tempest/releasenotes/notes/12/12.1.0-add-scope-to-auth-b5a82493ea89f41e.yaml

7 lines
343 B
YAML
Raw Normal View History

Introduce scope in the auth API Adding the ability to select the scope of the authentication. When using identity v3, this makes it possible to use either project scope or domain scope regardless of whether a project is included or not in the Credentials object. The interface to auth for most tests is the AuthProvider. The scope is defined in the constructor of the AuthProvider, and it can also be changed at a later time via 'set_scope'. In most cases a set of credentials will use the same scope. Test credentials will use project scope. Admin test credentials may use domain scope on identity API alls, or project scope on other APIs. Since clients are initialised with an auth provider by the client manager, we extend the client manager interface to include the scope. Tests and Tempest parts that require a domain scoped token will instanciate the relevant client manager with scope == 'domain', or set the scope to domain on the 'auth_provider'. The default scope in the v3 auth provider is 'projet;, which me must do for backward compatibility reasons (besides it's what most tests expects. We also filter the list of attributes based on scope, so that tests or service clients may request a different scope. The original behaviour of the token client is unchanged: all fields passed to it towards the API server. This maintains backward compatibility, and leaves full control for test that want to define what is sent in the token request. Closes-bug: #1475359 Change-Id: I6fad6dd48a4d306f69da27c6793de687bbf72add
2016-05-05 22:53:38 +01:00
---
features:
- Tempest library auth interface now supports scope. Scope allows to control
the scope of tokens requested via the identity API. Identity V2 supports
unscoped and project scoped tokens, but only the latter are implemented.
Identity V3 supports unscoped, project and domain scoped token, all three
are available.