From 17209bb08304c91ae239e43bc1605de107a77780 Mon Sep 17 00:00:00 2001 From: "Andrea Frittoli (andreaf)" Date: Fri, 22 May 2015 10:16:57 -0700 Subject: [PATCH] Rename isolated creds to dynamic creds Renaming the isolated_creds module to dynamic_creds module, and rename the IsolatedCreds class to DynamicCredentialProvider in preparation to migration to tempest-lib. Partially implements bp tempest-library Change-Id: I78a4884e980ef7d0103639cb3792a54c69fb7761 --- HACKING.rst | 9 +- doc/source/configuration.rst | 54 +++---- .../admin/test_volume_quotas_negative.py | 2 +- tempest/cmd/verify_tempest_config.py | 4 +- tempest/common/accounts.py | 54 +++---- tempest/common/cred_provider.py | 2 +- tempest/common/credentials.py | 18 +-- .../{isolated_creds.py => dynamic_creds.py} | 40 ++--- tempest/config.py | 10 +- tempest/scenario/utils.py | 6 +- tempest/test.py | 14 +- tempest/tests/common/test_admin_available.py | 2 +- ...ant_isolation.py => test_dynamic_creds.py} | 143 +++++++++--------- 13 files changed, 181 insertions(+), 177 deletions(-) rename tempest/common/{isolated_creds.py => dynamic_creds.py} (92%) rename tempest/tests/{test_tenant_isolation.py => test_dynamic_creds.py} (83%) diff --git a/HACKING.rst b/HACKING.rst index e15e213d3d..379904685d 100644 --- a/HACKING.rst +++ b/HACKING.rst @@ -136,7 +136,7 @@ by test classes. Set-up stages are: Tear-down is also split in a series of steps (teardown stages), which are stacked for execution only if the corresponding setup stage had been reached during the setup phase. Tear-down stages are: -- `clear_isolated_creds` (defined in the base test class) +- `clear_credentials` (defined in the base test class) - `resource_cleanup` Skipping Tests @@ -206,9 +206,10 @@ Parallel Test Execution ----------------------- Tempest by default runs its tests in parallel this creates the possibility for interesting interactions between tests which can cause unexpected failures. -Tenant isolation provides protection from most of the potential race conditions -between tests outside the same class. But there are still a few of things to -watch out for to try to avoid issues when running your tests in parallel. +Dynamic credentials provides protection from most of the potential race +conditions between tests outside the same class. But there are still a few of +things to watch out for to try to avoid issues when running your tests in +parallel. - Resources outside of a tenant scope still have the potential to conflict. This is a larger concern for the admin tests since most resources and actions that diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index dd2f56b70b..f228040c64 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -63,39 +63,41 @@ Credential Provider Mechanisms ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Tempest currently also has 3 different internal methods for providing -authentication to tests. Tenant isolation, locking test accounts, and +authentication to tests. Dynamic credentials, locking test accounts, and non-locking test accounts. Depending on which one is in use the configuration of tempest is slightly different. -Tenant Isolation -"""""""""""""""" -Tenant isolation was originally create to enable running tempest in parallel. +Dynamic Credentials +""""""""""""""""""" +Dynamic Credentials (formerly known as Tenant isolation) was originally created +to enable running tempest in parallel. For each test class it creates a unique set of user credentials to use for the tests in the class. It can create up to 3 sets of username, password, and tenant/project names for a primary user, an admin user, and an alternate user. -To enable and use tenant isolation you only need to configure 2 things: +To enable and use dynamic credentials you only need to configure 2 things: #. A set of admin credentials with permissions to create users and tenants/projects. This is specified in the auth section with the - admin_username, admin_tenant_name, admin_domain_name, and admin_password + admin_username, admin_tenant_name, admin_domain_name and admin_password options - #. To enable tenant_isolation in the auth section with the - allow_tenant_isolation option. + #. To enable dynamic_creds in the auth section with the + use_dynamic_credentials option. This is also the currently the default credential provider enabled by tempest, due to it's common use and ease of configuration. It is worth pointing out that depending on your cloud configuration you might -need to assign a role to each of the users created Tempest's tenant isolation. +need to assign a role to each of the users created by Tempest's dynamic +credentials. This can be set using the *tempest_roles* option. It takes in a list of role -names each of which will be assigned to each of the users created by tenant -isolation. This option will not have any effect when set and tempest is not -configured to use tenant isolation. +names each of which will be assigned to each of the users created by dynamic +credentials. This option will not have any effect when set and tempest is not +configured to use dynamic credentials. Locking Test Accounts (aka accounts.yaml or accounts file) """""""""""""""""""""""""""""""""""""""""""""""""""""""""" -For a long time using tenant isolation was the only method available if you +For a long time using dynamic credentials was the only method available if you wanted to enable parallel execution of tempest tests. However this was insufficient for certain use cases because of the admin credentials requirement to create the credential sets on demand. To get around that the accounts.yaml @@ -103,7 +105,7 @@ file was introduced and with that a new internal credential provider to enable using the list of credentials instead of creating them on demand. With locking test accounts each test class will reserve a set of credentials from the accounts.yaml before executing any of its tests so that each class is isolated -like in tenant isolation. +like with dynamic credentials. To enable and use locking test accounts you need do a few things: @@ -117,7 +119,7 @@ To enable and use locking test accounts you need do a few things: #. Provide tempest with the location of your accounts.yaml file with the test_accounts_file option in the auth section - #. Set allow_tenant_isolation = False in the auth group + #. Set use_dynamic_credentials = False in the auth group It is worth pointing out that each set of credentials in the accounts.yaml should have a unique tenant. This is required to provide proper isolation @@ -149,7 +151,7 @@ options in the identity section: And in the auth section: - #. allow_tenant_isolation = False + #. use_dynamic_credentials = False #. comment out 'test_accounts_file' or keep it as empty It only makes sense to use it if parallel execution isn't needed, since tempest @@ -295,28 +297,28 @@ fixed network name is provided it will serve as a fallback in case of a misconfiguration or a missing network in the accounts file. -With Tenant Isolation -""""""""""""""""""""" -With tenant isolation enabled and using nova-network then nothing changes. Your -only option for configuration is to either set a fixed network name or not. +With Dynamic Credentials +"""""""""""""""""""""""" +With dynamic credentials enabled and using nova-network then nothing changes. +Your only option for configuration is to either set a fixed network name or not. However, in most cases it shouldn't matter because nova-network should have no problem booting a server with multiple networks. If this is not the case for your cloud then using an accounts file is recommended because it provides the -necessary flexibility to describe your configuration. Tenant isolation is not +necessary flexibility to describe your configuration. Dynamic credentials is not able to dynamically allocate things as necessary if neutron is not enabled. -With neutron and tenant isolation enabled there should not be any additional +With neutron and dynamic credentials enabled there should not be any additional configuration necessary to enable Tempest to create servers with working networking, assuming you have properly configured the network section to work for your cloud. Tempest will dynamically create the neutron resources necessary to enable using servers with that network. Also, just as with the accounts -file, if you specify a fixed network name while using neutron and tenant -isolation it will enable running tests which require a static network and it +file, if you specify a fixed network name while using neutron and dynamic +credentials it will enable running tests which require a static network and it will additionally be used as a fallback for server creation. However, unlike accounts.yaml this should never be triggered. -However, there is an option *create_isolated_networks* to disable tenant -isolation's automatic provisioning of network resources. If this option is +However, there is an option *create_isolated_networks* to disable dynamic +credentials's automatic provisioning of network resources. If this option is used you will have to either rely on there only being a single/default network available for the server creation, or use *fixed_network_name* to inform Tempest which network to use. diff --git a/tempest/api/volume/admin/test_volume_quotas_negative.py b/tempest/api/volume/admin/test_volume_quotas_negative.py index d1a6db0f49..2477ee78aa 100644 --- a/tempest/api/volume/admin/test_volume_quotas_negative.py +++ b/tempest/api/volume/admin/test_volume_quotas_negative.py @@ -35,7 +35,7 @@ class BaseVolumeQuotasNegativeV2TestJSON(base.BaseVolumeAdminTest): 'volumes': 1, 'snapshots': 1} # NOTE(gfidente): no need to restore original quota set - # after the tests as they only work with tenant isolation. + # after the tests as they only work with dynamic credentials. cls.quotas_client.update_quota_set( cls.demo_tenant_id, **cls.shared_quota_set) diff --git a/tempest/cmd/verify_tempest_config.py b/tempest/cmd/verify_tempest_config.py index 4fcdf8b305..2811070d9e 100755 --- a/tempest/cmd/verify_tempest_config.py +++ b/tempest/cmd/verify_tempest_config.py @@ -348,7 +348,7 @@ def main(): CONF_PARSER = moves.configparser.SafeConfigParser() CONF_PARSER.optionxform = str CONF_PARSER.readfp(conf_file) - icreds = credentials.get_isolated_credentials('verify_tempest_config') + icreds = credentials.get_credentials_provider('verify_tempest_config') try: os = clients.Manager(icreds.get_primary_creds()) services = check_service_availability(os, update) @@ -370,7 +370,7 @@ def main(): CONF_PARSER.write(outfile) outfile.close() finally: - icreds.clear_isolated_creds() + icreds.clear_creds() if __name__ == "__main__": diff --git a/tempest/common/accounts.py b/tempest/common/accounts.py index 5fab85b942..d843fea937 100644 --- a/tempest/common/accounts.py +++ b/tempest/common/accounts.py @@ -51,7 +51,7 @@ class Accounts(cred_provider.CredentialProvider): self.hash_dict = self.get_hash_dict(accounts) self.accounts_dir = os.path.join(lockutils.get_lock_path(CONF), 'test_accounts') - self.isolated_creds = {} + self._creds = {} @classmethod def _append_role(cls, role, account_hash, hash_dict): @@ -230,38 +230,38 @@ class Accounts(cred_provider.CredentialProvider): LOG.info("%s returned allocated creds:\n%s" % (self.name, clean_creds)) def get_primary_creds(self): - if self.isolated_creds.get('primary'): - return self.isolated_creds.get('primary') + if self._creds.get('primary'): + return self._creds.get('primary') net_creds = self._get_creds() - self.isolated_creds['primary'] = net_creds + self._creds['primary'] = net_creds return net_creds def get_alt_creds(self): - if self.isolated_creds.get('alt'): - return self.isolated_creds.get('alt') + if self._creds.get('alt'): + return self._creds.get('alt') net_creds = self._get_creds() - self.isolated_creds['alt'] = net_creds + self._creds['alt'] = net_creds return net_creds def get_creds_by_roles(self, roles, force_new=False): roles = list(set(roles)) - exist_creds = self.isolated_creds.get(six.text_type(roles).encode( + exist_creds = self._creds.get(six.text_type(roles).encode( 'utf-8'), None) # The force kwarg is used to allocate an additional set of creds with # the same role list. The index used for the previously allocation - # in the isolated_creds dict will be moved. + # in the preprov_creds dict will be moved. if exist_creds and not force_new: return exist_creds elif exist_creds and force_new: new_index = six.text_type(roles).encode('utf-8') + '-' + \ - six.text_type(len(self.isolated_creds)).encode('utf-8') - self.isolated_creds[new_index] = exist_creds + six.text_type(len(self._creds)).encode('utf-8') + self._creds[new_index] = exist_creds net_creds = self._get_creds(roles=roles) - self.isolated_creds[six.text_type(roles).encode('utf-8')] = net_creds + self._creds[six.text_type(roles).encode('utf-8')] = net_creds return net_creds - def clear_isolated_creds(self): - for creds in self.isolated_creds.values(): + def clear_creds(self): + for creds in self._creds.values(): self.remove_credentials(creds) def get_admin_creds(self): @@ -320,36 +320,36 @@ class NotLockingAccounts(Accounts): return self._unique_creds('tenant_id') def get_primary_creds(self): - if self.isolated_creds.get('primary'): - return self.isolated_creds.get('primary') + if self._creds.get('primary'): + return self._creds.get('primary') primary_credential = cred_provider.get_configured_credentials( credential_type='user', identity_version=self.identity_version) - self.isolated_creds['primary'] = cred_provider.TestResources( + self._creds['primary'] = cred_provider.TestResources( primary_credential) - return self.isolated_creds['primary'] + return self._creds['primary'] def get_alt_creds(self): - if self.isolated_creds.get('alt'): - return self.isolated_creds.get('alt') + if self._creds.get('alt'): + return self._creds.get('alt') alt_credential = cred_provider.get_configured_credentials( credential_type='alt_user', identity_version=self.identity_version) - self.isolated_creds['alt'] = cred_provider.TestResources( + self._creds['alt'] = cred_provider.TestResources( alt_credential) - return self.isolated_creds['alt'] + return self._creds['alt'] - def clear_isolated_creds(self): - self.isolated_creds = {} + def clear_creds(self): + self._creds = {} def get_admin_creds(self): creds = cred_provider.get_configured_credentials( "identity_admin", fill_in=False) - self.isolated_creds['admin'] = cred_provider.TestResources(creds) - return self.isolated_creds['admin'] + self._creds['admin'] = cred_provider.TestResources(creds) + return self._creds['admin'] def get_creds_by_roles(self, roles, force_new=False): msg = "Credentials being specified through the config file can not be"\ " used with tests that specify using credentials by roles. "\ "Either exclude/skip the tests doing this or use either an "\ - "test_accounts_file or tenant isolation." + "test_accounts_file or dynamic credentials." raise exceptions.InvalidConfiguration(msg) diff --git a/tempest/common/cred_provider.py b/tempest/common/cred_provider.py index 5e80f509bd..1221fc7bc4 100644 --- a/tempest/common/cred_provider.py +++ b/tempest/common/cred_provider.py @@ -128,7 +128,7 @@ class CredentialProvider(object): return @abc.abstractmethod - def clear_isolated_creds(self): + def clear_creds(self): return @abc.abstractmethod diff --git a/tempest/common/credentials.py b/tempest/common/credentials.py index 71d905f824..691bd34768 100644 --- a/tempest/common/credentials.py +++ b/tempest/common/credentials.py @@ -15,7 +15,7 @@ import os from tempest.common import accounts from tempest.common import cred_provider -from tempest.common import isolated_creds +from tempest.common import dynamic_creds from tempest import config from tempest import exceptions @@ -25,15 +25,15 @@ CONF = config.CONF # Return the right implementation of CredentialProvider based on config # Dropping interface and password, as they are never used anyways # TODO(andreaf) Drop them from the CredentialsProvider interface completely -def get_isolated_credentials(name, network_resources=None, +def get_credentials_provider(name, network_resources=None, force_tenant_isolation=False, identity_version=None): # If a test requires a new account to work, it can have it via forcing - # tenant isolation. A new account will be produced only for that test. + # dynamic credentials. A new account will be produced only for that test. # In case admin credentials are not available for the account creation, # the test should be skipped else it would fail. - if CONF.auth.allow_tenant_isolation or force_tenant_isolation: - return isolated_creds.IsolatedCreds( + if CONF.auth.use_dynamic_credentials or force_tenant_isolation: + return dynamic_creds.DynamicCredentialProvider( name=name, network_resources=network_resources, identity_version=identity_version) @@ -53,8 +53,8 @@ def get_isolated_credentials(name, network_resources=None, # creds area vailable. def is_admin_available(): is_admin = True - # If tenant isolation is enabled admin will be available - if CONF.auth.allow_tenant_isolation: + # If dynamic credentials is enabled admin will be available + if CONF.auth.use_dynamic_credentials: return is_admin # Check whether test accounts file has the admin specified or not elif (CONF.auth.test_accounts_file and @@ -75,8 +75,8 @@ def is_admin_available(): # are available so we can do a single call from skip_checks if alt # creds area vailable. def is_alt_available(): - # If tenant isolation is enabled admin will be available - if CONF.auth.allow_tenant_isolation: + # If dynamic credentials is enabled admin will be available + if CONF.auth.use_dynamic_credentials: return True # Check whether test accounts file has the admin specified or not if (CONF.auth.test_accounts_file and diff --git a/tempest/common/isolated_creds.py b/tempest/common/dynamic_creds.py similarity index 92% rename from tempest/common/isolated_creds.py rename to tempest/common/dynamic_creds.py index 3850e0e66c..f0b66253d5 100644 --- a/tempest/common/isolated_creds.py +++ b/tempest/common/dynamic_creds.py @@ -28,21 +28,21 @@ CONF = config.CONF LOG = logging.getLogger(__name__) -class IsolatedCreds(cred_provider.CredentialProvider): +class DynamicCredentialProvider(cred_provider.CredentialProvider): def __init__(self, identity_version=None, name=None, network_resources=None): - super(IsolatedCreds, self).__init__(identity_version, name, - network_resources) + super(DynamicCredentialProvider, self).__init__( + identity_version, name, network_resources) self.network_resources = network_resources - self.isolated_creds = {} + self._creds = {} self.ports = [] self.default_admin_creds = cred_provider.get_configured_credentials( 'identity_admin', fill_in=True, identity_version=self.identity_version) (self.identity_admin_client, self.network_admin_client, self.networks_admin_client) = self._get_admin_clients() - # Domain where isolated credentials are provisioned (v3 only). + # Domain where dynamic credentials are provisioned (v3 only). # Use that of the admin account is None is configured. self.creds_domain_name = None if self.identity_version == 'v3': @@ -205,17 +205,17 @@ class IsolatedCreds(cred_provider.CredentialProvider): router_id, subnet_id) def get_credentials(self, credential_type): - if self.isolated_creds.get(str(credential_type)): - credentials = self.isolated_creds[str(credential_type)] + if self._creds.get(str(credential_type)): + credentials = self._creds[str(credential_type)] else: if credential_type in ['primary', 'alt', 'admin']: is_admin = (credential_type == 'admin') credentials = self._create_creds(admin=is_admin) else: credentials = self._create_creds(roles=credential_type) - self.isolated_creds[str(credential_type)] = credentials + self._creds[str(credential_type)] = credentials # Maintained until tests are ported - LOG.info("Acquired isolated creds:\n credentials: %s" + LOG.info("Acquired dynamic creds:\n credentials: %s" % credentials) if (CONF.service_available.neutron and not CONF.baremetal.driver_enabled and @@ -240,15 +240,15 @@ class IsolatedCreds(cred_provider.CredentialProvider): def get_creds_by_roles(self, roles, force_new=False): roles = list(set(roles)) # The roles list as a str will become the index as the dict key for - # the created credentials set in the isolated_creds dict. - exist_creds = self.isolated_creds.get(str(roles)) + # the created credentials set in the dynamic_creds dict. + exist_creds = self._creds.get(str(roles)) # If force_new flag is True 2 cred sets with the same roles are needed # handle this by creating a separate index for old one to store it # separately for cleanup if exist_creds and force_new: - new_index = str(roles) + '-' + str(len(self.isolated_creds)) - self.isolated_creds[new_index] = exist_creds - del self.isolated_creds[str(roles)] + new_index = str(roles) + '-' + str(len(self._creds)) + self._creds[new_index] = exist_creds + del self._creds[str(roles)] return self.get_credentials(roles) def _clear_isolated_router(self, router_id, router_name): @@ -289,8 +289,8 @@ class IsolatedCreds(cred_provider.CredentialProvider): def _clear_isolated_net_resources(self): net_client = self.network_admin_client - for cred in self.isolated_creds: - creds = self.isolated_creds.get(cred) + for cred in self._creds: + creds = self._creds.get(cred) if (not creds or not any([creds.router, creds.network, creds.subnet])): continue @@ -317,11 +317,11 @@ class IsolatedCreds(cred_provider.CredentialProvider): self._clear_isolated_network(creds.network['id'], creds.network['name']) - def clear_isolated_creds(self): - if not self.isolated_creds: + def clear_creds(self): + if not self._creds: return self._clear_isolated_net_resources() - for creds in six.itervalues(self.isolated_creds): + for creds in six.itervalues(self._creds): try: self.creds_client.delete_user(creds.user_id) except lib_exc.NotFound: @@ -334,7 +334,7 @@ class IsolatedCreds(cred_provider.CredentialProvider): except lib_exc.NotFound: LOG.warn("tenant with name: %s not found for delete" % creds.tenant_name) - self.isolated_creds = {} + self._creds = {} def is_multi_user(self): return True diff --git a/tempest/config.py b/tempest/config.py index b7aafeb4d8..dd16f94602 100644 --- a/tempest/config.py +++ b/tempest/config.py @@ -53,7 +53,7 @@ AuthGroup = [ "at least `2 * CONC` distinct accounts configured in " " the `test_accounts_file`, with CONC == the " "number of concurrent test processes."), - cfg.BoolOpt('allow_tenant_isolation', + cfg.BoolOpt('use_dynamic_credentials', default=True, help="Allows test cases to create/destroy tenants and " "users. This option requires that OpenStack Identity " @@ -61,6 +61,8 @@ AuthGroup = [ "test cases and parallel execution, can still be " "achieved configuring a list of test accounts", deprecated_opts=[cfg.DeprecatedOpt('allow_tenant_isolation', + group='auth'), + cfg.DeprecatedOpt('allow_tenant_isolation', group='compute'), cfg.DeprecatedOpt('allow_tenant_isolation', group='orchestration')]), @@ -76,9 +78,9 @@ AuthGroup = [ group='auth')]), cfg.BoolOpt('create_isolated_networks', default=True, - help="If allow_tenant_isolation is set to True and Neutron is " - "enabled Tempest will try to create a usable network, " - "subnet, and router when needed for each tenant it " + help="If use_dynamic_credentials is set to True and Neutron " + "is enabled Tempest will try to create a usable network, " + "subnet, and router when needed for each tenant it " "creates. However in some neutron configurations, like " "with VLAN provider networks, this doesn't work. So if " "set to False the isolated networks will not be created"), diff --git a/tempest/scenario/utils.py b/tempest/scenario/utils.py index 28410600f5..63847c33d2 100644 --- a/tempest/scenario/utils.py +++ b/tempest/scenario/utils.py @@ -104,11 +104,11 @@ class InputScenarioUtils(object): 'subnet': False, 'dhcp': False, } - self.isolated_creds = credentials.get_isolated_credentials( + self.cred_provider = credentials.get_credentials_provider( name='InputScenarioUtils', identity_version=CONF.identity.auth_version, network_resources=network_resources) - os = clients.Manager(self.isolated_creds.get_primary_creds()) + os = clients.Manager(self.cred_provider.get_primary_creds()) self.images_client = os.images_client self.flavors_client = os.flavors_client self.image_pattern = CONF.input_scenario.image_regex @@ -120,7 +120,7 @@ class InputScenarioUtils(object): return nname def clear_creds(self): - self.isolated_creds.clear_isolated_creds() + self.cred_provider.clear_creds() @property def scenario_images(self): diff --git a/tempest/test.py b/tempest/test.py index 142488c35e..490ee82b8a 100644 --- a/tempest/test.py +++ b/tempest/test.py @@ -224,7 +224,7 @@ class BaseTestCase(testtools.testcase.WithAttributes, Tear-down is also split in a series of steps (teardown stages), which are stacked for execution only if the corresponding setup stage had been reached during the setup phase. Tear-down stages are: - - clear_isolated_creds (defined in the base test class) + - clear_credentials (defined in the base test class) - resource_cleanup """ @@ -258,7 +258,7 @@ class BaseTestCase(testtools.testcase.WithAttributes, cls.skip_checks() try: # Allocation of all required credentials and client managers - cls.teardowns.append(('credentials', cls.clear_isolated_creds)) + cls.teardowns.append(('credentials', cls.clear_credentials)) cls.setup_credentials() # Shortcuts to clients cls.setup_clients() @@ -467,7 +467,7 @@ class BaseTestCase(testtools.testcase.WithAttributes, identity_version = getattr(cls, 'identity_version', None) identity_version = identity_version or CONF.identity.auth_version - cls._creds_provider = credentials.get_isolated_credentials( + cls._creds_provider = credentials.get_credentials_provider( name=cls.__name__, network_resources=cls.network_resources, force_tenant_isolation=force_tenant_isolation, identity_version=identity_version) @@ -515,12 +515,12 @@ class BaseTestCase(testtools.testcase.WithAttributes, return clients.Manager(credentials=creds, service=cls._service) @classmethod - def clear_isolated_creds(cls): + def clear_credentials(cls): """ - Clears isolated creds if set + Clears creds if set """ if hasattr(cls, '_creds_provider'): - cls._creds_provider.clear_isolated_creds() + cls._creds_provider.clear_creds() @classmethod def set_validation_resources(cls, keypair=None, floating_ip=None, @@ -589,7 +589,7 @@ class BaseTestCase(testtools.testcase.WithAttributes, :return: network dict including 'id' and 'name' """ - # Make sure isolated_creds exists and get a network client + # Make sure cred_provider exists and get a network client networks_client = cls.get_client_manager().compute_networks_client cred_provider = cls._get_credentials_provider() # In case of nova network, isolated tenants are not able to list the diff --git a/tempest/tests/common/test_admin_available.py b/tempest/tests/common/test_admin_available.py index 9f47cccd4e..cd02597415 100644 --- a/tempest/tests/common/test_admin_available.py +++ b/tempest/tests/common/test_admin_available.py @@ -30,7 +30,7 @@ class TestAdminAvailable(base.TestCase): def run_test(self, tenant_isolation, use_accounts_file, admin_creds): - cfg.CONF.set_default('allow_tenant_isolation', + cfg.CONF.set_default('use_dynamic_credentials', tenant_isolation, group='auth') if use_accounts_file: accounts = [{'username': 'u1', diff --git a/tempest/tests/test_tenant_isolation.py b/tempest/tests/test_dynamic_creds.py similarity index 83% rename from tempest/tests/test_tenant_isolation.py rename to tempest/tests/test_dynamic_creds.py index 5aba2c7001..5f57268458 100644 --- a/tempest/tests/test_tenant_isolation.py +++ b/tempest/tests/test_dynamic_creds.py @@ -17,7 +17,7 @@ from oslo_config import cfg from oslotest import mockpatch from tempest_lib.services.identity.v2 import token_client as json_token_client -from tempest.common import isolated_creds +from tempest.common import dynamic_creds from tempest.common import service_client from tempest import config from tempest import exceptions @@ -30,10 +30,10 @@ from tempest.tests import fake_http from tempest.tests import fake_identity -class TestTenantIsolation(base.TestCase): +class TestDynamicCredentialProvider(base.TestCase): def setUp(self): - super(TestTenantIsolation, self).setUp() + super(TestDynamicCredentialProvider, self).setUp() self.useFixture(fake_config.ConfigFixture()) self.stubs.Set(config, 'TempestConfigPrivate', fake_config.FakePrivate) self.fake_http = fake_http.fake_httplib2(return_type=200) @@ -44,10 +44,10 @@ class TestTenantIsolation(base.TestCase): self._mock_list_ec2_credentials('fake_user_id', 'fake_tenant_id') def test_tempest_client(self): - iso_creds = isolated_creds.IsolatedCreds(name='test class') - self.assertTrue(isinstance(iso_creds.identity_admin_client, + creds = dynamic_creds.DynamicCredentialProvider(name='test class') + self.assertTrue(isinstance(creds.identity_admin_client, json_iden_client.IdentityClient)) - self.assertTrue(isinstance(iso_creds.network_admin_client, + self.assertTrue(isinstance(creds.network_admin_client, json_network_client.NetworkClient)) def _mock_user_create(self, id, name): @@ -142,12 +142,12 @@ class TestTenantIsolation(base.TestCase): @mock.patch('tempest_lib.common.rest_client.RestClient') def test_primary_creds(self, MockRestClient): cfg.CONF.set_default('neutron', False, 'service_available') - iso_creds = isolated_creds.IsolatedCreds(name='test class') + creds = dynamic_creds.DynamicCredentialProvider(name='test class') self._mock_assign_user_role() self._mock_list_role() self._mock_tenant_create('1234', 'fake_prim_tenant') self._mock_user_create('1234', 'fake_prim_user') - primary_creds = iso_creds.get_primary_creds() + primary_creds = creds.get_primary_creds() self.assertEqual(primary_creds.username, 'fake_prim_user') self.assertEqual(primary_creds.tenant_name, 'fake_prim_tenant') # Verify IDs @@ -157,7 +157,7 @@ class TestTenantIsolation(base.TestCase): @mock.patch('tempest_lib.common.rest_client.RestClient') def test_admin_creds(self, MockRestClient): cfg.CONF.set_default('neutron', False, 'service_available') - iso_creds = isolated_creds.IsolatedCreds(name='test class') + creds = dynamic_creds.DynamicCredentialProvider(name='test class') self._mock_list_roles('1234', 'admin') self._mock_user_create('1234', 'fake_admin_user') self._mock_tenant_create('1234', 'fake_admin_tenant') @@ -168,7 +168,7 @@ class TestTenantIsolation(base.TestCase): self.addCleanup(user_mock.stop) with mock.patch.object(json_iden_client.IdentityClient, 'assign_user_role') as user_mock: - admin_creds = iso_creds.get_admin_creds() + admin_creds = creds.get_admin_creds() user_mock.assert_has_calls([ mock.call('1234', '1234', '1234')]) self.assertEqual(admin_creds.username, 'fake_admin_user') @@ -180,7 +180,7 @@ class TestTenantIsolation(base.TestCase): @mock.patch('tempest_lib.common.rest_client.RestClient') def test_role_creds(self, MockRestClient): cfg.CONF.set_default('neutron', False, 'service_available') - iso_creds = isolated_creds.IsolatedCreds('v2', 'test class') + creds = dynamic_creds.DynamicCredentialProvider('v2', 'test class') self._mock_list_2_roles() self._mock_user_create('1234', 'fake_role_user') self._mock_tenant_create('1234', 'fake_role_tenant') @@ -191,7 +191,8 @@ class TestTenantIsolation(base.TestCase): self.addCleanup(user_mock.stop) with mock.patch.object(json_iden_client.IdentityClient, 'assign_user_role') as user_mock: - role_creds = iso_creds.get_creds_by_roles(roles=['role1', 'role2']) + role_creds = creds.get_creds_by_roles( + roles=['role1', 'role2']) calls = user_mock.mock_calls # Assert that the role creation is called with the 2 specified roles self.assertEqual(len(calls), 2) @@ -208,26 +209,26 @@ class TestTenantIsolation(base.TestCase): @mock.patch('tempest_lib.common.rest_client.RestClient') def test_all_cred_cleanup(self, MockRestClient): cfg.CONF.set_default('neutron', False, 'service_available') - iso_creds = isolated_creds.IsolatedCreds(name='test class') + creds = dynamic_creds.DynamicCredentialProvider(name='test class') self._mock_assign_user_role() self._mock_list_role() self._mock_tenant_create('1234', 'fake_prim_tenant') self._mock_user_create('1234', 'fake_prim_user') - iso_creds.get_primary_creds() + creds.get_primary_creds() self._mock_tenant_create('12345', 'fake_alt_tenant') self._mock_user_create('12345', 'fake_alt_user') - iso_creds.get_alt_creds() + creds.get_alt_creds() self._mock_tenant_create('123456', 'fake_admin_tenant') self._mock_user_create('123456', 'fake_admin_user') self._mock_list_roles('123456', 'admin') - iso_creds.get_admin_creds() + creds.get_admin_creds() user_mock = self.patch( 'tempest.services.identity.v2.json.identity_client.' 'IdentityClient.delete_user') tenant_mock = self.patch( 'tempest.services.identity.v2.json.identity_client.' 'IdentityClient.delete_tenant') - iso_creds.clear_isolated_creds() + creds.clear_creds() # Verify user delete calls calls = user_mock.mock_calls self.assertEqual(len(calls), 3) @@ -248,12 +249,12 @@ class TestTenantIsolation(base.TestCase): @mock.patch('tempest_lib.common.rest_client.RestClient') def test_alt_creds(self, MockRestClient): cfg.CONF.set_default('neutron', False, 'service_available') - iso_creds = isolated_creds.IsolatedCreds(name='test class') + creds = dynamic_creds.DynamicCredentialProvider(name='test class') self._mock_assign_user_role() self._mock_list_role() self._mock_user_create('1234', 'fake_alt_user') self._mock_tenant_create('1234', 'fake_alt_tenant') - alt_creds = iso_creds.get_alt_creds() + alt_creds = creds.get_alt_creds() self.assertEqual(alt_creds.username, 'fake_alt_user') self.assertEqual(alt_creds.tenant_name, 'fake_alt_tenant') # Verify IDs @@ -263,22 +264,22 @@ class TestTenantIsolation(base.TestCase): @mock.patch('tempest_lib.common.rest_client.RestClient') def test_no_network_creation_with_config_set(self, MockRestClient): cfg.CONF.set_default('create_isolated_networks', False, group='auth') - iso_creds = isolated_creds.IsolatedCreds(name='test class') + creds = dynamic_creds.DynamicCredentialProvider(name='test class') self._mock_assign_user_role() self._mock_list_role() self._mock_user_create('1234', 'fake_prim_user') self._mock_tenant_create('1234', 'fake_prim_tenant') - net = mock.patch.object(iso_creds.networks_admin_client, + net = mock.patch.object(creds.networks_admin_client, 'delete_network') net_mock = net.start() - subnet = mock.patch.object(iso_creds.network_admin_client, + subnet = mock.patch.object(creds.network_admin_client, 'delete_subnet') subnet_mock = subnet.start() - router = mock.patch.object(iso_creds.network_admin_client, + router = mock.patch.object(creds.network_admin_client, 'delete_router') router_mock = router.start() - primary_creds = iso_creds.get_primary_creds() + primary_creds = creds.get_primary_creds() self.assertEqual(net_mock.mock_calls, []) self.assertEqual(subnet_mock.mock_calls, []) self.assertEqual(router_mock.mock_calls, []) @@ -291,18 +292,18 @@ class TestTenantIsolation(base.TestCase): @mock.patch('tempest_lib.common.rest_client.RestClient') def test_network_creation(self, MockRestClient): - iso_creds = isolated_creds.IsolatedCreds(name='test class') + creds = dynamic_creds.DynamicCredentialProvider(name='test class') self._mock_assign_user_role() self._mock_list_role() self._mock_user_create('1234', 'fake_prim_user') self._mock_tenant_create('1234', 'fake_prim_tenant') - self._mock_network_create(iso_creds, '1234', 'fake_net') - self._mock_subnet_create(iso_creds, '1234', 'fake_subnet') + self._mock_network_create(creds, '1234', 'fake_net') + self._mock_subnet_create(creds, '1234', 'fake_subnet') self._mock_router_create('1234', 'fake_router') router_interface_mock = self.patch( 'tempest.services.network.json.network_client.NetworkClient.' 'add_router_interface_with_subnet_id') - primary_creds = iso_creds.get_primary_creds() + primary_creds = creds.get_primary_creds() router_interface_mock.called_once_with('1234', '1234') network = primary_creds.network subnet = primary_creds.subnet @@ -322,73 +323,71 @@ class TestTenantIsolation(base.TestCase): "description": args['name'], "security_group_rules": [], "id": "sg-%s" % args['tenant_id']}]} - iso_creds = isolated_creds.IsolatedCreds(name='test class') + creds = dynamic_creds.DynamicCredentialProvider(name='test class') # Create primary tenant and network self._mock_assign_user_role() self._mock_list_role() self._mock_user_create('1234', 'fake_prim_user') self._mock_tenant_create('1234', 'fake_prim_tenant') - self._mock_network_create(iso_creds, '1234', 'fake_net') - self._mock_subnet_create(iso_creds, '1234', 'fake_subnet') + self._mock_network_create(creds, '1234', 'fake_net') + self._mock_subnet_create(creds, '1234', 'fake_subnet') self._mock_router_create('1234', 'fake_router') router_interface_mock = self.patch( 'tempest.services.network.json.network_client.NetworkClient.' 'add_router_interface_with_subnet_id') - iso_creds.get_primary_creds() + creds.get_primary_creds() router_interface_mock.called_once_with('1234', '1234') router_interface_mock.reset_mock() # Create alternate tenant and network self._mock_user_create('12345', 'fake_alt_user') self._mock_tenant_create('12345', 'fake_alt_tenant') - self._mock_network_create(iso_creds, '12345', 'fake_alt_net') - self._mock_subnet_create(iso_creds, '12345', - 'fake_alt_subnet') + self._mock_network_create(creds, '12345', 'fake_alt_net') + self._mock_subnet_create(creds, '12345', 'fake_alt_subnet') self._mock_router_create('12345', 'fake_alt_router') - iso_creds.get_alt_creds() + creds.get_alt_creds() router_interface_mock.called_once_with('12345', '12345') router_interface_mock.reset_mock() # Create admin tenant and networks self._mock_user_create('123456', 'fake_admin_user') self._mock_tenant_create('123456', 'fake_admin_tenant') - self._mock_network_create(iso_creds, '123456', - 'fake_admin_net') - self._mock_subnet_create(iso_creds, '123456', - 'fake_admin_subnet') + self._mock_network_create(creds, '123456', 'fake_admin_net') + self._mock_subnet_create(creds, '123456', 'fake_admin_subnet') self._mock_router_create('123456', 'fake_admin_router') self._mock_list_roles('123456', 'admin') - iso_creds.get_admin_creds() + creds.get_admin_creds() self.patch('tempest.services.identity.v2.json.identity_client.' 'IdentityClient.delete_user') self.patch('tempest.services.identity.v2.json.identity_client.' 'IdentityClient.delete_tenant') - net = mock.patch.object(iso_creds.networks_admin_client, + net = mock.patch.object(creds.networks_admin_client, 'delete_network') net_mock = net.start() - subnet = mock.patch.object(iso_creds.network_admin_client, + subnet = mock.patch.object(creds.network_admin_client, 'delete_subnet') subnet_mock = subnet.start() - router = mock.patch.object(iso_creds.network_admin_client, + router = mock.patch.object(creds.network_admin_client, 'delete_router') router_mock = router.start() remove_router_interface_mock = self.patch( 'tempest.services.network.json.network_client.NetworkClient.' 'remove_router_interface_with_subnet_id') return_values = ({'status': 200}, {'ports': []}) - port_list_mock = mock.patch.object(iso_creds.network_admin_client, + port_list_mock = mock.patch.object(creds.network_admin_client, 'list_ports', return_value=return_values) port_list_mock.start() - secgroup_list_mock = mock.patch.object(iso_creds.network_admin_client, - 'list_security_groups', - side_effect=side_effect) + secgroup_list_mock = mock.patch.object( + creds.network_admin_client, + 'list_security_groups', + side_effect=side_effect) secgroup_list_mock.start() return_values = (fake_http.fake_httplib({}, status=204), {}) remove_secgroup_mock = self.patch( 'tempest.services.network.json.network_client.' 'NetworkClient.delete', return_value=return_values) - iso_creds.clear_isolated_creds() + creds.clear_creds() # Verify default security group delete calls = remove_secgroup_mock.mock_calls self.assertEqual(len(calls), 3) @@ -432,18 +431,18 @@ class TestTenantIsolation(base.TestCase): @mock.patch('tempest_lib.common.rest_client.RestClient') def test_network_alt_creation(self, MockRestClient): - iso_creds = isolated_creds.IsolatedCreds(name='test class') + creds = dynamic_creds.DynamicCredentialProvider(name='test class') self._mock_assign_user_role() self._mock_list_role() self._mock_user_create('1234', 'fake_alt_user') self._mock_tenant_create('1234', 'fake_alt_tenant') - self._mock_network_create(iso_creds, '1234', 'fake_alt_net') - self._mock_subnet_create(iso_creds, '1234', 'fake_alt_subnet') + self._mock_network_create(creds, '1234', 'fake_alt_net') + self._mock_subnet_create(creds, '1234', 'fake_alt_subnet') self._mock_router_create('1234', 'fake_alt_router') router_interface_mock = self.patch( 'tempest.services.network.json.network_client.NetworkClient.' 'add_router_interface_with_subnet_id') - alt_creds = iso_creds.get_alt_creds() + alt_creds = creds.get_alt_creds() router_interface_mock.called_once_with('1234', '1234') network = alt_creds.network subnet = alt_creds.subnet @@ -457,18 +456,18 @@ class TestTenantIsolation(base.TestCase): @mock.patch('tempest_lib.common.rest_client.RestClient') def test_network_admin_creation(self, MockRestClient): - iso_creds = isolated_creds.IsolatedCreds(name='test class') + creds = dynamic_creds.DynamicCredentialProvider(name='test class') self._mock_assign_user_role() self._mock_user_create('1234', 'fake_admin_user') self._mock_tenant_create('1234', 'fake_admin_tenant') - self._mock_network_create(iso_creds, '1234', 'fake_admin_net') - self._mock_subnet_create(iso_creds, '1234', 'fake_admin_subnet') + self._mock_network_create(creds, '1234', 'fake_admin_net') + self._mock_subnet_create(creds, '1234', 'fake_admin_subnet') self._mock_router_create('1234', 'fake_admin_router') router_interface_mock = self.patch( 'tempest.services.network.json.network_client.NetworkClient.' 'add_router_interface_with_subnet_id') self._mock_list_roles('123456', 'admin') - admin_creds = iso_creds.get_admin_creds() + admin_creds = creds.get_admin_creds() router_interface_mock.called_once_with('1234', '1234') network = admin_creds.network subnet = admin_creds.subnet @@ -488,23 +487,23 @@ class TestTenantIsolation(base.TestCase): 'subnet': False, 'dhcp': False, } - iso_creds = isolated_creds.IsolatedCreds(name='test class', - network_resources=net_dict) + creds = dynamic_creds.DynamicCredentialProvider( + name='test class', network_resources=net_dict) self._mock_assign_user_role() self._mock_list_role() self._mock_user_create('1234', 'fake_prim_user') self._mock_tenant_create('1234', 'fake_prim_tenant') - net = mock.patch.object(iso_creds.networks_admin_client, + net = mock.patch.object(creds.networks_admin_client, 'delete_network') net_mock = net.start() - subnet = mock.patch.object(iso_creds.network_admin_client, + subnet = mock.patch.object(creds.network_admin_client, 'delete_subnet') subnet_mock = subnet.start() - router = mock.patch.object(iso_creds.network_admin_client, + router = mock.patch.object(creds.network_admin_client, 'delete_router') router_mock = router.start() - primary_creds = iso_creds.get_primary_creds() + primary_creds = creds.get_primary_creds() self.assertEqual(net_mock.mock_calls, []) self.assertEqual(subnet_mock.mock_calls, []) self.assertEqual(router_mock.mock_calls, []) @@ -523,14 +522,14 @@ class TestTenantIsolation(base.TestCase): 'subnet': False, 'dhcp': False, } - iso_creds = isolated_creds.IsolatedCreds(name='test class', - network_resources=net_dict) + creds = dynamic_creds.DynamicCredentialProvider( + name='test class', network_resources=net_dict) self._mock_assign_user_role() self._mock_list_role() self._mock_user_create('1234', 'fake_prim_user') self._mock_tenant_create('1234', 'fake_prim_tenant') self.assertRaises(exceptions.InvalidConfiguration, - iso_creds.get_primary_creds) + creds.get_primary_creds) @mock.patch('tempest_lib.common.rest_client.RestClient') def test_subnet_without_network(self, MockRestClient): @@ -540,14 +539,14 @@ class TestTenantIsolation(base.TestCase): 'subnet': True, 'dhcp': False, } - iso_creds = isolated_creds.IsolatedCreds(name='test class', - network_resources=net_dict) + creds = dynamic_creds.DynamicCredentialProvider( + name='test class', network_resources=net_dict) self._mock_assign_user_role() self._mock_list_role() self._mock_user_create('1234', 'fake_prim_user') self._mock_tenant_create('1234', 'fake_prim_tenant') self.assertRaises(exceptions.InvalidConfiguration, - iso_creds.get_primary_creds) + creds.get_primary_creds) @mock.patch('tempest_lib.common.rest_client.RestClient') def test_dhcp_without_subnet(self, MockRestClient): @@ -557,11 +556,11 @@ class TestTenantIsolation(base.TestCase): 'subnet': False, 'dhcp': True, } - iso_creds = isolated_creds.IsolatedCreds(name='test class', - network_resources=net_dict) + creds = dynamic_creds.DynamicCredentialProvider( + name='test class', network_resources=net_dict) self._mock_assign_user_role() self._mock_list_role() self._mock_user_create('1234', 'fake_prim_user') self._mock_tenant_create('1234', 'fake_prim_tenant') self.assertRaises(exceptions.InvalidConfiguration, - iso_creds.get_primary_creds) + creds.get_primary_creds)