Keystone is currently working through a bunch of changes to add proper
system, domain, and project scope support for its API. This includes
implementing ``admin``, ``member``, and ``reader`` roles for system,
domain, and project assignments. More information on those specific
changes can be found here:

https://review.openstack.org/#/q/(status:open+OR+status:closed)+project:openstack/keystone+branch:master+topic:implement-default-roles

One thing that was uncovered in implementing that support for the
project API was that setting tempest
``CONF.identity.admin_domain_scope = True`` meant domain admins of one
domain would be able to list projects in other domains, highlighted in
the following patch:

https://review.openstack.org/#/c/624218/2

This commit doesn't set this option and assumes the proper
domain-scoping behavior being built into keystone natively.

Change-Id: I12a57cc43de0b17eababa19b7b94de5277689f82
Related-Bug: 1750660
| ... | ... |
@@ -276,8 +276,6 @@ function configure_tempest {
|
| 276 | 276 |
iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS |
| 277 | 277 |
iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION |
| 278 | 278 |
iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT |
| 279 |
- # Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation |
|
| 280 |
- iniset $TEMPEST_CONFIG identity admin_domain_scope True |
|
| 281 | 279 |
if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then |
| 282 | 280 |
iniset $TEMPEST_CONFIG auth admin_username $admin_username |
| 283 | 281 |
iniset $TEMPEST_CONFIG auth admin_password "$password" |
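Review bot: The removal at old lines 279-280 drops `iniset $TEMPEST_CONFIG identity admin_domain_scope True` unconditionally, so every caller of `configure_tempest` stops using domain-scoped admin tokens at once, including any job that runs against a keystone where the native domain-scoping behavior the commit message assumes is not yet in place. Consider keeping the setting behind a variable in the same style as the neighbouring `$KEYSTONE_LOCKOUT_DURATION` lines (a hypothetical `TEMPEST_ADMIN_DOMAIN_SCOPE`, defaulting to off), so such jobs can opt back in. Since the removed comment says the option was used for "admin v3 tests, v3 dynamic credentials of v3 account generation", it would also help to state in the commit message which of those paths were checked after the change, because a cross-domain project listing that previously succeeded should now be denied and that expectation is worth covering with a test.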