a050129384
This patch updates the devstack plugin so that tempest.conf is not
configured to use system-admin. Currently tempest uses an all-in
approach to configuring admin clients, and forcing system scope in
tempest when SRBAC is turned on results in test failures for services
that don't understand system scope.
With this patch, keystone test will be run with a project-scoped admin,
which should be fine since policies have been previously updated to
accept project-admin tokens as legacy admin for Phase 1. [1]
[1] f2f1a5c388
Change-Id: I39d50b8e6e55b0835670d753c3783f32b19b6c47
25 lines
951 B
Bash
25 lines
951 B
Bash
# Copyright 2019 SUSE LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
function configure_enforce_scope {
|
|
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
|
|
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
|
|
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
|
|
sudo systemctl restart devstack@keystone
|
|
}
|
|
|
|
function configure_protection_tests {
|
|
iniset $TEMPEST_CONFIG identity-feature-enabled enforce_scope true
|
|
}
|