From 30d48ff88782347e5deb31369aa228f7345cfc6f Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 12 Dec 2018 19:41:36 +0000 Subject: [PATCH] Remove admin_domain_scope tempest setting Keystone is currently working through a bunch of changes to add proper system, domain, and project scope support for its API. This includes implementing ``admin``, ``member``, and ``reader`` roles for system, domain, and project assignments. More informaiton on those specific changes can be found here: https://review.openstack.org/#/q/(status:open+OR+status:closed)+project:openstack/keystone+branch:master+topic:implement-default-roles One thing that was uncovered in implementing that support for the project API was that setting tempest ``CONF.identity.admin_domain_scope = True`` meant domain admins of one domain would be able to list projects in other domains, highlighted in the following patch: https://review.openstack.org/#/c/624218/2 This commit doesn't set this option and assumes the proper domain-scoping behavior being built into keystone natively. Change-Id: I12a57cc43de0b17eababa19b7b94de5277689f82 Related-Bug: 1750660 --- lib/tempest | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/tempest b/lib/tempest index 7526d3bb4e..e3ad7fed6a 100644 --- a/lib/tempest +++ b/lib/tempest @@ -276,8 +276,6 @@ function configure_tempest { iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT - # Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation - iniset $TEMPEST_CONFIG identity admin_domain_scope True if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then iniset $TEMPEST_CONFIG auth admin_username $admin_username iniset $TEMPEST_CONFIG auth admin_password "$password"