Add new tempest job enable the rbac scope checks and new defaults

We have many services (Nova, Neutron, Glance etc) implemented the
new RBAC (project scope and project personas). For these services,
all tests should pass as projects personas (project reader) does
not impact existing testing/usage.

keystone has system scope adopted in their policy for now which
we need to make it work for project scope also and until then
we will see test failing.

This commit adds a new tempest full job which enable the scope
and new defaults of RBAC for applicable services.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/865040

Change-Id: Ib8f2f0e25205edba332fb9bd2a73012016d45061
This commit is contained in:
Ghanshyam Mann 2022-11-21 19:14:05 -06:00
parent 982e5d2b95
commit 7ab45a9be8
2 changed files with 28 additions and 0 deletions

View File

@ -344,6 +344,30 @@
# ENABLE_FILE_INJECTION: true # ENABLE_FILE_INJECTION: true
DATABASE_TYPE: postgresql DATABASE_TYPE: postgresql
- job:
name: tempest-full-enforce-scope-new-defaults
parent: tempest-full-py3
description: |
This job runs the Tempest tests with scope and new defaults enabled.
# TODO: remove this once https://review.opendev.org/c/openstack/neutron-lib/+/864213
# fix is released in neutron-lib
required-projects:
- openstack/neutron-lib
- openstack/neutron
vars:
devstack_localrc:
# Enabeling the scope and new defaults for services.
# NOTE: (gmann) We need to keep keystone scope check disable as
# services (except ironic) does not support the system scope and
# they need keystone to continue working with project scope. Until
# Keystone policies are changed to work for both system as well as
# for project scoped, we need to keep scope check disable for
# keystone.
NOVA_ENFORCE_SCOPE: true
CINDER_ENFORCE_SCOPE: true
GLANCE_ENFORCE_SCOPE: true
NEUTRON_ENFORCE_SCOPE: true
- project-template: - project-template:
name: integrated-gate-networking name: integrated-gate-networking
description: | description: |

View File

@ -103,6 +103,8 @@
irrelevant-files: *tempest-irrelevant-files irrelevant-files: *tempest-irrelevant-files
- nova-live-migration: - nova-live-migration:
irrelevant-files: *tempest-irrelevant-files irrelevant-files: *tempest-irrelevant-files
- tempest-full-enforce-scope-new-defaults:
irrelevant-files: *tempest-irrelevant-files
- devstack-plugin-ceph-tempest-py3: - devstack-plugin-ceph-tempest-py3:
# TODO(kopecmartin): make it voting once the below bug is fixed # TODO(kopecmartin): make it voting once the below bug is fixed
# https://bugs.launchpad.net/devstack-plugin-ceph/+bug/1975648 # https://bugs.launchpad.net/devstack-plugin-ceph/+bug/1975648
@ -150,6 +152,8 @@
irrelevant-files: *tempest-irrelevant-files-3 irrelevant-files: *tempest-irrelevant-files-3
- tempest-multinode-full-py3: - tempest-multinode-full-py3:
irrelevant-files: *tempest-irrelevant-files irrelevant-files: *tempest-irrelevant-files
- tempest-full-enforce-scope-new-defaults:
irrelevant-files: *tempest-irrelevant-files
#- devstack-plugin-ceph-tempest-py3: #- devstack-plugin-ceph-tempest-py3:
# irrelevant-files: *tempest-irrelevant-files # irrelevant-files: *tempest-irrelevant-files
#- tempest-full-centos-9-stream: #- tempest-full-centos-9-stream: