diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index bcb1e3e0a7..d610dc524e 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -27,21 +27,13 @@ can be used to: - Generate test credentials on the fly (see `Dynamic Credentials`_) Tempest allows for configuring pre-provisioned test credentials as well. -This can be done in two different ways. - -One is to provide credentials is using the accounts.yaml file (see +This can be done using the accounts.yaml file (see `Pre-Provisioned Credentials`_). This file is used to specify an arbitrary number of users available to run tests with. You can specify the location of the file in the ``auth`` section in the tempest.conf file. To see the specific format used in the file please refer to the accounts.yaml.sample file included in Tempest. -A second way - now deprecated - is a set of configuration options in the -tempest.conf file (see `Legacy Credentials`_). These options are clearly -labelled in the ``identity`` section and let you specify a set of credentials -for a regular user and an alternate user, consisting of a username, password, -project and domain name. - Keystone Connection Info ^^^^^^^^^^^^^^^^^^^^^^^^ In order for Tempest to be able to talk to your OpenStack deployment you need @@ -134,44 +126,6 @@ unexpected failures in some tests. Pre-Provisioned Credentials are also know as accounts.yaml or accounts file. -Legacy Credentials -"""""""""""""""""" -**Starting in the Liberty release this mechanism was deprecated; it will be -removed in a future release.** - -When Tempest was refactored to allow for locking test accounts, the original -non-project isolated case was converted to internally work similarly to the -accounts.yaml file. This mechanism was then called the legacy test accounts -provider. To use the legacy test accounts provider you can specify the sets of -credentials in the configuration file as detailed above with following nine -options in the ``identity`` section: - - #. ``username`` - #. ``password`` - #. ``project_name`` - #. ``alt_username`` - #. ``alt_password`` - #. ``alt_project_name`` - -If using Identity API v3, use the ``domain_name`` option to specify a -domain other than the default domain. The ``auth_version`` setting is -used to switch between v2 (``v2``) or v3 (``v3``) versions of the Identity -API. - -And in the ``auth`` section: - - #. ``use_dynamic_credentials = False`` - #. Comment out ``test_accounts_file`` or keep it empty. - -It only makes sense to use this if parallel execution isn't needed, since -Tempest won't be able to properly isolate tests using this. Additionally, using -the traditional config options for credentials is not able to provide -credentials to tests requiring specific roles on accounts. This is because the -config options do not give sufficient flexibility to describe the roles assigned -to a user for running the tests. There are additional limitations with regard to -network configuration when using this credential provider mechanism - see the -`Networking`_ section below. - Compute ------- diff --git a/releasenotes/notes/remove-legacy-credential-providers-3d653ac3ba1ada2b.yaml b/releasenotes/notes/remove-legacy-credential-providers-3d653ac3ba1ada2b.yaml new file mode 100644 index 0000000000..89b3f41331 --- /dev/null +++ b/releasenotes/notes/remove-legacy-credential-providers-3d653ac3ba1ada2b.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - The deprecated legacy credential provider has been removed. The only way to + configure credentials in tempest now is to use the dynamic or preprovisioned + credential providers diff --git a/tempest/common/credentials_factory.py b/tempest/common/credentials_factory.py index 6cb43f348c..7c73ada430 100644 --- a/tempest/common/credentials_factory.py +++ b/tempest/common/credentials_factory.py @@ -14,7 +14,6 @@ from oslo_concurrency import lockutils from tempest import clients -from tempest.common import cred_provider from tempest.common import dynamic_creds from tempest.common import preprov_creds from tempest import config @@ -62,89 +61,6 @@ def _get_preprov_provider_params(): ])) -class LegacyCredentialProvider(cred_provider.CredentialProvider): - - def __init__(self, identity_version): - """Credentials provider which returns credentials from tempest.conf - - Credentials provider which always returns the first and second - configured accounts as primary and alt users. - Credentials from tempest.conf are deprecated, and this credential - provider is also accordingly. - - This credential provider can be used in case of serial test execution - to preserve the current behaviour of the serial tempest run. - - :param identity_version: Version of the identity API - :return: CredentialProvider - """ - super(LegacyCredentialProvider, self).__init__( - identity_version=identity_version) - self._creds = {} - - def _unique_creds(self, cred_arg=None): - """Verify that the configured credentials are valid and distinct """ - try: - user = self.get_primary_creds() - alt_user = self.get_alt_creds() - return getattr(user, cred_arg) != getattr(alt_user, cred_arg) - except exceptions.InvalidCredentials as ic: - msg = "At least one of the configured credentials is " \ - "not valid: %s" % ic.message - raise exceptions.InvalidConfiguration(msg) - - def is_multi_user(self): - return self._unique_creds('username') - - def is_multi_tenant(self): - return self._unique_creds('tenant_id') - - def get_primary_creds(self): - if self._creds.get('primary'): - return self._creds.get('primary') - primary_credential = get_configured_credentials( - credential_type='user', fill_in=False, - identity_version=self.identity_version) - self._creds['primary'] = cred_provider.TestResources( - primary_credential) - return self._creds['primary'] - - def get_alt_creds(self): - if self._creds.get('alt'): - return self._creds.get('alt') - alt_credential = get_configured_credentials( - credential_type='alt_user', fill_in=False, - identity_version=self.identity_version) - self._creds['alt'] = cred_provider.TestResources( - alt_credential) - return self._creds['alt'] - - def clear_creds(self): - self._creds = {} - - def get_admin_creds(self): - if self._creds.get('admin'): - return self._creds.get('admin') - creds = get_configured_credentials( - "identity_admin", fill_in=False) - self._creds['admin'] = cred_provider.TestResources(creds) - return self._creds['admin'] - - def get_creds_by_roles(self, roles, force_new=False): - msg = "Credentials being specified through the config file can not be"\ - " used with tests that specify using credentials by roles. "\ - "Either exclude/skip the tests doing this or use either a "\ - "test_accounts_file or dynamic credentials." - raise exceptions.InvalidConfiguration(msg) - - def is_role_available(self, role): - # NOTE(andreaf) LegacyCredentialProvider does not support credentials - # by role, so returning always False. - # Test that rely on credentials by role should use this to skip - # when this is credential provider is used - return False - - # Return the right implementation of CredentialProvider based on config # Dropping interface and password, as they are never used anyways # TODO(andreaf) Drop them from the CredentialsProvider interface completely @@ -172,9 +88,8 @@ def get_credentials_provider(name, network_resources=None, name=name, identity_version=identity_version, **_get_preprov_provider_params()) else: - # Dynamic credentials are disabled, and the account file is not - # defined - we fall back on credentials configured in tempest.conf - return LegacyCredentialProvider(identity_version=identity_version) + raise exceptions.InvalidConfiguration( + 'A valid credential provider is needed') # We want a helper function here to check and see if admin credentials @@ -218,7 +133,9 @@ def is_alt_available(identity_version): identity_version=identity_version, name='check_alt', **_get_preprov_provider_params()) else: - check_accounts = LegacyCredentialProvider(identity_version) + raise exceptions.InvalidConfiguration( + 'A valid credential provider is needed') + try: if not check_accounts.is_multi_user(): return False diff --git a/tempest/config.py b/tempest/config.py index 6360c3e9be..f5125b5339 100644 --- a/tempest/config.py +++ b/tempest/config.py @@ -160,41 +160,9 @@ IdentityGroup = [ 'publicURL', 'adminURL', 'internalURL'], help="The endpoint type to use for OpenStack Identity " "(Keystone) API v3"), - cfg.StrOpt('username', - help="Username to use for Nova API requests.", - deprecated_for_removal=True), - cfg.StrOpt('project_name', - deprecated_name='tenant_name', - help="Project name to use for Nova API requests.", - deprecated_for_removal=True), cfg.StrOpt('admin_role', default='admin', help="Role required to administrate keystone."), - cfg.StrOpt('password', - help="API key to use when authenticating.", - secret=True, - deprecated_for_removal=True), - cfg.StrOpt('domain_name', - help="Domain name for authentication (Keystone V3)." - "The same domain applies to user and project", - deprecated_for_removal=True), - cfg.StrOpt('alt_username', - help="Username of alternate user to use for Nova API " - "requests.", - deprecated_for_removal=True), - cfg.StrOpt('alt_project_name', - deprecated_name='alt_tenant_name', - help="Alternate user's Project name to use for Nova API " - "requests.", - deprecated_for_removal=True), - cfg.StrOpt('alt_password', - help="API key to use when authenticating as alternate user.", - secret=True, - deprecated_for_removal=True), - cfg.StrOpt('alt_domain_name', - help="Alternate domain name for authentication (Keystone V3)." - "The same domain applies to user and project", - deprecated_for_removal=True), cfg.StrOpt('default_domain_id', default='default', help="ID of the default domain"), @@ -1250,12 +1218,6 @@ class TempestConfigPrivate(object): self.baremetal = _CONF.baremetal self.input_scenario = _CONF['input-scenario'] self.negative = _CONF.negative - _CONF.set_default('domain_name', - self.auth.default_credentials_domain_name, - group='identity') - _CONF.set_default('alt_domain_name', - self.auth.default_credentials_domain_name, - group='identity') logging.tempest_set_log_file('tempest.log') def __init__(self, parse_conf=True, config_path=None): diff --git a/tempest/tests/common/test_alt_available.py b/tempest/tests/common/test_alt_available.py index d4cfab6a31..27db95cd35 100644 --- a/tempest/tests/common/test_alt_available.py +++ b/tempest/tests/common/test_alt_available.py @@ -49,28 +49,6 @@ class TestAltAvailable(base.TestCase): else: self.useFixture(mockpatch.Patch('os.path.isfile', return_value=False)) - cred_prefix = ['', 'alt_'] - for ii in range(0, 2): - if len(creds) > ii: - username = 'u%s' % creds[ii] - project = 't%s' % creds[ii] - password = 'p' - domain = 'd' - else: - username = None - project = None - password = None - domain = None - - cfg.CONF.set_default('%susername' % cred_prefix[ii], username, - group='identity') - cfg.CONF.set_default('%sproject_name' % cred_prefix[ii], - project, group='identity') - cfg.CONF.set_default('%spassword' % cred_prefix[ii], password, - group='identity') - cfg.CONF.set_default('%sdomain_name' % cred_prefix[ii], domain, - group='identity') - expected = len(set(creds)) > 1 or dynamic_creds observed = credentials.is_alt_available( identity_version=self.identity_version) @@ -97,21 +75,6 @@ class TestAltAvailable(base.TestCase): use_accounts_file=True, creds=['1', '1']) - def test__no_dynamic_creds__no_accounts_file__one_user(self): - self.run_test(dynamic_creds=False, - use_accounts_file=False, - creds=['1']) - - def test__no_dynamic_creds__no_accounts_file__two_users(self): - self.run_test(dynamic_creds=False, - use_accounts_file=False, - creds=['1', '2']) - - def test__no_dynamic_creds__no_accounts_file__two_users_identical(self): - self.run_test(dynamic_creds=False, - use_accounts_file=False, - creds=['1', '1']) - class TestAltAvailableV3(TestAltAvailable): diff --git a/tempest/tests/common/test_configured_creds.py b/tempest/tests/common/test_configured_creds.py deleted file mode 100644 index 3c242b36dc..0000000000 --- a/tempest/tests/common/test_configured_creds.py +++ /dev/null @@ -1,131 +0,0 @@ -# Copyright 2015 Hewlett-Packard Development Company, L.P. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from oslo_config import cfg - -from tempest.common import credentials_factory as common_creds -from tempest.common import tempest_fixtures as fixtures -from tempest import config -from tempest.lib import auth -from tempest.lib import exceptions as lib_exc -from tempest.lib.services.identity.v2 import token_client as v2_client -from tempest.lib.services.identity.v3 import token_client as v3_client -from tempest.tests import base -from tempest.tests import fake_config -from tempest.tests.lib import fake_identity - - -class ConfiguredV2CredentialsTests(base.TestCase): - attributes = { - 'username': 'fake_username', - 'password': 'fake_password', - 'tenant_name': 'fake_tenant_name' - } - - identity_response = fake_identity._fake_v2_response - credentials_class = auth.KeystoneV2Credentials - tokenclient_class = v2_client.TokenClient - identity_version = 'v2' - - def setUp(self): - super(ConfiguredV2CredentialsTests, self).setUp() - self.useFixture(fake_config.ConfigFixture()) - self.patchobject(config, 'TempestConfigPrivate', - fake_config.FakePrivate) - self.patchobject(self.tokenclient_class, 'raw_request', - self.identity_response) - - def _get_credentials(self, attributes=None): - if attributes is None: - attributes = self.attributes - return self.credentials_class(**attributes) - - def _check(self, credentials, credentials_class, filled): - # Check the right version of credentials has been returned - self.assertIsInstance(credentials, credentials_class) - # Check the id attributes are filled in - attributes = [x for x in credentials.ATTRIBUTES if ( - '_id' in x and x != 'domain_id')] - for attr in attributes: - if filled: - self.assertIsNotNone(getattr(credentials, attr)) - else: - self.assertIsNone(getattr(credentials, attr)) - - def _verify_credentials(self, credentials_class, filled=True, - identity_version=None): - for ctype in common_creds.CREDENTIAL_TYPES: - if identity_version is None: - creds = common_creds.get_configured_credentials( - credential_type=ctype, fill_in=filled) - else: - creds = common_creds.get_configured_credentials( - credential_type=ctype, fill_in=filled, - identity_version=identity_version) - self._check(creds, credentials_class, filled) - - def test_create(self): - creds = self._get_credentials() - self.assertEqual(self.attributes, creds._initial) - - def test_create_invalid_attr(self): - self.assertRaises(lib_exc.InvalidCredentials, - self._get_credentials, - attributes=dict(invalid='fake')) - - def test_get_configured_credentials(self): - self.useFixture(fixtures.LockFixture('auth_version')) - self._verify_credentials(credentials_class=self.credentials_class) - - def test_get_configured_credentials_unfilled(self): - self.useFixture(fixtures.LockFixture('auth_version')) - self._verify_credentials(credentials_class=self.credentials_class, - filled=False) - - def test_get_configured_credentials_version(self): - # version specified and not loaded from config - self.useFixture(fixtures.LockFixture('auth_version')) - self._verify_credentials(credentials_class=self.credentials_class, - identity_version=self.identity_version) - - def test_is_valid(self): - creds = self._get_credentials() - self.assertTrue(creds.is_valid()) - - -class ConfiguredV3CredentialsTests(ConfiguredV2CredentialsTests): - attributes = { - 'username': 'fake_username', - 'password': 'fake_password', - 'project_name': 'fake_project_name', - 'user_domain_name': 'fake_domain_name' - } - - credentials_class = auth.KeystoneV3Credentials - identity_response = fake_identity._fake_v3_response - tokenclient_class = v3_client.V3TokenClient - identity_version = 'v3' - - def setUp(self): - super(ConfiguredV3CredentialsTests, self).setUp() - # Additional config items reset by cfg fixture after each test - cfg.CONF.set_default('auth_version', 'v3', group='identity') - # Identity group items - for prefix in ['', 'alt_', 'admin_']: - if prefix == 'admin_': - group = 'auth' - else: - group = 'identity' - cfg.CONF.set_default(prefix + 'domain_name', 'fake_domain_name', - group=group) diff --git a/tempest/tests/common/test_credentials.py b/tempest/tests/common/test_credentials.py deleted file mode 100644 index 00f2d39380..0000000000 --- a/tempest/tests/common/test_credentials.py +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright 2015 Hewlett-Packard Development Company, L.P. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from tempest.common import credentials_factory as credentials -from tempest import config -from tempest import exceptions -from tempest.tests import base -from tempest.tests import fake_config - - -class TestLegacyCredentialsProvider(base.TestCase): - - fixed_params = {'identity_version': 'v2'} - - def setUp(self): - super(TestLegacyCredentialsProvider, self).setUp() - self.useFixture(fake_config.ConfigFixture()) - self.patchobject(config, 'TempestConfigPrivate', - fake_config.FakePrivate) - - def test_get_creds_roles_legacy_invalid(self): - test_accounts_class = credentials.LegacyCredentialProvider( - **self.fixed_params) - self.assertRaises(exceptions.InvalidConfiguration, - test_accounts_class.get_creds_by_roles, - ['fake_role']) diff --git a/tempest/tests/fake_config.py b/tempest/tests/fake_config.py index edd7186712..65164a0615 100644 --- a/tempest/tests/fake_config.py +++ b/tempest/tests/fake_config.py @@ -48,14 +48,9 @@ class ConfigFixture(conf_fixture.Config): self.conf.set_default('auth_version', 'v2', group='identity') for config_option in ['username', 'password', 'project_name']: # Identity group items - for prefix in ['', 'alt_', 'admin_']: - if prefix == 'admin_': - group = 'auth' - else: - group = 'identity' - self.conf.set_default(prefix + config_option, - 'fake_' + config_option, - group=group) + self.conf.set_default('admin_' + config_option, + 'fake_' + config_option, + group='auth') class FakePrivate(config.TempestConfigPrivate):