3e82af7f6c
Adding the ability to select the scope of the authentication. When using identity v3, this makes it possible to use either project scope or domain scope regardless of whether a project is included or not in the Credentials object. The interface to auth for most tests is the AuthProvider. The scope is defined in the constructor of the AuthProvider, and it can also be changed at a later time via 'set_scope'. In most cases a set of credentials will use the same scope. Test credentials will use project scope. Admin test credentials may use domain scope on identity API calls, or project scope on other APIs. Since clients are initialised with an auth provider by the client manager, we extend the client manager interface to include the scope. Tests and Tempest parts that require a domain scoped token will instantiate the relevant client manager with scope == 'domain', or set the scope to domain on the 'auth_provider'. The default scope in the v3 auth provider is 'project', which we must do for backward compatibility reasons (besides, it's what most tests expect). We also filter the list of attributes based on scope, so that tests or service clients may request a different scope. The original behaviour of the token client is unchanged: all fields passed to it are sent to the API server. This maintains backward compatibility, and leaves full control to tests that want to define what is sent in the token request. Closes-bug: #1475359 Change-Id: I6fad6dd48a4d306f69da27c6793de687bbf72add
# Copyright 2012 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from tempest.common import cred_provider
from tempest import config
from tempest import exceptions
from tempest.lib import auth
# Shared tempest configuration object; the identity and debug option groups
# read in this module (auth version, identity URIs, TLS and tracing settings)
# come from here.
CONF = config.CONF
class Manager(object):
    """Base class for client managers.

    A manager supplies a test case with the configuration object and the
    client object it needs to perform actions. Construction validates the
    credentials and builds the auth provider exposed as ``auth_provider``.
    """

    def __init__(self, credentials, scope='project'):
        """Validate the credentials and create an auth provider for them.

        The credentials used by the client classes this manager owns must
        always be supplied by the caller.

        :param credentials: type Credentials or TestResources
        :param scope: default scope for tokens produced by the auth
            provider; it is forwarded unchanged and not validated here
        :raises exceptions.InvalidCredentials: when
            ``credentials.is_valid()`` returns a false value
        """
        self.credentials = credentials
        # Reject unusable credentials before anything is derived from them.
        if not self.credentials.is_valid():
            raise exceptions.InvalidCredentials()
        self.auth_version = CONF.identity.auth_version
        # Tenant isolation hands over TestResources, which wraps the real
        # credentials; PreProvisionedCredentialProvider and some tests pass
        # a Credentials object directly.
        is_wrapped = isinstance(credentials, cred_provider.TestResources)
        creds = self.credentials.credentials if is_wrapped else self.credentials
        # pre_auth=True: get_auth_provider calls set_auth() on the provider
        # before it is returned, i.e. during construction of this manager.
        # NOTE(review): callers asking for a non-default scope (the commit
        # message mentions 'domain') get it for every client built on this
        # provider -- request it only where the test needs it.
        self.auth_provider = get_auth_provider(
            creds, pre_auth=True, scope=scope)
def get_auth_provider_class(credentials):
    """Select the Keystone auth provider class and identity URI to use.

    :param credentials: credentials object; its type decides the API version
    :returns: ``(auth.KeystoneV3AuthProvider, CONF.identity.uri_v3)`` when
        ``credentials`` is an ``auth.KeystoneV3Credentials`` instance,
        otherwise ``(auth.KeystoneV2AuthProvider, CONF.identity.uri)``
    """
    # Anything that is not a v3 credentials object -- including None --
    # falls through to the v2 provider and URI.
    is_v3 = isinstance(credentials, auth.KeystoneV3Credentials)
    if not is_v3:
        return auth.KeystoneV2AuthProvider, CONF.identity.uri
    return auth.KeystoneV3AuthProvider, CONF.identity.uri_v3
def get_auth_provider(credentials, pre_auth=False, scope='project'):
    """Build an auth provider for the given credentials.

    The provider class and identity URI are chosen by
    ``get_auth_provider_class``; TLS and tracing options are read from
    ``CONF`` and passed to the provider constructor together with ``scope``.

    :param credentials: credentials object to authenticate with
    :param pre_auth: when true, ``set_auth()`` is called on the provider
        before it is returned
    :param scope: forwarded as-is to the provider constructor
    :returns: the newly created auth provider
    :raises exceptions.InvalidCredentials: if ``credentials`` is None
    """
    # NOTE(review): going by its name, a true
    # disable_ssl_certificate_validation turns off certificate checks for
    # the identity endpoint, which would leave the credentials and tokens
    # sent there open to interception -- confirm, and keep it off outside
    # disposable test clouds.
    # NOTE(review): trace_requests presumably logs request details; verify
    # that tokens and passwords are redacted before enabling it where logs
    # are shared.
    provider_kwargs = dict(
        disable_ssl_certificate_validation=(
            CONF.identity.disable_ssl_certificate_validation),
        ca_certs=CONF.identity.ca_certificates_file,
        trace_requests=CONF.debug.trace_requests,
    )
    if credentials is None:
        raise exceptions.InvalidCredentials(
            'Credentials must be specified')
    provider_cls, identity_url = get_auth_provider_class(credentials)
    provider = provider_cls(
        credentials, identity_url, scope=scope, **provider_kwargs)
    if pre_auth:
        provider.set_auth()
    return provider