RBAC Utils Module

RBAC Utils Module


Patrole manipulates the os_primary Tempest credentials, which are the primary set of Tempest credentials. It is necessary to use the same credentials across the entire test setup/test execution/test teardown workflow because otherwise 400-level errors will be thrown by OpenStack services.

This is because many services check the request context’s project scope – and in very rare cases, user scope. However, each set of Tempest credentials (via dynamic credentials) is allocated its own distinct project. For example, the os_admin and os_primary credentials each have a distinct project, meaning that it is not always possible for the os_primary credentials to access resources created by the os_admin credentials.

The only foolproof solution is to manipulate the role for the same set of credentials, rather than using distinct credentials for setup/teardown and test execution, respectively. This is especially true when considering custom policy rule definitions, which can be arbitrarily complex.


RBAC Utils Module

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.