Gitiles
Code Review Sign In
spfactory.storpool.com / devstack / 24b65adc9cedff9c7a8ab412fb39613ef5d4a627^! / . / lib / tempest
commit24b65adc9cedff9c7a8ab412fb39613ef5d4a627[log] [tgz]
authorSlawek Kaplonski <skaplons@redhat.com>Tue Jun 22 15:31:46 2021 +0200
committerSlawek Kaplonski <skaplons@redhat.com>Mon Dec 20 14:42:35 2021 +0100
tree18c4e8c2cab1d91c00059986fac74e5ebeabe600
parent6c849e371384e468679d3d030fe494a36587c505 [diff] [blame]
Deploy Neutron with enforced new RBAC rules

This patch adds new config option NEUTRON_ENFORCE_NEW_DEFAULTS which
if set to True will deploy Neutron with enforce new rbac defaults and
scopes.
It will also use SYSTEM_ADMIN user to interact with Neutron where it is
needed.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/798821

Change-Id: I14d934f0deced34d74003b92824cad3c44ec4f5e

diff --git a/lib/tempest b/lib/tempest
index 8fd54c5..ab80217 100644
--- a/lib/tempest
+++ b/lib/tempest

@@ -90,6 +90,10 @@
 # it will run tempest with
 TEMPEST_CONCURRENCY=${TEMPEST_CONCURRENCY:-$(nproc)}
 
+NEUTRON_ADMIN_CLOUD_NAME="devstack-admin"
+if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+    NEUTRON_ADMIN_CLOUD_NAME="devstack-system-admin"
+fi
 
 # Functions
 # ---------
@@ -287,8 +291,8 @@
     if [[ "$NEUTRON_CREATE_INITIAL_NETWORKS" == "True" ]] && is_networking_extension_supported 'external-net'; then
         public_network_id=$(openstack --os-cloud devstack-admin network show -f value -c id $PUBLIC_NETWORK_NAME)
         # make sure shared network presence does not confuses the tempest tests
-        openstack --os-cloud devstack-admin network create --share shared
-        openstack --os-cloud devstack-admin subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet
+        openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" network create --share shared --project "$admin_project_id"
+        openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet --project "$admin_project_id"
     fi
 
     iniset $TEMPEST_CONFIG DEFAULT use_syslog $SYSLOG
@@ -443,6 +447,8 @@
     iniset $TEMPEST_CONFIG network-feature-enabled ipv6_subnet_attributes "$IPV6_SUBNET_ATTRIBUTES_ENABLED"
     iniset $TEMPEST_CONFIG network-feature-enabled port_security $NEUTRON_PORT_SECURITY
 
+    iniset $TEMPEST_CONFIG enforce_scope neutron "$NEUTRON_ENFORCE_SCOPE"
+
     # Scenario
     SCENARIO_IMAGE_DIR=${SCENARIO_IMAGE_DIR:-$FILES}
     SCENARIO_IMAGE_FILE=$DEFAULT_IMAGE_FILE_NAME