Tests/iam/iaas-roles/README.md
10 additions & 4 deletions
@@ -9,10 +9,15 @@ The test suite strictly requires an OpenStack user that possesses the following
9
9
1. the "`member`" role in the project referenced as authentication target
10
10
2. access permissions to the "`list_roles`" in the Identity API
11
11
12
-
The second requirement (access to "`list_roles`") is usually not granted to users with the "`member`" role in default configurations and only works for user accounts also possessing the "`admin`" role.
13
-
So the test would require an user account possessing both the "`member`" and "`admin`" role.
12
+
The second requirement (access to "`list_roles`") is usually not granted to users with the "`member`" role in default configurations and only works for user accounts also possessing the "`manager`" role in the domain.
13
+
So the test would require an user account possessing both the "`member`" role in a project as well as the "`manager`" role in the domain.
14
14
15
-
One alternative way to address this without granting the "`admin`" role to the test account is to create a dedicated role in the cloud environment which only has access to the role list endpoint and assign it to the user account intended for testing (in addition to the "`member`" role).
15
+
Note that the "`manager`" role only works this way starting with OpenStack Keystone 2024.2.
16
+
If an older Keystone release is used, see the alternative instructions below.
17
+
18
+
#### Alternative using a dedicated role
19
+
20
+
One alternative way to address this is for older Keystone releases is to create a dedicated role in the cloud environment which only has access to the role list endpoint and assign it to the user account intended for testing (in addition to the "`member`" role).
16
21
17
22
To achieve this, first the role has to be created and assigned:
18
23
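Review bot: The new lines 12-13 require the "`manager`" role in the domain but never say how to assign it or which domain is meant, while the alternative section below lists its `openstack role add` commands. Please add the matching domain-scoped assignment (for example `openstack role add --user ... --domain ... manager`) and state that it refers to the domain of the test user, if that is the intent. Two wording fixes in the same hunk: new line 20 reads "to address this is for older Keystone releases is to create" and should drop the first "is", and new line 13 should read "a user account" rather than "an user account".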
@@ -22,7 +27,8 @@ openstack role add --user ... --project ... member
22
27
openstack role add --user ... --project ... scs-conformance-tester
23
28
```
24
29
25
-
Finally, the policy definition for the role list endpoint has to be extended to allow this role:
30
+
Finally, the Keystone API policy definition for the role list endpoint has to be extended to allow this role.
31
+
The following is an example entry for `/etc/keystone/policy.yaml` of the Keystone service:
26
32
27
33
```yaml
28
34
"identity:list_roles": "... or role:scs-conformance-tester"
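Review bot: The example entry on new line 34 keeps a literal `...` inside the rule string, and the new lead-in on line 31 calls it "an example entry for `/etc/keystone/policy.yaml`" without saying that `...` stands for the rule already in effect for `identity:list_roles`. A reader who copies the line as written gets a rule that no longer matches what the deployment had before. Please state on line 31 that `...` must be replaced by the deployment's current rule for this endpoint, so that only the `or role:scs-conformance-tester` part is new.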