Remove admin_domain_scope tempest setting
Keystone is currently working through a bunch of changes to add proper system, domain, and project scope support for its API. This includes implementing ``admin``, ``member``, and ``reader`` roles for system, domain, and project assignments. More informaiton on those specific changes can be found here: https://review.openstack.org/#/q/(status:open+OR+status:closed)+project:openstack/keystone+branch:master+topic:implement-default-roles One thing that was uncovered in implementing that support for the project API was that setting tempest ``CONF.identity.admin_domain_scope = True`` meant domain admins of one domain would be able to list projects in other domains, highlighted in the following patch: https://review.openstack.org/#/c/624218/2 This commit doesn't set this option and assumes the proper domain-scoping behavior being built into keystone natively. Change-Id: I12a57cc43de0b17eababa19b7b94de5277689f82 Related-Bug: 1750660
This commit is contained in:
parent
72f632222f
commit
30d48ff887
|
@ -276,8 +276,6 @@ function configure_tempest {
|
|||
iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
|
||||
iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION
|
||||
iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
|
||||
# Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation
|
||||
iniset $TEMPEST_CONFIG identity admin_domain_scope True
|
||||
if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then
|
||||
iniset $TEMPEST_CONFIG auth admin_username $admin_username
|
||||
iniset $TEMPEST_CONFIG auth admin_password "$password"
|
||||
|
|
Loading…
Reference in New Issue