Remove admin_domain_scope tempest setting
Keystone is currently working through a bunch of changes to add proper
system, domain, and project scope support for its API. This includes
implementing ``admin``, ``member``, and ``reader`` roles for system,
domain, and project assignments. More informaiton on those specific
changes can be found here:
https://review.openstack.org/#/q/(status:open+OR+status:closed)+project:openstack/keystone+branch:master+topic:implement-default-roles
One thing that was uncovered in implementing that support for the
project API was that setting tempest
``CONF.identity.admin_domain_scope = True`` meant domain admins of one
domain would be able to list projects in other domains, highlighted in
the following patch:
https://review.openstack.org/#/c/624218/2
This commit doesn't set this option and assumes the proper
domain-scoping behavior being built into keystone natively.
Change-Id: I12a57cc43de0b17eababa19b7b94de5277689f82
Related-Bug: 1750660
diff --git a/lib/tempest b/lib/tempest
index 7526d3b..e3ad7fe 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -276,8 +276,6 @@
iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
- # Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation
- iniset $TEMPEST_CONFIG identity admin_domain_scope True
if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then
iniset $TEMPEST_CONFIG auth admin_username $admin_username
iniset $TEMPEST_CONFIG auth admin_password "$password"