From 87fc7e9ac0efa9fbe883d4f9375c06a94396b75d Mon Sep 17 00:00:00 2001 From: David Kranz Date: Tue, 28 Jul 2015 14:05:20 -0400 Subject: [PATCH] Allow v3 identity to work without the admin domain name The problem was that the value of admin_domain_name was required in order to use identity v3 even if no admin was being used. A new option auth.default_credentials_domain_name is used instead of admin_domain_name except when requesting admin creds. This defaults to 'Default' which is the name keystone uses for compatibility with v2. Because tenant_isolation and pre-provisioned credentials are mutually exclusive, and to avoid having too many config options, the new option is used instead of tenant_isolation_domain_name as well. Change-Id: I52f0d4c0cc7e5eafa896776b12315ed6154dfae2 --- etc/tempest.conf.sample | 8 ++++---- tempest/common/accounts.py | 2 +- tempest/common/cred_provider.py | 6 +++--- tempest/common/isolated_creds.py | 4 ++-- tempest/config.py | 19 +++++++++++-------- 5 files changed, 21 insertions(+), 18 deletions(-) diff --git a/etc/tempest.conf.sample b/etc/tempest.conf.sample index 724bff469d..1f8c8896bd 100644 --- a/etc/tempest.conf.sample +++ b/etc/tempest.conf.sample @@ -123,10 +123,10 @@ # Roles to assign to all users created by tempest (list value) #tempest_roles = -# Only applicable when identity.auth_version is v3.Domain within which -# isolated credentials are provisioned.The default "None" means that -# the domain from theadmin user is used instead. (string value) -#tenant_isolation_domain_name = +# Default domain used when getting v3 credentials. This is the name +# keystone uses for v2 compatibility. (string value) +# Deprecated group/name - [auth]/tenant_isolation_domain_name +#default_credentials_domain_name = Default # If allow_tenant_isolation is set to True and Neutron is enabled # Tempest will try to create a useable network, subnet, and router diff --git a/tempest/common/accounts.py b/tempest/common/accounts.py index 78e0e72657..27b44f6583 100644 --- a/tempest/common/accounts.py +++ b/tempest/common/accounts.py @@ -216,7 +216,7 @@ class Accounts(cred_provider.CredentialProvider): if ('user_domain_name' in init_attributes and 'user_domain_name' not in hash_attributes): # Allow for the case of domain_name populated from config - domain_name = CONF.identity.admin_domain_name + domain_name = CONF.auth.default_credentials_domain_name hash_attributes['user_domain_name'] = domain_name if all([getattr(creds, k) == hash_attributes[k] for k in init_attributes]): diff --git a/tempest/common/cred_provider.py b/tempest/common/cred_provider.py index 2b7e0dbc5b..783a5fc80a 100644 --- a/tempest/common/cred_provider.py +++ b/tempest/common/cred_provider.py @@ -84,9 +84,9 @@ def get_credentials(fill_in=True, identity_version=None, **kwargs): domain_fields = set(x for x in auth.KeystoneV3Credentials.ATTRIBUTES if 'domain' in x) if not domain_fields.intersection(kwargs.keys()): - # TODO(andreaf) It might be better here to use a dedicated config - # option such as CONF.auth.tenant_isolation_domain_name - params['user_domain_name'] = CONF.identity.admin_domain_name + domain_name = CONF.auth.default_credentials_domain_name + params['user_domain_name'] = domain_name + auth_url = CONF.identity.uri_v3 else: auth_url = CONF.identity.uri diff --git a/tempest/common/isolated_creds.py b/tempest/common/isolated_creds.py index ff4eda9231..7888811feb 100644 --- a/tempest/common/isolated_creds.py +++ b/tempest/common/isolated_creds.py @@ -163,8 +163,8 @@ class IsolatedCreds(cred_provider.CredentialProvider): self.creds_domain_name = None if self.identity_version == 'v3': self.creds_domain_name = ( - CONF.auth.tenant_isolation_domain_name or - self.default_admin_creds.project_domain_name) + self.default_admin_creds.project_domain_name or + CONF.auth.default_credentials_domain_name) self.creds_client = get_creds_client( self.identity_admin_client, self.creds_domain_name) diff --git a/tempest/config.py b/tempest/config.py index 5ea4d10275..46f84ee338 100644 --- a/tempest/config.py +++ b/tempest/config.py @@ -67,12 +67,13 @@ AuthGroup = [ cfg.ListOpt('tempest_roles', help="Roles to assign to all users created by tempest", default=[]), - cfg.StrOpt('tenant_isolation_domain_name', - default=None, - help="Only applicable when identity.auth_version is v3." - "Domain within which isolated credentials are provisioned." - "The default \"None\" means that the domain from the" - "admin user is used instead."), + cfg.StrOpt('default_credentials_domain_name', + default='Default', + help="Default domain used when getting v3 credentials. " + "This is the name keystone uses for v2 compatibility.", + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_isolation_domain_name', + group='auth')]), cfg.BoolOpt('create_isolated_networks', default=True, help="If allow_tenant_isolation is set to True and Neutron is " @@ -1257,9 +1258,11 @@ class TempestConfigPrivate(object): self.baremetal = _CONF.baremetal self.input_scenario = _CONF['input-scenario'] self.negative = _CONF.negative - _CONF.set_default('domain_name', self.identity.admin_domain_name, + _CONF.set_default('domain_name', + self.auth.default_credentials_domain_name, group='identity') - _CONF.set_default('alt_domain_name', self.identity.admin_domain_name, + _CONF.set_default('alt_domain_name', + self.auth.default_credentials_domain_name, group='identity') def __init__(self, parse_conf=True, config_path=None):