We are trying to add tempest coverage for Manila to our CI. For this we are using tempest version 29.2.0 with manila-tempest-plugin version 1.8.0.
Most of the manila test run into the following error:
```
manila_tempest_tests.tests.api.test_shares_actions.SharesActionsTest.test_shrink_share
--------------------------------------------------------------------------------------
Traceback (most recent call last):
File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/test.py", line 181, in setUpClass
raise value.with_traceback(trace)
File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/test.py", line 171, in setUpClass
cls.setup_clients()
File "/snap/fcbtest/x1/lib/python3.6/site-packages/manila_tempest_tests/tests/api/base.py", line 1277, in setup_clients
project=cls.admin_project, add_member_role=True)
File "/snap/fcbtest/x1/lib/python3.6/site-packages/manila_tempest_tests/tests/api/base.py", line 1305, in create_user_and_get_client
cls.os_admin.domains_client, project_domain_name)
File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/cred_client.py", line 274, in get_creds_client
roles_client, domains_client, project_domain_name)
File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/cred_client.py", line 150, in __init__
name=domain_name)['domains'][0]
File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/services/identity/v3/domains_client.py", line 58, in list_domains
resp, body = self.get(url)
File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/rest_client.py", line 314, in get
return self.request('GET', url, extra_headers, headers)
File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/rest_client.py", line 703, in request
self._error_checker(resp, resp_body)
File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/rest_client.py", line 804, in _error_checker
raise exceptions.Forbidden(resp_body, resp=resp)
tempest.lib.exceptions.Forbidden: Forbidden
Details: {'code': 403, 'message': 'You are not authorized to perform the requested action: identity:list_domains.', 'title': 'Forbidden'}
```
This is very similar to LP: #1943850, where the Octavia tempest test ran into authorization issues. That was fixed by downgrading the octavia-tempest-plugin to stein-last (which is not an ideal solution). Downgrading the manila-tempest-plugin does not fix the issue.
As a workaround, I can override the keystone policy, but this is not a good solution for a production cloud.
I suspect that the keystone policy needs to be adjusted, or that there are tempest settings that I am missing. My tempest config can be found attached to this bug.
Charm set: 21.10
Ubuntu: focal
OpenStack: Ussuri
Tempest: 29.2.0 with manila plugin