RBAC Utils Module¶
Overview¶
Patrole manipulates the os_primary Tempest credentials, which are the
primary set of Tempest credentials. It is necessary to use the same credentials
across the entire test setup/test execution/test teardown workflow
because otherwise 400-level errors will be thrown by OpenStack services.
This is because many services check the request context’s project scope – and
in very rare cases, user scope. However, each set of Tempest credentials (via
dynamic credentials) is allocated its own distinct project. For example, the
os_admin and os_primary credentials each have a distinct project,
meaning that it is not always possible for the os_primary credentials to
access resources created by the os_admin credentials.
The only foolproof solution is to manipulate the role for the same set of credentials, rather than using distinct credentials for setup/teardown and test execution, respectively. This is especially true when considering custom policy rule definitions, which can be arbitrarily complex.
