self.assertTableStruct(creds, ['tenant', 'access', 'secret'])
-
-    # Optional arguments:
-
-    @test.idempotent_id('af95e809-ce95-4505-8627-170d803b1d13')
-    def test_admin_version(self):
-        self.keystone('', flags='--version')
-
-    @test.idempotent_id('9e26521f-7bfa-4d8e-9d61-fd364f0c20c0')
-    def test_admin_debug_list(self):
-        self.keystone('catalog', flags='--debug')
-
-    @test.idempotent_id('097b3a52-725f-4df7-84b6-277a2b6f6e38')
-    def test_admin_timeout(self):
-        self.keystone('catalog', flags='--timeout %d' % CONF.cli.timeout)
diff --git a/tempest/common/accounts.py b/tempest/common/accounts.py
index 89de69b..8766e7d 100644
--- a/tempest/common/accounts.py
+++ b/tempest/common/accounts.py
@@ -236,10 +236,16 @@
     def get_admin_creds(self):
         return self.get_creds_by_roles([CONF.identity.admin_role])
 
-    def admin_available(self):
-        if not self.hash_dict['roles'].get(CONF.identity.admin_role):
+    def is_role_available(self, role):
+        if self.use_default_creds:
             return False
-        return True
+        else:
+            if self.hash_dict['roles'].get(role):
+                return True
+            return False
+
+    def admin_available(self):
+        return self.is_role_available(CONF.identity.admin_role)
 
 
 class NotLockingAccounts(Accounts):
diff --git a/tempest/common/cred_provider.py b/tempest/common/cred_provider.py
index c22dc1f..ea628f6 100644
--- a/tempest/common/cred_provider.py
+++ b/tempest/common/cred_provider.py
@@ -117,3 +117,7 @@
     @abc.abstractmethod
     def get_creds_by_roles(self, roles, force_new=False):
         return
+
+    @abc.abstractmethod
+    def is_role_available(self, role):
+        return
diff --git a/tempest/common/isolated_creds.py b/tempest/common/isolated_creds.py
index b0531fd..72a3183 100644
--- a/tempest/common/isolated_creds.py
+++ b/tempest/common/isolated_creds.py
@@ -79,8 +79,15 @@
         except StopIteration:
             msg = 'No "%s" role found' % role_name
             raise lib_exc.NotFound(msg)
-        self.identity_admin_client.assign_user_role(tenant['id'], user['id'],
-                                                    role['id'])
+        try:
+            self.identity_admin_client.assign_user_role(tenant['id'],
+                                                        user['id'],
+                                                        role['id'])
+        except lib_exc.Conflict:
+            LOG.warning('Trying to add %s for user %s in tenant %s but they '
+                        ' were already granted that role' % (role_name,
+                                                             user['name'],
+                                                             tenant['name']))
 
     def _delete_user(self, user):
         self.identity_admin_client.delete_user(user)
@@ -114,11 +121,6 @@
         email = data_utils.rand_name(root) + suffix + "@example.com"
         user = self._create_user(username, self.password,
                                  tenant, email)
-        if CONF.service_available.swift:
-            # NOTE(andrey-mp): user needs this role to create containers
-            # in swift
-            swift_operator_role = CONF.object_storage.operator_role
-            self._assign_user_role(tenant, user, swift_operator_role)
         if admin:
             self._assign_user_role(tenant, user, CONF.identity.admin_role)
         # Add roles specified in config file
@@ -385,3 +387,6 @@
 
     def is_multi_tenant(self):
         return True
+
+    def is_role_available(self, role):
+        return True
diff --git a/tempest/common/service_client.py b/tempest/common/service_client.py
index fde05af..ad6610a 100644
--- a/tempest/common/service_client.py
+++ b/tempest/common/service_client.py
@@ -13,7 +13,6 @@
 #    under the License.
 
 from tempest_lib.common import rest_client
-from tempest_lib import exceptions as lib_exceptions
 
 from tempest import config
 
@@ -47,24 +46,6 @@
         super(ServiceClient, self).__init__(auth_provider, service, region,
                                             **params)
 
-    def request(self, method, url, extra_headers=False, headers=None,
-                body=None):
-        # TODO(oomichi): This translation is just for avoiding a single
-        # huge patch to migrate rest_client module to tempest-lib.
-        # Ideally(in the future), we need to remove this translation and
-        # replace each API tests with tempest-lib's exceptions.
-        try:
-            return super(ServiceClient, self).request(
-                method, url,
-                extra_headers=extra_headers,
-                headers=headers, body=body)
-        # TODO(oomichi): This is just a workaround for failing gate tests
-        # when separating Forbidden from Unauthorized in tempest-lib.
-        # We will need to remove this translation and replace negative tests
-        # with lib_exceptions.Forbidden in the future.
-        except lib_exceptions.Forbidden as ex:
-            raise lib_exceptions.Unauthorized(ex)
-
 
 class ResponseBody(dict):
     """Class that wraps an http response and dict body into a single value.
diff --git a/tempest/scenario/manager.py b/tempest/scenario/manager.py
index f24a22a..55d4a52 100644
--- a/tempest/scenario/manager.py
+++ b/tempest/scenario/manager.py
@@ -41,8 +41,8 @@
     """Base class for scenario tests. Uses tempest own clients. """
 
     @classmethod
-    def resource_setup(cls):
-        super(ScenarioTest, cls).resource_setup()
+    def setup_credentials(cls):
+        super(ScenarioTest, cls).setup_credentials()
         # TODO(andreaf) Some of the code from this resource_setup could be
         # moved into `BaseTestCase`
         cls.isolated_creds = credentials.get_isolated_credentials(
@@ -51,6 +51,10 @@
             credentials=cls.credentials()
         )
         cls.admin_manager = clients.Manager(cls.admin_credentials())
+
+    @classmethod
+    def setup_clients(cls):
+        super(ScenarioTest, cls).setup_clients()
         # Clients (in alphabetical order)
         cls.flavors_client = cls.manager.flavors_client
         cls.floating_ips_client = cls.manager.floating_ips_client
@@ -534,13 +538,13 @@
     """
 
     @classmethod
-    def check_preconditions(cls):
+    def skip_checks(cls):
+        super(NetworkScenarioTest, cls).skip_checks()
         if not CONF.service_available.neutron:
             raise cls.skipException('Neutron not available')
 
     @classmethod
     def resource_setup(cls):
-        cls.check_preconditions()
         super(NetworkScenarioTest, cls).resource_setup()
         cls.tenant_id = cls.manager.identity_client.tenant_id
 
@@ -1141,12 +1145,16 @@
 
 class BaremetalScenarioTest(ScenarioTest):
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(BaremetalScenarioTest, cls).skip_checks()
         if (not CONF.service_available.ironic or
            not CONF.baremetal.driver_enabled):
             msg = 'Ironic not available or Ironic compute driver not enabled'
             raise cls.skipException(msg)
-        super(BaremetalScenarioTest, cls).resource_setup()
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaremetalScenarioTest, cls).setup_credentials()
 
         # use an admin client manager for baremetal client
         manager = clients.Manager(
@@ -1154,6 +1162,9 @@
         )
         cls.baremetal_client = manager.baremetal_client
 
+    @classmethod
+    def resource_setup(cls):
+        super(BaremetalScenarioTest, cls).resource_setup()
         # allow any issues obtaining the node list to raise early
         cls.baremetal_client.list_nodes()
 
@@ -1272,8 +1283,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        super(EncryptionScenarioTest, cls).resource_setup()
+    def setup_clients(cls):
+        super(EncryptionScenarioTest, cls).setup_clients()
         cls.admin_volume_types_client = cls.admin_manager.volume_types_client
 
     def _wait_for_volume_status(self, status):
@@ -1319,10 +1330,10 @@
     """
 
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(OrchestrationScenarioTest, cls).skip_checks()
         if not CONF.service_available.heat:
             raise cls.skipException("Heat support is required")
-        super(OrchestrationScenarioTest, cls).resource_setup()
 
     @classmethod
     def credentials(cls):
@@ -1365,17 +1376,35 @@
     """
 
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(SwiftScenarioTest, cls).skip_checks()
         if not CONF.service_available.swift:
             skip_msg = ("%s skipped as swift is not available" %
                         cls.__name__)
             raise cls.skipException(skip_msg)
+
+    @classmethod
+    def setup_credentials(cls):
         cls.set_network_resources()
-        super(SwiftScenarioTest, cls).resource_setup()
+        super(SwiftScenarioTest, cls).setup_credentials()
+        operator_role = CONF.object_storage.operator_role
+        if not cls.isolated_creds.is_role_available(operator_role):
+            skip_msg = ("%s skipped because the configured credential provider"
+                        " is not able to provide credentials with the %s role "
+                        "assigned." % (cls.__name__, operator_role))
+            raise cls.skipException(skip_msg)
+        else:
+            cls.os_operator = clients.Manager(
+                cls.isolated_creds.get_creds_by_roles(
+                    [operator_role]))
+
+    @classmethod
+    def setup_clients(cls):
+        super(SwiftScenarioTest, cls).setup_clients()
         # Clients for Swift
-        cls.account_client = cls.manager.account_client
-        cls.container_client = cls.manager.container_client
-        cls.object_client = cls.manager.object_client
+        cls.account_client = cls.os_operator.account_client
+        cls.container_client = cls.os_operator.container_client
+        cls.object_client = cls.os_operator.object_client
 
     def get_swift_stat(self):
         """get swift status for our user account."""
diff --git a/tempest/scenario/orchestration/__init__.py b/tempest/scenario/orchestration/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/tempest/scenario/orchestration/__init__.py
+++ /dev/null
diff --git a/tempest/scenario/orchestration/cfn_init_signal.yaml b/tempest/scenario/orchestration/cfn_init_signal.yaml
deleted file mode 100644
index c95aabf..0000000
--- a/tempest/scenario/orchestration/cfn_init_signal.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
-HeatTemplateFormatVersion: '2012-12-12'
-Description: |
-  Template which uses a wait condition to confirm that a minimal
-  cfn-init and cfn-signal has worked
-Parameters:
-  key_name:
-    Type: String
-  flavor:
-    Type: String
-  image:
-    Type: String
-  network:
-    Type: String
-  timeout:
-    Type: Number
-Resources:
-  CfnUser:
-    Type: AWS::IAM::User
-  SmokeSecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      GroupDescription: Enable only ping and SSH access
-      SecurityGroupIngress:
-      - {CidrIp: 0.0.0.0/0, FromPort: '-1', IpProtocol: icmp, ToPort: '-1'}
-      - {CidrIp: 0.0.0.0/0, FromPort: '22', IpProtocol: tcp, ToPort: '22'}
-  SmokeKeys:
-    Type: AWS::IAM::AccessKey
-    Properties:
-      UserName: {Ref: CfnUser}
-  SmokeServer:
-    Type: OS::Nova::Server
-    Metadata:
-      AWS::CloudFormation::Init:
-        config:
-          files:
-            /tmp/smoke-status:
-              content: smoke test complete
-            /etc/cfn/cfn-credentials:
-              content:
-                Fn::Replace:
-                - SmokeKeys: {Ref: SmokeKeys}
-                  SecretAccessKey:
-                    'Fn::GetAtt': [SmokeKeys, SecretAccessKey]
-                - |
-                  AWSAccessKeyId=SmokeKeys
-                  AWSSecretKey=SecretAccessKey
-              mode: '000400'
-              owner: root
-              group: root
-    Properties:
-      image: {Ref: image}
-      flavor: {Ref: flavor}
-      key_name: {Ref: key_name}
-      security_groups:
-      - {Ref: SmokeSecurityGroup}
-      networks:
-      - uuid: {Ref: network}
-      user_data:
-        Fn::Replace:
-        - WaitHandle: {Ref: WaitHandle}
-        - |
-          #!/bin/bash -v
-          /opt/aws/bin/cfn-init
-          /opt/aws/bin/cfn-signal -e 0 --data "`cat /tmp/smoke-status`" \
-              --id smoke_status "WaitHandle"
-  WaitHandle:
-    Type: AWS::CloudFormation::WaitConditionHandle
-  WaitCondition:
-    Type: AWS::CloudFormation::WaitCondition
-    DependsOn: SmokeServer
-    Properties:
-      Handle: {Ref: WaitHandle}
-      Timeout: {Ref: timeout}
-Outputs:
-  WaitConditionStatus:
-    Description: Contents of /tmp/smoke-status on SmokeServer
-    Value:
-      Fn::GetAtt: [WaitCondition, Data]
-  SmokeServerIp:
-    Description: IP address of server
-    Value:
-      Fn::GetAtt: [SmokeServer, first_address]
diff --git a/tempest/scenario/orchestration/test_server_cfn_init.py b/tempest/scenario/orchestration/test_server_cfn_init.py
deleted file mode 100644
index 53f7843..0000000
--- a/tempest/scenario/orchestration/test_server_cfn_init.py
+++ /dev/null
@@ -1,134 +0,0 @@
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-import json
-
-from tempest_lib import decorators
-
-from tempest import config
-from tempest import exceptions
-from tempest.openstack.common import log as logging
-from tempest.scenario import manager
-from tempest import test
-
-CONF = config.CONF
-LOG = logging.getLogger(__name__)
-
-
-class CfnInitScenarioTest(manager.OrchestrationScenarioTest):
-
-    def setUp(self):
-        super(CfnInitScenarioTest, self).setUp()
-        if not CONF.orchestration.image_ref:
-            raise self.skipException("No image available to test")
-        self.client = self.orchestration_client
-        self.template_name = 'cfn_init_signal.yaml'
-
-    def assign_keypair(self):
-        self.stack_name = self._stack_rand_name()
-        if CONF.orchestration.keypair_name:
-            self.keypair = None
-            self.keypair_name = CONF.orchestration.keypair_name
-        else:
-            self.keypair = self.create_keypair()
-            self.keypair_name = self.keypair['name']
-
-    def launch_stack(self):
-        net = self._get_default_network()
-        self.parameters = {
-            'key_name': self.keypair_name,
-            'flavor': CONF.orchestration.instance_type,
-            'image': CONF.orchestration.image_ref,
-            'timeout': CONF.orchestration.build_timeout,
-            'network': net['id'],
-        }
-
-        # create the stack
-        self.template = self._load_template(__file__, self.template_name)
-        stack = self.client.create_stack(
-            name=self.stack_name,
-            template=self.template,
-            parameters=self.parameters)
-        stack = stack['stack']
-
-        self.stack = self.client.get_stack(stack['id'])
-        self.stack_identifier = '%s/%s' % (self.stack_name, self.stack['id'])
-        self.addCleanup(self.delete_wrapper,
-                        self.orchestration_client.delete_stack,
-                        self.stack_identifier)
-
-    def check_stack(self):
-        sid = self.stack_identifier
-        self.client.wait_for_resource_status(
-            sid, 'WaitHandle', 'CREATE_COMPLETE')
-        self.client.wait_for_resource_status(
-            sid, 'SmokeSecurityGroup', 'CREATE_COMPLETE')
-        self.client.wait_for_resource_status(
-            sid, 'SmokeKeys', 'CREATE_COMPLETE')
-        self.client.wait_for_resource_status(
-            sid, 'CfnUser', 'CREATE_COMPLETE')
-        self.client.wait_for_resource_status(
-            sid, 'SmokeServer', 'CREATE_COMPLETE')
-
-        server_resource = self.client.get_resource(sid, 'SmokeServer')
-        server_id = server_resource['physical_resource_id']
-        server = self.servers_client.get_server(server_id)
-        server_ip =\
-            server['addresses'][CONF.compute.network_for_ssh][0]['addr']
-
-        if not self.ping_ip_address(
-            server_ip, ping_timeout=CONF.orchestration.build_timeout):
-            self._log_console_output(servers=[server])
-            self.fail(
-                "(CfnInitScenarioTest:test_server_cfn_init) Timed out waiting "
-                "for %s to become reachable" % server_ip)
-
-        try:
-            self.client.wait_for_resource_status(
-                sid, 'WaitCondition', 'CREATE_COMPLETE')
-        except (exceptions.StackResourceBuildErrorException,
-                exceptions.TimeoutException) as e:
-            raise e
-        finally:
-            # attempt to log the server console regardless of WaitCondition
-            # going to complete. This allows successful and failed cloud-init
-            # logs to be compared
-            self._log_console_output(servers=[server])
-
-        self.client.wait_for_stack_status(sid, 'CREATE_COMPLETE')
-
-        stack = self.client.get_stack(sid)
-
-        # This is an assert of great significance, as it means the following
-        # has happened:
-        # - cfn-init read the provided metadata and wrote out a file
-        # - a user was created and credentials written to the server
-        # - a cfn-signal was built which was signed with provided credentials
-        # - the wait condition was fulfilled and the stack has changed state
-        wait_status = json.loads(
-            self._stack_output(stack, 'WaitConditionStatus'))
-        self.assertEqual('smoke test complete', wait_status['smoke_status'])
-
-        if self.keypair:
-            # Check that the user can authenticate with the generated
-            # keypair
-            self.get_remote_client(server_ip, username='ec2-user',
-                                   log_console_of_servers=[server])
-
-    @test.attr(type='slow')
-    @decorators.skip_because(bug='1374175')
-    @test.idempotent_id('2be9be1f-8106-4ee2-a7ba-444c7557db2f')
-    @test.services('orchestration', 'compute')
-    def test_server_cfn_init(self):
-        self.assign_keypair()
-        self.launch_stack()
-        self.check_stack()
diff --git a/tempest/scenario/test_aggregates_basic_ops.py b/tempest/scenario/test_aggregates_basic_ops.py
index ff450de..c94a787 100644
--- a/tempest/scenario/test_aggregates_basic_ops.py
+++ b/tempest/scenario/test_aggregates_basic_ops.py
@@ -33,8 +33,8 @@
     Deletes aggregate
     """
     @classmethod
-    def resource_setup(cls):
-        super(TestAggregatesBasicOps, cls).resource_setup()
+    def setup_clients(cls):
+        super(TestAggregatesBasicOps, cls).setup_clients()
         cls.aggregates_client = cls.manager.aggregates_client
         cls.hosts_client = cls.manager.hosts_client
 
diff --git a/tempest/scenario/test_dashboard_basic_ops.py b/tempest/scenario/test_dashboard_basic_ops.py
index 4c4dc94..dd7376a 100644
--- a/tempest/scenario/test_dashboard_basic_ops.py
+++ b/tempest/scenario/test_dashboard_basic_ops.py
@@ -57,11 +57,15 @@
     """
 
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(TestDashboardBasicOps, cls).skip_checks()
         if not CONF.service_available.horizon:
             raise cls.skipException("Horizon support is required")
+
+    @classmethod
+    def setup_credentials(cls):
         cls.set_network_resources()
-        super(TestDashboardBasicOps, cls).resource_setup()
+        super(TestDashboardBasicOps, cls).setup_credentials()
 
     def check_login_page(self):
         response = urllib2.urlopen(CONF.dashboard.dashboard_url)
diff --git a/tempest/scenario/test_large_ops.py b/tempest/scenario/test_large_ops.py
index af2b4cb..613732a 100644
--- a/tempest/scenario/test_large_ops.py
+++ b/tempest/scenario/test_large_ops.py
@@ -39,11 +39,19 @@
     """
 
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(TestLargeOpsScenario, cls).skip_checks()
         if CONF.scenario.large_ops_number < 1:
             raise cls.skipException("large_ops_number not set to multiple "
                                     "instances")
+
+    @classmethod
+    def setup_credentials(cls):
         cls.set_network_resources()
+        super(TestLargeOpsScenario, cls).setup_credentials()
+
+    @classmethod
+    def resource_setup(cls):
         super(TestLargeOpsScenario, cls).resource_setup()
         # list of cleanup calls to be executed in reverse order
         cls._cleanup_resources = []
diff --git a/tempest/scenario/test_load_balancer_basic.py b/tempest/scenario/test_load_balancer_basic.py
index 6f6036f..0d17048 100644
--- a/tempest/scenario/test_load_balancer_basic.py
+++ b/tempest/scenario/test_load_balancer_basic.py
@@ -43,8 +43,8 @@
     """
 
     @classmethod
-    def check_preconditions(cls):
-        super(TestLoadBalancerBasic, cls).check_preconditions()
+    def skip_checks(cls):
+        super(TestLoadBalancerBasic, cls).skip_checks()
         cfg = config.network
         if not test.is_extension_enabled('lbaas', 'network'):
             msg = 'LBaaS Extension is not enabled'
@@ -57,7 +57,6 @@
     @classmethod
     def resource_setup(cls):
         super(TestLoadBalancerBasic, cls).resource_setup()
-        cls.check_preconditions()
         cls.servers_keypairs = {}
         cls.members = []
         cls.floating_ips = {}
@@ -262,6 +261,8 @@
                                               port_id=port_id)
         self.floating_ips.setdefault(vip.id, [])
         self.floating_ips[vip.id].append(floating_ip)
+        # Check for floating ip status before you check load-balancer
+        self.check_floating_ip_status(floating_ip, "ACTIVE")
 
     def _create_load_balancer(self):
         self._create_pool()
diff --git a/tempest/scenario/test_network_advanced_server_ops.py b/tempest/scenario/test_network_advanced_server_ops.py
index 6e82a41..1d4f915 100644
--- a/tempest/scenario/test_network_advanced_server_ops.py
+++ b/tempest/scenario/test_network_advanced_server_ops.py
@@ -41,8 +41,8 @@
     """
 
     @classmethod
-    def check_preconditions(cls):
-        super(TestNetworkAdvancedServerOps, cls).check_preconditions()
+    def skip_checks(cls):
+        super(TestNetworkAdvancedServerOps, cls).skip_checks()
         if not (CONF.network.tenant_networks_reachable
                 or CONF.network.public_network_id):
             msg = ('Either tenant_networks_reachable must be "true", or '
@@ -50,10 +50,10 @@
             raise cls.skipException(msg)
 
     @classmethod
-    def resource_setup(cls):
+    def setup_credentials(cls):
         # Create no network resources for these tests.
         cls.set_network_resources()
-        super(TestNetworkAdvancedServerOps, cls).resource_setup()
+        super(TestNetworkAdvancedServerOps, cls).setup_credentials()
 
     def _setup_network_and_servers(self):
         self.keypair = self.create_keypair()
@@ -84,10 +84,11 @@
             should_connect=should_connect,
             servers_for_debug=[self.server])
         floating_ip = self.floating_ip.floating_ip_address
+        # Check FloatingIP status before checking the connectivity
+        self.check_floating_ip_status(self.floating_ip, 'ACTIVE')
         self.check_public_network_connectivity(floating_ip, username,
                                                private_key, should_connect,
                                                servers=[self.server])
-        self.check_floating_ip_status(self.floating_ip, 'ACTIVE')
 
     def _wait_server_status_and_check_network_connectivity(self):
         self.servers_client.wait_for_server_status(self.server['id'], 'ACTIVE')
diff --git a/tempest/scenario/test_network_basic_ops.py b/tempest/scenario/test_network_basic_ops.py
index 4199b2c..f4db878 100644
--- a/tempest/scenario/test_network_basic_ops.py
+++ b/tempest/scenario/test_network_basic_ops.py
@@ -77,23 +77,23 @@
     """
 
     @classmethod
-    def check_preconditions(cls):
-        super(TestNetworkBasicOps, cls).check_preconditions()
+    def skip_checks(cls):
+        super(TestNetworkBasicOps, cls).skip_checks()
         if not (CONF.network.tenant_networks_reachable
                 or CONF.network.public_network_id):
             msg = ('Either tenant_networks_reachable must be "true", or '
                    'public_network_id must be defined.')
             raise cls.skipException(msg)
-
-    @classmethod
-    def resource_setup(cls):
         for ext in ['router', 'security-group']:
             if not test.is_extension_enabled(ext, 'network'):
                 msg = "%s extension not enabled." % ext
                 raise cls.skipException(msg)
+
+    @classmethod
+    def setup_credentials(cls):
         # Create no network resources for these tests.
         cls.set_network_resources()
-        super(TestNetworkBasicOps, cls).resource_setup()
+        super(TestNetworkBasicOps, cls).setup_credentials()
 
     def setUp(self):
         super(TestNetworkBasicOps, self).setUp()
@@ -190,12 +190,13 @@
         if should_connect:
             private_key = self._get_server_key(server)
             floatingip_status = 'ACTIVE'
+        # Check FloatingIP Status before initiating a connection
+        if should_check_floating_ip_status:
+            self.check_floating_ip_status(floating_ip, floatingip_status)
         # call the common method in the parent class
         super(TestNetworkBasicOps, self).check_public_network_connectivity(
             ip_address, ssh_login, private_key, should_connect, msg,
             self.servers)
-        if should_check_floating_ip_status:
-            self.check_floating_ip_status(floating_ip, floatingip_status)
 
     def _disassociate_floating_ips(self):
         floating_ip, server = self.floating_ip_tuple
diff --git a/tempest/scenario/test_network_v6.py b/tempest/scenario/test_network_v6.py
index d5d2d77..7b2bdd5 100644
--- a/tempest/scenario/test_network_v6.py
+++ b/tempest/scenario/test_network_v6.py
@@ -34,13 +34,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
-        # Create no network resources for these tests.
-        cls.set_network_resources()
-        super(TestGettingAddress, cls).resource_setup()
-
-    @classmethod
-    def check_preconditions(cls):
+    def skip_checks(cls):
+        super(TestGettingAddress, cls).skip_checks()
         if not (CONF.network_feature_enabled.ipv6
                 and CONF.network_feature_enabled.ipv6_subnet_attributes):
             raise cls.skipException('IPv6 or its attributes not supported')
@@ -53,7 +48,11 @@
             msg = ('Baremetal does not currently support network isolation')
             raise cls.skipException(msg)
 
-        super(TestGettingAddress, cls).check_preconditions()
+    @classmethod
+    def setup_credentials(cls):
+        # Create no network resources for these tests.
+        cls.set_network_resources()
+        super(TestGettingAddress, cls).setup_credentials()
 
     def setUp(self):
         super(TestGettingAddress, self).setUp()
diff --git a/tempest/scenario/test_security_groups_basic_ops.py b/tempest/scenario/test_security_groups_basic_ops.py
index 4fbadb0..f9667a5 100644
--- a/tempest/scenario/test_security_groups_basic_ops.py
+++ b/tempest/scenario/test_security_groups_basic_ops.py
@@ -119,11 +119,11 @@
             self.router = router
 
     @classmethod
-    def check_preconditions(cls):
+    def skip_checks(cls):
+        super(TestSecurityGroupsBasicOps, cls).skip_checks()
         if CONF.baremetal.driver_enabled:
             msg = ('Not currently supported by baremetal.')
             raise cls.skipException(msg)
-        super(TestSecurityGroupsBasicOps, cls).check_preconditions()
         if not (CONF.network.tenant_networks_reachable or
                 CONF.network.public_network_id):
             msg = ('Either tenant_networks_reachable must be "true", or '
@@ -131,10 +131,10 @@
             raise cls.skipException(msg)
 
     @classmethod
-    def resource_setup(cls):
+    def setup_credentials(cls):
         # Create no network resources for these tests.
         cls.set_network_resources()
-        super(TestSecurityGroupsBasicOps, cls).resource_setup()
+        super(TestSecurityGroupsBasicOps, cls).setup_credentials()
         # TODO(mnewby) Consider looking up entities as needed instead
         # of storing them as collections on the class.
 
@@ -144,6 +144,9 @@
         # Credentials from the manager are filled with both IDs and Names
         cls.alt_creds = cls.alt_manager.credentials
 
+    @classmethod
+    def resource_setup(cls):
+        super(TestSecurityGroupsBasicOps, cls).resource_setup()
         cls.floating_ips = {}
         cls.tenants = {}
         creds = cls.credentials()
@@ -151,6 +154,7 @@
         cls.alt_tenant = cls.TenantProperties(cls.alt_creds)
         for tenant in [cls.primary_tenant, cls.alt_tenant]:
             cls.tenants[tenant.creds.tenant_id] = tenant
+
         cls.floating_ip_access = not CONF.network.public_router_id
 
     def cleanup_wrapper(self, resource):
diff --git a/tempest/scenario/test_server_advanced_ops.py b/tempest/scenario/test_server_advanced_ops.py
index d0b595a..8cbc388 100644
--- a/tempest/scenario/test_server_advanced_ops.py
+++ b/tempest/scenario/test_server_advanced_ops.py
@@ -35,12 +35,16 @@
     """
 
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(TestServerAdvancedOps, cls).skip_checks()
         if CONF.compute.flavor_ref_alt == CONF.compute.flavor_ref:
             msg = "Skipping test - flavor_ref and flavor_ref_alt are identical"
             raise cls.skipException(msg)
+
+    @classmethod
+    def setup_credentials(cls):
         cls.set_network_resources()
-        super(TestServerAdvancedOps, cls).resource_setup()
+        super(TestServerAdvancedOps, cls).setup_credentials()
 
     @test.idempotent_id('e6c28180-7454-4b59-b188-0257af08a63b')
     @testtools.skipUnless(CONF.compute_feature_enabled.resize,
diff --git a/tempest/scenario/test_stamp_pattern.py b/tempest/scenario/test_stamp_pattern.py
index bd3cefa..3614e97 100644
--- a/tempest/scenario/test_stamp_pattern.py
+++ b/tempest/scenario/test_stamp_pattern.py
@@ -54,10 +54,10 @@
     """
 
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(TestStampPattern, cls).skip_checks()
         if not CONF.volume_feature_enabled.snapshot:
             raise cls.skipException("Cinder volume snapshots are disabled")
-        super(TestStampPattern, cls).resource_setup()
 
     def _wait_for_volume_snapshot_status(self, volume_snapshot, status):
         self.snapshots_client.wait_for_snapshot_status(volume_snapshot['id'],
diff --git a/tempest/scenario/test_swift_telemetry_middleware.py b/tempest/scenario/test_swift_telemetry_middleware.py
index 8305641..a10168c 100644
--- a/tempest/scenario/test_swift_telemetry_middleware.py
+++ b/tempest/scenario/test_swift_telemetry_middleware.py
@@ -44,7 +44,8 @@
     """
 
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(TestSwiftTelemetry, cls).skip_checks()
         if not CONF.service_available.ceilometer:
             skip_msg = ("%s skipped as ceilometer is not available" %
                         cls.__name__)
@@ -52,8 +53,11 @@
         elif CONF.telemetry.too_slow_to_test:
             skip_msg = "Ceilometer feature for fast work mysql is disabled"
             raise cls.skipException(skip_msg)
-        super(TestSwiftTelemetry, cls).resource_setup()
-        cls.telemetry_client = cls.manager.telemetry_client
+
+    @classmethod
+    def setup_clients(cls):
+        super(TestSwiftTelemetry, cls).setup_clients()
+        cls.telemetry_client = cls.os_operator.telemetry_client
 
     def _confirm_notifications(self, container_name, obj_name):
         """
@@ -79,15 +83,15 @@
                 meta = sample['resource_metadata']
                 if meta.get('container') and meta['container'] != 'None':
                     containers.append(meta['container'])
-                elif (meta.get('target') and
-                      meta['target']['metadata']['container'] != 'None'):
-                    containers.append(meta['target']['metadata']['container'])
+                elif (meta.get('target.metadata:container') and
+                      meta['target.metadata:container'] != 'None'):
+                    containers.append(meta['target.metadata:container'])
 
                 if meta.get('object') and meta['object'] != 'None':
                     objects.append(meta['object'])
-                elif (meta.get('target') and
-                      meta['target']['metadata']['object'] != 'None'):
-                    objects.append(meta['target']['metadata']['object'])
+                elif (meta.get('target.metadata:object') and
+                      meta['target.metadata:object'] != 'None'):
+                    objects.append(meta['target.metadata:object'])
 
             return (container_name in containers and obj_name in objects)
 
diff --git a/tempest/scenario/test_volume_boot_pattern.py b/tempest/scenario/test_volume_boot_pattern.py
index d1ea270..95edbd2 100644
--- a/tempest/scenario/test_volume_boot_pattern.py
+++ b/tempest/scenario/test_volume_boot_pattern.py
@@ -38,10 +38,10 @@
      * Check written content in the instance booted from snapshot
     """
     @classmethod
-    def resource_setup(cls):
+    def skip_checks(cls):
+        super(TestVolumeBootPattern, cls).skip_checks()
         if not CONF.volume_feature_enabled.snapshot:
             raise cls.skipException("Cinder volume snapshots are disabled")
-        super(TestVolumeBootPattern, cls).resource_setup()
 
     def _create_volume_from_image(self):
         img_uuid = CONF.compute.image_ref
diff --git a/tempest/tests/test_tenant_isolation.py b/tempest/tests/test_tenant_isolation.py
index a18ad46..a420a8f 100644
--- a/tempest/tests/test_tenant_isolation.py
+++ b/tempest/tests/test_tenant_isolation.py
@@ -156,7 +156,6 @@
                                'assign_user_role') as user_mock:
             admin_creds = iso_creds.get_admin_creds()
         user_mock.assert_has_calls([
-            mock.call('1234', '1234', '1'),
             mock.call('1234', '1234', '1234')])
         self.assertEqual(admin_creds.username, 'fake_admin_user')
         self.assertEqual(admin_creds.tenant_name, 'fake_admin_tenant')
@@ -182,9 +181,8 @@
             role_creds = iso_creds.get_creds_by_roles(roles=['role1', 'role2'])
         calls = user_mock.mock_calls
         # Assert that the role creation is called with the 2 specified roles
-        self.assertEqual(len(calls), 3)
+        self.assertEqual(len(calls), 2)
         args = map(lambda x: x[1], calls)
-        self.assertIn(('1234', '1234', '1'), args)
         self.assertIn(('1234', '1234', '1234'), args)
         self.assertIn(('1234', '1234', '12345'), args)
         self.assertEqual(role_creds.username, 'fake_role_user')