From c6ec0bdc7998ea812010d73ecc0416c854791a10 Mon Sep 17 00:00:00 2001 From: Martin Kopec Date: Wed, 18 Jul 2018 08:25:04 +0000 Subject: [PATCH] Don't expose credentials Don't expose credentials to tempest.conf when --create-test-accounts is used. When generating tempest.conf with demo creds, use --create-accounts-file argument so that the argument is tested in the gates. The argument is used only on Devstack. Tempest concurrency of devstack demo job is reduced to 1 because the minimal accounts file is used. Change-Id: Id5c90810666d783cf3939086ef27149ef53277f8 Story: 2003016 Task: 23036 --- .zuul.yaml | 7 +++- config_tempest/accounts.py | 2 -- config_tempest/main.py | 34 +++++++++++-------- config_tempest/tests/test_accounts.py | 2 ++ .../python-tempestconf-tempest-devstack.yaml | 23 +------------ .../python-tempestconf-tempest-packstack.yaml | 2 -- roles/generate-tempestconf-file/README.rst | 7 ++++ .../defaults/main.yaml | 1 + .../tasks/generate-tempestconf.sh.j2 | 4 ++- 9 files changed, 39 insertions(+), 43 deletions(-)
diff --git a/.zuul.yaml b/.zuul.yaml
index 8cff308e..16dc67fd 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -42,7 +42,7 @@ zuul_copy_output: '{{ devstack_base_dir }}/tempest/tempest.log': 'logs' '{{ devstack_base_dir }}/tempest/etc/tempest.conf': 'logs' - '/etc/openstack/accounts.yaml': 'logs' + '{{ zuul.project.src_dir }}/etc/accounts.yaml': 'logs' irrelevant-files: - config_tempest/tests/.*$ - ^doc/.*$
@@ -65,6 +65,7 @@ - zuul: openstack/tempest - zuul: openstack-dev/devstack vars: + tempest_concurrency: 2 scenario: scenario000 zuul_copy_output: '/opt/stack/tempest/etc/tempest.conf': 'logs'
@@ -85,6 +86,7 @@ vars: user: admin cloud_user: devstack-admin + tempest_concurrency: 2 - job: name: python-tempestconf-tempest-devstack-demo
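Review bot: The changed `zuul_copy_output` entry in the first `.zuul.yaml` hunk (`@@ -42,7 +42,7 @@`) still collects `accounts.yaml` into the job logs, and with `--create-accounts-file` that file is built from the username and password that `create_accounts_file` reads out of the config. The commit keeps those credentials out of tempest.conf, but they would presumably remain readable in the published logs through this entry. If the file only ever holds disposable Devstack test credentials, state that next to the entry, e.g. `# accounts.yaml holds throwaway devstack test credentials only`; otherwise drop the entry from `zuul_copy_output`.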
@@ -97,6 +99,9 @@ cloud_user: devstack test_demo: True cloud_admin: devstack-admin + # concurrency is reduced in this job, because a minimal accounts + # file is used + tempest_concurrency: 1 - job: name: python-tempestconf-tempest-packstack-admin
diff --git a/config_tempest/accounts.py b/config_tempest/accounts.py
index 24e997cd..4a595a49 100644
--- a/config_tempest/accounts.py
+++ b/config_tempest/accounts.py
@@ -13,7 +13,6 @@ # License for the specific language governing permissions and limitations # under the License. -import os import yaml
@@ -28,7 +27,6 @@ def create_accounts_file(create, accounts_path, conf): conf.get(section, prefix + 'username'), conf.get(section, prefix + 'password'), conf.get(section, prefix + 'project_name')) - conf.set("auth", "test_accounts_file", os.path.abspath(accounts_path)) def write_accounts_file(path, username, password, project_name):
diff --git a/config_tempest/main.py b/config_tempest/main.py
index 8d1a32a3..0c159917 100755
--- a/config_tempest/main.py
+++ b/config_tempest/main.py
@@ -140,7 +140,7 @@ def read_deployer_input(deployer_input_file, conf): def set_options(conf, deployer_input, non_admin, image_path, overrides=[], - test_accounts=None, cloud_creds=None, + accounts_path=None, cloud_creds=None, no_default_deployer=False): """Set options in conf provided by different source.
@@ -159,8 +159,8 @@ def set_options(conf, deployer_input, non_admin, image_path, overrides=[], :type image_path: string :param overrides: list of tuples: [(section, key, value)] :type overrides: list - :param test_accounts: Path to the accounts.yaml file - :type test_accounts: string + :param accounts_path: A path where accounts.yaml is or will be created. + :type accounts_path: string :param cloud_creds: Cloud credentials from client's config :type cloud_creds: dict """
@@ -190,11 +190,11 @@ def set_options(conf, deployer_input, non_admin, image_path, overrides=[], if cloud_creds: set_cloud_config_values(non_admin, cloud_creds, conf) - if test_accounts: + if accounts_path: # new way for running using accounts file conf.set("auth", "use_dynamic_credentials", "False") conf.set("auth", "test_accounts_file", - os.path.abspath(test_accounts)) + os.path.abspath(accounts_path)) # set overrides - values specified in CLI for section, key, value in overrides:
@@ -274,6 +274,9 @@ def parse_arguments(): raise Exception("Options '--create' and '--non-admin' cannot be used" " together, since creating" " resources requires" " admin rights") + if args.test_accounts and args.create_accounts_file: + raise Exception("Options '--test-accounts' and " + "'--create-accounts-file' can't be used together.") args.overrides = parse_overrides(args.overrides) return args
@@ -388,12 +391,15 @@ def config_tempest(**kwargs): remove = parse_values_to_remove(kwargs.get('remove', [])) set_logging(kwargs.get('debug', False), kwargs.get('verbose', False)) - write_credentials = kwargs.get('test_accounts') is None - conf = TempestConf(write_credentials=write_credentials) + accounts_path = kwargs.get('test_accounts') + if kwargs.get('create_accounts_file') is not None: + accounts_path = kwargs.get('create_accounts_file') + conf = TempestConf(write_credentials=accounts_path is None) set_options(conf, kwargs.get('deployer_input'), kwargs.get('non_admin', False), kwargs.get('image_path', C.DEFAULT_IMAGE), - kwargs.get('overrides', []), kwargs.get('test_accounts'), + kwargs.get('overrides', []), + accounts_path, kwargs.get('cloud_creds')) credentials = Credentials(conf, not kwargs.get('non_admin', False))
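Review bot: `if accounts_path:` in the `set_options` hunk (`@@ -190,11 +190,11 @@`) tests truthiness, while `config_tempest` decides `write_credentials` with `accounts_path is None`. An empty-string path therefore keeps credentials out of tempest.conf without setting `auth.test_accounts_file` or turning off dynamic credentials, leaving a config with no usable credential source. Reject an empty path before this point, or use one test in both places. The comment `# new way for running using accounts file` could also say that the file may not exist yet when `--create-accounts-file` is used. `set_options` starts and ends outside this hunk.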
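Review bot: In the `config_tempest` hunk (`@@ -388,12 +391,15 @@`), a caller that passes both `test_accounts` and `create_accounts_file` as kwargs gets `accounts_path` taken from `create_accounts_file`, yet the creation step later in the function (hunk `@@ -421,13 +427,11 @@`) is skipped because `test_accounts` is not None. `set_options` then points `auth.test_accounts_file` at a file that nothing creates, and `write_credentials` is False as well. The mutual-exclusion check added to `parse_arguments` only covers the command line, so repeat it here before `accounts_path` is computed: `if kwargs.get('test_accounts') and kwargs.get('create_accounts_file'): raise Exception("'test_accounts' and 'create_accounts_file' can't be used together.")`. The body of `config_tempest` continues outside this hunk.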
@@ -421,13 +427,11 @@ def config_tempest(**kwargs): services.set_supported_api_versions() services.set_service_extensions() - if kwargs.get('test_accounts') is None: - accounts_path = kwargs.get('create_accounts_file') - if accounts_path is not None: - LOG.info("Creating an accounts.yaml file in: %s", accounts_path) - accounts.create_accounts_file(kwargs.get('create', False), - accounts_path, - conf) + if accounts_path is not None and kwargs.get('test_accounts') is None: + LOG.info("Creating an accounts.yaml file in: %s", accounts_path) + accounts.create_accounts_file(kwargs.get('create', False), + accounts_path, + conf) # remove all unwanted values if were specified if remove != {}:
diff --git a/config_tempest/tests/test_accounts.py b/config_tempest/tests/test_accounts.py
index b5acaeb9..f9a5e759 100644
--- a/config_tempest/tests/test_accounts.py
+++ b/config_tempest/tests/test_accounts.py
@@ -17,6 +17,7 @@ import mock import os from config_tempest import accounts +from config_tempest import main from config_tempest.tests.base import BaseConfigTempestTest
@@ -33,6 +34,7 @@ class TestAccounts(BaseConfigTempestTest): @mock.patch('config_tempest.accounts.write_accounts_file') def test_create_accounts_file(self, mock_write): path = "./etc/accounts.yaml" + main.set_options(self.conf, None, False, "", accounts_path=path) # credentials under auth section accounts.create_accounts_file(True, path, self.conf) mock_write.assert_called_with(path, "admin", "adminPass",
diff --git a/playbooks/python-tempestconf-tempest-devstack.yaml b/playbooks/python-tempestconf-tempest-devstack.yaml
index c8271acc..4ed6b72c 100644
--- a/playbooks/python-tempestconf-tempest-devstack.yaml
+++ b/playbooks/python-tempestconf-tempest-devstack.yaml
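Review bot: Nothing in the `config_tempest` hunk (`@@ -421,13 +427,11 @@`) limits who can read the accounts file it creates, which is now the only place the credentials are written to. `create_accounts_file` passes the password read from `conf` on to `write_accounts_file`, whose body is outside this diff, so confirm that it creates the file with owner-only permissions (mode 0600) rather than relying on the process umask. A one-line comment above the call, such as `# accounts.yaml holds plaintext credentials; write_accounts_file must restrict its mode`, would record that expectation. The surrounding function continues outside the hunk.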
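Review bot: The `main.set_options(...)` call added to `test_create_accounts_file` (hunk `@@ -33,6 +34,7 @@`) is not followed by any assertion on what it changed, so the behaviour this commit moves out of `create_accounts_file` and into `set_options` is exercised but not checked. After the call, add `self.assertEqual(self.conf.get("auth", "test_accounts_file"), os.path.abspath(path))` and `self.assertEqual(self.conf.get("auth", "use_dynamic_credentials"), "False")`, assuming `conf.get` returns the stored string. The test method continues outside the hunk.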
@@ -33,34 +33,13 @@ include_role: name: generate-tempestconf-file vars: + create_accounts_file: True source_credentials_commands: "export HOST_IP={{ ansible_default_ipv4.address }}; source {{ devstack_base_dir }}/devstack/openrc {{ user }} {{ user }}; {{ set_auth_url }}" aditional_tempestconf_params: "auth.tempest_roles Member" - name: Generate tempest configuration file based on cloud credentials include_role: name: generate-tempestconf-file-cloud - # Let's create tempest.conf with admin permissions needed for - # tempest accounts file generation - - name: Generate configuration file for Tempest as admin - include_role: - name: generate-tempestconf-file - vars: - aditional_tempestconf_params: "auth.tempest_roles Member object-storage.operator_role Member" - output_path: "/etc/openstack/tempest_admin.conf" - source_credentials_commands: "export HOST_IP={{ ansible_default_ipv4.address }}; source {{ devstack_base_dir }}/devstack/openrc admin admin; {{ set_auth_url }}" - test_demo_user: False - user: admin - when: test_demo is defined - - name: Generate accounts file for Tempest - include_role: - name: generate-accounts-file - vars: - accounts_file_destination: "/etc/openstack" - source_credentials_commands: "export HOST_IP={{ ansible_default_ipv4.address }}; source {{ devstack_base_dir }}/devstack/openrc admin admin; {{ set_auth_url }}" - tempest_config_file: "/etc/openstack/tempest_admin.conf" - when: test_demo is defined # run-tempest role is inherited from openstack/tempest project - name: Run Tempest Tests include_role: name: run-tempest - vars: - tempest_concurrency: 2
diff --git a/playbooks/python-tempestconf-tempest-packstack.yaml b/playbooks/python-tempestconf-tempest-packstack.yaml
index 8fbab7a9..3fb7c6ee 100644
--- a/playbooks/python-tempestconf-tempest-packstack.yaml
+++ b/playbooks/python-tempestconf-tempest-packstack.yaml
@@ -67,5 +67,3 @@ - name: Run Tempest Tests include_role: name: run-tempest - vars: - tempest_concurrency: 2
diff --git a/roles/generate-tempestconf-file/README.rst b/roles/generate-tempestconf-file/README.rst
index a78a1012..9761dec4 100644
--- a/roles/generate-tempestconf-file/README.rst
+++ b/roles/generate-tempestconf-file/README.rst
@@ -101,3 +101,10 @@ is then copied to tempest directory. test_accounts_file option in auth section of tempest.conf, when test_demo_user is set to True. +.. zuul:rolevar:: create_accounts_file + :type: Boolean + :default: False + + If True and demo user is used a minimal accounts.yaml file will be generated + and used during tempest testing. +
diff --git a/roles/generate-tempestconf-file/defaults/main.yaml b/roles/generate-tempestconf-file/defaults/main.yaml
index 0606f245..ba264ce7 100644
--- a/roles/generate-tempestconf-file/defaults/main.yaml
+++ b/roles/generate-tempestconf-file/defaults/main.yaml
@@ -5,3 +5,4 @@ url_cirros_image: "http://download.cirros-cloud.net/0.3.5/cirros-0.3.5-x86_64-di aditional_tempestconf_params: "" test_demo_user: False test_accounts_file: /etc/openstack/accounts.yaml +create_accounts_file: False
diff --git a/roles/generate-tempestconf-file/tasks/generate-tempestconf.sh.j2 b/roles/generate-tempestconf-file/tasks/generate-tempestconf.sh.j2
index ab456b98..4462f4a4 100644
--- a/roles/generate-tempestconf-file/tasks/generate-tempestconf.sh.j2
+++ b/roles/generate-tempestconf-file/tasks/generate-tempestconf.sh.j2
@@ -12,8 +12,10 @@ discover-tempest-config \ {% else %} --non-admin \ {% endif %} -{% if test_demo_user %} +{% if test_demo_user and not create_accounts_file %} --test-accounts {{ test_accounts_file }} \ +{% elif test_demo_user and create_accounts_file %} +--create-accounts-file ./etc/accounts.yaml \ {% endif %} identity.uri $OS_AUTH_URL \ auth.admin_password $OS_PASSWORD \
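Review bot: The new `--create-accounts-file ./etc/accounts.yaml \` branch in `generate-tempestconf.sh.j2` hard-codes a path relative to whatever directory the script runs in, while `.zuul.yaml` collects `{{ zuul.project.src_dir }}/etc/accounts.yaml`. The two agree only if the script's working directory is the project source dir, which this hunk does not show, so a credentials file could end up somewhere unexpected and uncollected. Take the path from a role variable used in both places, e.g. `--create-accounts-file {{ created_accounts_file }} \` (the variable name is only a suggestion), and document its default in the role README. The two `test_demo_user` conditions would also read more simply nested under a single `{% if test_demo_user %}`.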