openstack/tempest
Code Issues Proposed changes

Remove deprecated legacy credentials provider

Browse Source 
This commit removes the legacy credential provider. It's been
deprecated for over a full cycle which has been sufficient time for
users to migrate off of it. Keeping this around just causes more
confusion by having a 3rd path to configuring credentials in tempest.
The credential provider was officially marked as deprecated in change
Ia5132c5cb32355d6f26b8acdd92a0e55a2c19f41

Change-Id: I8c24cd17f643083dde71ab2bd2a38417c54aeccb
This commit is contained in:
Matthew Treinish 2016-01-04 13:16:03 -05:00
parent 0e510e7c85
commit 40847ac308
No known key found for this signature in database
GPG Key ID: FD12A0F214C9E177
8 changed files with 14 additions and 386 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
doc/source/configuration.rst
View File

@ -27,21 +27,13 @@ can be used to:
- Generate test credentials on the fly (see `Dynamic Credentials`_)
Tempest allows for configuring pre-provisioned test credentials as well.
This can be done in two different ways.
One is to provide credentials is using the accounts.yaml file (see
This can be done using the accounts.yaml file (see
`Pre-Provisioned Credentials`_). This file is used to specify an arbitrary
number of users available to run tests with.
You can specify the location of the file in the ``auth`` section in the
tempest.conf file. To see the specific format used in the file please refer to
the accounts.yaml.sample file included in Tempest.
A second way - now deprecated - is a set of configuration options in the
tempest.conf file (see `Legacy Credentials`_). These options are clearly
labelled in the ``identity`` section and let you specify a set of credentials
for a regular user and an alternate user, consisting of a username, password,
project and domain name.
Keystone Connection Info
^^^^^^^^^^^^^^^^^^^^^^^^
In order for Tempest to be able to talk to your OpenStack deployment you need
@ -134,44 +126,6 @@ unexpected failures in some tests.
Pre-Provisioned Credentials are also know as accounts.yaml or accounts file.
Legacy Credentials
""""""""""""""""""
**Starting in the Liberty release this mechanism was deprecated; it will be
removed in a future release.**
When Tempest was refactored to allow for locking test accounts, the original
non-project isolated case was converted to internally work similarly to the
accounts.yaml file. This mechanism was then called the legacy test accounts
provider. To use the legacy test accounts provider you can specify the sets of
credentials in the configuration file as detailed above with following nine
options in the ``identity`` section:
#. ``username``
#. ``password``
#. ``project_name``
#. ``alt_username``
#. ``alt_password``
#. ``alt_project_name``
If using Identity API v3, use the ``domain_name`` option to specify a
domain other than the default domain. The ``auth_version`` setting is
used to switch between v2 (``v2``) or v3 (``v3``) versions of the Identity
API.
And in the ``auth`` section:
#. ``use_dynamic_credentials = False``
#. Comment out ``test_accounts_file`` or keep it empty.
It only makes sense to use this if parallel execution isn't needed, since
Tempest won't be able to properly isolate tests using this. Additionally, using
the traditional config options for credentials is not able to provide
credentials to tests requiring specific roles on accounts. This is because the
config options do not give sufficient flexibility to describe the roles assigned
to a user for running the tests. There are additional limitations with regard to
network configuration when using this credential provider mechanism - see the
`Networking`_ section below.
Compute
-------

5
releasenotes/notes/remove-legacy-credential-providers-3d653ac3ba1ada2b.yaml Normal file
View File

@ -0,0 +1,5 @@
---
upgrade:
- The deprecated legacy credential provider has been removed. The only way to
configure credentials in tempest now is to use the dynamic or preprovisioned
credential providers

93
tempest/common/credentials_factory.py
View File

@ -14,7 +14,6 @@
from oslo_concurrency import lockutils
from tempest import clients
from tempest.common import cred_provider
from tempest.common import dynamic_creds
from tempest.common import preprov_creds
from tempest import config
@ -62,89 +61,6 @@ def _get_preprov_provider_params():
]))
class LegacyCredentialProvider(cred_provider.CredentialProvider):
def __init__(self, identity_version):
"""Credentials provider which returns credentials from tempest.conf
Credentials provider which always returns the first and second
configured accounts as primary and alt users.
Credentials from tempest.conf are deprecated, and this credential
provider is also accordingly.
This credential provider can be used in case of serial test execution
to preserve the current behaviour of the serial tempest run.
:param identity_version: Version of the identity API
:return: CredentialProvider
"""
super(LegacyCredentialProvider, self).__init__(
identity_version=identity_version)
self._creds = {}
def _unique_creds(self, cred_arg=None):
"""Verify that the configured credentials are valid and distinct """
try:
user = self.get_primary_creds()
alt_user = self.get_alt_creds()
return getattr(user, cred_arg) != getattr(alt_user, cred_arg)
except exceptions.InvalidCredentials as ic:
msg = "At least one of the configured credentials is " \
"not valid: %s" % ic.message
raise exceptions.InvalidConfiguration(msg)
def is_multi_user(self):
return self._unique_creds('username')
def is_multi_tenant(self):
return self._unique_creds('tenant_id')
def get_primary_creds(self):
if self._creds.get('primary'):
return self._creds.get('primary')
primary_credential = get_configured_credentials(
credential_type='user', fill_in=False,
identity_version=self.identity_version)
self._creds['primary'] = cred_provider.TestResources(
primary_credential)
return self._creds['primary']
def get_alt_creds(self):
if self._creds.get('alt'):
return self._creds.get('alt')
alt_credential = get_configured_credentials(
credential_type='alt_user', fill_in=False,
identity_version=self.identity_version)
self._creds['alt'] = cred_provider.TestResources(
alt_credential)
return self._creds['alt']
def clear_creds(self):
self._creds = {}
def get_admin_creds(self):
if self._creds.get('admin'):
return self._creds.get('admin')
creds = get_configured_credentials(
"identity_admin", fill_in=False)
self._creds['admin'] = cred_provider.TestResources(creds)
return self._creds['admin']
def get_creds_by_roles(self, roles, force_new=False):
msg = "Credentials being specified through the config file can not be"\
" used with tests that specify using credentials by roles. "\
"Either exclude/skip the tests doing this or use either a "\
"test_accounts_file or dynamic credentials."
raise exceptions.InvalidConfiguration(msg)
def is_role_available(self, role):
# NOTE(andreaf) LegacyCredentialProvider does not support credentials
# by role, so returning always False.
# Test that rely on credentials by role should use this to skip
# when this is credential provider is used
return False
# Return the right implementation of CredentialProvider based on config
# Dropping interface and password, as they are never used anyways
# TODO(andreaf) Drop them from the CredentialsProvider interface completely
@ -172,9 +88,8 @@ def get_credentials_provider(name, network_resources=None,
name=name, identity_version=identity_version,
**_get_preprov_provider_params())
else:
# Dynamic credentials are disabled, and the account file is not
# defined - we fall back on credentials configured in tempest.conf
return LegacyCredentialProvider(identity_version=identity_version)
raise exceptions.InvalidConfiguration(
'A valid credential provider is needed')
# We want a helper function here to check and see if admin credentials
@ -218,7 +133,9 @@ def is_alt_available(identity_version):
identity_version=identity_version, name='check_alt',
**_get_preprov_provider_params())
else:
check_accounts = LegacyCredentialProvider(identity_version)
raise exceptions.InvalidConfiguration(
'A valid credential provider is needed')
try:
if not check_accounts.is_multi_user():
return False

38
tempest/config.py
View File

@ -160,41 +160,9 @@ IdentityGroup = [
'publicURL', 'adminURL', 'internalURL'],
help="The endpoint type to use for OpenStack Identity "
"(Keystone) API v3"),
cfg.StrOpt('username',
help="Username to use for Nova API requests.",
deprecated_for_removal=True),
cfg.StrOpt('project_name',
deprecated_name='tenant_name',
help="Project name to use for Nova API requests.",
deprecated_for_removal=True),
cfg.StrOpt('admin_role',
default='admin',
help="Role required to administrate keystone."),
cfg.StrOpt('password',
help="API key to use when authenticating.",
secret=True,
deprecated_for_removal=True),
cfg.StrOpt('domain_name',
help="Domain name for authentication (Keystone V3)."
"The same domain applies to user and project",
deprecated_for_removal=True),
cfg.StrOpt('alt_username',
help="Username of alternate user to use for Nova API "
"requests.",
deprecated_for_removal=True),
cfg.StrOpt('alt_project_name',
deprecated_name='alt_tenant_name',
help="Alternate user's Project name to use for Nova API "
"requests.",
deprecated_for_removal=True),
cfg.StrOpt('alt_password',
help="API key to use when authenticating as alternate user.",
secret=True,
deprecated_for_removal=True),
cfg.StrOpt('alt_domain_name',
help="Alternate domain name for authentication (Keystone V3)."
"The same domain applies to user and project",
deprecated_for_removal=True),
cfg.StrOpt('default_domain_id',
default='default',
help="ID of the default domain"),
@ -1250,12 +1218,6 @@ class TempestConfigPrivate(object):
self.baremetal = _CONF.baremetal
self.input_scenario = _CONF['input-scenario']
self.negative = _CONF.negative
_CONF.set_default('domain_name',
self.auth.default_credentials_domain_name,
group='identity')
_CONF.set_default('alt_domain_name',
self.auth.default_credentials_domain_name,
group='identity')
logging.tempest_set_log_file('tempest.log')
def __init__(self, parse_conf=True, config_path=None):

37
tempest/tests/common/test_alt_available.py
View File

@ -49,28 +49,6 @@ class TestAltAvailable(base.TestCase):
else:
self.useFixture(mockpatch.Patch('os.path.isfile',
return_value=False))
cred_prefix = ['', 'alt_']
for ii in range(0, 2):
if len(creds) > ii:
username = 'u%s' % creds[ii]
project = 't%s' % creds[ii]
password = 'p'
domain = 'd'
else:
username = None
project = None
password = None
domain = None
cfg.CONF.set_default('%susername' % cred_prefix[ii], username,
group='identity')
cfg.CONF.set_default('%sproject_name' % cred_prefix[ii],
project, group='identity')
cfg.CONF.set_default('%spassword' % cred_prefix[ii], password,
group='identity')
cfg.CONF.set_default('%sdomain_name' % cred_prefix[ii], domain,
group='identity')
expected = len(set(creds)) > 1 or dynamic_creds
observed = credentials.is_alt_available(
identity_version=self.identity_version)
@ -97,21 +75,6 @@ class TestAltAvailable(base.TestCase):
use_accounts_file=True,
creds=['1', '1'])
def test__no_dynamic_creds__no_accounts_file__one_user(self):
self.run_test(dynamic_creds=False,
use_accounts_file=False,
creds=['1'])
def test__no_dynamic_creds__no_accounts_file__two_users(self):
self.run_test(dynamic_creds=False,
use_accounts_file=False,
creds=['1', '2'])
def test__no_dynamic_creds__no_accounts_file__two_users_identical(self):
self.run_test(dynamic_creds=False,
use_accounts_file=False,
creds=['1', '1'])
class TestAltAvailableV3(TestAltAvailable):

131
tempest/tests/common/test_configured_creds.py
View File

@ -1,131 +0,0 @@
# Copyright 2015 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from tempest.common import credentials_factory as common_creds
from tempest.common import tempest_fixtures as fixtures
from tempest import config
from tempest.lib import auth
from tempest.lib import exceptions as lib_exc
from tempest.lib.services.identity.v2 import token_client as v2_client
from tempest.lib.services.identity.v3 import token_client as v3_client
from tempest.tests import base
from tempest.tests import fake_config
from tempest.tests.lib import fake_identity
class ConfiguredV2CredentialsTests(base.TestCase):
attributes = {
'username': 'fake_username',
'password': 'fake_password',
'tenant_name': 'fake_tenant_name'
}
identity_response = fake_identity._fake_v2_response
credentials_class = auth.KeystoneV2Credentials
tokenclient_class = v2_client.TokenClient
identity_version = 'v2'
def setUp(self):
super(ConfiguredV2CredentialsTests, self).setUp()
self.useFixture(fake_config.ConfigFixture())
self.patchobject(config, 'TempestConfigPrivate',
fake_config.FakePrivate)
self.patchobject(self.tokenclient_class, 'raw_request',
self.identity_response)
def _get_credentials(self, attributes=None):
if attributes is None:
attributes = self.attributes
return self.credentials_class(**attributes)
def _check(self, credentials, credentials_class, filled):
# Check the right version of credentials has been returned
self.assertIsInstance(credentials, credentials_class)
# Check the id attributes are filled in
attributes = [x for x in credentials.ATTRIBUTES if (
'_id' in x and x != 'domain_id')]
for attr in attributes:
if filled:
self.assertIsNotNone(getattr(credentials, attr))
else:
self.assertIsNone(getattr(credentials, attr))
def _verify_credentials(self, credentials_class, filled=True,
identity_version=None):
for ctype in common_creds.CREDENTIAL_TYPES:
if identity_version is None:
creds = common_creds.get_configured_credentials(
credential_type=ctype, fill_in=filled)
else:
creds = common_creds.get_configured_credentials(
credential_type=ctype, fill_in=filled,
identity_version=identity_version)
self._check(creds, credentials_class, filled)
def test_create(self):
creds = self._get_credentials()
self.assertEqual(self.attributes, creds._initial)
def test_create_invalid_attr(self):
self.assertRaises(lib_exc.InvalidCredentials,
self._get_credentials,
attributes=dict(invalid='fake'))
def test_get_configured_credentials(self):
self.useFixture(fixtures.LockFixture('auth_version'))
self._verify_credentials(credentials_class=self.credentials_class)
def test_get_configured_credentials_unfilled(self):
self.useFixture(fixtures.LockFixture('auth_version'))
self._verify_credentials(credentials_class=self.credentials_class,
filled=False)
def test_get_configured_credentials_version(self):
# version specified and not loaded from config
self.useFixture(fixtures.LockFixture('auth_version'))
self._verify_credentials(credentials_class=self.credentials_class,
identity_version=self.identity_version)
def test_is_valid(self):
creds = self._get_credentials()
self.assertTrue(creds.is_valid())
class ConfiguredV3CredentialsTests(ConfiguredV2CredentialsTests):
attributes = {
'username': 'fake_username',
'password': 'fake_password',
'project_name': 'fake_project_name',
'user_domain_name': 'fake_domain_name'
}
credentials_class = auth.KeystoneV3Credentials
identity_response = fake_identity._fake_v3_response
tokenclient_class = v3_client.V3TokenClient
identity_version = 'v3'
def setUp(self):
super(ConfiguredV3CredentialsTests, self).setUp()
# Additional config items reset by cfg fixture after each test
cfg.CONF.set_default('auth_version', 'v3', group='identity')
# Identity group items
for prefix in ['', 'alt_', 'admin_']:
if prefix == 'admin_':
group = 'auth'
else:
group = 'identity'
cfg.CONF.set_default(prefix + 'domain_name', 'fake_domain_name',
group=group)

37
tempest/tests/common/test_credentials.py
View File

@ -1,37 +0,0 @@
# Copyright 2015 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.common import credentials_factory as credentials
from tempest import config
from tempest import exceptions
from tempest.tests import base
from tempest.tests import fake_config
class TestLegacyCredentialsProvider(base.TestCase):
fixed_params = {'identity_version': 'v2'}
def setUp(self):
super(TestLegacyCredentialsProvider, self).setUp()
self.useFixture(fake_config.ConfigFixture())
self.patchobject(config, 'TempestConfigPrivate',
fake_config.FakePrivate)
def test_get_creds_roles_legacy_invalid(self):
test_accounts_class = credentials.LegacyCredentialProvider(
**self.fixed_params)
self.assertRaises(exceptions.InvalidConfiguration,
test_accounts_class.get_creds_by_roles,
['fake_role'])

9
tempest/tests/fake_config.py
View File

@ -48,14 +48,9 @@ class ConfigFixture(conf_fixture.Config):
self.conf.set_default('auth_version', 'v2', group='identity')
for config_option in ['username', 'password', 'project_name']:
# Identity group items
for prefix in ['', 'alt_', 'admin_']:
if prefix == 'admin_':
group = 'auth'
else:
group = 'identity'
self.conf.set_default(prefix + config_option,
self.conf.set_default('admin_' + config_option,
'fake_' + config_option,
group=group)
group='auth')
class FakePrivate(config.TempestConfigPrivate):