Add CTST tests for storage usage reporting API

[delthas]

Summary

• Add end-to-end CTST tests for the new GET /instance/{uuid}/reporting/usage Pensieve route
• Tests cover: StorageManager happy path (200 + structure validation), unauthorized Keycloak user (403), multi-account presence, and metric accuracy (objectsTotal/bytesTotal strict equality)
• Extend managementAPIRequest with optional username/password params for testing different Keycloak users
• Extend prepareMetricsScenarios with objectSize/objectCount options for uploading non-empty test objects

Issue: ZENKO-5202

[bert-e]

Hello delthas,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

[delthas]

Depends on https://github.com/scality/pensieve-api/pull/351 and https://github.com/scality/vault2/pull/189

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

The following reviewers are expecting changes from the author, or must review again:

• @DarkIsDude

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

The following reviewers are expecting changes from the author, or must review again:

• @DarkIsDude

[francoisferrand]

• missing tests for "AccountOwner" persona (and multiple accounts): to verify he can see only his own account only
• missing tests for "StorageReporter" persona

[delthas]

• AccountOwner: The /reporting/usage endpoint doesn't support per-account permissions — authorization is all-or-nothing (403 fails fast before any account filtering). An AccountOwner test would behave identically to StorageManager (200 with all accounts) or get 403, neither of which tests account-scoped visibility. We'd need per-account filtering in pensieve-api first.
• StorageReporter: No StorageReporter Keycloak role exists in the test environment yet. On it

[delthas]

Actually, for StorageReporter this needs a new user, which is a bit cumbersome in the current version of Zenko. This will change in https://github.com/scality/cli-testing/pull/96 / #2341

I suggest keeping this aside for now, and adding the user + tests after that Zenko PR is merged. Will be easier. I tested it end to end on my end.

[francoisferrand]

we can work incrementally, but:

• we need these extra tests to complete the work; so if we don't do this yet, the topic (and EPIC) stays open for longer.... esp. since most of the work was done so that we could have non-admin users with this capability...
• what is the ETA for that PR/change ? If this is a couple of hours or maybe days, why not ; but if there is no ETA we should really consider an alternative, less optimal, approach (i.e what is the actual cost of this "cumbersome-ness") and/or put more focus on that prerequisite change
• in that case need to "split" the current ticket, so we have a followup (and put it in sprint)

[delthas]

The PR #2341 already has 2 approves, just a few remaining comments. Planned to be merged by early next week.

Ticket created at https://scality.atlassian.net/browse/ZENKO-5219 , assigned, added to sprint.

[DarkIsDude]

Can you check the CI ?

[francoisferrand]

what are really these "values" : the names of keycloak users? the keycloak role? the IAM role?

overal, I think this may actually be the name of the keycloak user, as defined in keycloak_config.json file ?

• we should probably rename these to make it clear what this is this → storage_manager_identity, etc...
• the is a fundamental inconsistency here, as we have hard-coded references here while we pass a KeycloakUsername in the Zenko World... To make/keep the tests portable, we will need to either handle some mapping in the world, or just create "our own" identities in the test (and just require a keycloak user to do this setup). Not sure how far we can go in this PR (certainly not the whole cleanup), but worth reviewing and checking we don't introduce more implicit coupling than there already is...

[delthas]

Addressed: the Examples values are now World parameter keys (StorageManagerUsername, DataConsumerUsername) rather than raw Keycloak usernames, and the column is labeled persona. The step resolves them via this.parameters[persona] with a fallback for local dev.

[delthas]

Reverted to raw Keycloak usernames (storage_manager, data_consumer). Here's why using World parameters doesn't work:

Two separate user populations exist in Keycloak:

1. Base users (storage_manager, data_consumer, storage_account_owner) — created by importing keycloak_config.json during cluster setup. These have the instanceIds attribute (set inline in the JSON), which the management API (pensieve) requires for token validation.

2. CTST users (ctst_storage_manager, ctst_data_consumer, etc.) — created by seedKeycloak.sh during test setup. These do not have instanceIds set. They're used for ARWWI (AssumeRoleWithWebIdentity) flows in S3/IAM tests, where instanceIds isn't needed.

World parameters point to the wrong population:

• StorageManagerUsername → ctst_storage_manager (no instanceIds → 401 from management API)
• DataConsumerUsername → ctst_data_consumer (same issue)
• KeycloakUsername → storage_manager (works, but only exists for one user)

There's no World parameter for the base data_consumer username.

The base usernames have no env var source either:

• storage_manager is hardcoded in keycloak_config.json line 81. OIDC_USERNAME in end2end.yaml is a separate duplicate of the same value — it's used for keycloak_user.json (admin user template) and the -norights user, not for keycloak_config.json.
• data_consumer and storage_account_owner are hardcoded in keycloak_config.json with no env var at all.

So there's already duplication between end2end.yaml (OIDC_USERNAME: 'storage_manager') and keycloak_config.json ("username": "storage_manager"). Adding World parameters would just be a third copy of the same hardcoded strings with no actual decoupling.

Properly fixing this would mean either: (a) templating all usernames in keycloak_config.json through env vars, or (b) setting instanceIds on the ctst_ users too. Both are out of scope for this PR.

[delthas]

I think for users we need a proper refactoring, the env vars + json config + ctst thing + cli testing is a bit all over the place. Maybe in a separate PR later?