The patch https://review.opendev.org/#/c/673389/ introduced a regression
by changing the osc-lib interface.

Two conflicting attempts to fix the regression were launched:

1) Reverting the patch.

2) The patch https://review.opendev.org/683119 changes the exception
   from the generic CommandError back to a specific Forbidden exception.

   The patch https://review.opendev.org/683118 catches this exception
   and passes on, i.e. re-implements the same behavior as before.

The first idea was implemented, the initial patch reverted. The second
idea was partially implemented. The change in python-openstackclient
(683118) was merged. The change in osc-lib was approved but failed to
merge because the initial change had been reverted.

Now we have again a situation where the exception produced in osc-lib
does not match the exception expected by the caller.

It is unclear if the osc-lib interface will ever get a rebased version
of https://review.opendev.org/683119 merged, so the safest way to
address the issue is to also catch the exception that used to be
thrown before the inital change and is again thrown after the inital
change has been reverted.

Change-Id: I2ea2def607ec5be112e42d53a1e660fef0cdd69c
(cherry picked from commit 0a8753dc3eaeda25554ccd769350de1e9792a62b)

pip 20.3 finally includes a proper dependency resolver. Its use is
causing the following error messages on the lower-constraints job:

  ERROR: Cannot install ... because these package versions have
  conflicting dependencies.

  The conflict is caused by:
      bandit 1.1.0 depends on PyYAML>=3.1.0
      cliff 3.4.0 depends on PyYAML>=3.12
      openstacksdk 0.52.0 depends on PyYAML>=3.13

Bump our lower constraint for PyYAML to resolve this issue. With that
resolved, we see a new issue:

  ERROR: Could not find a version that satisfies the requirement
  cryptography>=2.7 (from openstacksdk)
  ERROR: No matching distribution found for cryptography>=2.7

This is less self-explanatory but looking at the lower-constraints for
openstacksdk 0.52.0 shows a dependency on cryptography 2.7 [1], meaning
we need to bump this also.

Next up, flake8-import-order seems to cause the dependency resolver to
go nuts, eventually ending with the following error message in a Python
3.6 environment:

  Using cached enum34-1.1.2.zip (49 kB)
    ERROR: Command errored out with exit status 1:
     command: ...
         cwd: ...
    Complete output (9 lines):
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File ".../lib/python3.6/site-packages/setuptools/__init__.py", line 7, in <module>
        import setuptools.distutils_patch  # noqa: F401
      File ".../lib/python3.6/site-packages/setuptools/distutils_patch.py", line 9, in <module>
        import re
      File "/usr/lib64/python3.6/re.py", line 142, in <module>
        class RegexFlag(enum.IntFlag):
    AttributeError: module 'enum' has no attribute 'IntFlag'
    ----------------------------------------

A quick Google suggests this is because the enum34 package is not
complete [2]. We shouldn't even be using it since our base virtualenv
should at least use Python 3.6, but I guess some dependency doesn't
properly restrict the dependency to <= Python 3.4. This is moved from
'test-requirements.txt' to 'tox.ini' since we don't need to use our
constraints machinery for linters.

Finally, the versions of bandit and hacking that pip is bringing in both
requires in a newer version of babel, which in turn requires a new
version of pytz.

  Collecting hacking>=2.0.0
  ...
  ERROR: Cannot install oslo.i18n because these package versions have
  conflicting dependencies.
  The conflict is caused by:
      babel 2.9.0 depends on pytz>=2015.7
      babel 2.8.1 depends on pytz>=2015.7
      babel 2.8.0 depends on pytz>=2015.7
      babel 2.7.0 depends on pytz>=2015.7

Seeing as we shouldn't be tracking bandit in
lower-constraints, I'm not sure why we're want to bump these
dependencies for just that. As above, we move these dependencies out of
'test-requirements' and into 'tox.ini' since we can do that for linters.

Conflicts:
  lower-constraints.txt
  test-requirements.txt

NOTE(stephenfin): Conflicts are due to the absence of ddt and presence
of mock in lower-constraints.txt and test-requirements.txt,
respectively.

Modifications:
  lower-constraints.txt

NOTE(stephenfin): There's no need to bump cryptography here since we're
using an older version of openstacksdk.

[1] https://opendev.org/openstack/openstacksdk/src/tag/0.52.0/requirements.txt#L19
[2] https://github.com/iterative/dvc/issues/1995#issuecomment-491889669

Change-Id: I8ec738fbcabc8d8553db79a876e5592576cd18fa
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
(cherry picked from commit 20769cd7b27d51da84a324a17922427eba5c6eac)
(cherry picked from commit 83cd9b5b9c3b4c471b41190675f880599b78e44e)

Neither Tempest itself nor any of the service projects use OSC. As such,
there's no reason to run Tempest jobs here. It's simply a waste of
resources.

Change-Id: I74b0b196fe59e5e1462e3dadc659cf6680a53f80
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
(cherry picked from commit 671f73694a207b4b2b5a7cf377bc46dad7e79324)
(cherry picked from commit 75847d1e968977d504420a8990f724e4917c2f4f)

The policies parameter has been replaced with the
policy parameter since Nova API version 2.64[1]

This commit adds a check to make sure the correct parameter is used.

[1]https://docs.openstack.org/nova/latest/reference/api-microversion-history.html#id59

Change-Id: Ia37beb7790884d6d15bec45074f446e64af1a2aa
Story: #2008041
Task: #40703
(cherry picked from commit ed6d8d941104c60f447de852582eb9388b9d2e73)

The policies field has been replaced with the
policy field since Nova API version 2.64[1]

This commit adds a check to make sure the correct field is used.

[1]https://docs.openstack.org/nova/latest/reference/api-microversion-history.html#id59

Change-Id: I06d3211937d822c26070b7f8ad757c365dcbb1bb
Story: #2007822
Task: #40101
(cherry picked from commit 51a1ea65f4d095b073381200e5268f909bf360de)

Keystone let's users remove role assignments that reference non-existent
users and groups. This is nice when keystone backs to an identity store
like LDAP and users or groups are removed.

Previously, openstackclient would validate the user and group existed in
keystone before sending the request to delete the role assignment. This
commit updates the code to bypass that validation so that users can use
IDs to forcibly cleanup role assignments.

Change-Id: I102b41677736bbe37a82abaa3c5b3e1faf2475d5
Story: 2006635
Task: 36848
(cherry picked from commit e24673267093de85beee753860cda1fb224ce4bc)