Don't expose credentials

Don't expose credentials to tempest.conf when
--create-test-accounts is used.

When generating tempest.conf with demo creds, use
--create-accounts-file argument so that the argument
is tested in the gates.
The argument is used only on Devstack.

Tempest concurrency of devstack demo job is reduced to 1
because the minimal accounts file is used.

Change-Id: Id5c90810666d783cf3939086ef27149ef53277f8
Story: 2003016
Task: 23036

.zuul.yaml

@@ -42,7 +42,7 @@
       zuul_copy_output:
         '{{ devstack_base_dir }}/tempest/tempest.log': 'logs'
         '{{ devstack_base_dir }}/tempest/etc/tempest.conf': 'logs'
-        '/etc/openstack/accounts.yaml': 'logs'
+        '{{ zuul.project.src_dir }}/etc/accounts.yaml': 'logs'
     irrelevant-files:
       - config_tempest/tests/.*$
       - ^doc/.*$
@@ -65,6 +65,7 @@
       - zuul: openstack/tempest
       - zuul: openstack-dev/devstack
     vars:
+      tempest_concurrency: 2
       scenario: scenario000
       zuul_copy_output:
         '/opt/stack/tempest/etc/tempest.conf': 'logs'
@@ -85,6 +86,7 @@
     vars:
       user: admin
       cloud_user: devstack-admin
+      tempest_concurrency: 2
 
 - job:
     name: python-tempestconf-tempest-devstack-demo
@@ -97,6 +99,9 @@
       cloud_user: devstack
       test_demo: True
       cloud_admin: devstack-admin
+      # concurrency is reduced in this job, because a minimal accounts
+      # file is used
+      tempest_concurrency: 1
 
 - job:
     name: python-tempestconf-tempest-packstack-admin

config_tempest/accounts.py

@@ -13,7 +13,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import os
 import yaml
 
 
@@ -28,7 +27,6 @@ def create_accounts_file(create, accounts_path, conf):
                         conf.get(section, prefix + 'username'),
                         conf.get(section, prefix + 'password'),
                         conf.get(section, prefix + 'project_name'))
-    conf.set("auth", "test_accounts_file", os.path.abspath(accounts_path))
 
 
 def write_accounts_file(path, username, password, project_name):

config_tempest/main.py

@@ -140,7 +140,7 @@ def read_deployer_input(deployer_input_file, conf):
 
 
 def set_options(conf, deployer_input, non_admin, image_path, overrides=[],
-                test_accounts=None, cloud_creds=None,
+                accounts_path=None, cloud_creds=None,
                 no_default_deployer=False):
     """Set options in conf provided by different source.
 
@@ -159,8 +159,8 @@ def set_options(conf, deployer_input, non_admin, image_path, overrides=[],
     :type image_path: string
     :param overrides: list of tuples: [(section, key, value)]
     :type overrides: list
-    :param test_accounts: Path to the accounts.yaml file
+    :param accounts_path: A path where accounts.yaml is or will be created.
-    :type test_accounts: string
+    :type accounts_path: string
     :param cloud_creds: Cloud credentials from client's config
     :type cloud_creds: dict
     """
@@ -190,11 +190,11 @@ def set_options(conf, deployer_input, non_admin, image_path, overrides=[],
     if cloud_creds:
         set_cloud_config_values(non_admin, cloud_creds, conf)
 
-    if test_accounts:
+    if accounts_path:
         # new way for running using accounts file
         conf.set("auth", "use_dynamic_credentials", "False")
         conf.set("auth", "test_accounts_file",
-                 os.path.abspath(test_accounts))
+                 os.path.abspath(accounts_path))
 
     # set overrides - values specified in CLI
     for section, key, value in overrides:
@@ -274,6 +274,9 @@ def parse_arguments():
         raise Exception("Options '--create' and '--non-admin' cannot be used"
                         " together, since creating" " resources requires"
                         " admin rights")
+    if args.test_accounts and args.create_accounts_file:
+        raise Exception("Options '--test-accounts' and "
+                        "'--create-accounts-file' can't be used together.")
     args.overrides = parse_overrides(args.overrides)
     return args
 
@@ -388,12 +391,15 @@ def config_tempest(**kwargs):
     remove = parse_values_to_remove(kwargs.get('remove', []))
     set_logging(kwargs.get('debug', False), kwargs.get('verbose', False))
 
-    write_credentials = kwargs.get('test_accounts') is None
+    accounts_path = kwargs.get('test_accounts')
-    conf = TempestConf(write_credentials=write_credentials)
+    if kwargs.get('create_accounts_file') is not None:
+        accounts_path = kwargs.get('create_accounts_file')
+    conf = TempestConf(write_credentials=accounts_path is None)
     set_options(conf, kwargs.get('deployer_input'),
                 kwargs.get('non_admin', False),
                 kwargs.get('image_path', C.DEFAULT_IMAGE),
-                kwargs.get('overrides', []), kwargs.get('test_accounts'),
+                kwargs.get('overrides', []),
+                accounts_path,
                 kwargs.get('cloud_creds'))
 
     credentials = Credentials(conf, not kwargs.get('non_admin', False))
@@ -421,13 +427,11 @@ def config_tempest(**kwargs):
     services.set_supported_api_versions()
     services.set_service_extensions()
 
-    if kwargs.get('test_accounts') is None:
+    if accounts_path is not None and kwargs.get('test_accounts') is None:
-        accounts_path = kwargs.get('create_accounts_file')
+        LOG.info("Creating an accounts.yaml file in: %s", accounts_path)
-        if accounts_path is not None:
+        accounts.create_accounts_file(kwargs.get('create', False),
-            LOG.info("Creating an accounts.yaml file in: %s", accounts_path)
+                                      accounts_path,
-            accounts.create_accounts_file(kwargs.get('create', False),
+                                      conf)
-                                          accounts_path,
-                                          conf)
 
     # remove all unwanted values if were specified
     if remove != {}:

config_tempest/tests/test_accounts.py

@@ -17,6 +17,7 @@ import mock
 import os
 
 from config_tempest import accounts
+from config_tempest import main
 from config_tempest.tests.base import BaseConfigTempestTest
 
 
@@ -33,6 +34,7 @@ class TestAccounts(BaseConfigTempestTest):
     @mock.patch('config_tempest.accounts.write_accounts_file')
     def test_create_accounts_file(self, mock_write):
         path = "./etc/accounts.yaml"
+        main.set_options(self.conf, None, False, "", accounts_path=path)
         # credentials under auth section
         accounts.create_accounts_file(True, path, self.conf)
         mock_write.assert_called_with(path, "admin", "adminPass",

playbooks/python-tempestconf-tempest-devstack.yaml

@@ -33,34 +33,13 @@
       include_role:
         name: generate-tempestconf-file
       vars:
+        create_accounts_file: True
         source_credentials_commands: "export HOST_IP={{ ansible_default_ipv4.address }}; source {{ devstack_base_dir }}/devstack/openrc {{ user }} {{ user }}; {{ set_auth_url }}"
         aditional_tempestconf_params: "auth.tempest_roles Member"
     - name: Generate tempest configuration file based on cloud credentials
       include_role:
         name: generate-tempestconf-file-cloud
-    # Let's create tempest.conf with admin permissions needed for
-    # tempest accounts file generation
-    - name: Generate configuration file for Tempest as admin
-      include_role:
-        name: generate-tempestconf-file
-      vars:
-        aditional_tempestconf_params: "auth.tempest_roles Member object-storage.operator_role Member"
-        output_path: "/etc/openstack/tempest_admin.conf"
-        source_credentials_commands: "export HOST_IP={{ ansible_default_ipv4.address }}; source {{ devstack_base_dir }}/devstack/openrc admin admin; {{ set_auth_url }}"
-        test_demo_user: False
-        user: admin
-      when: test_demo is defined
-    - name: Generate accounts file for Tempest
-      include_role:
-        name: generate-accounts-file
-      vars:
-        accounts_file_destination: "/etc/openstack"
-        source_credentials_commands: "export HOST_IP={{ ansible_default_ipv4.address }}; source {{ devstack_base_dir }}/devstack/openrc admin admin; {{ set_auth_url }}"
-        tempest_config_file: "/etc/openstack/tempest_admin.conf"
-      when: test_demo is defined
     # run-tempest role is inherited from openstack/tempest project
     - name: Run Tempest Tests
       include_role:
         name: run-tempest
-      vars:
-        tempest_concurrency: 2

playbooks/python-tempestconf-tempest-packstack.yaml

@@ -67,5 +67,3 @@
     - name: Run Tempest Tests
       include_role:
         name: run-tempest
-      vars:
-        tempest_concurrency: 2

roles/generate-tempestconf-file/README.rst

@@ -101,3 +101,10 @@ is then copied to tempest directory.
    test_accounts_file option in auth section of tempest.conf, when
    test_demo_user is set to True.
 
+.. zuul:rolevar:: create_accounts_file
+   :type: Boolean
+   :default: False
+
+   If True and demo user is used a minimal accounts.yaml file will be generated
+   and used during tempest testing.
+

roles/generate-tempestconf-file/defaults/main.yaml

@@ -5,3 +5,4 @@ url_cirros_image: "http://download.cirros-cloud.net/0.3.5/cirros-0.3.5-x86_64-di
 aditional_tempestconf_params: ""
 test_demo_user: False
 test_accounts_file: /etc/openstack/accounts.yaml
+create_accounts_file: False

roles/generate-tempestconf-file/tasks/generate-tempestconf.sh.j2

@@ -12,8 +12,10 @@ discover-tempest-config \
 {% else %}
 --non-admin \
 {% endif %}
-{% if test_demo_user %}
+{% if test_demo_user and not create_accounts_file %}
 --test-accounts {{ test_accounts_file }} \
+{% elif test_demo_user and create_accounts_file %}
+--create-accounts-file ./etc/accounts.yaml \
 {% endif %}
 identity.uri $OS_AUTH_URL \
 auth.admin_password $OS_PASSWORD \