Require member role in the static get_primary_creds
Otherwise the reader role might be picked up, which is not enough
in some cases even when scope and new policies are not enforced;
barbican, for example, requires a 'creator' role,
and reader+creator makes no sense.
Change-Id: Icab8c2a84d13ba29e4402442edc29df539c70c9f
Related-Issue: PRODX-26490
diff --git a/tempest/lib/common/preprov_creds.py b/tempest/lib/common/preprov_creds.py
index f7d5380..508618a 100644
--- a/tempest/lib/common/preprov_creds.py
+++ b/tempest/lib/common/preprov_creds.py
@@ -362,7 +362,8 @@
def get_primary_creds(self):
if self._creds.get('primary'):
return self._creds.get('primary')
- net_creds = self._get_creds()
+ # NOTE(pas-ha) use the same call as get_project_member_creds
+ net_creds = self._get_creds(['member'], scope='project')
self._creds['primary'] = net_creds
return net_creds
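Review bot: The role name in the new `_get_creds(['member'], scope='project')` call is hard-coded, so an accounts file whose non-admin entries have no `roles` key, or use a differently named member role, would presumably stop yielding primary credentials. `_get_creds` is not visible in this hunk, so confirm how it behaves when no account matches the requested role, and mention the new accounts-file requirement in a release note. The NOTE comment names the call it mirrors but not the reason; I would write it as `# NOTE(pas-ha) require the member role so a reader-only account is never handed out as primary; same call as get_project_member_creds`.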
diff --git a/tempest/tests/lib/common/test_preprov_creds.py b/tempest/tests/lib/common/test_preprov_creds.py
index a5f0543..04e6771 100644
--- a/tempest/tests/lib/common/test_preprov_creds.py
+++ b/tempest/tests/lib/common/test_preprov_creds.py
@@ -77,7 +77,10 @@
{'username': 'test_admin2', 'project_name': 'test_tenant12',
'password': 'p', 'roles': [admin_role]},
{'username': 'test_admin3', 'project_name': 'test_tenant13',
- 'password': 'p', 'types': ['admin']}]
+ 'password': 'p', 'types': ['admin']},
+ {'username': 'test_user14', 'project_name': 'test_tenant14',
+ 'password': 'p', 'roles': ['member']},
+ ]
def setUp(self):
super(TestPreProvisionedCredentials, self).setUp()
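Review bot: The added `test_user14` entry with `'roles': ['member']` only keeps the existing tests passing; nothing visible in this diff asserts the behaviour the commit is about. The fixture list as shown here also has no account with a `reader` role, so choosing member over reader is never exercised. I would add a reader-only account to this list and a test that calls `get_primary_creds()` and asserts the returned credentials belong to the member account. The same applies to the parallel fixture list extended in the last hunk. The list starts outside this hunk, so an existing reader entry further up cannot be ruled out.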
@@ -324,7 +327,7 @@
calls = get_free_hash_mock.mock.mock_calls
self.assertEqual(len(calls), 1)
args = calls[0][1][0]
- self.assertEqual(len(args), 10)
+ self.assertEqual(len(args), 11)
for i in admin_hashes:
self.assertNotIn(i, args)
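Review bot: The expected count in `self.assertEqual(len(args), 11)` is a bare literal that has to be bumped by hand whenever the fixture list grows, as this commit shows. If the number is simply the fixture accounts minus the admin ones (not verifiable from this hunk, since the test method starts outside it), a comment such as `# every fixture account except the admin ones` would explain it. Deriving the value from the fixture list and `admin_hashes` would keep the assertion from drifting.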
@@ -485,4 +488,8 @@
{'username': 'test_admin2', 'project_name': 'test_project12',
'domain_name': 'domain', 'password': 'p', 'roles': [admin_role]},
{'username': 'test_admin3', 'project_name': 'test_tenant13',
- 'domain_name': 'domain', 'password': 'p', 'types': ['admin']}]
+ 'domain_name': 'domain', 'password': 'p', 'types': ['admin']},
+ {'username': 'test_user14', 'project_name': 'test_tenant14',
+ 'domain_name': 'domain', 'password': 'p',
+ 'roles': ['member']},
+ ]