Use only keystone roles in keystone RBAC tests

- don't use the load-balancer_* roles, they may not exist (and they don't
  do anything) in this configuration
- create a temporary user with a temporary non-member role

Change-Id: I9fc26307f64a2eccbbaf2d979e44fa668328565f

octavia_tempest_plugin/tests/test_base.py

@@ -25,7 +25,9 @@ from cryptography.hazmat.primitives import serialization
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import uuidutils
+from tempest import clients
 from tempest import config
+from tempest.lib import auth
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils.linux import remote_client
 from tempest.lib import exceptions
@@ -60,13 +62,12 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin,
     elif CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
         credentials = [
             'admin', 'primary',
-            ['lb_admin', CONF.load_balancer.admin_role, 'admin'],
-            ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
-            ['lb_global_observer', CONF.load_balancer.global_observer_role,
-             'reader'],
-            ['lb_member', CONF.load_balancer.member_role, 'member'],
-            ['lb_member2', CONF.load_balancer.member_role, 'member'],
-            ['lb_member_not_default_member', CONF.load_balancer.member_role]]
+            ['lb_admin', 'admin'],
+            ['lb_observer', 'reader'],
+            ['lb_global_observer', 'reader'],
+            ['lb_member', 'member'],
+            ['lb_member2', 'member']]
+        # Note: an additional non-member user is added in setup_credentials
     else:
         credentials = [
             'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
@@ -133,6 +134,38 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin,
                    'public_network_id must be defined.')
             raise cls.skipException(msg)
 
+    @classmethod
+    def _setup_new_user_role_client(cls, project_id, role_name):
+        user = {
+            'name': data_utils.rand_name('user'),
+            'password': data_utils.rand_password()
+        }
+        user_id = cls.os_admin.users_v3_client.create_user(
+            **user)['user']['id']
+        cls._created_users.append(user_id)
+        roles = cls.os_admin.roles_v3_client.list_roles(
+            name=role_name)['roles']
+        if len(roles) == 0:
+            role = {
+                'name': role_name
+            }
+            role_id = cls.os_admin.roles_v3_client.create_role(
+                **role)['role']['id']
+            cls._created_roles.append(role_id)
+        else:
+            role_id = roles[0]['id']
+        cls.os_admin.roles_v3_client.create_user_role_on_project(
+            project_id, user_id, role_id
+        )
+        creds = auth.KeystoneV3Credentials(
+            user_id=user_id,
+            password=user['password'],
+            project_id=project_id
+        )
+        auth_provider = clients.get_auth_provider(creds)
+        creds = auth_provider.fill_credentials()
+        return clients.Manager(credentials=creds)
+
     @classmethod
     def setup_credentials(cls):
         """Setup test credentials and network resources."""
@@ -140,12 +173,36 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin,
         cls.set_network_resources()
         super(LoadBalancerBaseTest, cls).setup_credentials()
 
+        cls._created_projects = []
+        cls._created_users = []
+        cls._created_roles = []
+
+        non_dyn_users = []
+
+        if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
+            # Create a non-member user for keystone_default_roles
+            # When using dynamic credentials, tempest cannot create a user
+            # without a role, it always adds at least the "member" role.
+            # We manually create the user with a temporary role
+            project_id = cls.os_admin.projects_client.create_project(
+                data_utils.rand_name()
+            )['project']['id']
+            cls._created_projects.append(project_id)
+            cls.os_not_member = cls._setup_new_user_role_client(
+                project_id,
+                data_utils.rand_name('role'))
+            cls.allocated_creds.append('os_not_member')
+            non_dyn_users.append('not_member')
+
+        # Tests shall not mess with the list of allocated credentials
+        cls.allocated_credentials = tuple(cls.allocated_creds)
+
         if not CONF.load_balancer.log_user_roles:
             return
 
         # Log the user roles for this test run
         role_name_cache = {}
-        for cred in cls.credentials:
+        for cred in cls.credentials + non_dyn_users:
             user_roles = []
             if isinstance(cred, list):
                 user_name = cred[0]
@@ -168,6 +225,16 @@ class LoadBalancerBaseTest(validators.ValidatorsMixin,
                 user_roles.append([role_name, role['scope']])
             LOG.info("User %s has roles: %s", user_name, user_roles)
 
+    @classmethod
+    def clear_credentials(cls):
+        for user_id in cls._created_users:
+            cls.os_admin.users_v3_client.delete_user(user_id)
+        for project_id in cls._created_projects:
+            cls.os_admin.projects_client.delete_project(project_id)
+        for role_id in cls._created_roles:
+            cls.os_admin.roles_v3_client.delete_role(role_id)
+        super().clear_credentials()
+
     @classmethod
     def setup_clients(cls):
         """Setup client aliases."""

releasenotes/notes/keystone-default-roles-changes-10733c184f0eebc3.yaml

@@ -0,0 +1,9 @@
+---
+other:
+  - |
+    When using the ``keystone_default_roles`` RBAC tests, the
+    ``load-balancer_*`` roles are no longer used by tempest, it relies only on
+    the keystone ``admin``, ``member``, ``reader`` roles. The
+    ``[load_balancer].member_role``, ``[load_balancer].admin_role``,
+    ``[load_balancer].observer_role`` and
+    ``[load_balancer].global_observer_role`` settings are ignored.