Merge "Update roles required for testing"

.zuul.yaml

@@ -42,7 +42,7 @@
         test-config:
           $TEMPEST_CONFIG:
             auth:
-              tempest_roles: creator
+              create_isolated_networks: False
             image-feature-enabled:
               # this may be removed soon, as api_v1 is false since tempest>=20
               api_v1: False
@@ -159,14 +159,13 @@
     name: barbican-tempest-plugin-simple-crypto-secure-rbac
     parent: barbican-tempest-plugin-simple-crypto
     vars:
+      devstack_localrc:
+        ENFORCE_SCOPE: True
       devstack_local_conf:
-        post-config:
-          $BARBICAN_CONF:
-            oslo_policy:
-              enforce_new_defaults: True
-              enforce_scope: True
         # (lpiwowar): Uncomment once this bug is resolved:
         # https://bugs.launchpad.net/barbican/+bug/2043457
+        # post-config:
+        #   $BARBICAN_CONF:
         #     secretstore:
         #      enable_multiple_secret_stores: True
         #      stores_lookup_suffix: simple_crypto

barbican_tempest_plugin/tests/api/base.py

@@ -61,8 +61,7 @@ class BaseKeyManagerTest(test.BaseTestCase,
                          api_version_utils.BaseMicroversionTest):
     """Base class for all api tests."""
 
-    # Why do I have to be an admin to create secrets? No idea...
+    credentials = ['project_admin']
-    credentials = ('admin', ['service_admin', 'key-manager:service-admin'])
     client_manager = clients.Clients
     created_objects = {}
 
@@ -88,8 +87,6 @@ class BaseKeyManagerTest(test.BaseTestCase,
         cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient()
         cls.secret_metadata_client = os.secret_v1.SecretMetadataClient()
         cls.version_client = os.secret_v1_1.VersionClient()
-
-        os = getattr(cls, 'os_roles_%s' % cls.credentials[1][0])
         cls.quota_client = os.secret_v1.QuotaClient()
 
     @classmethod

barbican_tempest_plugin/tests/api/test_quotas.py

@@ -16,7 +16,7 @@ from barbican_tempest_plugin.tests.api import base
 
 from tempest import config
 from tempest.lib import decorators
-from tempest.lib import exceptions
+
 
 CONF = config.CONF
 
@@ -26,15 +26,6 @@ class QuotasTest(base.BaseKeyManagerTest):
 
     @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
     def test_get_effective_quota(self):
-        if CONF.enforce_scope.barbican:
-            # This test is using key-manager:service-admin legacy
-            # role. User with only this role should get a Forbidden
-            # error when trying to get effective quotas in SRBAC
-            # environment.
-            self.assertRaises(
-                exceptions.Forbidden,
-                self.quota_client.get_default_project_quota)
-        else:
         body = self.quota_client.get_default_project_quota()
         quotas = body.get('quotas')
         self.assertEqual(-1, quotas.get('secrets'))
@@ -46,6 +37,8 @@ class QuotasTest(base.BaseKeyManagerTest):
 
 class ProjectQuotasTest(base.BaseKeyManagerTest):
 
+    credentials = ['admin', ['service_admin', 'key-manager:service-admin']]
+
     @classmethod
     def skip_checks(cls):
         super().skip_checks()
@@ -56,6 +49,11 @@ class ProjectQuotasTest(base.BaseKeyManagerTest):
             raise cls.skipException("enforce_scope is enabled for barbican, "
                                     "skipping project quota tests.")
 
+    @classmethod
+    def setup_clients(cls):
+        super().setup_clients()
+        cls.quota_client = cls.os_roles_service_admin.secret_v1.QuotaClient()
+
     @decorators.idempotent_id('07dec492-7f19-4d94-a9d7-28c0643db1bc')
     def test_manage_project_quotas(self):
         # Confirm that there are no quotas