Bug 1560279

Summary: TripleO should configure Octavia related user roles in Keystone
Product: Red Hat OpenStack Reporter: Nir Magnezi <nmagnezi>
Component: openstack-tripleoAssignee: Brent Eagles <beagles>
Status: CLOSED DUPLICATE QA Contact: Arik Chernetsky <achernet>
Severity: high Docs Contact:
Priority: high    
Version: 13.0 (Queens)CC: amuller, aschultz, mburns, rhel-osp-director-maint
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-08 11:30:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nir Magnezi 2018-03-25 14:34:44 UTC 
Description of problem:
=======================
According to [1], we should add the following roles to keystone:

role:load-balancer_observer
role:load-balancer_global_observer
role:load-balancer_member
role:load-balancer_quota_admin
role:load-balancer_admin

Currently, the lack of 'role:load-balancer_member' fails the tempest scenario found here[2].
The outcome

[1] https://docs.openstack.org/octavia/queens/configuration/policy.html
[2] https://github.com/openstack/octavia-tempest-plugin/blob/master/octavia_tempest_plugin/tests/v2/scenario/test_basic_ops.py


How reproducible:
=================
100%

Steps to Reproduce:
===================
1. Run https://github.com/openstack/octavia-tempest-plugin/blob/master/octavia_tempest_plugin/tests/v2/scenario/test_basic_ops.py
2.
3.

Actual results:
===============
Forbidden (HTTP 403)

Expected results:
=================
As soon as a role assigment was made, the user should be able to interact with the Octavia API service.


Additional info:
================
Just for referance, here's how it is being created in the devstack plugin.
The outcome: both admin/admin and demo/demo work. alt_demo does not. 

https://github.com/openstack/octavia/blob/02c7a1d496e6c473876e11bfd12ed14394c0e41c/devstack/plugin.sh#L512
Comment 2 Nir Magnezi 2018-04-08 11:30:37 UTC 

*** This bug has been marked as a duplicate of bug 1508904 ***