Skip failing tests affected by minimum password age

Some identity api tests are failing, when keystone parameter
minimum_password_age is set to value greater than 0. It causes inability
to update user's password more than once per test suite. As in this test
suite it is required total of four times, this patch suggests skipping
these tests to avoid complicated workaround.

This bug has been discussed in several patches [1][2].

Additionaly, config option for user_minimum_password_age is added into
tempest/config.py, to allow users to work with this keystone parameter.

[1] https://review.opendev.org/c/openstack/tempest/+/806671
[2] https://review.opendev.org/c/openstack/tempest/+/838726

Related-Bug: #1946459
Change-Id: I418e4001b0aa27f10a78f3490cc233293c30c274

releasenotes/notes/add-keystone-config-opt-minimum-password-age-426e9d225f743137.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Adding a new config option `[identity]/user_minimum_password_age`
+    which allows to specify the number of days that a password must
+    be used before the user can change it. For this option to take
+    effect, identity-feature-enabled.security_compliance must be set
+    to True.

tempest/api/identity/v3/test_users.py

@@ -88,6 +88,10 @@ class IdentityV3UsersTest(base.BaseIdentityV3Test):
                       'Skipped because environment has an '
                       'immutable user source and solely '
                       'provides read-only access to users.')
+    @testtools.skipIf(CONF.identity.user_minimum_password_age > 0,
+                      'Skipped because password cannot '
+                      'be changed immediately, resulting '
+                      'in failed password update.')
     def test_user_update_own_password(self):
         """Test updating user's own password"""
         old_pass = self.creds.password
@@ -116,6 +120,10 @@ class IdentityV3UsersTest(base.BaseIdentityV3Test):
                       'Skipped because environment has an '
                       'immutable user source and solely '
                       'provides read-only access to users.')
+    @testtools.skipIf(CONF.identity.user_minimum_password_age > 0,
+                      'Skipped because password cannot '
+                      'be changed immediately, resulting '
+                      'in failed password update.')
     def test_password_history_check_self_service_api(self):
         """Test checking password changing history"""
         old_pass = self.creds.password

tempest/config.py

@@ -199,8 +199,15 @@ IdentityGroup = [
                     "default value is 0 meaning disabling this feature. "
                     "NOTE: This config option value must be same as "
                     "keystone.conf: security_compliance.unique_last_password_"
-                    "count otherwise test might fail"
-               ),
+                    "count otherwise test might fail"),
+    cfg.IntOpt('user_minimum_password_age',
+               default=0,
+               help="The number of days that a password must be used before "
+                    "the user can change it. This only takes effect when "
+                    "identity-feature-enabled.security_compliance is set to "
+                    "'True'. For more details, refer to keystone config "
+                    "options "
+                    "keystone.conf:security_compliance.minimum_password_age.")
 ]
 
 service_clients_group = cfg.OptGroup(name='service-clients',