From 9e9f526d656b0bc33173de21df2a6d7e3662b68b Mon Sep 17 00:00:00 2001 From: Michael Johnson Date: Wed, 18 Jan 2023 17:59:17 +0000 Subject: [PATCH] Add "member" role to non-admin test credentials Some services are enabling "new defaults" RBAC by default. This will require all non-admin users to have either the "member" or "reader" role. This patch updates the Octavia tempest plugin to include the "member" role in test credentials when the tempest plugin is configured for "RBAC_test_type" other than owner-or-admin. Change-Id: I8aadb98d438943b18a8d72ff54e216930cfd3ccc --- octavia_tempest_plugin/tests/test_base.py | 6 ++++-- ...-the-member-role-for-new-defaults-5fbc2e05768c04b9.yaml | 7 +++++++ 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/Make-sure-member-credentials-have-the-member-role-for-new-defaults-5fbc2e05768c04b9.yaml diff --git a/octavia_tempest_plugin/tests/test_base.py b/octavia_tempest_plugin/tests/test_base.py index f0477f48..70d51bac 100644 --- a/octavia_tempest_plugin/tests/test_base.py +++ b/octavia_tempest_plugin/tests/test_base.py @@ -71,8 +71,10 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin, ['lb_observer', CONF.load_balancer.observer_role, 'reader'], ['lb_global_observer', CONF.load_balancer.global_observer_role, 'reader'], - ['lb_member', CONF.load_balancer.member_role], - ['lb_member2', CONF.load_balancer.member_role]] + # Note: Some projects are now requiring the 'member' role by + # default (nova for example) so make sure our creds have this role + ['lb_member', CONF.load_balancer.member_role, 'member'], + ['lb_member2', CONF.load_balancer.member_role, 'member']] # If scope enforcement is enabled, add in the system scope credentials. # The project scope is already handled by the above credentials. diff --git a/releasenotes/notes/Make-sure-member-credentials-have-the-member-role-for-new-defaults-5fbc2e05768c04b9.yaml b/releasenotes/notes/Make-sure-member-credentials-have-the-member-role-for-new-defaults-5fbc2e05768c04b9.yaml new file mode 100644 index 00000000..89fc5a6a --- /dev/null +++ b/releasenotes/notes/Make-sure-member-credentials-have-the-member-role-for-new-defaults-5fbc2e05768c04b9.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Some services are now enabling the "new default roles" which means all + non-admin users must have the "member" or "reader" role. This fix updates + the test credentials to include these roles when not running in + admin-or-owner test mode.