Description of problem: ======================= According to [1], we should add the following roles to keystone: role:load-balancer_observer role:load-balancer_global_observer role:load-balancer_member role:load-balancer_quota_admin role:load-balancer_admin Currently, the lack of 'role:load-balancer_member' fails the tempest scenario found here[2]. The outcome [1] https://docs.openstack.org/octavia/queens/configuration/policy.html [2] https://github.com/openstack/octavia-tempest-plugin/blob/master/octavia_tempest_plugin/tests/v2/scenario/test_basic_ops.py How reproducible: ================= 100% Steps to Reproduce: =================== 1. Run https://github.com/openstack/octavia-tempest-plugin/blob/master/octavia_tempest_plugin/tests/v2/scenario/test_basic_ops.py 2. 3. Actual results: =============== Forbidden (HTTP 403) Expected results: ================= As soon as a role assigment was made, the user should be able to interact with the Octavia API service. Additional info: ================ Just for referance, here's how it is being created in the devstack plugin. The outcome: both admin/admin and demo/demo work. alt_demo does not. https://github.com/openstack/octavia/blob/02c7a1d496e6c473876e11bfd12ed14394c0e41c/devstack/plugin.sh#L512
*** This bug has been marked as a duplicate of bug 1508904 ***