Default to project admin for preprovisioned admin creds
When using pre-provisioned creds, asking for 'admin' creds may
currently return any creds with the admin role,
including system admin.
That unfortunately does not work for some services, especially
those that still use the project id as part of their endpoint
(cinder, heat, swift).
Default to project admin when not asked specifically for a system one.
Also, improve handling of scopes with credential "types".
Related-Issue: PRODX-55335
Change-Id: I1fcc60109cfcf2f034c33e6faac646f193685226
diff --git a/tempest/lib/common/preprov_creds.py b/tempest/lib/common/preprov_creds.py
index 16553fc..68bbe89 100644
--- a/tempest/lib/common/preprov_creds.py
+++ b/tempest/lib/common/preprov_creds.py
@@ -101,11 +101,14 @@
'used_projects')
@classmethod
- def _append_role(cls, role, account_hash, hash_dict):
+ def _append_role(cls, role, account_hash, hash_dict, scope=None):
if role in hash_dict['roles']:
hash_dict['roles'][role].append(account_hash)
else:
hash_dict['roles'][role] = [account_hash]
+ if scope:
+ hash_dict = cls._append_scoped_role(
+ scope, role, account_hash, hash_dict)
return hash_dict
@classmethod
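Review bot: `_append_role` has no docstring, and the new `scope` keyword changes what it writes into `hash_dict`. With a truthy scope it now also calls `_append_scoped_role`, so every caller that passes `scope=` registers the account under two indexes. I would add `"""Record account_hash under role; when scope is set, also record it under the scoped role."""` below the signature. The trailing `@classmethod` belongs to a definition that starts outside this hunk.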
@@ -141,7 +144,7 @@
types = account.pop('types')
if 'resources' in account:
resources = account.pop('resources')
- if 'project_name' in account:
+ if 'project_name' in account or 'tenant_name' in account:
scope = 'project'
elif 'domain_name' in account:
scope = 'domain'
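Review bot: The scope chain is first-match on key presence, so after this change an account carrying `tenant_name` is classified as project-scoped before the `domain_name` test is reached. That precedence deserves a comment above the `if`, for example `# tenant_name is accepted as the legacy spelling of project_name; project scope wins over domain when both keys are present`. The remaining branches of the chain are outside this hunk, so how an account with none of these keys is classified cannot be confirmed from here.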
@@ -155,21 +158,18 @@
hash_dict['creds'][temp_hash_key] = account
for role in roles:
hash_dict = cls._append_role(role, temp_hash_key,
- hash_dict)
- if scope:
- hash_dict = cls._append_scoped_role(
- scope, role, temp_hash_key, hash_dict)
+ hash_dict, scope=scope)
# If types are set for the account append the matching role
# subdict with the hash
for type in types:
if type == 'admin':
hash_dict = cls._append_role(admin_role, temp_hash_key,
- hash_dict)
+ hash_dict, scope=scope)
elif type == 'operator':
if object_storage_operator_role:
hash_dict = cls._append_role(
object_storage_operator_role, temp_hash_key,
- hash_dict)
+ hash_dict, scope=scope)
else:
msg = ("Type 'operator' configured, but no "
"object_storage_operator_role specified")
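Review bot: The comment above the `for type in types:` loop still describes only the role subdict, but the 'admin' and 'operator' branches here (and the 'reseller_admin' branch in the next hunk) now pass `scope=scope`. Type-derived roles therefore also land in the scoped index. I would update it to `# If types are set for the account, append the hash to the matching role subdict and, when the account has a scope, to the scoped role as well`. An account that lists the admin role under both `roles` and `types` goes through `_append_role` twice; whether `_append_scoped_role` then stores the hash twice is not visible in this diff and is worth checking. The enclosing method starts and ends outside the hunk.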
@@ -179,7 +179,7 @@
hash_dict = cls._append_role(
object_storage_reseller_admin_role,
temp_hash_key,
- hash_dict)
+ hash_dict, scope=scope)
else:
msg = ("Type 'reseller_admin' configured, but no "
"object_storage_reseller_admin_role specified")
@@ -480,7 +480,7 @@
new_index = str(roles).encode('utf-8') + b'-' + \
str(len(self._creds)).encode('utf-8')
self._creds[new_index] = exist_creds
- net_creds = self._get_creds(roles=roles)
+ net_creds = self._get_creds(roles=roles, scope=scope)
self._creds[str(roles).encode('utf-8')] = net_creds
return net_creds
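Review bot: The cache key on the line after the changed call is still `str(roles).encode('utf-8')`, so credentials fetched for one scope are stored under a key that names only the roles. If the lookup earlier in this method (outside the hunk) uses the same key, a request for the admin role with `scope="project"` can be served the system-scoped credentials cached by an earlier call, which is the mix-up this commit sets out to prevent. The scope should be part of the key in both the lookup and the store, for example `cache_key = ("%s-%s" % (scope, roles)).encode('utf-8')`. The `new_index` key built for the `force_new` case needs the same treatment.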
@@ -491,7 +491,7 @@
# TODO(gmann): Remove this method in favor of get_project_admin_creds()
# after the deprecation phase.
def get_admin_creds(self):
- return self.get_creds_by_roles([self.admin_role])
+ return self.get_creds_by_roles([self.admin_role], scope="project")
def is_role_available(self, role):
if self.hash_dict['roles'].get(role):
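Review bot: `get_admin_creds` now silently narrows to project scope and has no docstring saying so. Admin accounts whose accounts-file entry has neither `project_name` nor `tenant_name` are not registered under the project-scoped role. What `get_creds_by_roles` does when the scoped lookup finds nothing is outside this diff, so such deployments may start failing here. I would add `"""Return project-scoped admin credentials; request system scope explicitly when a system admin is needed."""` and name the required keys in the accounts-file documentation.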