Description of problem: ======================= As part a part of Octavia API RBAC enforcement[1], in order to interact with Octavia API a user/project must be assigned with one of the roles mentioned here[2]. As a result, in devstack we both create demo/demo and assign [3] it with a load-balancer_member role. In order to successfully run, tempest against Octavia python-tempestconf should assign the load-balancer_member role when it creates[4]. Otherwise (what currently happens), test_basic_ops fails to run [1] https://review.openstack.org/#/c/472872/ [2] https://github.com/openstack/octavia/blob/02c7a1d496e6c473876e11bfd12ed14394c0e41c/devstack/plugin.sh#L507-L511 [3] https://github.com/openstack/octavia/blob/02c7a1d496e6c473876e11bfd12ed14394c0e41c/devstack/plugin.sh#L512 [4] https://github.com/openstack/python-tempestconf/blob/6a10dbb153e39e62c0ca748c46aedd28ff47861e/config_tempest/main.py#L336 [5] https://github.com/openstack/octavia-tempest-plugin/blob/master/octavia_tempest_plugin/tests/v2/scenario/test_basic_ops.py
Hello, Arie added the same in Infrared in https://review.gerrithub.io/#/c/406734/ Thanks, Chandan Kumar
(In reply to Chandan Kumar from comment #1) > Hello, > > Arie added the same in Infrared in https://review.gerrithub.io/#/c/406734/ > > Thanks, > > Chandan Kumar We need the fix in python-tempestconf since Infrared is not a component that we ship as a part of OSP.
Moving to RHOS-14, As it linked with refactoring python-tempestconf
*** Bug 1562085 has been marked as a duplicate of this bug. ***
Instead of creating and assigning custom roles, I submitted a patch[1] that configures tempest.conf to work with Octavia with legacy RBAC. The above matches the way we configure Octavia, using policy.json[2] [1] https://review.openstack.org/#/c/571177/ [2] https://bugzilla.redhat.com/show_bug.cgi?id=1577635
The review has been merged to master.
python-tempestconf-2.0.0-0.20180821043805.d7db90e.el7ost package has been released and it contains a feature which discovers octavia service and sets its configuration. The following values are set under load_balancer section in tempest.conf: enable_security_groups member_role admin_role RBAC_test_type The package is available in the latest puddle (2018-09-05.1).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:0045