Description of problem: Deploying OSP-15 with barbican and executing barbican tempest API test fail with error No "key-manager:service-admin" role found' Details: There is an upstream bug and patch which is not cloned downstream. https://bugs.launchpad.net/kolla-ansible/+bug/1657742 Version-Release number of selected component (if applicable): RHOS_TRUNK-15.0-RHEL-8-20190627.n.0 How reproducible: Deploy OSP-15 with Barbican. Use the following TripleO Heat Templates and parameters. --- tripleo_heat_templates: - /usr/share/openstack-tripleo-heat-templates/environments/services/barbican.yaml - /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml custom_templates: parameter_defaults: BarbicanSimpleCryptoGlobalDefault: true SwiftEncryptionEnabled: true ComputeExtraConfig: nova::glance::verify_glance_signatures: true Steps to Reproduce: 1. Install tempest packages and configure the tempest.conf as shown below discover-tempest-config --out etc/tempest.conf \ --deployer-input ~/tempest-deployer-input.conf \ --debug --create \ identity.uri $OS_AUTH_URL \ auth.admin_password $OS_PASSWORD \ auth.admin_username $OS_USERNAME \ auth.use_dynamic_credentials true \ compute-feature-enabled.attach_encrypted_volume true \ glance.verify_glance_signatures True \ ephemeral_storage_encryption.enabled True \ auth.tempest_roles creator \ compute-feature-enabled.attach_encrypted_volume True \ auth.use_dynamic_credentials True Make sure you have: auth.tempest_roles creator set in tempest.conf 2. Execute barbican tempest tests with following regex tempest run --regex ^barbican_tempest_plugin.tests.api Actual results: Captured traceback: ~~~~~~~~~~~~~~~~~~~ b'Traceback (most recent call last):' b' File "/usr/lib/python3.6/site-packages/tempest/test.py", line 173, in setUpClass' b' six.reraise(etype, value, trace)' b' File "/usr/lib/python3.6/site-packages/six.py", line 675, in reraise' b' raise value' b' File "/usr/lib/python3.6/site-packages/tempest/test.py", line 158, in setUpClass' b' cls.setup_credentials()' b' File "/usr/lib/python3.6/site-packages/tempest/test.py", line 407, in setup_credentials' b' force_new=True)' b' File "/usr/lib/python3.6/site-packages/tempest/test.py", line 678, in get_client_manager' b' creds = cred_provider.get_creds_by_roles(**params)' b' File "/usr/lib/python3.6/site-packages/tempest/lib/common/dynamic_creds.py", line 373, in get_creds_by_roles' b' return self.get_credentials(roles)' b' File "/usr/lib/python3.6/site-packages/tempest/lib/common/dynamic_creds.py", line 338, in get_credentials' b' credentials = self._create_creds(roles=credential_type)' b' File "/usr/lib/python3.6/site-packages/tempest/lib/common/dynamic_creds.py", line 203, in _create_creds' b' self.creds_client.assign_user_role(user, project, role)' b' File "/usr/lib/python3.6/site-packages/tempest/lib/common/cred_client.py", line 76, in assign_user_role' b' raise lib_exc.NotFound(msg)' b'tempest.lib.exceptions.NotFound: Object not found' b'Details: No "key-manager:service-admin" role found' b'' Expected results: All tests pass Additional info: https://github.com/openstack/barbican-tempest-plugin/tree/master/barbican_tempest_plugin/tests/api
Created attachment 1586385 [details] barbican_api_tests_logs Adding full barbican API test logs
Based on a discussion with DFG:DF, this looks to be the kolla-ansible related issue. So, we need to find the related tripleo code or is in the wrong layer and fix got into the wrong place. In other words, the current fix https://review.opendev.org/#/c/581419/ is part of openstack-ansible, and we don't ship that project and anyway, it's used only to setup the environment, we need to find a way to push this for Tripleo to make this part of the Director deployment.
Adding upstream review of cherry-pick from master. Targeting Z1 as this not make it in prior to GA per release schedules.
Upstream review has merged. Moving RHBZ to POST.
Found the fix made its way into one of the builds by automation. Updating FIV and moving RHBZ to MODIFIED.
Re-setting Target Milestone z1 to --- to begin the 15z1 Maintenance Release.
If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field. The documentation team will review, edit, and approve the text. If this bug does not require doc text, please set the 'requires_doc_text' flag to '-'.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0643